5 Things Every Business Should Know about Data Privacy and Security in 2015
Recently, I had the pleasure of attending a panel hosted by the Commonwealth Club in recognition of Data Privacy Day 2015. (Thanks to our excellent client ESET, a sponsor of the event, for the in!) The panel, “Open Forum: Data Privacy Trends 2015,” was moderated by Forrester Research Principal Analyst Fatemeh Khatibloo, and included security executives from Box, Disconnect, IBM, Intel and TRUSTe. True to its name, the event took a comprehensive look at data privacy – what it looked like in 2014 and how it’s evolving in 2015.
With the latest large-scale attacks such as the Target breach and Sony hack top of mind, the panelists shared their thoughts on what businesses need to be thinking about to protect their users and themselves. As one panelist pointed out, the Federal Trade Commission has reviewed eight times as many cases related to privacy in Q1 as is typical.
So what should businesses keep in mind as they forge ahead? Here are five lessons learned from the event:
1. There is a natural tension between security and privacy
The first thing businesses of all sizes need to recognize is that there exists a natural tension between security and privacy – they can’t co-exist at each extreme. As security measures increase (e.g., verifying identity for a particular transaction/log-in), privacy decreases as data has to be submitted. The same can be said for privacy – as less information is requested, the process becomes less secure. As Christina Peters, chief privacy officer at IBM, so eloquently put it: “Security is asserting control over your assets.” Privacy “is about what you want to do with that control and how you observe those choices.”
Panelist Chris Babel, CEO of TRUSTe, pointed out that privacy as an issue and focus for business strategy is where the security discussion was 20 years ago. And studies have shown that as security technology gets more complex, users are likely to turn it off to avoid having to deal with it. This allows for more privacy, but leaves consumers at risk.
2. Consumers are concerned about their personal privacy, but that doesn’t stop them from leaving themselves vulnerable.
Security measures that help protect data privacy are something consumers use on the way to what they want, panelists agreed. Consumers are aware of data privacy risks, but like many things in life, privacy does not become a pain point until they are breached. As Malcolm Harkins, vice president and chief security and privacy officer at Intel, pointed out, unlike physical theft, where you can walk into your home and see your TV is stolen, ID and cyber theft can happen without you ever noticing – until it’s too late.
IBM’s Peters believes that consumers are concerned and aware of data privacy issues, and compared consumer inaction to the general beliefs we all have about how diet and exercise are crucial to a healthy life. We know what to do, but it’s hard to make actions a reality.
Chris Babel of TRUSTe shared findings from the organization’s 2015 Consumer Confidence Privacy Index survey that demonstrated that 77 percent of all respondents indicated they had taken some steps to protect their online data, but half of respondents indicated they didn’t feel they had done enough.
3. Some technology companies have started “baking” in more security protocols – and this is a very good thing.
On the heels of the discussion about consumer privacy protection, many panelists pointed to the growing number of technology companies that are starting to “bake” privacy and security technology into their products, with Google and Twitter’s latest two-factor authentication additions serving as examples of that. Other examples include the launch of the Blackphone, a totally encrypted, air-gapped mobile phone that privacy geeks have raved about, and WhatsApp adding encryption to its text messaging. The panelists agreed that by embedding the security and privacy measures in the products, we remove human error and relieve users from thinking about protecting themselves. This shift is mirrored in sales conversations behind closed doors. As Box’s Chief Trust Officer Justin Somaini put it, “security as a business model has arrived.” Companies no longer wait until a fourth or fifth conversation to bring up security; it is brought up first and is a main issue from the get-go.
4. The regulatory discussion is heating up, but it’s unclear at this point how proposed legislation will drive meaningful change.
All panelists agreed that there is a large opportunity for regulations to improve data privacy and set standards, but urged that these measures should not be prescriptive to the current situation – they need to be forward looking. Because legislation has historically taken some time to go into effect and drive change (e.g., Sarbanes-Oxley), the general consensus of the panel was that by the time current legislation is passed, there will already be new issues to address.
One idea I liked was the suggestion by Disconnect Co-founder and CEO Casey Oppenheim. He suggested a standard, easy-to-understand data privacy label/grade for different services/technology. Much like a nutritional label gives you a quick glance at what’s in a food item, a data privacy grade would quickly reveal what kind of data a company gathers. A scale from one to 10 would reveal just how much data they gather.
5. Predictions for 2015 vary, but one thing’s for sure – this battle has just begun.
When asked what predictions they have for 2015, the panelists had a mix of reactions. On the legislative front, Box’s Somaini said he didn’t foresee any huge movement on regulation, while Disconnect’s Oppenheim suggested a major legislative battle between tech companies and the government was on its way and that issues around sharing customer data with governments would come to a head.
Intel and TRUSTe both agreed another data privacy failure was sure to occur, with TRUSTe proposing that a true partnership between government and tech companies was the best solution.
To that effect, IBM’s Peters empowered the audience to own the future of this issue, noting that those in attendance have a say on it and need to speak up.
What does this mean for our clients?
At MSLGROUP San Francisco and MSLGROUP Boston, we work predominantly with B2B technology clients in a wide range of industries, including healthcare, medical device, big data, security and cloud computing. As Somaini of Box pointed out, these companies are having security conversations with their customers and prospects first, and so should we. We can no longer wait for a reporter to ask the security/privacy question; we have to bring this up to clients now and prepare their spokespeople to address these questions, arm them with their own security and privacy protocols before the call and make sure they are comfortable with the “tough questions.” Also, we need to prepare a crisis communications plan outlining what steps to take if something happens to their customer data. As strategic partners, PR professionals need to ask the tough questions and best prepare our clients to address these vital issues.
Posted by Kiley Nichols – March 19, 2015