The Privacy Rights Clearinghouse reports that over 212 million records had been breached in 2018 by April of that year. This is a clear indicator that both privacy and information security are failing at protection through traditional practices. With over 109 reported breaches impacting every possible industry sector, the adage "it is when, not if, your firm will be breached" becomes increasingly poignant. So the question remains: how can privacy and information security work together to stop the damage of these breached records? Perhaps the answer is no longer about stopping the breach, but rather about working with our customers to address their concerns.
Fatemeh Khatibloo, in the article "Marketers, Here's How Your Customers Feel About Privacy" on Forbes.com (https://www.forbes.com/sites/forrester/2016/12/16/marketers-heres-how-your-customers-feel-about-privacy/#4625b79318e4), discussed how consumers across generations were all concerned about their privacy and personal identity, but beyond that were concerned about how the businesses they worked with treated them and their data. This raises the question of whether we are addressing the customers' true concerns around their data. Contrast two laws aimed at data privacy: GDPR and HIPAA. These laws, while written for different populations, were both aimed at addressing consumer concern over data privacy. GDPR places extensive regulations on an organization with the intent of putting control over the data into the hands of the consumer. HIPAA places extensive regulations on an organization with the intent of providing safeguards around how firms handle the data. In either case, are the needs of the consumer addressed if the data is breached? In either case, are the regulations and safeguards reasonable and achievable in a way that delivers truly improved security for the consumer across the average business, without undue hardship for the business?
As we look at these two regulatory statutes, both have extensive information security requirements and both have extensive privacy requirements. Neither one contains a statement about the obligation to meet consumer expectations or about "doing what is right".
In 2018, an online health and fitness company had a breach of their customers' usernames, email addresses and hashed versions of the respective passwords. The scope of this breach, in terms of the type of data exposed, is limited in that the passwords were hashed and no directly sensitive data, such as payment card data or health information, was exposed. Consumers are likely to look at the actions taken by this firm and judge them not on the exposure but on their response, which was extensive and appropriate. This company exemplified the responsibilities of information security and privacy in their response to this event. They leveraged their security team to identify and contain the event, and to help their customers regain a sense of control and privacy as they were notified of the event and of the actions they could take.
This response supports the expectations illustrated by a poll conducted by RSA in 2017 (https://www.rsa.com/en-us/blog/2017-05/2017-consumer-cybersecurity-confidence-index). RSA surveyed 2,100 consumers on their interest in controlling how their personal data was secured. Over 90% of the respondents agreed on two points: they wanted visible reassurance that their data was secure, and they wanted to be involved in the security of their data. The following infographic from RSA illustrates the results of their survey (https://www.rsa.com/content/dam/pdfs/5-2017/RSA-consumercybersecurity-infographic.pdf).
In 2016 the security firm Gemalto produced a report on security and consumer loyalty (http://www6.gemalto.com/l/51442/2017-01-10/84bqhl/51442/141507/global_research_customer_loyalty_report_2017.pdf). This report showed that the majority of consumers believe it is the responsibility of a company to protect consumers' data. Yet most of the respondents to the Gemalto survey felt that few firms were doing an adequate job of securing consumer data.
Despite these clear findings, many privacy and information security professionals fail to see the importance of securing to the customer's expectation and "doing what is right". Scot Finnie, in his article "Corporate Executives, Customers at Odds on cybersecurity" (https://securityboulevard.com/2017/11/corporate-consumer-views-diverge-securing-customer-data/), discusses results from a Ponemon Institute report in which only about half of the IT/security professionals polled felt it was their company's obligation to secure personal information. Additionally, he reports that approximately 45% of IT/security professionals believe that corporate executives do not understand the importance of protecting the company brand or reputation.
This stark contrast between consumers' confidence and expectations around the security of their data and the service actually being provided by the companies entrusted with that data is a clear indicator that the information security and privacy industry must re-evaluate how it approaches its responsibility for data protection. It is clear we are not meeting the needs of the consumer. What service are we providing to our corporate leadership if we are not helping them understand the demands of their customer base? Our job, as security and privacy professionals, is not to secure the data. It is not to implement regulations, compliance standards or cool security technology. Our job is to help the leadership of our respective firms better understand the risks facing our corporate brand and the potential impact of those risks. Among those risks is the loss of consumer trust and confidence. As privacy and security practitioners, we are obligated to help our leadership understand the impact of losing consumer confidence and trust in how our respective firms manage customer data.