State of Privacy in 2018: Q&A With Richard Purcell

Jan. 28 marks the annual Data Privacy Day (DPD), which was adopted in North America to bring together businesses and private citizens in an effort to share strategies for protecting consumers’ private information. Richard Purcell, DPD advisory board member and CEO of the Corporate Privacy Group, spoke to Risk Management Monitor about the current state of privacy.

Risk Management Monitor: How do you view privacy?
Richard Purcell:
The concept of privacy is really complex and layered. I like to think of it as being grounded by two basic behaviors—respect and discretion. The idea of privacy is not the same as secrecy. Secrets are not shared and are kept hidden as unknown ideas or thoughts, whereas privacy is the act of sharing information, trusting that the recipient will not share it any further.

RMM: How has technology redefined privacy?
RP: Over the last several years, we’ve heard from individuals who believe that their privacy has been assailed. Upon examination, we might find some reasons that are relevant to our emerging technology use:

There are many instances in which people have lacked respect for their own information, sharing personal information with others and commercial interests without restraint. A simple review of Twitter, Facebook, Instagram, Flickr, Tumblr and other social media sites confirms this. Just as often, commercial players have shown a lack of respect for the personal information entrusted to them by individuals. Examples include banks that have used customer information to open accounts without providing notice or asking for consent. This is a distinct showing of disrespect for the information.

Information has become the basis for commercial activity, so using and sharing personal information is quickly becoming how companies make money—Facebook is a social media site, but makes more than 90% of its revenues by selling users’ data to advertisers—credit bureaus make their money solely by collecting financial info, not from people, but from other companies, in order to calculate risk and sell reports (for example, credit reporting has a long history regarding privacy through FICRA, FACTA, and OECD FIPs).

RMM: In 2000 you were named Microsoft’s first corporate privacy officer. How has the privacy landscape changed since then?
RP: Privacy and data protection are beginning to be better and more closely integrated into security practices. It’s taken a long time to get them better integrated. Security practices have strong levels of discipline without much of a human factor. Privacy practices have strong moral bases, which security is getting more in tune with, so they are sharing their traits in ways that are helpful. We are not there yet, though, because security is a binary condition. You either have the security practices or you don’t. Privacy is harder to define because practices are more behaviorally based. We still find privacy issues are driven by human failings, errors or miscalculations as opposed to technologies.

Privacy professionals have gained more of a voice and authority over time in their organizations. They are not just advisers anymore, saying ‘Watch out for this,’ or ‘We can’t do that.’ They have become people with decision-making authority, which is only increasing. The position analyzes conditions and bases those recommendations on risk profiles and the challenges they present. Companies are then free to choose whether they take the risk or mitigate it.

RMM: What developments will impact your work in 2018?
RP: Regulatory changes matter a lot and apply to industrial sectors in the United States. External regulations are much more broadly applicable.

EU GDPR. Any company doing business in the EU has to adjust its governance program to comply with the GDPR by late May 2018. That means taking a broader definition of personal data; documenting its data processing activities; strengthening its user consent provisions; developing support for data erasure, portability and rectification; enhancing oversight and data breach responsiveness; and generally paying more attention to data protection.

EU ePrivacy. Broadband providers in the U.S. may celebrate the FCC’s dropping of the net neutrality/privacy rules, but they still have to deal with the EU ePrivacy Directive.

Australia, Korea, Japan and even China are strengthening their data protection programs. China announced its displeasure with the practices of Ant Financial (an Alibaba affiliate), Baidu (search organization) and Jinri Toutiao (newsfeed organization) for lacking adequate policies and practices in collecting, using and sharing personal information. You know something important is happening when China begins enforcing stronger privacy regulations.

Annual Data Privacy Day to Focus on Safeguarding Data

Last year was certainly a turning point in the history of online privacy and cyber security. Between ransomware attacks, the Equifax breach and the Federal Communication Commission’s vote to repeal net neutrality regulations—just to name a few high-profile incidents in the United States—businesses and citizens have more reasons than ever to safeguard their information.

To address this important issue, the annual Data Privacy Day (DPD) will be held Jan. 28, with online and in-person events leading up to it that celebrate individual users’ rights to privacy and aim to prevent cyber theft and risk. DPD has been led by the National Cyber Security Alliance (NCSA) in the U.S. since 2011 and “highlights our ever-more connected lives and the critical roles consumers and businesses play in protecting personal information and online privacy,” said NCSA Executive Director Michael Kaiser.

DPD was created to commemorate the 1981 signing of Convention 108 by the Council of Europe and is observed by more than 47 countries. It was the first legally binding international treaty dealing with privacy and data protection and officially recognized privacy as a human right. NCSA also co-hosts National Cybersecurity Awareness Month and the Department of Homeland Security’s Stop.Think.Connect. campaign, which aims to increase the public’s understanding of cyber threats.

“Our personal information and our habits and interests fuel the next generation of technological advancement, like the Internet of Things, which will connect devices in our homes, schools and workplaces,” Kaiser said. “Consumers must learn how best to protect their information and businesses must ensure that they are transparent about the ways they handle and protect personal information.”

On Jan. 25, LinkedIn will live-stream an event from its San Francisco office exploring the theme of “Respecting Privacy, Safeguarding Data and Enabling Trust.” The broadcast will feature TED-style talks and panel discussions with experts focusing on the pressing issues that affect businesses and consumers. Additional DPD happenings include Twitter chats and networking gatherings to maintain a dialogue about the importance of privacy rights.

