In late September, representatives from the biggest tech companies testified before the Senate Committee on Commerce, Science, and Transportation. At almost the same time, Facebook announced that a massive data breach had affected almost 50 million users. This odd fluke of timing illustrates the perilous nature of data protection right now.
Because of data breaches at Facebook and countless other leading companies, consumers are understandably wary about how much of their personal data is being tracked and stored. These fears were stoked after the Cambridge Analytica scandal, as it became clear that personal data was being used for far more than just targeted advertising. Better protections are something that consumers are beginning to prioritize and demand, but until just recently, big tech has controlled the conversation.
The aforementioned Senate hearing was just the most recent time that companies like Google and Microsoft have had to appear before Congress. Thus far legislators have taken a hands-off approach to data protection, but that position is quickly changing. As more of life has shifted online, the issues of data privacy and protection have become critical to the public good. Congress is beginning to treat them as such.
Additionally, Apple came out in favor of federal data regulations. The company supports giving users the right to control what information is stored, who it is shared with, and why. Considering that consumers, Congress, and now big tech are all in favor of stricter protections, companies need to begin preparing for a cybersecurity and regulatory future that looks drastically different from today. Luckily, an example already exists.
Following in the EU’s Footsteps
The General Data Protection Regulation went into effect throughout the European Union last spring and represented the first major push for data legislation. GDPR lets each member country devise its own specific data protection rules, but they all share the same objective: giving users transparent control over their own data.
The GDPR rules affect any company that has consumers or does business in Europe, meaning lots of American companies are forced to comply. Some companies are even considering voluntary adoption of these rules — at least in part — to prepare for impending data regulations that are likely coming to America.
California recently passed AB 375, the California Consumer Privacy Act of 2018, which gives consumers far more control over their data. Other state regulations (along with federal legislation) will likely also come down the pike, suggesting that compliance will be a complex issue for any business, regardless of footprint.
It will also be consequential. GDPR and other existing rules levy fines based on the size and severity of the breach. Companies are penalized for every record that is compromised, meaning that large-scale breaches can cost millions or even billions of dollars.
There is no clear timeline for when nationwide regulations will take effect in the U.S., nor what form they will take. What is clear, however, is that companies choosing to prepare now will be ahead of their competition in enhancing their cybersecurity.
Preparing for an Uncertain Future
Companies don’t have to wait for new laws to hit the books to begin planning for compliance. They also don’t need to recruit an army of lawyers. Instead, follow these strategies to prepare for whatever happens next at the local, state, national, or international levels:
1. Follow core principles. Rather than trying to align your policies with future regulations, commit to some core principles such as consent, anonymization, and encryption. Making these your ongoing priorities will keep you on the right side of the law more often than not.
2. Evolve your culture. New rules could be right around the corner, and getting prepared takes time. In addition to new policies and protections, companies will need to cultivate an updated culture that respects data and gives preference to privacy. Making those changes meaningfully will not happen quickly or easily, which is why companies should get started sooner rather than later.
3. Treat all data as equal. Stop thinking about data as valuable/invaluable or secure/insecure. GDPR and other rules treat all data breaches equally, no matter what kind of data is compromised. That means rather than securing select information channels and databases, companies will need to take broader approaches to data classification.
4. Practice good governance. A systematic approach is important for preventing breaches, but it’s just as important after a breach. Data rules commonly require companies to disclose a breach within days after it occurs. The only way to prepare for the technical, logistical, and reputational fallout on such a short timeline is to have policies and plans in place.
5. Seek the opportunities. Compliance is an obligation and an opportunity. Companies that make every effort to keep data safe tend to strengthen their customers’ confidence. Treating data protection as an investment, rather than a burden, makes it easier to get compliant and stay compliant.
We are quickly reaching a tipping point at which lax data security is unacceptable for everyone. Now that nearly every stakeholder is on board, sweeping change is likely around the corner. Anyone with data at stake should read the writing on the wall and make data protection their next big initiative.