The current digital ecosystem makes it virtually impossible for people to resist sharing their personal data with organizations. Shouldn’t there be a way for them to assess their risk each time they choose to share?
Even though they worry about online privacy, most people are just fine with handing over their personal data in exchange for better services. Whether it’s helpful suggestions in your Netflix queue or a news feed curated just for you each morning, it’s hard to resist the temptation of a personalized digital experience.
This trend won’t reverse itself. Equifax-like data breaches can happen repeatedly and privacy experts can ring the alarm all day long but people will still keep sharing their personal information online. How can we make it safe for them?
Why People Just Can’t Stop Forking Over Their Personal Data
Marketers know exactly how to tap into our innate desires to be fulfilled. Joining forces with app developers, they now know exactly how to coax us along a digital journey through brilliant techniques that play on our psychology, our culture, and our personal goals for a better life.
What they get in exchange — data — is the new currency of business. Current marketing ideology is based on the notion that the more you know about your customers (and your aspiring customers), the more you can work to please them by offering what they want when they want it.
With data, companies can also offer a better experience. That’s important since, in a global marketplace where competition is fierce and there’s always someone who can undercut on price, the new way to distinguish your product or service is by offering a better experience.
Skipping to the crux of the matter: Data = Profits.
Data is Money So Forget About Self-Policing
Just as it’s human nature to take risks (give away our personal data), it’s in the nature of businesses to chase profits. If profits are tied to the collection of personal data, it’s not reasonable to expect organizations to fully police themselves when it comes to data protection and privacy.
Data protection is similar to environmental protection. If you compare personal data to the environment, you’ll immediately see where this is going.
Governmental agencies are in place to protect environmental interests. Canada has Environment and Climate Change Canada (ECCC) and the U.S. has the Environmental Protection Agency (EPA). Without them, companies would still be dumping toxic waste into our lakes and rivers. They’d still be selling us harmful, unsafe products. The standards these agencies set are also used to audit and score organizations’ compliance with environmental laws.
Consumers similarly need protection for their data. As the wily ways of Facebook have demonstrated, we can’t count on organizations to keep our data safe. Even if they have good intentions, most companies fall short of being able to secure the data they collect and protect the privacy of those they do business with.
What’s needed is a way consumers can know whether to trust the organizations they choose to engage with.
But Whom Can You Trust?
Some companies are good stewards of personal data (or at least they try to be). But we all know there’s a wide spectrum out there. Ranging from GDPR-compliant organizations that rank high on the trust scale all the way down to the likes of Facebook, organizations are all over the place on security and privacy.
“It’s no longer just about understanding whether a company you’re going to do business with is credit-worthy, we need to understand what their security posture is”
-Jeffrey Wheatman, Gartner Research VP in Security & Privacy
Unfortunately, there’s no way of knowing the extent to which you can trust an organization to safely manage your data.
Shouldn’t there be a universally-mandated way for people to assess an entity before engaging with them? In the spirit of GDPR, this would give people the information they need to make good decisions about who gets to see their data.
There are Already Some Cyber Risk Ratings Available
Cybersecurity ratings are nothing new. There’s already a growing industry that’s maturing fast. The problem is, there are mainly just ad hoc solutions for niche segments of the population:
- Investors have Moody’s, who will soon start adding a cyber risk component to their credit-rating expertise.
- Insurance companies use paid cybersecurity rating services to underwrite cyber liability.
- Businesses have a range of paid options for determining ratings from a growing list of private companies such as RiskRecon, SecurityScorecard, AT&T, and others.
But where’s the individual in all this? None of these paid, enterprise solutions will do anyone much good when a private consumer is adding an airline app to their phone or creating an account with yet another online e-commerce website.
Standards are Needed and They Need to Have Teeth
The U.S. Chamber of Commerce can be applauded for making inroads toward fair and accurate security ratings that can be applied on a national level. But that’s all they are… inroads. At the moment, cooperation with those ratings is strictly voluntary.
We already know that standards don’t mean much to, for example, Mark Zuckerberg. Zucky seems to have difficulty with privacy compliance even in the face of clearly defined, legally enforceable data protection laws such as GDPR.
How hard do you think he’s laughing at the voluntary standards?
As Facebook’s reaction to EU-level data protection measures has shown us, even if protocols are in place and backed by law, those laws need to be clear and they need to have teeth.
To understand why, just look at what Google did when they had a data breach in their Google Plus product. The private data of half a million users was exposed, and they waited seven months before telling anyone about it.
GDPR dictates a 72-hour window for reporting a breach to those affected.
Left to their own devices to interpret the rules, Google execs decided they weren’t legally bound to make a report. The consequences? We’re still wondering. Teeth? Needed badly.
Where All This Leaves Us
So where does this leave us? Clearly, there’s a need for a universally accepted cybersecurity/privacy protection standard for all entities. That standard should be used to create a public rating system that is free and readily available to all citizens so they can make decisions about their private data on the fly. We have public health standards that allow for inspections of restaurants, the results of which are publicly available to anyone eating out. Why can’t we have the same level of protection for our private data, the true embodiment of our identities both online and in the real world?