Virtru Security Insights

How Data Privacy Issues Can Unite Business and Consumer Interests

April 6, 2017

There has long been tension between consumer rights advocates and businesses over the use of consumer information; however, that may soon be a thing of the past. Greater awareness of hackers and government spying, along with consumer demand and regulatory pressure, is making executives and board members focus on data privacy issues in a way they never have before.

Businesses are starting to understand that protecting consumers is an essential component of corporate security, and that they have far more to gain by supporting consumer privacy than disregarding it.

How Data Privacy Issues Have Divided Businesses and Consumers

Looking Back: Access to Customer Data

Although online privacy poses unique challenges, the roots of our current privacy issues go back decades. Vendors and lending organizations have long kept track of customer debts, and looked for better ways to weed out customers who represented bad credit risks. In the 1950s and 1960s, they started to form cooperative credit bureaus, where creditors could pool information on delinquent or default debtors in a town or region. They’d pool personally identifiable information like names and addresses, along with credit data and even newspaper clippings with information such as marriages, deaths and promotions.

This posed some obvious data privacy issues. Creditors were able to keep track of a lot of personal information about debtors, and they used it to determine their suitability for credit without much accountability. By 1970, regulators were already moving in to protect consumer data. The Fair Credit Reporting Act of 1970 required banks to maintain accurate consumer info, and prevented them from tracking personal information that’s not relevant to your financial status.

It also established the rights of consumers to know what’s in their files and whether that information has been used against them. It likewise allows them to correct inaccurate information and have old data expunged.

Organizations were required to standardize their practices and respect consumer rights. However, the introduction of computers created new data privacy issues by allowing credit bureaus to store even more comprehensive information about consumers. These bureaus moved beyond single-region, single-industry operations and began to track consumer behavior across industries and wide geographic areas. Creditors could make more informed decisions about the risks individual debtors posed, which helped automate finance and increase profitability, but also pitted consumer and business interests against each other.

Since then, this pattern has repeated over and over again. Businesses have found new ways to capitalize on consumer information, and regulators have moved in to protect consumer rights. However, the general trend has been toward more tracking and less business privacy.

Many current privacy issues stem from the growing range of profitable ways companies can track consumers. Many websites and apps now track, sell and pool data on consumers’ online behavior and purchases. Free email and document services often scan private files and correspondence to target ads to users. Mobile apps and other portable devices allow businesses to track where customers go, who they talk to, what they see and say and, increasingly, even their biometric data.

Even in brick-and-mortar shops, tracking is increasing, with 30% of retailers employing facial recognition, according to one study. However, although this has been profitable for businesses, it has also contributed to emerging data privacy issues that could profoundly alter the debate.

Data Privacy Issues: Protecting Information From Competitors and Hackers

As businesses have gathered more and more data from customers, they’ve paradoxically had to work much harder at preserving and protecting it. Protecting data was relatively easy when you could just lock it in a filing cabinet. Now, businesses often have to make extremely sensitive information available to multiple offices and remote workers, scattered all over the world.

Customers expect a customized user experience, and companies often store very detailed data about user behavior — where they click, what they buy, how they respond to different types of ads and interfaces and so on.

At the same time, businesses are tasked with safeguarding Personally Identifiable Information under HIPAA, PCI-DSS, and other compliance regimes, as well as regional, national and local laws. Failure to do so can lead to big compliance penalties, while undermining customer trust and harming future business.

Data Privacy Issues: The Consequences of Breaches Have Worsened

As data has become more valuable to companies, it has also become more valuable to hackers. The average cost of a breach worldwide increased 23% from 2013 to 2015, topping out at $4 million — $7 million for US organizations, according to the Ponemon Institute’s 2016 Cost of Data Breach Study.

These numbers don’t tell the whole story either. Increased churn rates (up 2.9%, according to Ponemon) can weaken a company and strengthen its competitors, with long-term consequences for its place in the industry that are hard to even estimate. Compliance fees and fines are unpredictable as well, and have been increasing across industries. In 2016, Advocate Health Care had to pay a record $5.5 million settlement after its subsidiary breached 4 million patients’ PHI, stemming from a 2013 theft of several laptops.

Advocate was also required to submit to a complex corrective action plan which likely costs millions more. And that doesn’t count lawsuits, credit monitoring services for customers, and other costs. In fact, cleanup is often the most complex and costly part of a breach. Between investigating the breach, finding and remediating weaknesses, patching systems, compensating customers, and lost productivity, post-breach costs can easily run into the hundreds of millions.

And all these data privacy issues can spawn from something as minor as a stolen laptop. With costs continuing to increase, protecting data is rapidly becoming more important than collecting it, causing businesses to rethink their approach to customer information.

Data Privacy Issues: The Blurring Line Between the Personal and Professional

Businesses are increasingly unable to take two privacy postures, one towards consumers and the other towards professionals, because ultimately everyone who works at a business is also a consumer. And there is no clear place where one role ends and the other begins.

