Editor’s note: Breaches happen all the time in the world of digital commerce, but a hack of Atlanta-based Equifax earlier this year was not your normal, run-of-the-mill data heist.
One distinguishing factor was the size of the breach, which was said to have exposed personal records of more than 146 million Americans — nearly half the U.S. population.
And that revealed another issue: Americans can shy away from retailers they feel aren’t keeping their records secure, but they have no such choice when dealing with credit-reporting agencies.
As global commerce increasingly goes online, companies, consumers and regulators keep betting that benefits from speedy online transactions will outweigh the costs of securing them and the systemic risk of breaches.
But to maintain the trust that underpins this fragile system, each link in the chain has put its best foot forward on data protection.
In this sponsored interview, Global Atlanta spoke with Kevin Coy of the Washington office of Arnall Golden Gregory LLP, who specializes in data protection laws, to learn how all partners involved can comply with the law and better protect themselves in the process. Mr. Coy will be hosting a webinar Dec. 5 on Europe’s new data privacy regulations. Learn more here.
-Trevor Williams
Global Atlanta: Is there a sense that the Equifax breach and others like it could undercut confidence in digital commerce, or is the march toward more online activity inevitable?
Kevin Coy: I think breaches, particularly high-profile breaches, give consumers pause, but I don’t think the entire digital economy is at risk. There are problems, to be sure, and organizations can and should work diligently to protect the data that they hold, but I don’t see us making a return to the old days of pre-digital activity.
The financial sector in particular heavily relies on the Internet. I think there will be a continued challenge to financial institutions and other companies to balance the consumer’s desire for convenience with the need to have security.
Global Atlanta: But due to that, don’t companies have to store even more data, compounding the problem further? Do breaches help the public grow more aware and guarded about how their data is shared?
Coy: Breaches have the effect of bringing data security to a broader public attention. That tends to ebb and flow, but the real issue is that breaches have gotten larger and larger over the years as fraudsters have been able to gain access to larger troves of information.
Consumers certainly can be sensitive to protecting their data where they have the choice. But once that information has been shared with a company, the consumer doesn’t really have further control and has to rely on that company.
It’s important for companies of all sizes that hold personal data to take steps to safeguard it and to consider in the context in their business models what data they need to collect, how long they need to keep it, and whether they can minimize their risks on these fronts.
Companies should keep in mind their legal obligations but also follow guidance from their security experts or other experts are putting out to try to harden their systems as far as possible, and also keep an eye on regulatory developments and enforcement actions. They should also build redundancies into their systems so that they minimize the potential that one person making a mistake compromises the entire architecture.
Especially in payments, there is this new frontier in terms of authentication: Everybody’s trying to figure out how to verify ID with both security and seamlessness. Are we in the really early stages of this, especially on the legal front?
Fraudsters are becoming more sophisticated and consumers haven’t always proven to be the most vigilant about safeguarding their own online lives — there’s the classic example of the 1-2-3-4 password — so companies are now looking for other means of security to supplement or replace user ID and password.
In the telecom space, Apple and others have been using fingerprints to grant access to devices. Now with the iPhone X, that is shifting to facial recognition. Some are now even doing it on the basis of voice prints, typing activity and other activities.
Biometrics create the possibility of increased security, and a lot of companies are looking into this, but questions are arising about whether these can be spoofed in some way, along with whether they may run afoul of other data protection laws.
Illinois, for instance, has a biometric privacy statute for a number of years that has precipitated a lot of litigation. We could see more legislation in this area as biometrics continue to expand in the authentication space, as well as questions around what the best practices are.
From the companies’ perspective, is it getting to the point where accepting some level of risk related to fraud is becoming just a cost of doing business?
I don’t think it’s a question of anyone saying, ‘If we get hacked we get hacked, and if we’re compromised we’re compromised.’ Companies want to safeguard the data that they hold, in my experience, and it’s just important to redouble those efforts, to learn from prior incidents and take steps to try and secure the data that you need to have and minimize the risk of a breach.
Given the fact that companies know the need for data protection, why does it seem like we’re not doing well, like there are so many breaches happening at any given time?
It’s not particularly newsworthy that bank A or company B didn’t have a data breach today — and that’s a good thing. That means we’re not doing as poorly as we could be.
It’s also important to remember that the bad guys, the fraudsters, are always looking for new way so compromise data, so it is somewhat of an arms race between those holding data and those looking to compromise it in terms of defending against the next new technique.
Software is continually being updated with patches to correct vulnerabilities that have been identified. Companies obviously need to keep those updated. But remember, the hacker only needs to be right one time. That’s true with fraudsters seeking to do complex hacking, but it’s also true in sort of garden-variety email scams. The proverbial Nigerian prince, if he emails a million people at no real cost to him, but if only a fraction of a percent of the recipients act on that, that’s probably still a pretty good day for the prince.
What’s happening in the regulatory environment to encourage companies and consumers to do a better job?
A regulation in and of itself isn’t going to protect data. The company itself has to do that, assessing their controls, minimizing the data they hold, having an ongoing review of their security practices to learn from new threats.
While being cognizant of the varying local laws in jurisdictions where they do business, companies should also take cues from enforcement actions by the FTC and other agencies.
The FTC has brought over 60 data-security cases over the years and investigated many others. State attorneys general have investigated many cases and brought actions, including including a settlement earlier this year with Target related to their large data breach a few years ago.
Those settlements can often be instructive for organizations because they sometimes include operational changes the regulators have demanded beyond the creation of standard information-security plans. Also, agencies lay out in the complaints the conduct they believe was inappropriate, so these are instructive for other companies as they’re trying to safeguard their systems.
What’s going on in Europe with data privacy? It seems to always be a step ahead of what’s going on here…
They have a new law called the General Data Protection Regulation, or GDPR, which companies are expected to comply with by May 25, 2018. It has a broad reach and applies not only to companies within the EU, but also those outside of the EU that are doing business there or engaging in certain monitoring activities.
If they haven’t already done so, companies should look at what obligations they may have under the new rules coming into force next year. In addition to GDPR, there’s also the question of transferring personal information across national borders, whether it’s from the EU to the US or between other countries.
The EU-U.S. Privacy Shield is one way of transferring data from the EU to the U.S., but companies should always make sure they maintain a defensible basis for moving any customer or client information.
Do you see trade agreements as having a role to play in this? Is that the appropriate place to hammer this stuff out, or should it be done more on a bilateral basis?
Trade agreements can be useful in potentially addressing concerns around data localization. Increasingly, governments are looking to say — out of protectionism or privacy reasons or a combination of both — “We don’t think personal data should leave our country.” Trade agreements can potentially seek to address those issues by creating a framework for data transfers.
Kevin Coy is a partner in the Privacy Practice of Arnall Golden Gregory LLP. This article is produced as part of the company’s annual sponsorship of Global Atlanta.
Learn more about EU regulation in the upcoming AGG Webinar: It’s Time to Comply with the EU General Data Protection Regulation