2019 presents businesses with new cybersecurity and privacy challenges: rapid advances in technology, sophisticated new cyberattacks and stricter privacy regulations here and around the world, just to name a few. Businesses that fail to plan risk significant financial and reputational damage.

Those at the front of the fight, but out of the headlines will:

  • Afford users and consumers true “data self-determination” and transparent control over data while providing a frictionless digital experience.
  • Master what data they collect, who has access to it and how long they have it: “Cradle-to-grave” control over data will win the day.
  • Master baseline data privacy and security, whether defined by statutory schemes, best practices or voluntary industry standards.
  • Remain battle-ready for the critical infrastructure breach (financial, utility and/or transportation).
  • Deploy robust methods to repel the email compromise.
  • Implement tested response plans for digital deep fakes (false video and audio recordings) and other disinformation campaigns.
  • Master vendor and supply chain data security.

Data-rich companies like Facebook have a unique opportunity to capitalize on the recent surge in regulatory scrutiny and turn it to their advantage.

Savvy tech companies are attuned to public opinion and won’t allow others to control the narrative. They are already taking steps to regain the upper hand in the privacy debate.

Facebook demonstrated this during Senate hearings on the Cambridge Analytica “data breach” by announcing it would upgrade privacy features and offer its users protections that mirror those in the EU’s strict General Data Protection Regulation (GDPR). Facebook has also gone out of its way to publicize its efforts to comply with GDPR. Messaging service WhatsApp, too, recently touted its decision to set a minimum age of 16 for EU users.

Some of the major tech companies – Facebook, Google and Apple – could actually benefit from increased data privacy and security regulation if they take the initiative. They have the resources to impose strict compliance requirements on smaller third-party players such as application developers and vendors in the tech eco-system, portraying themselves as trusted custodians of consumer data.

To gain the advantage, they will need to be proactive because regulators are not sitting back.

Officials at all levels of government are clamoring to get a piece of the data privacy enforcement pie. The SEC recently imposed a first-of-its-kind $35 million fine on Altaba Inc., formerly Yahoo, for failing to disclose a major data breach. The FTC struck a first-of-its-type 20-year consent decree that requires Uber Technologies Inc. to report any future data breach regardless of whether it involves harm to consumers. States are also getting into the act. Arizona and Delaware recently joined the list of states that have toughened their breach notification laws, while attorneys general have stepped up enforcement activities in Massachusetts (Equifax), New York (Facebook), Pennsylvania (Uber) and other states.

Data is the new currency. As a result, antitrust regulators have stepped up scrutiny of M&A deals in relation to the aggregation and control of data. This has already affected proposed deals. The EU halted Apple’s proposed acquisition of Shazam over possible adverse effects on other music streaming services.

In this climate, it is no time for major tech companies to lay low. The smarter path – the one that will allow them to regain the initiative – is taking proactive steps to address privacy and data security concerns before regulators do it for them.

The FBI reports that cyberattacks could overtake terrorism as the major threat to the country. According to the Department of Homeland Security, between October 2011 and February 2012, there were 86 reported attacks on U.S. computer systems that control critical infrastructure, factories and databases, compared with 11 over the same period a year ago.

Now more than ever, the focus should be on securing and insulating our nation’s computer and Internet infrastructure from both internal and external attacks. The first step in anticipating large-scale cyberattacks is to start thinking of them more like the proverbial disaster waiting to happen — not a question of if, but when. Planning requires going beyond the limitations of current thinking and considering worst case scenarios.

To keep reading my full article visit “The Internet Privacy Debate Misses the Point,” published April 23 by the Huffington Post.

Much ado has been made in recent weeks about the FTC’s Do Not Track proposal, the push from Congress to protect consumers, and the response from Google, Microsoft and Mozilla, as well as the online ad industry, about the risks and rewards of self-regulation. But what has seemed to be missing from the debate is the public’s own outcry. Amidst the churning discussions there has not been a sense that the general online population is overly concerned about whether an advertiser can track their preferences… at least until the information they share leads to a distinct invasion of privacy with repercussions.

