Technology is a growing field that expands every day. Institutions such as government traditionally favor deliberate timelines and processes for making changes. While this means a decision is thoroughly informed by the time it is made, the same delay also means that laws are not always up to date. In the cyber world, where new vulnerabilities and technologies appear every few hours, it is easy for regulation to be left behind. In recent years, this has meant that regulation and legal enforcement around data collection have not kept pace with the exponential growth of the tech industry.
The problem with data collection
Like millions of Americans, I was impacted by the Equifax data breach in 2017. In the aftermath, it was tragically proved that once data is stolen, the repercussions can continue to haunt victims with lasting effects. The data stolen in one breach can be used to compromise other systems or to extort the victim again. Personally Identifiable Information (PII) is information such as names, home addresses, email addresses, or phone numbers. As a subset, there is Sensitive Personally Identifiable Information (SPII), including Social Security numbers, driver's license numbers, financial account numbers, alien registration numbers, passport numbers, and more. This data is intrinsically vulnerable: these are numbers people have only once in their life, so it is especially damaging when they fall into the hands of the wrong actors. Once this identifying information is accessed, bad actors can store it and use it at will. This means the cycle of exploiting vulnerable individuals' information can be perpetuated far longer than any responsible party likes to admit.
At the time of writing, what data the law requires to be protected varies from state to state. There is not yet a hard-and-fast federal rule on whether a given piece of information counts as PII or SPII; it requires a case-by-case assessment of the specific risk involved. For example, a credit card number can be classed as PII, but is medical information SPII or PII?
Harm to consumers: Sensitive and personal
The lack of oversight matters when we consider the world we live in today. As consumers, we hand over a wide range of PII to companies every day, with every digital action or reaction. Our movements, prayers, friends, menstrual cycles, web browsing, faces, and other fundamental aspects of our lives are now all online. These pieces of information make up parts of our identities and are generally shared with particular parties for particular reasons. When this data is exposed, it is not only a threat to the business's integrity, brand, and trust; it ultimately means the consumer's human right to privacy and to the protection of their identity has been violated.
It is estimated that a successful ransomware attack takes place every 11 seconds in 2022. When a business holds PII, the highest risk is to the identifiable person, whose information can then be leaked and used for nefarious purposes by cyber criminals. This reiterates that it is up to the businesses that collect the information to take responsibility for the people it belongs to and to take concrete steps to protect the data entrusted to them. PII collected for security purposes or as account data must be protected in accordance with the state, federal, and international laws and regulations that apply to the business.
Consumer consent: Another gray area
Consumer consent is also an issue. In this day and age, we willingly give out PII in exchange for email-list discounts, free food coupons, personality quizzes, and more, all of which collect our data. Because our data is everywhere, it becomes harder to demystify what giving up facets of your identity legally means and what is at risk. A further question is how well informed the consumer is about that risk. If the consumer is not well informed about what the data will be used for and where the risk of submitting the PII lies, and the company's standards for safeguarding data go unchecked, the responsibility falls on the company. Cases like the Equifax Data Breach Settlement illustrate the ways in which companies are held responsible for protecting their participants' data.
However, much as with the definition of PII, there is considerable uncertainty about what it truly means for customers to give consent. Are they consenting when they click "submit" on their data? And are they consenting to let the company resell it, use it in data analytics to work out how best to target advertisements, or add them to an email list? This is another part of the problem.
Often, organizations rely on data-at-rest encryption as their last line of defense. Unfortunately, if the file or information is being worked on, or is accessed using privileged credentials, this protection is rendered useless, and hackers can still steal the underlying data. This goes back to the question of consumer consent. Some consumers and organizations are told by the tools or collectors of the data that it is protected throughout its entire lifecycle. To move forward, U.S. businesses and government agencies should instead consider data-in-use encryption as a standardized practice for data collectors. This cybersecurity method keeps data and IP encrypted and protected when it is stored, when it is actively being used, and when it is in transit between the two, neutralizing all possible data-related leverage and limiting the need for breach disclosure.
The historical data protection toolbox, comprising prevention and detection, backup and recovery, and encryption at rest, is no longer sufficient against the current threats and vulnerabilities to individuals, especially ransomware and the inevitable extortion that follows. It does not make up the entire picture, and it does not protect the data in question when the file or information is being worked on or is accessed using privileged credentials: all of the protection in place is rendered useless, and hackers can still steal the underlying data before encrypting the systems. This is a major gap in our security and one that hackers exploit in the vast majority of breaches. The bottom line is that when malicious entities use legitimate credentials, traditional security controls fail to safeguard the data!
With encryption-in-use data protection, should adversaries break through the perimeter security infrastructure and access controls, both structured and unstructured data remain undecipherable and unusable to bad actors. Protection against both ransomware and extortion can be achieved through data-in-use encryption, as it provides unprecedented immunity against data-based attacks. This is an ideal way to protect regulated and consumer data.
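As an added illustration of the credentialed-access gap described above (not code from the original article), the following Python models a record store with transparent at-rest encryption beside the same store with application-layer encryption of SPII fields: anyone holding valid database credentials reads the first store in plaintext, while the second yields only ciphertext for the SSN field because the store never holds the application key. Field-level encryption is one concrete mitigation for that gap, not necessarily the "data-in-use encryption" the author refers to; the HMAC-based cipher and the sample record are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample record: one PII field (email) and one SPII field (SSN). Values are made up.
RECORD = {"email": "jane@example.com", "ssn": "123-45-6789"}

def _pad(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 as a PRF (stdlib-only toy; real systems use an AEAD such as AES-GCM).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """Encrypt-then-MAC one field as nonce || ciphertext || tag."""
    nonce, data = os.urandom(16), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _pad(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt_field(key: bytes, blob: bytes) -> str:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered field")  # fail closed, never return garbage
    return bytes(a ^ b for a, b in zip(ct, _pad(key, nonce, len(ct)))).decode()

class AtRestStore:
    """Transparent at-rest encryption: the store owns the disk key and decrypts for any caller with valid, possibly stolen, credentials."""
    def __init__(self):
        self._disk_key, self._rows = secrets.token_bytes(32), {}
    def put(self, rid: str, record: dict) -> None:
        self._rows[rid] = {k: encrypt_field(self._disk_key, v) for k, v in record.items()}
    def read_with_credentials(self, rid: str) -> dict:
        return {k: decrypt_field(self._disk_key, v) for k, v in self._rows[rid].items()}

def put_with_field_encryption(store, rid, record, app_key, spii_fields=("ssn",)):
    """Encrypt SPII fields in the application before they reach the store. The store never
    holds app_key, so a credentialed read of those fields yields only ciphertext."""
    protected = dict(record)
    for f in spii_fields:
        protected[f] = encrypt_field(app_key, record[f]).hex()
    store.put(rid, protected)

def compare_stores() -> tuple:
    """(row read with stolen DB creds, at-rest only; same with field encryption; SSN the app recovers)."""
    at_rest, field_enc, app_key = AtRestStore(), AtRestStore(), secrets.token_bytes(32)
    at_rest.put("c1", RECORD)
    put_with_field_encryption(field_enc, "c1", RECORD, app_key)
    leaked, protected = at_rest.read_with_credentials("c1"), field_enc.read_with_credentials("c1")
    return leaked, protected, decrypt_field(app_key, bytes.fromhex(protected["ssn"]))
```

Calling compare_stores() shows the at-rest-only row fully in the clear and the field-encrypted row with an opaque SSN, which only the holder of app_key can recover.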
As we know, the world of data collection is vast and can often lead to serious consequences for individuals. At this time, the Federal Trade Commission is calling for the submission of comments on topics including those discussed in this article. There are further prompts on its website to address this. If you are interested in the human right to a private identity or have more illuminating information about the ways data security must be addressed, you can submit a comment and read more here: https://www.ftc.gov/legal-library/browse/federal-register-notices/commercial-surveillance-data-security-rulemaking