Personal data protection means we all need to step up
Why we need to make “Your personal information is very important to us!” actually mean something.
Anyone who has ever called a service or support line has heard a lovely voice reassuring them that “your call is important to us!” The irony, of course, is that it rings a bit hollow as the minutes tick by while you wait on hold for help.
As we learn about yet another data breach, could we now add a line that says “your personal information is important to us”?
Is our personal information really important to the multitude of organizations we interact with online every day? It certainly doesn’t feel that way when we read about yet another data breach, whether at a government department or at the retailers and services we trust.
As it stands, I just assume anyone can find out what sort of games I used to play on my Sony PlayStation, what my cholesterol level is, which hotels I have stayed in, and who knows what else.
While I appreciate the years of free credit monitoring these various breaches have afforded me, it is frustrating that it keeps happening.
When the Canadian Privacy Commissioner’s report finds “strong indications of systemic under-reporting” and simply states that “The department blames the breaches on misdirected mail, security incidents and employee misconduct” I shake my head.
Surely these people know there are multiple tools and practices available to prevent those things?
So why does this keep happening?
Let’s break down that last line about “…misdirected mail, security incidents and employee misconduct.”
Misdirected mail
In this scenario, people simply make a one-click mistake that unfortunately can be very costly.
It’s often something as simple as sending an Excel file to a co-worker… or at least you thought you did. Instead, you accepted the wrong autocomplete suggestion in Outlook and sent a sensitive customer list to an external contact from your address book.
You now have a breach you need to report.
Security incidents
“Security incident” is a broad term that covers all manner of situations.
Let’s say it’s about stolen credentials. Someone at the organization might have been fooled by a phishing email, or perhaps they use the same password at work as they do for another service that has been breached.
Either way, a bad actor captured the employee’s credentials, making it easy for the attacker to sign in as that employee and extract further information to use or sell. With a second factor on the login, or a check of new passwords against known-breached lists, that reused password would not have been enough on its own.
Once discovered, you now have a breach you need to report.
Employee misconduct
This one sounds bad, but in an end user’s defence, these aren’t always malicious.
I once spoke to a CISO at a large bank who felt quite gutted about having to terminate a very bright co-op student after an incident of misconduct. The co-op student was working on a particularly difficult problem and decided to share a spreadsheet with his study group at school to crowdsource a mathematical solution to the challenge. In doing so, the co-op student was able to solve the difficult problem, but he also – unintentionally – exposed a multitude of account holder details which were on another tab in the file.
This is a perfect example of a scenario that could easily have been avoided: an outbound data protection control would have flagged the account-holder tab before the file left the bank, and the student could have been taught why the share was a problem instead of being fired. It could have been a win-win instead of a serious data breach and a very unfortunate end for the co-op student.
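As an added example (not code from the original article), here is a minimal outbound-mail check of the kind those data protection tools perform, covering both the Outlook autocomplete slip above and this spreadsheet share. The workbook is modelled as a dict of tab name to rows; the internal domain example-bank.test, the sample rows and the policy itself (Luhn-validated card numbers and Canadian SINs going to an external address) are all assumptions made for the example. The point it shows is that the check scans every tab in the file, not just the one the sender was looking at.

```python
"""Added example, not the article's own code: outbound-attachment DLP check."""
import re
from dataclasses import dataclass, field

# Assumption: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example-bank.test"}

# 13-19 digits, optionally separated by spaces or dashes (payment cards).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Canadian SIN written as 3-3-3 digits (SINs are also Luhn-checked).
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out digit runs such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def external_recipients(recipients, internal=INTERNAL_DOMAINS):
    """Addresses whose domain is not one of ours."""
    return [a for a in recipients
            if a.rsplit("@", 1)[-1].lower() not in internal]


def scan_workbook(workbook):
    """Return (tab, row_index, kind) for every hit, scanning *all* tabs.

    Cells are scanned one at a time so a card number next to a SIN is not
    swallowed into one long digit run.
    """
    findings = []
    for tab, rows in workbook.items():
        for r, row in enumerate(rows):
            for cell in row:
                text = str(cell)
                for m in CARD_RE.finditer(text):
                    if luhn_ok(re.sub(r"[ -]", "", m.group())):
                        findings.append((tab, r, "card_number"))
                text = CARD_RE.sub(" ", text)   # mask cards before the SIN pass
                for m in SIN_RE.finditer(text):
                    if luhn_ok(re.sub(r"[ -]", "", m.group())):
                        findings.append((tab, r, "sin"))
    return findings


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def check_outbound(sender, recipients, workbook):
    """Block when sensitive values are in the file AND a recipient is external."""
    ext = external_recipients(recipients)
    findings = scan_workbook(workbook)
    if ext and findings:
        tabs = sorted({f[0] for f in findings})
        return Verdict(False, [
            f"{sender}: {len(findings)} sensitive value(s) in tab(s) {tabs} "
            f"addressed to external recipient(s) {ext}"])
    return Verdict(True)


# Constructed sample: the tab the student worked on, plus a second tab of
# account-holder details that travels with the file. The card and SIN values
# are the standard published test numbers, not real accounts.
SAMPLE_WORKBOOK = {
    "model": [["x", "y"], [1.5, 2.25], [3.0, 9.0]],
    "accounts": [
        ["name", "card", "sin"],
        ["A. Holder", "4111 1111 1111 1111", "046 454 286"],
        ["B. Holder", "5500 0000 0000 0004", "123 456 789"],  # SIN fails Luhn
    ],
}

if __name__ == "__main__":
    # The study-group share: internal sender, external list, whole workbook.
    print(check_outbound("coop@example-bank.test",
                         ["study-group@uni.test"], SAMPLE_WORKBOOK))
    # Same file to a colleague: allowed.
    print(check_outbound("coop@example-bank.test",
                         ["peer@example-bank.test"], SAMPLE_WORKBOOK))
```

The same `check_outbound` call covers the misdirected-mail case: the sender believed the recipient was internal, the control looks at the address actually chosen. A real deployment would read the workbook with openpyxl and add patterns for whatever data the organisation holds; the Luhn filter matters because bare digit regexes generate enough false positives that people switch the control off.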
So back to my original question. Is saying “your information is very important to us” the new lip service we are to simply accept?
So how will this change?
Governments are trying to effect change through new regulation, and while GDPR, CCPA and a few others are top-of-mind, we still hear about data breaches every week.
We don’t hesitate to hold the same organizations to account for warranties, guarantees, service level agreements and more – but how many of us ask these organizations what they are doing to protect our personal information?
It’s going to take a groundswell of consumers, citizens and online users to push meaningful change from the bottom up.
Once all of us start asking this question, front line employees will start demanding those answers from their management.
Organizations will likely only start to pay more attention to these issues when purchases are held up or memberships aren’t renewed.
We need to get to a point where a sincere statement of “your privacy/security/personal information is important to us” actually rings true.