Data Privacy and Cybersecurity: What You Need to Know

Featured article by Laura Edwards, Head of Content at Data Protection World Forum (DPWF)

Concerns about data privacy and cybersecurity are rising daily among businesses worldwide, and with good reason. Consider these facts:

– According to a study by the University of Maryland, there is a hacker attack every 39 seconds on average, affecting one in three Americans annually.

– Last year, hackers stole half a billion personal records – an increase of 126% over the previous year.

– Two out of three companies have experienced web-based attacks, while 43% of cyberattacks have targeted small business.

– The average cost of a data breach is expected to exceed $150 million in 2020, while data compiled by Juniper Research suggests that cybercrime will cost business more than $2 trillion this year alone.

If those numbers aren’t enough to keep business leaders awake at night, then perhaps the toll those cyberattacks have taken on CEOs will grab their attention. Equifax’s CEO Richard Smith, retired abruptly following a data breach, and Target’s Chairman, President, and CEO, resigned in the wake of a 2013 data breach.

Fines and other penalties for data breaches, meanwhile, have cost companies such as Marriott $123 million and British Airways a record $230 million. Uber has been fined in the United States, the UK, France, the Netherlands, and Colombia.

Governments around the world have responded to cyberattacks by enacting regulations to govern data protection and privacy for their citizens. The EU, for example, passed the General Data Protection Regulation (GDPR) in 2016, giving citizens throughout the EU control over their personal data and simplifying the regulatory environment for international companies doing business there. Similarly, Brazil will enact its new General Data Protection Law in mid-2020.

While the U.S. has yet to pass a federal privacy law, individual states are already following California, which will enact the California Consumer Privacy Act (CCPA) in January 2020.

The CCPA applies to any business which does business in California (including companies which don’t have a physical presence in the state) and has annual gross revenues in excess of $25 million, possesses personal information from 50,000 or more consumers, households, or devices, or earns more than half of its annual revenue from selling personal information.

Businesses meeting these criteria will be required to implement and maintain reasonable security procedures to protect consumer data, including a “Do Not Sell My Personal Information” link on the company home page and designated methods for submitting data access requests. If a business fails to comply, it will face numerous sanctions, including fines of up to $7,500 for each intentional violation and statutory damages of up to $750 per California resident and incident.

From fines and regulatory actions to more intangible assets, such as brand reputation and public trust, business leaders clearly have a lot to consider should a data breach occur. And that doesn’t even get into private litigation and class action lawsuits which such breaches are likely to attract. With that in mind, what steps should companies take to make sure they don’t wind up in the headlines or, perhaps even worse, in court?

Certainly, there are a number of basic steps each business should be taking at this point to protect against cyberattacks. Beyond the obvious, though, companies need to ensure that

a culture of privacy runs throughout their organization. To do that, there must be a consistent focus on awareness, education and engagement among employees. If they are not made a part of the solution, they could be unintentionally contributing to the problem.

As part of that effort, it is essential for businesses to break down any organizational silos that still exist so that privacy (data protection) and security teams are working closely together. For some reason, this continues to be a problem that plagues numerous companies, despite the fact that it makes perfect sense for these two functions to be in synch with each other.

From a practical perspective, business leadership needs to understand where their data is held, and to make certain that data security remains a top-tier, board-level priority. Similarly, companies must be sure that an incident response plan is in place, along with back-up procedures that can minimize downtime.

Finally, businesses must recognize that compliance is a journey, not a destination. With that in mind, leadership should take on the role of privacy evangelist. Talk about it constantly. Make it a part of the company DNA so that it becomes second nature to everyone on the team.

Responsible business leaders need to respond to the regulations, fines, and potential for a loss of public trust by taking a proactive approach to privacy and security. Rather than viewing all that is now occurring as the cost of doing business, it is advisable to look instead at the importance of instituting a companywide culture of data privacy, security, and ethics – all of which can add to the value of the overall business.

Laura Edwards is the Head of Content of Data Protection World Forum (DPWF). DPWF will hold its inaugural U.S. PrivSec Conference in New York on November 5-6. The PrivSec Conference Series, which features a comprehensive program designed to help organizations navigate the rapidly growing maze of data protection and cybersecurity requirements in the U.S. and worldwide, will be coming to other cities throughout the U.S. in 2020. For more information, visit https://www.dataprotectionworldforum.com/