How Businesses and Individuals Are Responsible For Securing Personal Data
This is more than just bad passwords. Data security is as all-encompassing as the “Internet of Things,” a phenomenon that makes it harder for you to unplug from the internet. Yet, your data is not as secure as you would hope. Recent cybersecurity trends and legal developments will guide your understanding of what you should be doing with electronic customer data.
In addition to collecting payment information, passwords, and profiles to conduct business online, businesses collect more nuanced information like demographics, preferences, and browsing history, according to the Electronic Frontier Foundation, a digital privacy rights advocacy group. This data can give businesses powerful insights into their customers’ behaviors and preferences.
With power, however, comes great responsibility. Because businesses collect data, they also maintain it. State laws and federal agencies compel businesses to maintain data securely, creating new organizational obligations and risks.
Protect What You Collect
Recent developments in California, the home of Silicon Valley, illustrate the increasing legal and technical obligations of businesses that plug in.
For years, California Civil Code section 1798.81.5 has required businesses to “maintain reasonable security procedures and practices” to protect “personal information” from “unauthorized access, destruction, use, modification, or disclosure.”
Last year, the California Legislature expanded this definition of “personal information” to include medical information and email addresses in combination with a password, or a set of security questions that allow access to your password. Expanding the definition puts more pressure on businesses to secure private information. If a business does not respond to that pressure with action, such as an assessment, the threat of litigation against it naturally increases.
The law reflects how users actually behave, not how businesses might wish they did. Though experts, like the National Cyber Security Alliance, recommend that users change passwords regularly and use different passwords, most users don’t. What California’s law suggests is that businesses can’t simply do the minimum; they must develop safeguards that protect even users who may not follow best practices.
In the Absence of Federal Laws, States Pick Up the Burden
Almost all states have data security laws. While the federal landscape is fairly sparse in civil privacy protection, the Federal Trade Commission has had fair success in prosecuting data security cases under the auspices of Section 5 of the FTC Act. However, until new federal laws go gangbusters, state-based and common law legal theories drive litigation.
For example, this past year saw LinkedIn and Target settle class actions for alleged breaches of consumer data. These cases were successful, at least initially, in alleging LinkedIn and Target’s data security protocols violated state law. Recent litigation suggests that even in the absence of federal legislation, companies could be held liable for failing to reasonably maintain data security standards.
According to Inside Counsel, experts project that data security lawsuits will increase in 2016: “We are now seeing litigation aimed not just at faulty security protocols that may have allowed a breach to occur in the first place, but also failure to immediately take action to remedy the breach.” Businesses must act quickly and smartly.
Because more private information is legally protected and legally enforced, businesses must make a plan to better maintain the security of private or consumer-related data. The plan should identify and address internal risks just as much as external risks.
For example, most data breaches are not initiated by hackers or “cyberattackers.” Instead, they are mainly the result of innocent human error, such as an employee falling prey to a phishing scheme. See LawRoom’s recent post, Why Data Security Is an HR Initiative. A business must leverage its resources to tackle external and internal risks to data security.
Today marks Data Privacy Day. What better way to ring in this day than encouraging awareness of data privacy and security? Sure, you don’t get roses or a day off, but you can gain valuable insight into how to secure your company, and your customers, from data hazards in the 21st Century.