The evolution of privacy requirements and risks has progressed at lightning speed; we’re a far cry from listing “dumpster diving” as a critical risk in exposing personally identifiable information (PII) as we did 20 years ago. Paper shredding may still have its place in security protocols for now, but today, the rapid advancement of technology and “big data” has created data privacy risks that are primarily digital in nature.
We never could have predicted exactly what 2020 would look like 20 years ago, but by analyzing current trends and developments, a basic pattern emerges – one that we can apply to the year ahead: Advancements in technology will continue to create new products and services, while new and increasing privacy risks will be presented relative to the data driving these new technologies. As a result, new and enhanced regulations will be adopted in attempts to mitigate or address these risks. Here are a few developments that I predict will emerge as a result:
With the proliferation of ransomware and hacking for the purposes of PII collection and creating disruption, cybersecurity protections must be upgraded. The global interdependence of financial firms calls for a coalition of the best minds in cybersecurity and data privacy to develop and share holistic data standards and programs. This will be no easy endeavor, but a collective pool of data security experts sharing their tools and techniques for the benefit of all seems to be the best way to address and solve the global epidemic of cybercrime.
Federal Versus State Privacy Standards
While the financial services industry has been federally regulated for many years, businesses in other sectors have just begun to grapple with newly-enacted data privacy legislation on the state level. Many states, including but not limited to California, Massachusetts, New York Hawaii, Maryland, Washington, Florida, and North Dakota either have passed or have pending legislation enacting data privacy laws.
The very definition of personal information is, at present, an evolving conversation, and in 2020 will continue to expand to include any data that can be reasonably linked to a particular consumer or household. Additionally, the right to access one’s personal information, the right to the correction of information, the right to data deletion, and the right to take private legal action for data privacy-related offenses are typical features of recent regulations. This trend will continue in 2020 and expand to more states, until eventually, a federal data privacy law is enacted – a concept that’s already being discussed in earnest.
Management of Third Parties
The sharing of information with third-party vendors to facilitate the delivery of products and services requires the sharing of PII. This requires that the third party be subject to the same regulatory and compliance standards for the use and safeguarding of PII as the originator.
This requires more stringent third-party risk management, as regulators will levy heftier fines and penalties for information misuse, or weak and ineffective data controls and standards. This will extend far beyond contract provisions that address data safeguards and controls within the third party. Periodic risk assessments must be conducted by originators to confirm policy and procedural compliance. Regulators will increase their focus to ensure compliance and adequate third-party oversight.
Facial Recognition and Privacy
Recent advancements in facial recognition technology have brought the topic to the forefront of privacy debates. This technology provides an enhanced and efficient security feature for access to phones and other devices but also poses great risks if not properly controlled. In China, the use of facial recognition is used to keep tabs on citizens, while in the UK, the recent expansion of facial recognition use by law enforcement enables real-time personal identification.
US investigative and law enforcement agencies are beginning or may soon adopt this technology to enhance their surveillance capabilities. This is seen by many as an erosion of civil liberties, and a significant violation of the right to privacy guaranteed by the US Constitution. Few states in the US have sounded any alarms of these risks – through Illinois just won a suit against Facebook last week over the tech giant’s misuse of biometric data. Ultimately, this technology will proliferate so quickly that a federal standard will need to be created.
Disposal of Dormant PII
Financial institutions have long been subject to the Data Disposal rule. The Federal Trade Commission, the nation’s consumer protection agency, enforces this rule which states that once a business is finished with sensitive information derived from consumer reports, a company must take steps to dispose of it securely. The Disposal Rule applies to consumer reports or information derived from consumer reports. This law was enacted to protect the privacy of consumer information and reduce the risk of fraud and identity theft.
While many organizations outside the financial sector have not been required to comply with the rule, new legislation like CCPA may encourage a shift, especially as increasing cases of data breaches and related ID theft occur. Mounting risk, combined with the financial burden that comes with maintaining voluminous amounts of unused data will encourage timely disposal or deletion of unused data.
Additionally, regulators will begin to focus on this area and confirm that actions are in place to delete this data when it is no longer needed, and programs will be developed to identify unused or dormant PII.