It's easy to be cynical about Data Privacy Day, especially with all the data that companies collect on individuals today. Some have even taken to calling Monday's special day of events Lack of Privacy Day.
Fear not. In time for Data Privacy Day, the Internet Society has issued a nine-point code of conduct that offers insights into how companies can more effectively manage personal data, including ways to improve how they handle anonymized data and keep consumers better informed on what they actually consented to releasing.
"People regard data as a commodity they can exploit, but they have to change to becoming a responsible steward of that data," says Christine Runnegar, senior director of Internet trust for the Internet Society. Companies have to change their mindset, she adds.
They also must be held accountable and stop using the consumer's consent to excuse bad practices, she says. For example, very often company websites will post long-winded forms at the bottom of the page written in legalese that people gloss over and accept.
"People often don't know what it means or what the risks are," Runnegar says. "Businesses have to offer a clearer explanation of what the personal data will be used for and make clear that it is for legitimate and reasonable purposes. They should follow up with written explanations in plain language of what the person actually consented to releasing."
There's good reason for the concern. TrackOff reports that 75% of the websites people visit collect information about them and, on average, that personal information gets sold for as low as less than three cents. Data brokers have expanded from collecting a person's browser history and email to making inferences about religious affiliations, credit card information, and even health issues.
But with GDPR in effect, the California Consumer Privacy Act coming on line next year, and Brazil and India focusing on privacy, companies and security pros can no longer ignore it and have to find ways to layer in privacy with security.
Take Care of Anonymized Data
The Internet Society's code of conduct also makes clear that anonymized data should be treated as if it were personal data. A good example: A travel website may ask for your name, address, age, and frequent travel destinations. In anonymizing the data, the company may strip out the names and run an analysis on the age demographic of people who visit a certain destination. Today, companies often resell this information, but moving forward they need to think twice about doing so because there are ways to trace that data back to specific individuals.
"We also want companies to be creative and go above and beyond what the privacy laws require," Runnegar says. "A good example would be a secure messaging service that would only use your phone number to set up the account, then delete it after that so it can't be reused."
Jadee Hanson, CISO at Code42, says too many companies don't even know what kind of data they have, and, even if they do, they haven't set specific rules on who can use what data and how they will monitor that those rules will be followed.
"Once I have established what PII the company has, then I need to use security controls to set privacy settings for the two people who can have access to that data," Hanson explains. "Where companies fall down is they don't have any way to validate that the rules are being followed."