Securing Customer Data
The United States still lacks any centralized, formal legislation at the federal level regarding the security of the electronic transmission of personal data. Instead, companies rely on a sectoral approach, combining other means of regulation in addition to government policy, which often differs by state (see the nationwide patchwork that is the set of data breach notification laws). In contrast, the UK operates under its Data Protection Act. Passed in 1998, it is the main piece of legislation that guides the protection of personal data. Similarly, the European Union has its Data Protection Directive, which—although it is to be imminently overridden by the new European General Data Protection Regulation (GDPR)—has regulated the processing of personal data, and has been an integral part of European privacy law.
I cite all of these not to highlight the differences in situation, but to point out what they all have in common: too often, it seems, organizations will do the bare minimum when it comes to securing consumer data. Checking off the boxes on whatever guidelines or compliance policies are in place, while necessary, is not enough. According to WallBlog, companies should also take it upon themselves to be innovative with their approach to their customers’ information. Already, surveys have shown that people are increasingly wary about sharing their data, considering all the breaches that keep making the news.
Data is the lifeblood of a business, however: from the personalization of content and services (i.e., ads), to the estimated financial benefits it could bring to numerous sectors (e.g., $300 billion annually cut from US health costs). Organizations should thus be demonstrating unequivocally how much they value their customers’ data. Implementing more effective data protection policies is the least they can do, including even something as simple as discouraging password re-use. Personally, though, I have little hope of this happening any time soon. The most common passwords of last year were still painfully bad. And I think “Solo” was on the Top 10 list as well. Star Wars is a movie, folks, not data security. Hackers don’t even need a lightsaber to cut through that one.
If organizations put in only minimal effort, all those laws and standards won’t be sufficiently effective in protecting consumers and companies alike from today’s advanced cybercrime.