Getting to know you

April 11, 2016
The state of data privacy in 2016 and what industry, government and consumers can do to help improve it

The relative anonymity that most consumers experienced just 10 to 15 years ago has all but disappeared.

Our personal photos are now documented on one social media site, our professional lives on another, and our 140-character thoughts on yet another. Our online information and preferences help fuel subscription services to deliver the movies, clothes and food that we want while also helping businesses offer more personalized and targeted services through loyalty programs.

This explosion of consumer data is creating new opportunities for businesses to understand, meet and even predict consumers’ needs. But it’s also creating new concerns around the privacy of consumers and their sensitive data.

Indeed, a recent Ponemon Institute privacy poll found that most consumers care about privacy and fall into one of two categories: privacy ‘sensitive’ and privacy ‘centric.’[1]

The majority of consumers (63 percent) are privacy sensitive. They believe privacy is important, but don’t take steps to protect their data because they believe the appropriate privacy guards are already in place. Privacy-centric consumers (14 percent) care enough about privacy that they will change their behaviors or even forego something that is important to them out of concern for their privacy.

Meanwhile, less than one-fourth of consumers fall into a third category: privacy ‘complacent.’ These consumers are generally indifferent to protecting their privacy and don’t care if their sensitive data is shared or sold.

The fact that most consumers care about privacy shouldn’t be surprising, given the amount of information they’re sharing online and storing on mobile devices, the growing prevalence of Internet of Things (IoT)-enabled devices collecting personal data, and the high-profile data breaches that have struck corporations and government institutions in recent years.

Regulations Fall Short

Despite the explosion of customer data that’s being collected, stored and shared, governments have struggled with how to best protect consumers’ privacy.

This was exemplified when the European Union Court of Justice recently struck down a safe-harbor agreement between the European Union and the U.S. that had allowed European companies to transfer personal data to the U.S. The court determined the agreement didn’t meet European objectives for protecting Europeans’ privacy rights.[2]

In the U.S., some laws have been in place for years to help protect consumers’ data privacy. This includes the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare industry and the Gramm-Leach-Bliley Act in the financial services industry. Also, nearly every state has passed a law requiring organizations to notify people if their personal information has been compromised in a data breach.[3]

However, this mix of different laws can be confusing for companies to follow and to ensure compliance with. Additionally, current privacy protection laws don’t apply to every industry, and breach-notification laws aren’t in place in every state.

An ideal alternative would be to harmonize all requirements under one federal organization, such as a chief privacy office within the U.S. Department of Commerce.

A privacy office could establish and enforce a single set of requirements to help ease compliance for industry, as well as apply privacy requirements across all industries to fill the gaps that exist today. It could also give consumers a form of redress if their information is inappropriately used against them, similar to how the Fair Credit Reporting Act allows consumers to dispute information in their credit report or if the information in the report has been used against them.

Beyond this, a federal office dedicated to privacy could fulfill a valuable secondary role of establishing and enforcing privacy guidelines within government agencies.

Industry’s Role

Protecting the privacy of consumer data may be law in some industries, but it’s also good practice in all industries. Companies that view privacy not as a compliance burden but as a corporate responsibility can use it as a strategic advantage to improve their reputation among customers, attract better employees and ultimately increase revenue.

So what can the industry do to improve privacy?

First, they need to create a data inventory for all data in their possession. This will help them understand what data is being collected, where it’s being stored and how it’s being protected.

They also need to establish a governance control process. This could fall under a single position, such as a chief privacy officer, or be shared across multiple positions. Regardless, an adequately funded governance process will help ensure that privacy policies are continually updated as well as monitored, followed and enforced among employees.

Data-privacy efforts should be strong and robust. More than encrypting data and requiring that employees use strong passwords to access data, companies should conduct an audit to understand where privacy vulnerabilities exist both in digital and physical form. For example, clean-desk policies should be in place and privacy filters should be used on every computer and mobile-device screen to help ward off potential visual hackers and insider threats.

Lastly, employee education is crucial. Almost everyone in an organization can access some degree of sensitive data, so training must be mandatory for all employees. Specialized training also should be provided for the employees who handle the company’s most sensitive and confidential information.

Consumer Responsibilities

While consumers have a right to expect that industry and governments will work hard to protect the privacy of their data, they also have an obligation to be mindful and protective of their data themselves.

Many people have been taught to be mindful of their surroundings when entering the PIN code at an ATM, but they don’t apply similar caution when using laptops or mobile devices to access sensitive financial, health or personal information in public places. Just being aware of potential onlookers is a good start, and using privacy filters to limit their view can be an even bigger step to helping protect data privacy.

Other steps that consumers should be taking include using strong, complex passwords for all log-ins, reading privacy policies before joining any websites or memberships, and avoiding the use of unsecured public Wi-Fi accounts.

While anonymity may be increasingly difficult in an interconnected world, taking steps to help protect data privacy can and should be expected. This requires a shared commitment by organizations, government, and employees – especially as we move into new phases of data sharing and security.

About the author

Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy and data protection practices. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework.

He is also the chairman of the Visual Privacy Advisory Council and receives compensation from 3M in connection with his participation on the Visual Privacy Advisory Council.

Attributions:

[1] Privacy and Security in a Connected Life: A Study of US, European and Japanese Consumers, Ponemon Institute, March 2015.

[2] The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid, Court of Justice of the European Union, Oct. 6, 2015.

[3] Security Breach Notification Laws, National Conference of State Legislatures, Jan. 4, 2016.