Data and the Expectation of Privacy
As the capacity of technology is rapidly advancing, it is easy to get caught up in the allure of the possible. Technology, and especially the emergence of cloud computing, opens many new worlds of possibility and opportunity. With all of this capacity, it is imperative that we ask the question, “just because we can, does that mean we should?”
Here are just a few examples of some amazing capacities that we have with technology and data:
- A while back, it was discovered that Target was able to determine a woman’s expected due date, with startling accuracy, based on buying habits. This was discovered when they realized that a young woman was pregnant and they sent her a packet of coupons. The reason this became a big deal was because she was 16, her dad found the coupons and he didn’t know she was pregnant.
- Retailers, often, provide WiFi to shoppers. This is not an altruistic offering, however. They are working to combat a practice called showrooming where you look at a product in a store then go online to shop for it. Various retailers have taken various approaches such as:
- Redirecting you to their website when you try to go to competitor sites
- Capturing your cell phone and/or e-mail address and conveniently sending you a coupon for the thing you just looked up at a price slightly better than you just found on a competitor’s site.
- I was recently listening to a talk from the CIO of the stadium for a sports team and he was talking about how they are providing WiFi for season ticket holders in their facility. When members connect, they log in and the IT department is able to triangulate the person’s position through their facility. They are able to tie this to the demographic data that they know about you (Remember, you logged in) to see how different people, from different demographics, travel through their facility. This allows them to position items targeted at one demographic in the places that demographic tends to travel while placing other items, targeted at other demographics, in other locations.
I point this out because I believe it is imperative to know that data is a critical cyber currency that is analyzed, traded and monetized. Especially when you are using “free” services, the reality is that data about you, your usage, etc. is the fee. The provider uses that data to be able to more accurately market to you, route you to specific content and much more. While this is especially true with free services, this is still true with many paid services. One of the reasons that many of the cloud offerings out there are so affordable is because there is a secondary revenue stream for the provider in the analysis of your data.
With all of this data collection people and the government, are starting to look more critically at security, your right to expect privacy and who is obligated to what. Back in 2016, the European Union passed a regulation titled “General Data Protection Regulation” (GDPR) that tries to target this topic. It starts with a basic premise that the right to expect privacy is a basic human right and businesses that collect personal information about you must protect your data accordingly. They are enacting fines that total anywhere from 2 – 4% of a business’s global revenue if they have a breach. One example was that Tesco Bank, a UK bank, had a breach in early November 2016. 25 million pounds were stolen from 9,000 accounts. If GDPR had been in effect at that time, the estimates are that Tesco would have faced $2.65 Billion in fines. These regulations go into effect in May of 2018 and businesses are scrambling to be prepared for it.
The GDPR standard goes on to say that, if you have a breach, you must provide notice no later than 72 hours after the breach is detected (Equifax waited 41 days to notify people of their breach) and that you must describe the nature of the breach, “including the number and categories of data subjects and personal data records affected”.
The US has not enacted anything nearly as stringent as the EU’s GDPR but there are things in the works in the US that are headed this direction as well.
On the personal side, this SHOULD help to increase the expectation of privacy around data that companies have about you.
On the business side, your obligation to take appropriate measures to secure data, protect it and notify if there is a breach is increasing. We are seeing that companies that took measures to follow industry best practices tend to have more protection, not only from a breach but in the case of a breach. One of the things we do with our clients is to regularly audit their networks and perform security testing so we can be sure that what we think is working is actually working.
If you are interested in talking more to see how we might be able to help you with this and other IT needs, please click HERE to contact us.