The relevance does not end on Jan. 29, noted Richard Purcell, DPD advisory board member and chief executive officer of Corporate Privacy Group. He has witnessed the event’s evolution and its impact on risk management and privacy professionals.

“The community of privacy professionals is not made up of private people. They want to share information,” noted Purcell, who was named Microsoft’s first corporate privacy officer in 2000. “They initiate a dialogue that the officers bring back to their companies. I have seen how it has stimulated events inside corporations and universities that were inspired by Data Privacy Day networking discussions. The professional development aspects of the day are profound.”

Newly released information from NCSA demonstrates how privacy is impacted in both personal and professional environments—from healthcare and retail to social media, home devices and parenting. Some statistics include:

  • In 2016, 2.2 billion data records were compromised and vulnerabilities were uncovered in internet of things products from leading brands.
  • 41% of Americans have been personally subjected to harassing behavior online and nearly one in five (18%) has been subjected to particularly severe forms of harassment online, such as physical threats, harassment over a sustained period, sexual harassment or stalking.
  • Nearly one-third of consumers do not know that many of the “free” online services they use are paid for via targeted advertising made possible by the tracking and collecting of their personal data.
  • About 78% of respondents to a recent survey of healthcare professionals said they have had either a malware and/or ransomware attack in the last 12 months.

Protecting Your Business from Cybercrime

Saturday, January 28, is Data Privacy Day, a day designed to promote awareness about privacy and education about best privacy practices. With that in mind, we decided to devote today’s and tomorrow’s posts to data privacy and how companies can achieve more secure, robust methods of dealing with the ever-present risk of cyber crime and data theft. Today’s post is by Tim Francis, business insurance management and professional liability and cyber insurance lead for Travelers.

IT departments play a pivotal role in identifying and mitigating exposures to cyber threats. However, there are risks that exist outside the company network. Businesses may be overlooking other points of vulnerability where a hacker can potentially attack, including but not limited to company cell phones, smart phones, tablets, laptops and other mobile devices. Every type of technology brings the potential for a cyber crime. Even if every employee is securing their personal and work technologies constantly, information can be compromised.

Institutions that understand the commitment necessary to create a robust anti-fraud program have a plan in place that involves numerous security options. This includes proper breach response planning, establishing information, and insurance protection. Corporate risk managers can be a valuable asset to their companies by becoming part of the planning process. They can also activate their professional networks and refer their companies to other advisers for additional guidance including lawyers, crisis communications specialists and other professionals.

Corporate risk managers should also advise their companies on the importance of employee engagement as part of a cyber risk management plan. When employees understand the potential impact on the company (possibly including their job security) they are likely to be more willing to take the necessary precautions to protect company information by following established protocols for information security. Employees should understand the costs associated with addressing a breach including having to install credit monitoring for hacking victims, liability expenses and potentially losing business and even deterring new business opportunities from prospective clients who get wind of security failures. Getting full buy-in and participation for mitigating cyber risk from the top down in an organization can make a significant impact on reducing cyber exposures.

Operating without a cyber risk management plan could have a crippling effect on a company’s reputation. The way in which companies respond to cyber threats can be scrutinized by clients, stakeholders and the public, especially because victims are often directly impacted by slow response. For example, if a company does not respond quickly, victims of the crime may miss opportunities to cancel credit cards and alert their banks about suspicious activity. The window for fraudulent activity can be prolonged by companies that are unprepared to deal with a cyber breach. With a strategy in place for responding to a cyber event, businesses can execute against their plan and focus on getting back to business as usual.

As cyber attacks dominate headlines, companies must make efforts to properly secure both their technology and networks. Recent media reports have identified major companies, organizations and governmental entities across the U.S. as unfortunate examples of what can happen when a business is unprepared for a cyber crisis. Corporate risk managers can help their companies to adapt their risk management strategies and practices so that their employees and their customers remain ahead of emerging cyber risks.

Yes, It’s Data Privacy Day

It may surprise you, as it did me, to learn that today is Data Privacy Day, an “international celebration of the dignity of the individual expressed through personal information.” But Data Privacy Day also highlights the need for individuals to protect their data and how they can go about doing so.

There are many organizations out there that aim to help individuals protect their personal information and help businesses comply with data protection laws and regulations. The Online Trust Alliance is one such organization, whose mission is to create an online trust community, promoting business practices and technologies to enhance consumer trust globally. They recently released their “2011 Data Breach Incident Readiness Guide” to help businesses in breach prevention and incident management.

According to their newest guide, the true test for organizations and businesses should be the ability to answer key questions such as:

  1. Do you know what sensitive information is maintained by your company, where it is stored and how it is kept secure?
  2. Do you have an incident response team in place ready to respond 24/7?
  3. Are management teams aware of security, privacy and regulatory requirements related specifically to your business?
  4. Have you completed a privacy and security audit of all data collection activities, including cloud services, mobile devices and outsourced services?
  5. Are you prepared to communicate to customers, partners and stockholders in the event of a breach or data loss incident?

With the White House, members of Congress, Commerce Department and the FTC calling for greater privacy controls and breach notifications, self-regulation by businesses is becoming more and more important.

Google, one of the supporters of Data Privacy Day and the initiatives of The Privacy Projects, is hosting a public discussion on privacy later this afternoon with representatives from the Electronic Frontier Foundation, the FTC and the National Institute of Standards and Technology scheduled to attend. If you can’t stop by Google’s DC office for this event, don’t worry — it will be captured on video and posted to YouTube soon after.