All in all, this debate remains self-contained, and raises more questions than it answers.

From the political front, the Congressional proposals present an issue that is easy to support. Who is “against” privacy? Perhaps the same people who want to bring down apple pie and stop the Veterans Day parade…

Technology executives and startups are being buffeted about by concern over impending government regulation, by the push to agree on a self-implemented system, and by the prospect of monetizing so-called "privacy assets" for those opting to share more. But how much of the genie is already out of the bottle? Is it possible to truly claw back or sanitize people’s data that is already out there?

There is certainly cause for public concern, though it seems that is not the case until an actual situation occurs. If a website, social forum or third party advertiser holding your personal information is hacked or breached, the potential invasion of privacy on personal preferences could be huge. Finances, sexual preference, and many items that could lead to identity theft are all put at risk. Yet we continue to "like" and "share" and post pictures because living online has become an extension to daily life.

Is this public acceptance? Maybe we won’t know until there is a problem that draws attention on a national scale. The public has control over their own activity online, and the amount of information they wish to share.

If the public is truly concerned about online privacy, it is a matter of self-regulation on a personal level. In the meantime, the government and the industry will continue to swirl in a cycle that perhaps will only end with a set of regulations and authorizations that create more unenforceable layers than there were before. Data thieves will always find ways to game the system, there will always be a risk when sharing personal information online, and advertising will not stop being the fuel that runs much of the internet.

On February 10, 2011, the New York City public hospital system filed a lawsuit against its records management contractor over allegations that the contractor permitted the theft of unencrypted data tapes storing health information and other personal data on some 1.7 million patients and staff. The New York City hospital system disclosed the breach, which occurred on December 23, 2010, for the first time in a February 11, 2011, statement. The complaint alleges that six data tapes, storing HIPAA protected information and other personal data for approximately 1.7 million patients at three facilities, as well as for employees, vendors, contractors and other service providers, were stolen from a van left unlocked in Manhattan by the hospital system’s records management contractor. In a statement, the hospital system said that, while the stolen tapes have not been found, no fraud has been reported and the tapes are protected by a proprietary system that makes the data difficult to access.

Last week, the federal government fined Cignet Health (Maryland) $43 million for violating the privacy rights of 41 patients by denying them access to their medical records. The fine levied by the Department of Health and Human Services is the first under HIPAA’s privacy rule. The Department of Health and Human Services’ Office of Civil Rights determined that, between September 2008 and October 2009, Cignet Health violated patients’ rights by denying them access to their medical records. Cignet Health also repeatedly failed to cooperate with the investigation conducted by the Office of Civil Rights and did not comply with a subpoena for medical records issued by the Office of Civil Rights until ordered to do so by a federal judge in March 2010.

Separately, the federal government reached a $1 million settlement with Massachusetts General Hospital over potential violations of patient privacy laws when an employee lost patient records on local public transportation. The lost information concerned 192 patients in the hospital’s Infectious Disease Associates outpatient practice, including information pertaining to patients with HIV/AIDS. For 66 patients, the lost data included billing forms that recorded name, birth date, medical record number, health insurer and policy number, and diagnosis.

California State Senator Joe Simitian (D-Palo Alto), who authored the state’s existing data breach law in 2002, has introduced Senate Bill 24 to strengthen the content of notices provided to individuals when their personal information has been hacked, stolen or lost. If passed, Senate Bill 24 would offer individuals better protection against identity theft by standardizing the content of data breach notifications, including (i) a general description of the incident, (ii) the type of information breached, (iii) the date and time of the breach and (iv) a toll-free telephone number for the major credit reporting agencies in security breach notices issued in California. Senate Bill 24 would also require public agencies, businesses and others to send a copy of the breach notification to the California Attorney General if more than 500 Californians are affected by a single breach. Former Governor Arnold Schwarzenegger vetoed similar legislation introduced by Senator Simitian.

