Rules and Rewards in Cybersecurity

This might be somewhat similar to my previous post, or at least cover some of the same ground, but it’s a crucial topic, and one I believe deserves emphasis.  First, however, let me just say that with the Winter Olympics in PyeongChang now in full swing, it is once more the time for viewers of certain events to witness some, shall we say, questionable rule systems and judging decisions.  This goes for whether you’re an enthusiast or just an average viewer.  (Why should a skater who falls be rewarded more points just for trying more complicated moves than one who stays on their feet?  Shouldn’t the rules reward achievement and make some sort of sense to the audience?)

Likewise, it doesn’t take more than your average consumer to see the flaws in a system designed to handle and protect their personal data, and express dissatisfaction with the status quo.  In Europe, as we covered last week, the end result of this is the impending GDPR implementation.  Tighter regulations, broader definitions of Personally Identifiable Information (PII), and strict financial penalties have incentivized organizations who handle the data of European citizens to optimize their cybersecurity efforts.

Consumers are getting ever savvier about their data, after all, and a recent RSA survey reflects this.  Among the most relevant data points is that 80 percent of respondents cited the safety of their financial data as a paramount issue.  Monetary and identity theft are among their primary data breach concerns.

Not surprisingly, consumer awareness of these breaches is up in recent years, due to the endless headlines of companies and government agencies being compromised.  Vast majorities of the RSA respondents said that how a company handles its customer data would impact their purchases (78 percent), while even more (82 percent) said they would boycott a business that was chronically lax in this area.  Without trust, and without data privacy as a priority, people are increasingly willing to take their business elsewhere.  Not only that, but they’re willing to submit false personal information when signing up for services.  Whether this is due to a desire to avoid marketing or communications, to a sense that the information is irrelevant, or to simple mistrust, consumers will go to these lengths if they perceive them as guarding their data better than the organization in question can.

In light of all these factors, it benefits businesses to get their houses in order and adhere to GDPR guidelines.  Though there might be growing pains, it is ultimately a boon for consumers.

Which leads me again to the stark and ugly contrast of the current state of the Consumer Financial Protection Bureau in the US.  Established to protect consumers from abusive financial practices, the agency no longer seems to have a strong interest in doing so.  Accusations of this sort have been made lately, and on Sunday, acting director Mick Mulvaney basically confirmed them to be true.  We already knew about the stalled, possibly abandoned Equifax investigation.  But this is also supported by an NPR report citing anonymous sources who claim Mulvaney is radically changing the agency, as well as an internal memo that the agency will “fulfill its statutory responsibilities but go no further.”  Moreover, other sources in NPR’s investigation say the agency has decided to drop a lawsuit against online lender Golden Valley, which allegedly charged borrowers almost 1000 percent interest.

Perhaps most damning, the CFPB has recently changed its press releases to end with the mission statement to “identify and address outdated and burdensome regulations.”

So, where do consumers turn?  How does one boycott an agency designed to protect them when it chooses instead to shamefully abdicate its responsibility?  Consumer advocates have been quick to condemn the agency’s altered course, and who can blame them?  Why should an organization that fails be rewarded more than the consumers who bear the brunt of that failure?  Shouldn’t these rules make some kind of sense?


By: Jonathan Weicher, posted on February 14, 2018
Originally published at:
Copyright: NetLib Security