Data privacy seems to have surpassed all other technological buzzwords (with Big Data, AI and IoT largely responsible for the increase in available data) in the last few years, primarily because of the number of data breaches, which continues to rise unabated each year.
The most annoying aspect of all is that the individuals with compromised data are for the most part entirely blameless; they have simply made the mistake of trusting a third party (whether a bank, business, government organization or healthcare provider) to secure their data adequately.
Understandably, we are all frustrated, especially when we personally take all the necessary precautions to protect our personally identifiable information (PII). We shred documents in a cross-cut shredder, we use different long alphanumeric (with special characters) passwords for each online service and change them regularly, we use VPNs and avoid insecure Wi-Fi. All these precautions become worthless when the third parties we deal with take a casual approach to protecting our data. Clearly, as much as we would like to avoid it, legislative efforts become necessary to force all who handle data to do so in a responsible manner, as if their own data (and those of their family members) was involved.
Clearly, when ethics and data security are not enforceable or even present in data storage processes, then regulations are needed to force compliance in areas that should have been obvious to even the most intellectually-challenged root vegetables.
What’s The Big Deal About Data Privacy Anyway?
Well, it’s quite simple and I’m sure many readers feel the same way. I’m very careful about the data I place online and expect those I deal with to have some sort of security policy in line with my requirements. I don’t want my data sold, exchanged or shared with those I have no dealings with. After a hospital stay to remove the part of my brain that reacts to presidential/political incompetence, I don’t wish to receive calls, emails or snail mail offering medical insurance, hats, orange wigs or invitations to attend political rallies. VIP cards in retail outlets should not result in a bombardment of unsolicited catalogs or invitations to acquire yet another credit card.
Of course, the above examples are annoyances, but the real problem is that the more people that have your PII, the greater the odds of identity theft. Alarmist BS, you cry… hardly, given the Equifax breach last year. Identity theft is on the rise globally but let’s focus on the U.S. for the moment. According to Experian, the Identity Theft Resource Center (ITRC) reported a 44% increase in breaches in 2017, exposing almost 179 million records. Some 31% of those affected by data breaches are later targeted for identity theft.
And, the most recent ITRC report at the time of writing indicates that there were 89 reported data breaches in the U.S. in December 2018 with a total of 945,735 records exposed. It’s worth noting that this an 11-page pdf where the majority of listed breaches shows ‘records exposed’ as ‘unknown’. 500,000 exposed records came from the San Diego Unified School District and 243,000 from Goldsilver, a New York-based provider of gold and silver dealer services. The other breaches came from a mix of healthcare and financial providers, educational institutions, government services and businesses, including one entry from Harley Davidson.
What records are involved in these data breaches? Financial info, medical data, billing addresses, phone numbers or social security numbers are sure to be involved, all of which can be used to aid identity theft. Therefore, when companies obviously cannot protect our data, it’s time for regulations and government involvement, ideally with financial penalties for non-compliance.
Our Data is Valuable…
It’s a given that hackers are not stupid, and they target their attacks at industries that will yield results. Financial and healthcare service providers have long been identified as juicy targets and it remains a mystery why organizations in these industries are still hacked. Obviously, they cannot protect data in the manner necessary to prevent data breaches. So, what’s the answer?
Segregation of data would seem obvious. Forget the joys of automation, data sharing and remote access. Bring back the ‘air gap’ between online networks (networks that are connected to the internet) and segregate PII in a contained network, encrypting and anonymizing data as it is collected online. Data would then be added incrementally to the offline network as needed for analytics, marketing, etc. Sure, it might involve manual updates and two terminals (one for the connected network and the other for the offline network) for helpdesk operators or customer service but it would work, in my opinion. If everything remains connected or stored in the cloud, data is at risk as hackers are creative and patient, waiting for that one software, hardware or employee exploit that will allow them network access.
No discussion on data privacy is complete without mentioning social media and big retailers such as Amazon. Collectively, our online data is precious and the reason why Facebook, Google and Amazon are global goliaths. By using their products and services, we willingly share our data, which is then used/sold on in a variety of ways to ‘improve services’ and fix an election. Smart speakers, for example, send all audio to remote storage, which is then used to improve speech recognition/AI.
Data privacy will never be a reality if the urge to connect and share everything continues.
What’s Being Done to Increase Data Privacy?
Look at the EU, yes, look at them… far from the so-called American Dream but their citizens can control what happens to their data on a global scale, thanks to the introduction of the GDPR. All organizations that handle the data of EU citizens must comply, regardless of location – it is not optional. Sure, compliance causes additional expense, but breached companies brought it on all companies by not protecting their harvested data. California has followed suit with the California Consumer Privacy Act, and forces organizations to considers an individual’s right to privacy, including the right to prevent the sale of your information. This is certainly a step in the right direction, but it needs to roll out on a national level and evolve along with technology. It makes sense to do this, as third parties (regardless of location) who store data on Californian residents will need to comply.
Unfortunately, none of these regulations mandate how data is to be protected, leaving that to the organizations involved. Still, it’s a start and regulations that force everyone to comply with them can only improve our privacy in the long run. George Washington never envisioned how technology would involve itself in our lives and I’m sure if he had known, he would have included a reference to responsible handling of personal information, forcing Big Business to handle our data as we expect. Protecting us from identity theft, waiting until we are seeking products and services before sending info and not selling our data seem like common sense requirements, even in a technological age.