Who is ultimately responsible for your digital privacy and security?
In a socially connected digital world, we bleed data on a daily basis. Sometimes, we’re even party to it, although in many cases, data leakage is inadvertent.
With location-aware social networks like Facebook, Twitter, Instagram and the like, plus ubiquitous connections through smartphones, smartwatches and IoT, we never truly gain privacy. Social networks form a picture of us from our daily habits, opinions and search histories. It’s also been said that Google knows more about us than we do.
In an ideal world, we could truly trust technology companies to keep our data safe and secure. However, the reality of the matter is that businesses, mischievous hackers, and even criminals can take this data and use it for their own nefarious ends.
When using free web services, you end up giving them carte blanche to analyze and even share your data. For example, Snapchat’s terms of service grant the chat company the express permission to “exhibit and publicly display content in any form and in any media or distribution method (now known or later developed).” The app can also share data with third parties.
Data leaks can also occur even without the use of apps. Previous glitches in the iPhone resulted in voicemails and iMessages being forwarded to the phone long after the user had sold or disposed of the device.
The biggest risk, of course, is the thriving cybercrime industry. On the deep, dark web, it’s possible to find people selling stolen PayPal accounts, credit card details and other financial or identity information for a nominal sum.
In 2014, large-scale breaches involved 200 million personal records at Court Ventures, information on 76 million households from JPMorgan Chase, as well as $300 million in lost revenue from 160 million stolen debit and credit cards. In the latter case, Russian hackers were even able to breach the NASDAQ stock exchange system itself!
Are tech companies responsible for your privacy?
As users, it’s not always easy to kick the social media habit. And it’s not that simple to switch to a non-tracking search engine like DuckDuckGo when you’ve been Googling for as long as you can remember. If you’re on the bleeding edge, you probably use a smartwatch or a fitness tracker to watch your daily activities.
With all that user data floating around in cyberspace, service providers should ideally implement the bare minimum security by encrypting data transfers with SSL/TLS, and likewise encrypting user information at-rest in their databases.
An emerging trend today is the next-generation web standard, HTTP/2, which will default to encrypted connections, unlike most of today’s websites, which still transmit data in clear text.
The human factor
Beyond infrastructure concerns, service providers also need to address the human factor. For example, BYOD is a growing trend – companies are allowing employees to bring in their own computers and devices to connect to the corporate network. This comes with risks, of course, and organizations will need to enforce policies and restrictions to prevent leakage of sensitive data.
According to a 2014 report by McKinsey and Co., businesses will need to be proactive in enforcing security and ensuring cyber resilience. Organizations need to actively deploy and test defenses and integrate these throughout the enterprise.
However, the responsibility will ultimately fall in the hands of top managers. “Given the cross-functional, high-stakes nature of cyber security, it is a CEO-level issue,” says the report. “Cyber resiliency can only be achieved with active engagement from senior leaders of public and private institutions.”
This doesn’t mean that we, as individual users, have a reduced responsibility and liability when it comes to securing our own data. Each of us is only as safe as our personal privacy habits will allow. People who don’t have safe data practices online are more prone to identity theft and other crimes.
However, with millions of users enjoying services now considered essential for day-to-day communication and collaboration, tech companies will need to up the ante in securing and safeguarding user information.
The risk of consumer injury can grow along with the increasing volume and sensitivity of data. According to the FCC, leaky tech companies will need to answer to both customers and regulators. “If they fail to secure the life cycles of their big data environments, they may face regulatory consequences, in addition to the significant brand damage that data breaches can cause,” says chairwoman Edith Ramirez.