Last week’s vote by the FCC on net neutrality rules raises new concerns and resolves very little about keeping an open internet. Let’s start with the basic issue of whether the FCC has jurisdiction to regulate the internet. Most commentators agree that the FCC has overreached its grant of authority and that legal challenges are all but certain. Is the FCC regulating or legislating? In all probability, providers that do not fare well under the proposed net neutrality rules may decide to challenge the FCC’s jurisdiction in court.

The new rules prohibit broadband or wired-line providers from blocking access to services, applications and legal content, and from “unreasonably” discriminating against traffic on their networks – no such strict restrictions are placed on wireless or mobile broadband providers. Why should the FCC treat wireless providers differently than fixed-line broadband providers? Do the so-called technological challenges faced by the wireless industry justify the disparate treatment? Are we concerned that more consumers, including minorities and the poor, use wireless devices to access the internet?

Why does the FCC discourage but not flat out ban "paid prioritization" by wired-line broadband providers? Does this rule create a risk that two internets will develop – one for the moneyed haves and a second for the non-moneyed have-nots?

The new rules are a tangible victory for ISPs, and give these providers the wiggle room to capitalize on usage-based pricing. For example, a broadband provider could theoretically charge an access fee for a movie streaming service such as Netflix over a wireless connection. The FCC’s distinction between fixed-broadband and wireless networks may recognize that wireless networks are more constrained in terms of bandwidth, so under the new rules a smaller set of applications is offered protection specifically on wireless networks.

While the FCC maintains that it will monitor the markets for abuses and “discourage” them, the question is whether the FCC will be able to enforce the rules given that the language is so tame. In the meantime, the FCC’s apparent lack of jurisdiction over the internet begs for someone to pick this fight.

A recent analysis of the past year’s data breaches by Imperva concludes that the number of reported breaches in 2010 rose nearly 200% over 2009. Conversely, the number of records compromised shrank nearly 100% — from 230 million records in 2009 to 13 million records in 2010. These results are based upon information provided by the Privacy Clearinghouse (PRC), a nonprofit that tracks publicly disclosed U.S. data breaches: http://bit.ly/dDYgxI

                          2009          2010          % Change
  Data Breaches Reported  250           484           + 194%
  Records Compromised     230 million   13 million    – 95%

While these results may seem like good news at first glance, the real message for businesses is that they have to be more vigilant than ever when it comes to security and privacy issues. In large measure, the number of compromised records is down because hackers have fine-tuned the art of the steal.

Think of it this way. An amateur thief might come into your house and ransack it, stuffing everything within reach into a shopping bag. A professional knows where to find the safe containing the jewelry, bonds and other real valuables and would only go after them.

Data is today’s richest currency. As it grows in value, so does the technical sophistication and savvy of today’s cyber thieves. In an economy based upon intellectual capital and information technology, it’s essential to know how to protect information and respond to increasingly sophisticated and targeted data breaches, as well as the legal and regulatory recourse available when this type of violation occurs.

Some final notes related to the above numbers … They only represent “publicly disclosed” breaches. It’s likely that unreported breaches would push these figures much higher. In addition, according to the Financial Times, for the first time ever worldwide data theft in 2010 surpassed physical losses for global companies: http://bit.ly/dGVOna

In the recent federal case in the Middle District of Tennessee, ReMedPar, Inc. v. AllParts Med., LLC, a split among federal circuit courts is apparent regarding the interpretation of the Computer Fraud and Abuse Act’s (CFAA) civil cause of action for accessing a protected computer without authorization or exceeding the scope of permitted authorization. In ReMedPar, the plaintiff filed suit against an independent contractor who allegedly gave a competitor the plaintiff’s software and source code to develop a comparable software system. The case was dismissed because the court found the independent contractor was not acting without authorization or exceeding it, as he had been given permission to access the computers by the plaintiff. The split among the federal circuits in interpreting the CFAA is apparent: the Middle District of Tennessee and other courts, including the 9th Circuit, hold that CFAA claims apply only to cases in which authorized access was undeniably exceeded, whereas the 1st and 7th Circuits take a less restrictive approach, finding CFAA claims are permitted when a person misuses access in any way adverse to the authorizer’s interest.