2018 was the year of the privacy scandal.
Uber found out that it had been breached and proceeded to track down the hackers and pay them off as part of the ensuing cover-up. The cover-up angered the Federal Trade Commission and the states’ attorneys general, resulting in a greatly expanded FTC settlement and a $148 million settlement with the AGs of all 50 states and DC.
Facebook apparently allowed application developers unmonitored and excessive access to Facebook user data, admitting to Congress that it did not know where a significant amount of user data was, who had it, and how it was being used. We do know now that the data of 87 million users was harvested by an application developer and sold to Cambridge Analytica, a campaign data brokerage firm that combined the Facebook data with data from other sources to compile individual voting profiles. Those profiles were used to influence campaigns worldwide, including the 2016 U.S. presidential election, the Brexit vote, and other elections across the globe.
Facebook lost market value, share, and revenue, took a huge reputational hit, and found its innovation and expansion plans stymied by the scandals. Facebook’s woes continue into 2019, as the FTC and AGs continue to investigate Facebook and class action suits proceed, including one in which the judge promised Facebook a “bone-crushing” discovery process.
Consumer and regulatory anger at privacy failures rivals data breach fatigue in the media. Privacy failures are generally seen as self-inflicted; the only victim is the customer. Even the Marriott data breach was criticized for apparent privacy failures, such as keeping personal data too long or in unencrypted form.
Indeed, the so-called personal details that enabled excellent guest service were themselves considered to be a target of the attack. These details are not usually encrypted, but were considered valuable by the attackers.
Privacy differs from security in that privacy assigns value to data, provides a framework and policies for protecting that valuable data (including limits on the business use and disclosure of such data), and seeks to mitigate the risks of exposure to the business and the consumer that the business’s own activities may cause. A privacy assessment differs from a security assessment in that data risks are evaluated in the context of the ordinary course of the business (how data is collected, used, shared, and retained) and are not limited to the administrative, technical, and physical steps taken to protect the data and systems from external attack.
Experts, including yours truly, predict continued focus on privacy throughout the year. Federal privacy legislation is imminent, California’s comprehensive privacy statute is effective at the beginning of 2020, and other states are following. The National Institute of Standards and Technology is developing a privacy framework to add to its Risk Management Framework and the International Organization for Standardization is developing a new ISO standard intended to ensure privacy-by-design in the development of consumer products.
Data privacy has become a cornerstone of any data protection program, including cybersecurity planning.
by Paige Boshell
About The Author:
Paige M. Boshell, Privacy Counsel LLC. Privacy Counsel LLC is a cyber and privacy legal services provider representing businesses who value their proprietary data and the personal data of their customers. privacycounselllc.com. Twitter - @PrivacyCoLLC