Introduction
Over the last few years, privacy has become a term that has relevance for almost everyone in almost every context: be it an organization trusted with the information of their customers, governments monitoring citizens’ data in the name of national security or a consumer simply buying a pair of sneakers online.
When we hear about privacy in the news, it is usually an incident related to online hackers or what is also known as a cyber attack. The message is usually the same: an individual that was lured into giving out their personal information, generally causing them great financial losses; or corporations that did not realize what their infrastructure and process vulnerabilities were and exposed their information to unknown entities that caused great damage financially or in terms of reputation.
What the media does not make too evident is what the key reasons that caused these breaches were. In some cases, these incidents are related to a lapse in data security but in a great number of cases they are related to lack of judgment when it comes to protecting someone’s private information, be it your own or your customers’.
Why is it important to understand the difference between data security and privacy safeguards? Because they are not one and the same and yet, they are so interdependent that failure to comply with one will compromise the other.
Data security refers to a company’s need to protect its stakeholders’ (namely consumers, partners, employees) information from external threats whereas privacy safeguards refers to a company’s need to protect its stakeholders’ from the company’s own use of their data.
If we look at the problem of data and privacy breaches from these two perspectives, there is so much more to do than ensure that firewalls are up and the anti-virus software is up to date. We need to ensure that no only our infrastructure is ready to overcome an attack, but that ourselves – in the case of individuals – or our own people and processes – in the case of organizations – are knowledgeable enough to avoid mistakes that may prove disastrous, either in terms of reputation or from a financial perspective.
Background
For the last few years, the Ponemon Institute has been tasked to gather data across the globe and estimate the overall cost to organizations of a data or privacy breach. In 2016, they estimated that in Canada, the average cost of such a breach amounts to CAD$278 per record.
This means that if a corporation exposes as little as 10,000 records belonging to their customers or any other stakeholders, the direct costs of detecting the breach, notifying affected parties, resolving the issue and expending on consequential costs such as fines, affected party’s compensation, loss of existing business and reputational impacts will amount to close to CAD$3MM.
Main root causes of data and privacy breaches
An interesting data point to consider is that, as mentioned before, the main culprit of most data breaches is cyber attacks. However, organizations also find that human error contributes to data and privacy breaches in a large proportion2:
Figure 11 Root causes of data breaches2
Usually the root cause of human error around data management comprises situations where training in privacy practices is not adequate. This results in employees that are tasked with handling private information do not know what precautions to take to safeguard the data or are not aware of the severity of the consequences of private data exposure.
Most of the mistakes found around human error relate to sensitive information being sent to the wrong recipient (about 30% of the time), publishing private data in public web servers (about 17% of the time), inadequate data disposal practices (about 12% of the time), external theft due to employees leaving sensitive data available in unsecure places (about 17% of the time) and last but not least, internal employee theft (about 8% of the time),. Also, let’s not forget that most cyber attacks take place because employees fall for phishing or social engineering attempts, which are also due to lack of awareness or training in such areas.
Human error has proven to be the most difficult to control because in some cases, it goes beyond technology. Data and privacy breaches are not only experienced through technology but also through mishandling of physical records. In 2015 the firm BakerHostetler found that of the data and privacy incidents that they handled for their clients, 13% involved paper records (with 2% involving both paper and electronic records); and for healthcare clients, the number was as high as 25%4.
These are the reasons why it is paramount to give policies, processes, training and awareness programs the same level of importance that is given to IT infrastructure security.
By having clear and established policies around private data management, including but not limited to privacy management, incident response best practices, data loss prevention and overall awareness around how to handle data on daily basis, both the human error and the risk of cyber attacks will be reduced considerably.
Organizational gaps around privacy practices
Most organizations have a clear IT governance structure that provides a clear strategy for data security. Anti-virus and anti-malware, network firewalls, encryption on transit and at rest, implementation of VPNs and secure communication tunnels are just a few practices implemented across the board to ensure that external entities do not compromise organizational data. Even though new threats arise all the time, IT leaders and technical experts strive to be on top of these trends and combat them accordingly.
However, when it comes to privacy practices, unfortunately there are still some gaps to close. As I mentioned before, the human factor is still a big risk that most of the time is overlooked. Just as it happens with cyber threats, privacy regulations and legislation is constantly evolving but outside of the Chief Privacy Officer and some privacy team members, up to date information on how to handle privacy scenarios does not trickle down to all levels in the organization.
Some key gaps that a few organizations currently experience and can be easily remediated are:
- Employees know about privacy but it is not top of mind on their day-to-day activities unless there is a clear policy and training around it that is reinforced on regular basis
- New projects and initiatives do not go through a privacy assessment to identify if or when private information will be handled and what is the best approach to minimize privacy risks
- Privacy policies, processes, procedures and training are not reviewed on regular basis to adapt to new business needs, but most importantly, privacy regulation
- An incident response team is not appropriately set up to minimize the impacts of a privacy breach starting with detection all the way to notification and remediation. The longer it takes to close the loop on a breach, the more expensive the incident becomes
- Data loss prevention policies and procedures are not in place thus increasing the risk of a serious privacy breach
How to minimize privacy risks and create a culture of privacy accountability
Based on the information presented, a clear area of focus for any organization that handles private information should be internal business practices. Having a work force that is clear on what their responsibilities are, how to ensure the protection of customers’ private data and how to minimize the chances of data being compromised, are key steps to ensure clear adoption of privacy practices.
Some recommendations on how to achieve a culture of privacy may include:
- Adopt appropriate change management. Awareness, training, reinforcement are the three key ingredients in any organization to adopt a new way of doing business. In this case, becoming privacy-centric
- Take a risk-based approach. With privacy organizations cannot predict what, how or when a breach will occur. It is important to be ready for such an incident but an organization cannot be completely consumed by this threat. Look at and prioritize risks from the most serious ones that can cause harm to an individual to the ones that can be easily transferred to someone else (like an insurance company) or just accepted because they are insignificant in the big picture of the business
- Establish a data and privacy governance framework. This will ensure that privacy is always top of mind and practices around the organization see it as a priority
Conclusion
Security, either from a physical or a technological point of view, is paramount to the achievement of these goals but it is not everything. An engaged workforce that clearly understands the importance – and the consequences – of handling private information appropriately will be as valuable as the most expensive infrastructure implemented to date.
Adopting a culture of privacy awareness and practices will go a long way to balance the need to ensure effective customer service, convenience for stakeholders and protection of private information.