As technologies advance in our fast-paced world, our activities and information are constantly being collected and monitored – so what is ‘privacy’? The digital privacy debate is intensifying among government regulators, consumer and privacy advocates, and company board members. Just as the omnipresent nature of the Internet convinced companies to embrace it until its use permeated core business processes, the ubiquitous nature of personal data has now made privacy an issue that can no longer be ignored. The global concern regarding digital privacy is one of the hot topics at the upcoming RSA 2020 Conference, which will be held in San Francisco in late February.
Privacy Involves More than Security
Let’s first define what we mean by “privacy.” People often equate digital privacy today with cybersecurity. While security is an important aspect of privacy, privacy involves more than just the protection of data. Cybersecurity focuses on protecting against known and unknown threats; privacy extends into the issues of control, ethics, and the transparent handling of data. Thousands of companies and organizations today hold the personal data of people from across the world. Twenty years ago, the average person could have used two hands to count the number of organizations that stored personal data about them. Today, one’s personal data resides in the databases and storage arrays of so many companies that it is impossible for private citizens to know who has their data and how they are using it. Whether a person’s email address was compromised in a data breach, resides on a laptop that was stolen, or was openly shared by one company with another, the result is the same: that email address was disclosed. In the same way that a storage company is responsible for the belongings of someone who rents space from it, companies need to own up to the responsibility of preserving the privacy of personal data. Organizations must consider both security and privacy when formulating a data protection strategy.
GDPR and CCPA Are Forcing the Issue of Privacy
Companies that have treated the protection and privacy of digital data with a casual attitude have recently received a wake-up call concerning the magnitude of their responsibility. A rapidly expanding landscape of regional, national, and global privacy regulations is taking hold across the world. The collection of data is not limited by sovereign boundaries or nationalities. Europe’s GDPR affects U.S.-based companies in the same manner as European-based entities as long as the personal data of European citizens is involved. The same is true in the U.S.: California’s CCPA became law of the land in 2020, requiring any company, regardless of border, to uphold its responsibility to protect the personal data of California citizens. The California privacy law drives home the importance of data management. While the initial reaction to these newly created regulations has been a checkbox approach that simply ensures compliance, companies are beginning to re-evaluate how they use customer and third-party data and what their ethical responsibilities are concerning it.
Increased Social Responsibility
A recent 2019 survey showed that 81 percent of consumers would stop engaging with a brand online after a data breach. Thanks to the proliferation of large data breaches in news headlines over the past five years, consumers are very aware of how vulnerable their personal data is. This concern about data security isn’t driven by anxiety alone, however. Whether it is cybersecurity, wage disparity, or eco-friendly manufacturing and packaging processes, private citizens are demanding greater social responsibility from corporations today. People and governments are holding companies to greater accountability. As a result, board members and company executives have an obligation not just to owners and shareholders, but also to customers, employees, and society at large.
Privacy Concerns Breed Opportunity
With so many consumers demanding more accountability and social responsibility from companies concerning their personal data, some companies are making efforts to differentiate themselves from competitors using privacy commitments. Companies such as Apple and Microsoft have made commitments to be leaders in ensuring that all products and services are built around the principle of privacy.
DoCRA Provides the Blueprint of Standards
A commitment to ensuring data protection and privacy does not mean you need to bust your budget on every security tool on the market. It means accepting your Duty of Care. Duty of care is the implied degree of protection that a “reasonable person” applies to protect others from harm. This “reasonable” level of effort and commitment is what a judge will determine in litigation following a data breach.
Pursuing what is deemed “reasonable” may seem vague, but it is clarified by the Duty of Care Risk Analysis Standard (DoCRA). This Standard was created, reviewed, and updated by the DoCRA Council. The Council is a not-for-profit 501(c)(3) organization that authors, maintains, and distributes standards and methods for analyzing and managing risk. The very mission of DoCRA is to:
“provide to the public a risk analysis method that aligns with judicial and regulatory expectations for demonstrating ‘due care,’ the ‘reasonable person,’ and ‘reasonable,’ and ‘appropriate’ safeguards.”
– The DoCRA Council
The DoCRA standard helps companies establish reasonable security strategies that incorporate their mission, objectives, and social responsibility. The first step is to determine what risks your organization may have. A good start is to leverage the DoCRA Checklist, which helps assess your duty of care, and to contact HALOCK to scope and quote a risk assessment. Prepare for the changing regulatory environment with a balanced look at your security and privacy safeguards.
Download these resources to ensure you have considered your business goals, your customers, and your third-party obligations for your data security.
SANS Security Leadership Poster 5 Keys for Building a Cybersecurity Program & CIS Controls
(ISC)2 Security Congress | The Questions a Judge Will Ask You When You are Sued for a Data Breach | Getting to Reasonable Security
RSA Conference 2020 and RIMS 2020
We will be presenting on Duty of Care Risk Analysis at these events and hope we can connect with you there.
We will also be hosting a happy hour at RSA in San Francisco on Thursday, Feb. 27, 2020 – please be our guest. It will be a fun time with giveaways and goodies in the gorgeous Intercontinental. RSVP here to reserve your place for WHISKEY BUSINESS at The Living Room in the Intercontinental at 5pm.
HALOCK is a trusted cyber security consulting firm and penetration testing company headquartered in Schaumburg, IL in the Chicago area, serving clients throughout the United States on managing risk with reasonable security strategies.