Don't Just Rely on Data Privacy Laws to Protect Information

The following article was written by John Carbo, Director of Information Security at Abacus Group, and originally appeared on Security Magazine.

Data privacy laws are evolving to allow individuals the opportunity to understand the types of data that companies are collecting about them and to provide ways to access or delete the data. The goals of data privacy law are to give some control of the data back to the individual, and to provide a transparent view on the collecting and safeguarding of that data.

Prior to the GDPR and CCPA, it was difficult to understand what was being collected and how it was being used. Was the website selling your information to other companies? Who knows, but chances are they were. We’ve all heard the line: “If it’s free, then you’re the product.” Also, paying for a service is no guarantee that your information is not being sold. Data privacy laws attempt to address these problems by requiring companies to obtain affirmative consent from individuals, explain what is being collected and define the purpose for its use.

This all sounds great and is a step in the right direction, but there are a lot of challenges for both individuals and companies. Various polls put the number of password protected accounts per person anywhere from 25 to 90. It would take a very concerned person to understand and track their personal information across these accounts. Companies need to understand the various data privacy laws that apply and develop internal frameworks to comply and protect the data. Even if both parties are playing fair, this is a difficult challenge.

For US-based companies, here is a non-exhaustive list of data privacy regulations that may apply:

• US Privacy Act of 1974 – Applies to government agencies but provides a good foundation for companies to follow.
• HIPAA (Health Insurance Portability and Accountability Act) – Created to protect health information.
• COPPA (Children’s Online Privacy Protection Rule) – Created to protect information on children under 13.
• GLBA (The Gramm-Leach-Bliley Act) – Requires financial institutions to document what information is shared and how it is protected.
• CCPA (California Consumer Privacy Act) – In effect January 2020 to protect information of California citizens.
• GDPR (General Data Protection Regulation) – An EU law that has global reach.
• State laws – Each state may have their own privacy laws with slight variations.

On top of that, the data privacy laws can be interpreted in different ways, overlap each other and contradict each other. Like security frameworks and controls, privacy laws should be viewed as the minimum baseline to protect personal data. Individuals and companies should take a commonsense approach to data protection to fill the gaps that exist in data privacy laws. They should understand what data is being collected, what is its purpose and if it is necessary to have at all. The best way to protect data is to not have it at all. If it does not exist, then it cannot be lost. This will provide focus to the residual data and what needs to be done to safeguard it.

Here are some best practices on what firms as well as individuals can do to safeguard privacy.

• If you collect it, protect it. Follow reasonable security measures to keep individuals’ personal information safe from inappropriate and unauthorized access. Reduce the amount of data collected to only what is needed to provide the service. Use role-based access control (RBAC) to limit access to the data. Always encrypt the data at rest and in transit. Create a robust backup strategy and test it to ensure the integrity and availability of the data.
• Be open and honest about how you collect, use and share personal information. Think about how the individuals may expect their data to be used, and design settings to protect their information by default. Simply explain what is being collected in an understandable way and why it is needed. Allow individuals to Opt In to providing information and view what is currently stored about them.
• Build trust by doing what you say you will do. Communicate clearly and concisely to the public what privacy means to your organization and the steps you take to achieve and maintain privacy. This should be done with a public privacy policy that is easy to access and understand. The policy should be kept up to date as privacy laws and internal procedures evolve.
• Personal info is like money: Value it. Protect it. Information about you, such as your purchase history or location, has value. Be thoughtful about who gets that information and how it’s collected through apps and websites. You should delete unused apps, keep others current and review app permissions. Think about what websites or apps are requesting and if it makes sense for using the service. This is the famous “why does the flashlight app need access to my location?” Keep in mind that sites and services might share information. Piecing together information from various sources can give an accurate profile of individuals.
• Share with care. Think before posting about yourself and others online. Consider what it reveals, who might see it and how it could be perceived now and in the future. Information shared about yourself is a great resource for social engineering attacks.
• Own your online presence. Set the privacy and security settings on websites and apps to your comfort level for information sharing. Each device, application, or browser you use will have different features to limit how and with whom you share information. Always start with the most restrictive settings and slowly lessen the restrictions as needed. The goal is to find a setting that is restrictive but usable.