The rate of adoption of Bring Your Own Device (BYOD) shows just how fast things are changing. A February 2013 study showed 44% of companies allowing BYOD, and another 18% planning to allow it within the next year. By March 2014, 60% allowed it and another 14% were planning to — a combined total of 74%. Within a few years, virtually all businesses will allow employees to work on their own devices.

Most of those BYOD users are choosing personal apps with access to their data that could compromise secure business data. Other companies are collecting information from the devices that they use to access work accounts. A maliciously or poorly programmed app could potentially steal passwords, confidential reports, and other data. Although there are settings in G Suite security and other programs that can mitigate these risks, many companies aren’t taking the time to set them up, monitor, and maintain them.

The mobility of the modern workforce exacerbates these data privacy issues. Around 61% of workers check work email while vacationing, 57% work from home when they’re out sick, and almost 1 in 4 regularly telecommute. An unsecured wireless connection could easily allow hackers to spy on them and steal valuable information.

And even without BYOD, employees’ online personal lives can cause major data privacy issues. Workers could reuse personal passwords on work accounts, give out information on social networks that can be used to attack the company, or discuss (and potentially compromise) company business from personal accounts.

Companies are starting to become aware of these privacy issues, and they are taking a more nuanced view of access, but many don’t understand that you can benefit from cloud mobility without compromising data privacy. With the increasingly strict regulatory environment, it’s time they learned how.

Why Data Privacy Issues Must Unite Business and Consumer Interests

You Can’t Comply Without a Strong Data Privacy Posture

Imagine you run a retail company that has a home office in Virginia, selling locally made products. You use a cloud service run by a company located in Minnesota to store your database, and use G Suite for email and routine business. You primarily sell to other Virginians and people in nearby states, and work with local suppliers. Whose privacy laws do you have to uphold?

There isn’t an easy answer. For example, if you sell to a Californian, you have to disclose your privacy policy on your homepage in accordance with the California Online Privacy Protection Act (CalOPPA). Collect data from a French citizen, and you’re subject to the European Data Protection Directive or (starting on May 25th, 2018) the General Data Protection Regulation.

And it’s not just you who needs to comply — you’re responsible for your customers’ and partners’ data privacy everywhere. The software providers who make your apps, the organizations you contract to do your marketing and payment processing, the data centers where your data is stored, the servers it travels over — all of them could cause serious data privacy issues by failing to protect the data you’ve been entrusted with.

It’s an unsustainable situation for companies. You’re potentially liable for laws you’ve never even heard of, and accountable for the practices of companies you have no control over. And as the regulatory environment heats up, the risks will only become greater. There’s no way to resolve these data privacy issues with a patchwork of rules and policies that cover every privacy law which could apply. The only workable solution is a unified approach, where everyone’s privacy is protected as rigorously as possible.

Adopting a Strong Business Privacy Posture Protects Everyone

Our interconnected age demands a different approach to privacy. Each of us is a worker, a consumer, a security risk, and a potential privacy champion. Workers increasingly eschew traditional offices for homes, cafes, and other places where their company does not control the infrastructure. And nearly all businesses outsource services where data privacy issues can be incredibly damaging — such as payment processing and billing. Everyone is at risk, so everyone needs to work together.

It’s in the interest of your business to protect the privacy of your customers, partners, team and even competitors. You need to set privacy policies that are strong and transparent enough to conform with the strictest consumer privacy regulations, and convince your partners to do the same. And you need to speak out as a leader on current privacy issues, to show your customers you’re on their side.

How to Lead on Data Privacy Issues

“Leadership” is a term that gets thrown around a lot in the business sphere. Often, it refers to communicative or managerial skills. If you’re good at explaining your vision, recognizing skills or delegating responsibilities, you might be commended for your leadership.

But leading on data privacy issues requires a more thorough approach. To be a leader, you need to treat business and consumer privacy not just as an important part of risk mitigation, but as a moral obligation. You need to take a stand for your customers, stakeholders, and partners.

Leading also means choosing smart solutions that address current privacy issues and security concerns. Your company needs security solutions which fit user workflow. In an ideal world, a secure email provider and a portal may both protect consumer and partner data, but in reality, portal adoption is terrible. It’s very difficult to get customers to even use them, and it can be a big inconvenience for your own team. This makes secure email a better fit in most cases — particularly if it has a tool for recipients to read encrypted emails and attachments without installing anything.

But it’s not enough to take responsibility for privacy in-house. Since your partners’ data privacy issues can endanger your data, you need to make sure they’re following your lead. Data-centric encryption allows you to protect your users’ data anywhere it goes — if you can get your partners to adopt the same tools you’re using. Use business associate agreements to mandate that your partners use client-side encrypted email and file sharing whenever consumer data and other sensitive information is involved.

This is another good reason to choose user-friendly software. Your partner may not be willing to adopt a particular portal, but they’re already using email, along with G Suite or similar cloud file sharing and productivity apps. By choosing a tool that works with their existing modes of communication, you’ll minimize the inconvenience of security, allowing your partners to stand up for their users without getting in the way of their workers.

For more information, watch our free webinar, 4 Ways to Enhance Email Security and Simplify Compliance.