Developing and implementing data privacy and security policies is one of the first steps in creating organizational culture change that is focused on the protection of data and information. 2018 was the “year of privacy”, starting with a Facebook security breach that led to the exposure of 50 million user accounts. This breach was accomplished by exploiting a feature in Facebook’s code that enabled hackers to gain access to user accounts and potentially take control of them. In January 2019, over 1.76 billion records were leaked online, including approximately 773 million records from the “Collection #1” data breach, where unique email addresses and over 21 million unique passwords were posted to a hacking forum according to Hack Brief: An Astonishing 773 Million Records Exposed in Monster Breach by Brian Barrett.
- The main cause of data breaches is malicious or criminal attacks
- The global average cost of a data breach is $3.6 million, and continues to increase each year
- Approximately 91% of cyber attacks can be linked to a phishing email
Data protection is the result of deliberate decisions made by each individual user. Organizations provide data privacy and security guidance to all employees and contractors. In addition, companies need to inform employees about current threats, and teach personnel about new regulations and the safeguards in place. This includes informing employees and contractors about the following topics, among others:
- Importance of enhanced password settings;
- Utilization of two-factor authentication;
- Relevance of phishing attacks (e.g. teaching employees and contractors to not click on suspicious links or emails and to pay attention to detail);
- Not allowing visitors to piggy-back into the organization’s facilities;
- Conducting annual data privacy and security training;
- Data encryption at rest and in transit;
- Addressing negative events through Incident Response planning;
- Conducting third party reviews (e.g. receiving an SOC report and reviewing controls being relied upon);
- Reviewing policy to ensure data privacy and security controls are up to date.
Failing to appropriately protect user data can also have multiple types of consequences, including reputational damage, financial obligations, and data breaches. The European Union (EU) General Data Protection Regulation (GDPR) was approved and adopted by the EU Parliament in April 2016. “GDPR reshapes the way in which sectors manage data, as well as redefines the roles for key leaders in businesses, from CIOs to CMOs. CIOs must ensure that they have watertight consent management processes in place, whilst CMOs require effective data rights management systems to ensure they don’t lose their most valuable asset – data.”
GDPR violations can cost up to 4% of a company’s worldwide revenue. GDPR applies to:
- Organizations located within the EU;
- Organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects; or
- All companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location
Domestically, the California Consumer Privacy Act (CCPA) applies to companies that have any of the following:
- Annual gross revenues in excess of $25 million;
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
The California Consumer Privacy Act will accomplish the following:
- Individuals will have the right to know what information large corporations are collecting about them. Businesses use personal information for their own purposes, including targeting individuals through ads, discriminating based on price or service level, and compiling information into an extensive electronic file.
- Individuals will have the right to tell a business not to share or sell personal information. Businesses not only know where individuals live but also driving habits, personality, sleep habits, health and financial information, current location, web browsing history, etc.
- Individuals will have the right to protections against businesses which do not uphold the value of their privacy. Businesses that collect sensitive personal information should take basic steps to keep it safe. Currently, there are no consequences for companies who do not keep sensitive information safe. However, this law will introduce consequences.
While many individuals within organizations may see themselves as immune to the risks associated with data privacy and security, recent social media trends illustrate that the opposite can be true. On July 17, 2019, Hannah Sparks published an article, FaceApp Security Concerns: Russians Now Own All Your Old Photos, in which the author stated “the Russian app is one of the most downloaded across the globe, with fans on social media. The tool augments your face to look double or triple your current age.” The concern, however, comes when individuals grant the app permission to access their photo gallery.
Data protection has evolved from the early days, when an IT group and a standalone firewall were seen as adequate measures for ensuring protection, to the current, more holistic approach of providing awareness and training throughout all levels of the organization and ensuring that encryption is enabled on all devices that may contain company or user data. It is therefore increasingly important to remain vigilant and to keep all personnel – including both employees and contractors – well informed on data privacy and security best practices.
If you’d like to learn more about data privacy and security, or if you think your organization may benefit from specialized expertise, please contact SC&H for more information.