How to keep personal data safe when companies can’t (or won’t)

January 17, 2018 Huffington Post

By: Ale Brown

Organizations came under fire in 2017, a year of reckoning for businesses on how they managed corporate and personal data. The increase in cyberattacks, and in particular the use of ransomware, has become so pervasive that an underground ransomware market has developed in strength.

According to Carbon Black, the market for ransomware applications available for purchase, which currently accounts for approximately 45,000 different ransomware products, has grown from US$250,000 in 2016 to US$6.25 million in 2017, a staggering 2,500 per cent increase.

The stats continue with ransomware payments from affected individuals and organizations totaling close to $1 billion in 2016, up from $24 million in 2015. Ransomware is becoming sophisticated, easy to access and, most important of all, the best way to make a profit out of malware.

One thing is clear: cyberattacks, in their many forms, are here to stay.

But the question remains: are organizations incentivized to prioritize our safety, or are they more driven by self-preservation?

A tale of two cyber gaffes

Equifax and Uber were two high-profile cases last year that rocked consumer confidence and suggested the latter – self-preservation. The lack of privacy management processes shown by the two companies before, during and after the breaches has resulted in them facing serious financial and legal consequences that have significantly hindered both their profits and their credibility.

These are lessons worth learning for other businesses. Thinking of the other long-lasting implications, such as loss of customer trust and reputational damage, some companies may be forced to close their doors completely. We are living in a new world of cybersecurity and privacy awareness and we need to evolve in the way we do business today and into the future.

Equifax’s main downfall was that they were not prepared with comprehensive policies and processes outlining specifically how to handle a breach response. Instead, their approach appeared careless, ranging from directing worried customers to a questionable domain separate from their website to check whether their information had been compromised, to high-level executives selling their stocks days before the breach announcement. That does not do much to soothe the worries of thousands and indicates a lack of risk management structure being in place. Thus, their response, instead of eliminating doubt and quickly resolving the issue, actually further damaged credibility and exacerbated the situation.

Then there is Uber: another important example of a lack of transparency at a time when arguably it is needed most. More often than not, the truth will come out, and the lengths that Uber went to in paying off hackers to delete data and keep the breach secret were a huge violation of public trust. The case with Uber is worsened by the very nature of the personal information the company has access to and that was unfortunately exposed: names, email addresses, phone numbers and driver’s licenses. Therefore, if public safety were their number one priority, they would have ensured they were protected not only from a security standpoint but from a privacy management one too. Appropriate steps, laid out clearly, would not only extinguish the fire but, most importantly, minimize damage to customers.

Consumer impact: another important consequence of a data breach

Data breaches can have very hefty financial implications for a consumer. A consumer will spend on average about 20 hours and $770 on lawyers and time lost to resolve the case when they find themselves on the receiving end of a data breach.

According to PwC’s Consumer Intelligence Series, 92 per cent of customers want companies to be proactive about data protection. Although consumers want both companies and government to be involved in data protection, over half of respondents believe companies bear the larger share of responsibility. In industries as wide-ranging as finance or tech, businesses are playing catch-up when it comes to enforcing an effective privacy framework.

The most dangerous misconception consumers can have when it comes to data privacy is eschewing their share of the responsibility. Consumers have a stake in how they control their personal data and they need to act on it.

Lessons to learn

These are some of the takeaways on what to do if you find out your personal data has been compromised by a cyberattack or a privacy breach incident:

Stay alert and be proactive

First and foremost, make sure you know what businesses have your data and how they use it. If you receive letters or emails from companies you don’t recognize, call them and ask them how they obtained your information.

If a company informs you of a breach, change your account passwords and be mindful of phishing emails. If you believe your credit or debit card numbers have been compromised, reach out to the credit card company or banking institution and request a new card. Keeping an eye on your credit score for a period of time doesn’t hurt, either.

Make a complaint to the appropriate regulators

In Canada, there are different regulators responsible for ensuring that personal data is managed appropriately. If you feel a company is not using your personal data as per your expectations or if you believe your data has been compromised, you have the right to reach out to the Office of the Privacy Commissioner of Canada or to the local privacy authorities in your province.

In the case of complaints around email communications, the Canadian Anti-Spam legislation (CASL) is enforced by the Canadian Radio-television and Telecommunications Commission (CRTC) and they take these complaints very seriously.

Ask the organization for identity theft monitoring services

When there is a data breach and an organization gives you notification, in most cases they offer identity theft monitoring services. If they don’t, demand that they provide such services since you are certainly at a higher risk of identity fraud and the implications that this conveys. Identity theft monitoring usually includes insurance that will cover any costs related to an identity theft incident so it is very important to ensure you are protected.

Request the organization to erase your data

If you experience a breach and you don’t feel you will do business with this company due to lack of trust or simply because you are not interested anymore, ask them to erase whatever personal data they have that belongs to you to ensure that if an incident occurs in the future, you are not impacted by it again.

Moving forward in the cyber world

The digital world has provided great opportunities for organizations and consumers to work with each other more efficiently. When done right, this dynamic can help establish long-lasting loyalty from consumers whose lives are made easier by companies that provide them with personalized products and services.

However, protecting personal data is paramount in moving forward to continue fostering this trust and loyalty. The world of cyberattacks is here to stay, and my advice to consumers is to stay vigilant – and remember that you have options. Ultimately, protection of your personal data is in your hands.

Read the full article here: http://www.huffingtonpost.ca/ale-brown/how-to-keep-personal-data-safe-when-companies-cant-or-wont_a_23331062/