Data Privacy Day: Are you in control of your information?

Posted by Vito Nozza on Jan 28, 2021 10:00:00 AM

As today is Data Privacy Day, it is only fitting that we discuss your data and the rights you have when sharing that information. How many of you have used Google? Apple? Facebook? Amazon? Within the last day? Did you know what you were agreeing to when you quickly scrolled down to tick the “accept terms of service” box? How about when you accept the numerous cookies that pop up on seemingly every website you visit? Do you know what these “accept” actions have given companies permission to do?

Let’s go back to before the Internet age—actually, we don’t need to go that far back. How about 15 years ago. Before you accepted terms online, those terms were on paper and you needed to sign them to signify that you understood what your personal information was being used for. Many of us (if not all) have walked into an Urgent Care Center, visited our doctor, and opened up a checking account. All those forms (if you actually read them) included the rights of the entity collecting the data and what could be done with it. Was it going to be used for marketing purposes? Research purposes? Perhaps a third party required them to provide business analytics to said company or others in the same industry.

If you were a customer of some of the five worst offenders in data governance due diligence, here’s what happened after you signed those forms: your information was shared without your knowledge. Companies ended up being breached and apologizing for the “inconvenience,” on the reasoning that “we’re sorry” would be a lot less costly than creating a proper Data Privacy program within the company. These offenders included:

  • Yahoo, who was scanning your email only to pass it over to the NSA. But you agreed to that, right?

  • Vizio, who never informed you—or even received permission—to monitor your watching habits or viewing preferences.

  • One of the best examples, and a little different from the usual pattern, was when Ashley Madison (a “discreet” adultery site) was breached and its clients’ information was released to the public due to the company’s complacent data privacy practices.

  • CVS didn’t help HIPAA matters either, when they delivered medication to the wrong house in the neighborhood by not performing proper data or material handling, or having an accredited logistics company take charge of those deliveries.

  • Facebook, who allowed subscriber data to be sold to a political consulting firm, Cambridge Analytica, without user consent. The data was to be used for “academic research.”

So, what can you do about all this, you may be asking? You really can’t do much (unless you are prepared to say “no” to a lot of things we take for granted today) without truly understanding the contract you are signing. However, rest assured you are not fighting this alone.

Privacy Acts have been around since the beginning of the “personal information collection” era. The Privacy Act of 1974, a United States federal law, establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. The pressure to increase Governance and Due Diligence within companies increased with the GDPR (General Data Protection Regulation) act, formed in the European Union. It then elevated the penalties and fines when the CCPA (California Consumer Protection Act)—the first of its kind in the US—was released in January of 2020. These acts, and many others to follow, have put more pressure on companies to act ethically about the data that they collect, share, and destroy, as per agreed upon actions. Companies are now taking note, as fear is a great motivator.
 
Now, you may be thinking: I can’t do much about this, but what are companies doing? Well, let’s understand the three actors that are involved in Data Privacy. We have the following:

  • A Data Subject is the individual whose personal information is being processed. That would be you.

  • A Data Controller, on the other hand, is the organization (but it may also be an individual) that decides how personal information is being utilized and processed. The organization that is the data controller is typically subject to the heaviest amount of regulation by privacy and data security laws.

  • The Data Processor refers to any organization or person that processes data on behalf of a data controller. This could be a supply chain partner or a third-party cloud provider.

For example, a healthcare organization will collect data that pertains to you (the Subject) and house it securely, with proper data access controls. The healthcare entity, also known as the Data Controller, might decide that it wants to provide proper availability and create a plan that includes housing data backups in the cloud. The cloud provider is now the Data Processor, and it is not allowed to do anything with the data that is not permitted by the Controller. Ensure that the third-party Data Processor meets, at minimum, your security risk tolerances in the form of what you deem “acceptable risk.”

Of the Fair Information Practices set forth, the Accountability Principle is the most important. Data Controllers are the party responsible for any and all data that they handle. Having a proper Data Privacy Program to assess, protect, sustain, and respond to breaches is key to ensuring that client data stays private and fines are minimized, keeping the company’s financials intact.

At ConvergeOne, we have Privacy Specialists who have created and provided lifecycle services around a Data Privacy Program. We can assist in determining the right path for your company’s Data Handling practices and also extend that program to your third-party vendors.

In closing, on this Data Privacy Day, let’s be a little more vigilant in who we allow access to our data, and, as companies, exercise due diligence when it comes to data privacy for our clients. After all, we all want our privacy protected, don’t we?


Vito Nozza is the Principal Consultant, Cyber Security Lifecycle Consulting in ConvergeOne’s National Cyber Security Practice. His career spans 20+ years in Enterprise Architecture, with 15 years specific to Cyber Security. He has held roles as a CTO, Director, Principal Architect and Global Security Advisor, which have all led to establishing guidance and consultative measures for SME and Enterprise-grade entities. Vito has been instrumental in establishing cloud security, guided frameworks and disaster/incident response plans, with overall GRC and ERM goals.