Top Six Privacy and Compliance Predictions for 2016
on December 18, 2015
- Cyber Security
- Data Breach Notification
- Data Privacy
Privacy and compliance have been under siege in 2015, as cyber-crime, cyber-terrorism, and cyber-espionage surged. No longer was identity theft or identity fraud the single overriding concern in breach situations: stolen personal information is now used for blackmail, extortion, and to cause reputational damage. At the same time, organizations across all industries have continued to struggle with privacy and security budgets and with the division of responsibilities between IT and privacy/compliance functions, especially during incident response. None of these issues will be resolved in 2016, but there will be an evolution in the privacy and compliance arena. Here are expert predictions on where those changes are likely to occur.
Mahmood Sher-Jan, executive vice president and general manager of the RADAR® business unit at ID Experts, predicts that 2016 will be the year that businesses of all sizes realize that they are targets for cyber-attacks and begin to prepare in earnest. In particular, third-party vendors will face unprecedented scrutiny and contractual obligations from their clients about their security, privacy, and incident response practices. “Until now, small and medium-sized businesses have tended to believe that information theft and data breaches are a big-business problem. But the data around breaches in 2015 has shown that cyber-criminals are often targeting smaller organizations, both for the information they hold and as a back door into the systems of their larger business partners. For example, the Target breach started with a successful phishing attack against a refrigeration subcontractor that had worked at Target stores and other retailers. After dealing with a breach affecting as many as 100 million customers and paying $200 million dollars in breach response costs, it’s a good bet that Target isn’t giving that HVAC subcontractor any future business, and they will be very thorough in evaluating the security practices of their third-party vendors.” Mac McMillan, co-founder and CEO of information security and privacy consulting firm CynergisTek, agrees, and adds, “privacy and security is everyone’s concern, individuals as well, but particularly those at greater risk such as children and seniors.”
Smaller businesses are often attacked because they don’t see themselves as targets, and are therefore unprepared. Some industries, such as healthcare, have privacy and security regulations for business partners, and so those companies have been on notice that they need to take action. “No company, regardless of industry or size, can afford to lose customers, so businesses need to start assessing their privacy and information security risks to better protect themselves and their customers,” added Sher-Jan.
Dr. Larry Ponemon, chairman and founder, Ponemon Institute, says consumers will expect greater control in the future over how their personal data is collected and used, even as their data is gathered and transmitted by an increasing number of devices. “In general, people recognize that we have had less control of our personal information as technology has become ubiquitous in our lives. And the businesses that create and sell all this technology—smartphones, tablets, fitness gadgets, etc. —have tended to assume that people are willing to sacrifice their privacy for convenience and the chance to use cool things. But there’s a pendulum. As consumers, we don’t want businesses or the government to have information that could marginalize us, and we don’t want to trade privacy for the opportunity to use new technologies.”
“Even if our information is not used maliciously, once the data is collected, the tendency is to use it. As individuals and as businesses, we have to think about what kinds of controls we want to have in place to make sure people don’t use personal information in bad ways. Organizations will have to figure out how to protect the privacy of their customers, employees, or other stakeholders, or they are going to lose business.”
Dr. Ponemon also predicts more privacy and security regulations being introduced in 2016: “If you go back 10 years to the Gramm-Leach-Bliley Act and HIPAA, industries like finance and healthcare have been regulated, but a lot of others have not. I think in the near future we’ll see new regulation, especially in the face of big data, which is a force for good and evil. It’s amazing how much people are gleaning from stuff you post online, just with web crawlers. For example, my Facebook photo shows my eye color, and retailers can now use that to predict my color preferences and create personalized advertising. Everything you do online generates a trail of data, with its own privacy implications. I may use my smartphone to order ahead at a restaurant, but no one really needs to know that I like cheese pizza and not pepperoni pizza.”
“There may also be regulations to address the privacy and security issues around the “Internet of things” [IoT]. The IoT is taking off so quickly that security is being thought about after the fact. I think there will be a backlash, both because of data breaches and because data will be used by businesses in ways we don’t want. Sure, hackers could take control of connected devices and cars could crash or refrigerators could blow up. But there are more subtle privacy issues. For example, what if your smart refrigerator broadcasts that you’re low on white wine, but you told your insurer you never drink, and now that data gets loose? The IoT will generate massive amounts of new and potentially sensitive data, and people are going to be asking for standards there.”
Dr. Ponemon expects that 2016 will bring a “global harmonization” of privacy and security requirements, with the recent EU ruling against the Safe Harbor agreement adding urgency to the effort. He says, “This will happen not because of international altruism but because it is hard for companies to do business across all these varying privacy and security standards. For example, in the wake of the Safe Harbor ruling, U.S. businesses are scrambling to relocate their storage to data centers in Europe in order to keep doing business with the EU. This kind of disruption is bad for business (except for the cottage industry of data centers springing up in Switzerland and Ireland). While there may not be one single standard for every country, we will see more creativity on the part of privacy regulators to come up with standards that are mutually acceptable. You can never have one standard for the world, but you can have minimum standards that everyone has to meet.” Dr. Ponemon also looks for worldwide standards for disclosure of data breaches, and he thinks the U.S. Securities and Exchange Commission will bring increasing pressure for companies to disclose breaches in quarterly and annual reports.
Doug Pollack, ID Experts chief strategy officer, says that in 2016, boards of directors will get involved with privacy and security: “I think in the coming year corporate boards will finally wake up and pay attention to data security and customer privacy threats. There is increasingly more at stake in data breaches—potential loss of personal privacy but also loss of intellectual property, reputational damage, and risks to operations. This past year, several very large health insurers were hacked, as was a very large agency of the federal government, and the perpetrators are thought to have been in or related to the Chinese government. In light of these events and the ease in which they appear to have been carried out, the companies and organizations to whom we entrust our personal data are faced with significant governance and risk issues. I would expect that corporate boards will increasingly mobilize in 2016 to more directly address the cyber risks that seriously threaten their organizations.”
Dr. Ponemon concurs that more boards of directors will be getting involved in security oversight. “I think we will see more directors being held responsible and possibly subject to lawsuits when breaches happen. There are a couple of cases right now in the courts. I think we’re going to see precedents that will change requirements on boards. We may also see the composition of boards change, bringing on board members who are experts in security.”
Macmillan offers rays of hope, predicting that privacy, security, and compliance organizations will rise to the challenges of the coming year. He is already seeing signs of new and effective tactics emerging. “One new best practice that has resurfaced this year is the use of exercises to engage users and help them better understand the threat of cyber- incidents as well as their roles in avoiding, detecting, and responding more effectively.”
He also sees better alignment between privacy and security functions in the future: “I see them all, including physical security, coming together under the banner of better risk management. In healthcare, in particular, as the information ecosystem that manages PHI expands to reach out to the patient, involving more players, more partners, more service providers, etc. and as a result becomes more complex, we need to evolve our risk management models and appreciate that all of these disciplines are more effective when integrated fully.”
These are our watchwords for 2016: be prepared and stand together. (And if you want more information and advice to help you prepare for next year’s challenges, check out our expert predictions on the threat landscape [link to first installment].)