Consumer skepticism and stronger protections call for security changes
2018 became the year in which protecting personal information established itself as a right that citizens both want and are entitled to. More people started questioning who owns their data and why companies seem to require so much information about their users in order to operate. It was also the year that the world was formally introduced to the GDPR, a new regulation that brought topics like digital privacy and personal data protection to the fore.
While GDPR was the highest-profile regulation to go into effect, it wasn’t the only notable data protection policy. In 2018 alone, data protection laws or amendments were either passed or proposed in Argentina, Bahrain, Brazil, Canada, Chile, India, and Japan, among many other nations. All of these laws understandably differ around the edges, but they stay aligned in their core principles:
- Security by design
- Consent
- The right to be forgotten
- Extraterritorial application
We anticipate that these new regulations around the world on how consumer data is collected and protected will bring three key security trends to businesses in 2019:
1. Consumers will become more selective about how they share information.
2. Lawyers will be more closely involved in product development.
3. New companies will provide a secure solution to the compliance puzzle.
Consumers will be more selective about which companies they share their information with. Why?
Penalties for regulatory violations will become more high-profile. Scandal followed Facebook throughout 2018. In April, founder Mark Zuckerberg testified to Congress that Cambridge Analytica had acquired the personal information of millions of users; in September, Facebook announced a security breach affecting 87 million users.
These scandals put conversations around data protection and ownership into the news cycle. GDPR is sharpening its teeth and taking a first big bite out of Facebook. If it is decided that the company violated GDPR with its most recent data breach, the penalty may cost the company up to $1 billion (4 percent of global annual turnover). It is not unthinkable that other countries whose users were impacted by the breach will follow suit.
There will seem to be more data breaches than ever before. In the first half of 2018 alone, researchers counted 945 data breaches that caused 4.5 billion data records to be compromised. They project that the number of reported data breaches will be even higher for the second half of 2018, since GDPR came into effect in May 2018.
This does not necessarily mean that more data breaches are happening, but we’ll certainly be hearing about more of them. GDPR requires that companies follow a strict 72-hour window for public disclosure following a data breach. Security mishaps that would have stayed under wraps in the past, such as the 2015 Google+ vulnerabilities that were only announced recently, must now be disclosed within three days. We also predict that more companies will make hasty data breach announcements with incomplete information in order to meet the narrow disclosure window under GDPR.
Lawyers and the international court system will be driving more sprints in 2019
Corporate lawyers will be taking a closer look at data protection court rulings. The tension between new consumer data protection laws and the companies that require consumer data to do business will be tested in the courts. These new data protection laws will be challenged, and rightfully so, by companies that operate in this space. As courts adjudicate, attorneys for companies that handle consumer data will be more involved in product development and engineering than ever before, to ensure compliance with an ever-evolving set of precedents.
But it won’t just be private businesses following along; consumer rights groups and countries with similar laws will be watching and learning as companies and the courts work to establish reasonable standards for consumer data protection.
Secure data compliance solutions will become a product in themselves
Similar to what we saw in the payment card industry with the Payment Card Industry Data Security Standard (PCI DSS), we anticipate that new companies will step up to solve the consumer data protection puzzle and establish a reasonable standard for securing consumer data.
In short, consumer data drives business. But when that data contains personally identifiable information (PII), it ought to be handled by applications that are secure by design—meaning security is at the forefront of how they are engineered.
Companies will benefit from a product that fulfills four principles:
1. Security by design
2. Safeguards the personal information of consumers
3. Allows businesses to easily work with consumer data
4. Achieves regulatory compliance
These components are necessary to solve the headache that will follow the implementation of these disparate global regulatory standards in 2019.
Companies that operate using special classes of data protected by regulatory measures, such as protected health information (PHI) governed by HIPAA in the United States, must make security a top priority in order to operate within the bounds of the law. But the law mustn’t be so strict as to force innovative products to fold under the burden of compliance.