In the wake of the 2013 Target breach, information security experts highlighted the apparent anomaly that PCI compliance did not automatically mean that Target’s data was secure. The retailer had been certified against the payment card industry’s minimum set of security controls and standards just weeks before attackers installed malicious code on its network – and Target (and its customers) subsequently fell victim to a devastating attack.
This may not be a perfect analogy, but it’s worth considering whether the same holds true for the minimum standards imposed for data privacy.
Can companies comply with new regulations like the California Consumer Privacy Act (CCPA), but still not take the right steps to go far enough to protect their data?
Should privacy protection extend beyond the letter of the law, safeguarding privacy not just as a means of achieving compliance, but also as a way to preserve – and enhance – brand trust?
Privacy Came Before Compliance
This question is an intriguing one to consider ahead of Data Privacy Day 2020 on January 28th, just four weeks after the CCPA officially went into effect. Data Privacy Day in North America (and Data Protection Day in the EU) was launched in 2008 not only to raise consumer awareness of how they can protect their data, but also to encourage companies to be more transparent about their data processing activities.
The ultimate goal of Data Privacy Day is to minimize the number and reduce the impact of data breaches that expose consumers’ sensitive and personal information – along with businesses’ valuable data. Of course, this goal is aligned with the CCPA. Notably, CCPA has the prevention of data breaches in its scope: the law includes a private right of action to contest whether adequate security measures were in place to protect sensitive data – over and above regulatory penalties.
At BigID, we have been fortunate to work with early adopters of data-driven privacy protection. This has put BigID in a position to play a role in formulating some of the strategies that proactive enterprises are adopting to tackle privacy compliance – and beyond.
Privacy as Brand Trust
For customers in the US, the introduction of CCPA was a catalyst (and business justification) to invest in privacy automation, responsible information management, data intelligence technologies and building out a privacy team (with the accompanying resources) to operationalize these new regulations. We are increasingly seeing enterprises take a more rigorous approach to ensure that the GDPR principle of “purpose limitation” extends deeper into data governance and analytics – even as enforcement lags.
For these companies, compliance is obviously imperative. But compliance with CCPA is the first step, not an end state. Designing and implementing a set of baseline processes and technologies is necessary due to the sea change in the number and breadth of emerging data protection and privacy regulations – from the recently re-introduced Washington Privacy Act to competing privacy bills currently tabled in the US Congress.
The motivation in making such investments is not to simply minimize the threat of fines, penalties, or class action lawsuits: programmatic privacy protection is an investment in brand trust. These enterprises understand that privacy protection extends beyond the letter of the law – and that their responsibility extends beyond the specifics of any one legal regime.
There is, of course, always a risk that comes from non-compliance. Under the law, enterprises are obligated to produce policies and procedures that ensure ethical and legal behavior among their employees and established processes. But with brand trust becoming a bigger concern for end-users and companies alike, risk is not merely confined to a company’s failure to follow established laws and standards.
Balancing Risk and Reward
Why is brand trust so important?
In the age of data-driven organizations, personal information is an asset that can be used to generate insights, identify new opportunities and enhance customer experience. On the flip side, personal information is a liability if data is not collected, protected and utilized appropriately.
When enterprises fail to take the right steps to manage and mitigate liability from collecting and processing personal data, they risk losing the ability to accumulate a powerful asset and optimize their data. Preserving brand trust, therefore, becomes a key strategic corporate concern.
So how can enterprises make the right investments to safeguard privacy as a means to ensure brand trust?
A commitment to privacy as a core business value is a foundational step. In turn, that commitment needs to be followed up with a measurable strategy to define, communicate, and operationalize policies on how data is collected, processed and shared.
Ask any CPO or CISO and they’ll emphasize the importance of sound data practices that preserve and protect their consumers’ personal information and businesses’ valuable data assets. No one wants to be the next Target, Sony or Equifax.
That strategy starts with compliance. If, however, enterprises are perceived as merely paying lip service to privacy protection, or hiding behind the specifics of a regulation, they face the risk of compounding the damage to brand trust. To make the right choices about the collection and use of personal information, a thoughtful policy framework must be aligned with sound processes and modern tools for demonstrable and sustainable privacy protection.
The Path Forward
We recommend the approach taken by our proactive customers: engineer the right balance between risk and reward while stitching together investments already made in data privacy management with new programmatic tools that would add value to the company’s data intelligence strategy. Insights gleaned from data intelligence can serve as the connective tissue to put policies into practice at scale and across functional areas.
One of the major repercussions of breaches like Target’s is that information security now has a voice in the boardroom. This Data Privacy Day, it’s high time to consider whether the privacy office should also have its voice heard loud and clear.