The combination of headline-worthy data breaches and new privacy legislation has put data protection and privacy at the top of the agenda for electronics OEMs.
The rise of new data privacy regulations with strict mandates for the handling of personal data – along with a continued string of high-profile breaches and data misappropriation – is putting data protection and privacy at the top of corporate agendas.
These breaches and the resulting regulatory fines and exposure are having a significant impact on the reputations and bottom lines of the organizations involved. Meanwhile, all companies are building larger and larger troves of data, which requires an even greater focus on security to protect data as it is used across an organization and shared with external parties. This calls for a privacy-focused approach to the data itself, as well as a range of steps to ensure that breaches do not occur.
How should a company think about these issues? Following are several considerations to keep in mind.
Factor in privacy as part of big data & AI initiatives
Any company or organization storing and mining ‘big data’ will increasingly need to consider both security and privacy as part of the overall strategy.
While one organization may have strong controls on its own access to data, when that data is shared across organizations the privacy policies may not be enforced along the way – leading to uses of the data that users never intended. The Cambridge Analytica case illustrates how data can be harvested for controversial ends. And now there are lawsuits in progress against four of the country’s major telecommunications companies for their role in selling access to the real-time location of their customers’ phones to a network of middleman companies – with reports of the data ending up in the hands of bounty hunters.
Artificial Intelligence (AI) also complicates the landscape. Machine learning finds patterns and draws inferences, which can identify characteristics that expose individuals or groups in ways that affect their privacy – for example, patterns suggesting a health condition such as Alzheimer’s. Information exposed in data breaches causes short-term harm – with passwords, Social Security numbers, passport numbers and other sensitive information released – but also has longer-term implications, because of the inferences machine learning can draw from it.
Build a cross-functional team
As data privacy and security continue to converge, it is all the more important to put together a cross-functional team that involves legal, information technology, data protection and privacy practitioners, compliance, and those in broader enterprise risk management. This approach helps to ensure thoughtful consideration of how data is identified, protected and shared, and of which access controls are in place.
Consider guidance from NIST
The National Institute of Standards and Technology (NIST) recently released a draft version of a Privacy Framework that is modeled on its well-regarded Cybersecurity Framework, a voluntary framework of standards, guidelines and best practices for managing cybersecurity-related risk.
The draft Privacy Framework explains the concept of privacy risk management and provides advice for how businesses can protect sensitive data. Although the Framework deals with issues beyond security, it incorporates security considerations and explains how privacy and security overlap. NIST is currently asking for public comments on the initial Privacy Framework.
Up your cybersecurity & data protection
The Equifax breach – which exposed the Social Security Numbers, birth dates and addresses of 148 million people – was deemed ‘entirely preventable’ had the company taken basic security measures, including software updates and data encryption.
The majority of breaches result from human error or negligence. Addressing four key areas of vulnerability can go a long way toward boosting cybersecurity across an organization: weak passwords and lack of two-factor authentication; lapses in software patching; phishing or other email-borne attacks that trick people into clicking a link that downloads malware onto a system; and USB and other removable media devices carrying malware. These issues are addressed in a new, free program offered by the Cyber Readiness Institute and used by small and medium-sized companies to improve the processes needed to mitigate these risks.
Considering guidance from the NIST Cybersecurity Framework is also advised. Its risk-based approach offers a range of ‘people, process and technology’ controls that can be scaled to an organization’s size and priorities.
The intersection between data privacy and cybersecurity will continue to evolve and pose challenges for organizations. In this shifting landscape, it’s more important than ever to identify sensitive data, consider privacy policies and take steps to ensure data protection.
– Pamela Passman, President/CEO, Create.org