Individuals, corporations, and the government all have a role to place. In the US, during the first six months of 2018, 291 records were stolen or exposed every second.
And that’s just the first half of the year. The data breach tsunami included mega breaches such as Facebook and Marriott.
These data breaches are instructive. Both resulted in exposing millions of records containing private information, but there are significant differences between them.
Hackers stole data of 500 million Marriott customers — including names, credit card numbers, mailing addresses, and passport numbers.
Facebook is a different story. Facebook sold personal data from 50 million accounts to a third party. This is a standard practice of many online entities, especially in social media. Let’s not go into the user agreements we supposedly read. No one does. And mobile apps that you want to use are going to require access to your phone’s data if you want to use them. Do you? Probably. So just assume your data will be mined or sold or shared and act accordingly.
Social media exists as a way to extract valuable data from you
Their only business model is to monetize your data. This is the ugly truth. Facebook continues to respond to a cascade of privacy scandals and continues to announce initiatives, as Mark Zuckerberg did again on March 6. MENTIS remains skeptical about the efficacy of self-regulating by social media companies, since — let’s say it again — their primary business model is to monetize your data.
So, we have two scenarios, and the difference is this: who can make a difference and what can they do? And this is where the individual, the corporation, and the government can all contribute to slow down data loss.
Social media is optional, and the lesson learned is that users should SHARE LESS. About everything. This is a vastly different situation from most corporate breaches because the one person who has control over the data going out into the wild and crazy world of the internet is the user. This is one place where you have control over what you share and what you don’t, and it’s time you exercise that. No, it’s not necessarily wrong to trade service for something valuable, but yes, social media should be upfront about that fact, and most definitely yes, you the user should be wary about what and how much you share. And again yes, we should have government regulations to establish stringent minimum standards for security, but that is down the line if it ever happens and if it can be enforced. But the bottom line is that for stopping data leakage, at least in this part of the online world, the individual user has ultimate control.
Corporate data breaches are a different animal
Most of us, especially outside Europe, have little control over our data in corporate systems. We have no idea who has our data and how long they’ve had it. From your local pharmacy to the department store where you bought a scarf for your mother in 2004 . . . your very valuable data is in systems that someone else manages. Your role is to exercise vigilance in the choices you make about sharing your information, to change passwords, and follow the rules of good data hygiene. And if you are a shareholder, you have additional leverage in pressuring for investment in security — after all, a data breach affects your share value significantly.
But the onus is on the companies who manage your data
Statistics show that a staggering 41% of the breaches are not sophisticated attacks through unknown backdoors but are inside threats. The most obvious case is Edward Snowden, a trusted insider who systematically stole from the U.S. National Security Agency. His access to sensitive data called into question a number of laxities on the part of the NSA including the fact that the NSA did not have a list of users who had access to such data. But the overall issue at NSA was lax and ineffective INTERNAL security across the board, which brings us back to Marriott. In 2015, the hotel chain Starwood announced that it had been exposed to a small breach, just four days after being acquired by Marriott. We have to wonder whether or not Marriott had been able to do a proper audit of Starwood security — an opportunity to gain some intelligence that might have prevented or minimized the later massive Marriott breach. Organizations should be serious about insider threats with a well-formulated and layered security strategy that includes knowing where the data is and who has access to it, anonymization of sensitive data in the systems, and buttress that with restrictive data permissions for devices and users that are authorized and authenticated. In addition, organizations should deploy their best solution: their employees. Employees at every level, from the top down, can be the best deterrent to data loss. They should be aware of each of their roles in protecting data and be trained for their position and responsibility.
Does government have a role to play?
Absolutely. The mishandling of data by Facebook triggered the US government dig into the issue of the vast reserves of personal data present in the social network, although it has been public and congressional pressure, not regulation, that has resulted in Facebook’s various attempts to improve. On the regulatory side, however, the European Union’s GDPR legislation, has some teeth in it. The GDPR gives EU consumers more control over their data, on how it is collected, and on how it is used. Acts like the GDPR require minimum levels of protection from internet providers, data analysts, and anyone who makes a living off data — even countries OUTSIDE the GDPR who touch EU citizens’ data. The government must play the role of giving citizens the power to own their data and decide who should have access to it.
It takes a village
Individuals have more power than they know. Individuals who are shareholders have even more. Public and shareholder pressure on companies like Facebook and Amazon demonstrably work and individuals should keep it up. The power of the purse is the pressure individuals can exert on those they do business with to ensure they understand that aggressive data protection is a competitive advantage. Any entity with your data must be honest and upfront about data retention, data mining, and sales of data. And governments should level the playing field, enabling individuals to stand up to organizations and control their own data.
The bottom line is — you can do a lot. But if you want to be empowered to own your data, you must be vigilant and stay digitally literate.