2018’s Biggest Data Privacy News Stories
As the year draws to a close, we wanted to take a moment to review the biggest data privacy news stories of 2018 and discuss what we can learn from them as we move into the new year.
1. Europe’s GDPR
Probably the biggest news story is the European Union’s General Data Protection Regulation (GDPR). This regulation, which came into effect in May 2018, places significant limits on how companies may collect and store data.
In addition to outlining what companies must do when they process personal data, the GDPR has new regulations relating to how companies must handle data breaches. Businesses are now required to notify their relevant data protection authority within 72 hours of becoming aware of a breach. Depending on the type of data, the company must also notify impacted individuals, if the breach involves a high risk to their rights and freedoms.
Perhaps the most shocking aspect of the GDPR is the high fines a company faces for failure to comply with the regulation. Severe breaches can carry fines of up to €20 million ($22.5 million) or 4% of a company’s annual revenue, whichever is greater. As a result, a company like Amazon.com, which took in just under US $178 billion in revenue in 2017, could be looking at multiple billions of dollars in fines for noncompliance.
If your company is subject to the GDPR, you should be looking closely at this regulation to ensure you are complying with all aspects of it. Remember: even if your company is attacked by hackers, you can still be fined.
In order to ensure you are fully compliant with the regulation, speak with an attorney who specializes in internet privacy law.
2. Huge Data Breaches
It seems like every week, we get data privacy news stories. In July, the Identity Theft Research Center reported that over 22 million records were exposed in the first half of the year alone.
Companies like Under Armour faced off against hackers who broke into the MyFitnessPal app, affecting over 150 million users. While there were enough data protections in place to secure sensitive identifying information and credit card numbers, some of Under Armour’s passwords were protected by a weaker hashing scheme that was easier to crack. The stolen passwords could then be sold or used in online scams.
Perhaps the biggest data breach story was the Cambridge Analytica / Facebook scandal. This spring, it came to light that data had been harvested from 50 million users’ profile pages to analyze and influence election results, including the 2016 presidential election.
The program collected information about each individual user who completed a personality test, but also information from those users’ online friends. This usage violated Facebook policies, which allowed collection of data only to improve in-app experiences, not for advertising or other purposes. The breach led the UK to issue a £500,000 fine (approximately US$644,000) against Facebook, which Facebook has recently appealed.
Facebook is taking a number of steps internally to prevent another Cambridge Analytica scandal, including reviewing apps that have access to large amounts of user data, and turning off an app’s access to a user’s data if the app has not been used in the past three months. Imposing and adhering to this sort of internal policy may help limit this type of data misuse. The increased GDPR data privacy protections may also help prevent another Cambridge Analytica scandal, although Facebook previously failed to adhere to an agreement with the Federal Trade Commission (FTC) regarding its users’ data privacy.
Foreign operatives also attempted to steal intellectual property from universities. In March, the US Department of Justice filed charges against an Iranian company and nine individuals for hacking into hundreds of universities around the world, including 144 in the US. The attacks involved sending phishing emails to professors in order to gain access to university data.
These attacks began in 2013, and are estimated to have stolen 31 terabytes of academic data and intellectual property.
What Can Your Company Learn From These Sensational Headlines?
In the Under Armour example, the company had many protections in place to protect users’ passwords, but its hashing protocols were flawed. Regularly reviewing and updating how you hash passwords and encrypt data can help you stay one step ahead of hackers.
You should store data separately, as Under Armour did, to ensure that financial information, including credit card numbers, is kept separate from login data.
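The lesson above, turned into code as an added example that is not from the original post or from Under Armour: an auditable password store that recognises a legacy scheme (assumed here to be unsalted SHA-1; the post names no algorithm), verifies it, and transparently re-hashes the password with salted PBKDF2-HMAC-SHA256 on the user’s next successful login, so weak hashes are retired without a password reset.

```python
import hashlib
import hmac
import os

# Storage formats used by this example (constructed for illustration):
#   legacy:  "sha1$<hex digest>"                        (unsalted, assumed weak scheme)
#   current: "pbkdf2$<iterations>$<salt hex>$<dk hex>"  (salted, slow KDF)
PBKDF2_ITERS = 600_000  # iteration count the store should be at today


def legacy_sha1(password: str) -> str:
    """Reproduce the assumed legacy hash so old records can still be verified."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def hash_pbkdf2(password: str, salt: bytes = None, iters: int = PBKDF2_ITERS) -> str:
    """Hash with a fresh random salt and the current iteration count."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return f"pbkdf2${iters}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Constant-time comparison against whichever scheme the record uses."""
    scheme = stored.split("$", 1)[0]
    if scheme == "sha1":
        return hmac.compare_digest(legacy_sha1(password), stored)
    if scheme == "pbkdf2":
        _, iters, salt_hex, dk_hex = stored.split("$")
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(cand.hex(), dk_hex)
    return False  # unknown scheme: fail closed


def needs_upgrade(stored: str) -> bool:
    """True for any legacy record, or a PBKDF2 record below today's iteration count."""
    scheme, *rest = stored.split("$")
    return scheme != "pbkdf2" or int(rest[0]) < PBKDF2_ITERS


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate; on success, silently replace an outdated hash with a current one."""
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if needs_upgrade(stored):
        users[username] = hash_pbkdf2(password)
    return True


def audit(users: dict) -> dict:
    """Count records per scheme, so the share still on the weak scheme is measurable."""
    counts = {}
    for stored in users.values():
        scheme = stored.split("$", 1)[0]
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts
```

Running `audit()` periodically shows how many records are still on the weak scheme; accounts that never log in again should be forced through a reset rather than left on it indefinitely.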
To avoid inadvertently allowing third parties to have access to your customers’ personal data, as in the Facebook case, you can follow GDPR guidance on appropriate limitations. You should also routinely audit third-party use to ensure they are adhering to your company’s privacy policies.
If you believe a third party is misusing your customers’ data, you can shut them out and ensure they dispose of the data, including backups, properly. You can also offer rewards to people who find holes in your security system.
Finally, as the Iran-University breach demonstrates, hackers do not always target automated systems. Sometimes the weakest links in data protection are humans.
You should routinely remind anyone who has access to your network – from first-semester freshmen to tenured professors – to be wary of emails from unknown sources, even emails that make it through spam filtering. Your employees should exercise extreme caution before clicking on links in these emails.
3. Data Leaks
A data leak may not seem as serious as a data breach, because it may be inadvertent disclosure, rather than a malicious attempt at hacking into your company’s data. However, a data leak can cause as much harm as a deliberate breach.
In 2018, an employee discovered that Panera Bread’s website exposed, in plain text, the personal data of users who ordered food online. It is estimated that millions of customers’ names, addresses, credit card numbers, and birth dates were vulnerable to automated tools searching for this type of data.
Making matters worse, the leak went on for at least eight months after Panera’s head of information security was made aware of the problem.
To avoid putting your company in this situation, you should continue to conduct internal audits of your company’s website and security system. You should take reports of data leaks seriously and investigate them in a timely fashion when they are brought to your attention. Most importantly, you should not let the leak continue, especially if there is a quick fix to stop it.
This article does not contain legal advice, and is for informational purposes only. Our internet privacy attorneys have significant experience helping our clients stay compliant with data privacy and protection laws, and manage data breaches when they occur. To discuss your data privacy needs, contact Revision Legal’s internet attorneys with the contact form on this page, or call us at 855-473-8474.