Preserving data privacy in a digital age
Review the current regulatory environment for data protection as well as how it differs from data security.
Data is the DNA of a digital revolution.
More than ever, businesses rely on consumer data to make informed decisions, drive growth and meet customer needs. Data is among a business’ most valuable assets, and increased reliance on data comes with an even greater responsibility to work to safeguard its privacy and security.
Cybercriminals are also keenly aware of how valuable business data is, as evidenced by recent ransomware trends. Cyberattackers used to primarily rely on encryption to compel ransom payments. These criminals would lock businesses out of their systems and data, demanding ransom payments in exchange for decryption keys.
Today, attackers increasingly rely on encryption-less ransomware. In some cases, they don’t even bother locking businesses out of their systems anymore because they understand the threat of disclosing sensitive data can be just as powerful. They’re also expanding beyond ransomware. More than 800,000 cybercrimes were reported to the FBI in 2022, totaling $10.3 billion in losses — a nearly 400% increase since 2018.
Cyber incidents typically affect data privacy in one way or another, whether data is being unlawfully accessed and manipulated for funds transfer fraud, “exfiltrated” in a ransomware attack or otherwise leveraged in unauthorized ways for financial gain. Organizations that fail to adequately safeguard data can put themselves at risk not only of the direct impacts of a cyberattack but also liability to others, including fines, reputational damage and lost business.
Distinguishing between data privacy and data security
Data privacy and data security are closely related concepts but are not the same. Both are essential components of protecting sensitive information and, consequently, it’s not unusual for legislative and regulatory measures to address them together.
Data privacy refers to the proper handling and use of sensitive data, which includes personal data and financial data. Most businesses collect sensitive data as part of routine operations and may be obligated to prevent unauthorized access to that data. In some cases, individuals have a legal right to control how their personal data is collected, stored and used.
Data security refers to the act of protecting sensitive data and preventing its unauthorized access and misuse. Businesses improve data security by implementing security measures like encryption, firewalls and multi-factor authentication.
Understanding the legislative and regulatory landscape
Data privacy and security laws are complex and can vary by location and industry. Simultaneously, the legal landscape is evolving because governments are actively passing new measures to improve data security and data privacy. The legislative and regulatory space is dynamic. Businesses should be mindful of their potential obligations and seek legal counsel when those obligations are not clear.
Data privacy laws are not new, and some even date back to the early 1970s. The General Data Protection Regulation (GDPR) is widely regarded as one of the most significant and far-reaching data privacy frameworks, establishing requirements for processing and/or transferring the data of European Union (EU) residents.
Because GDPR extends to non-EU entities that process EU residents’ data, the United States and EU established the Data Privacy Framework (DPF) to facilitate trans-Atlantic data transfers. The DPF took effect in July 2023 and is the successor to the now-invalidated Data Privacy Shield. Beyond the EU, Australia is eyeing periodic updates to its long-standing Privacy Act, and Canada is similarly considering amendments to strengthen its existing data privacy laws.
Unlike the EU, Australia and Canada, the U.S. does not have comprehensive federal data privacy laws. Instead, the U.S. addresses data privacy through piecemeal federal and state-level measures — and some of these laws also address data security. The following are a few commonly cited federal legislative and regulatory measures that address data privacy, data security, or both:
- Gramm-Leach-Bliley Act: Requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
- FTC Safeguards Rule: Requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.
- Fair Credit Reporting Act: Governs access to consumer credit report records and promotes accuracy, fairness, and the privacy of personal information assembled by credit reporting agencies.
- Health Insurance Portability and Accountability Act: Protects sensitive patient health information from being disclosed without the patient’s consent or knowledge.
Beyond federal measures, many states have enacted laws regarding the protection and/or use of personal information, including:
- California Privacy Rights Act: Expands existing laws and, among other things, creates a new category of sensitive personal information and a right to limit the use of that information; it also imposes stricter obligations on certain businesses that handle personal data, including the need to conduct regular risk assessments and data protection assessments.
- New York SHIELD Act: Strengthens existing data security laws by expanding the types of personal data that require consumer notice after a breach and requires that companies protect the security, confidentiality, and integrity of personal data.
- Oregon Consumer Protection Act: Provides individuals with numerous rights over their personal data and imposes obligations on businesses regarding how they use consumers’ personal data.
- Massachusetts Information Privacy and Security Act: Requires anyone who utilizes the personal data of a Massachusetts resident to develop, implement, and maintain a comprehensive information security program.
How businesses can prioritize data privacy
With so many changes and new regulations, it’s clear that businesses should continue to prioritize data privacy going forward. But what does it actually mean to protect data? And how can businesses prioritize data privacy?
A comprehensive approach to data privacy should adhere to best practices. Below are a few key ways businesses can begin to address data privacy:
No. 1: Establish a data privacy framework
A good first step is to establish a robust data governance framework. Such a framework could include comprehensive data privacy and data management policies, the appointment of data protection officers and regular audits to ensure compliance with internal policies as well as external legislative and regulatory frameworks.
Businesses can also look for ways to integrate privacy controls into the service and product development process from the outset. By embedding privacy safeguards into the design process, companies can proactively address potential privacy risks rather than scrambling to react after the fact.
No. 2: Promote transparency and trust
Data breaches can erode public trust and engender unease about data practices. Even businesses with an excellent track record on data privacy and security may have to make a considerable effort to regain and maintain customer trust.
To preserve trust, businesses must be transparent about why they collect data, as well as how the data is being collected, used, shared, stored and protected. This information should be easily accessible and part of a privacy policy that outlines their overall data practices.
No. 3: Invest in robust security controls
Businesses should also invest in security measures to help protect data. Businesses can significantly reduce the risk of unauthorized access to data by implementing cyber hygiene best practices, like encryption techniques, multi-factor authentication and access controls.
Unresolved critical vulnerabilities and end-of-life software are two important indicators of a business’ likelihood of experiencing a cyber incident. Coalition policyholders with one unresolved critical vulnerability of any kind are 33% more likely to experience a claim — underscoring the importance of timely remediation and proper cyber hygiene.
Regular employee training on data security best practices is another proven way to reduce the chances of employees falling prey to social engineering attacks. Phishing remains the most common attack vector for cyberattacks, contributing to 76% of cyber claims.
Businesses should try to strike a balance between collecting and leveraging customer data to better serve customers and seemingly contradictory measures like limiting data collection to protect privacy — all in the name of preserving data privacy in the digital age.
This article was initially published on Coalition’s website and is reprinted here with permission.
Sezaneh Seymour is head of regulatory risk and policy at Coalition. Prior to Coalition, Seymour spent the past 18 years working on national security, technology and trade issues at the State Department, Treasury and the White House.