Data is, without a doubt, any business’ greatest asset at the moment. Efforts around Big Data analytics, personalization and more seek to use customer data to direct changes in operations and optimize the customer experience. But with that enhanced use of data comes questions around privacy and security and how organizations can contend with new regulations, such as the General Data Protection Regulation set out in Europe, as well as shifting user expectations.
Professor Christian Espinosa, Instructor of Cybersecurity, Maryville University. Photo courtesy of Maryville University.
Data Privacy Day is the perfect time to raise these questions. The day presents an opportunity to expand education and awareness around data, as well as to encourage users and businesses to protect their information online.
In honor of Data Privacy Day, BizTech spoke with professor Christian Espinosa, an instructor of cybersecurity at St. Louis-based Maryville University with 25 years of experience in the cybersecurity industry, who has also served as a network and systems engineer, a white hat hacker and security consultant. Here, Espinosa lays out the data privacy environment for businesses, evolving vulnerabilities and what can be done to advance protections.
BIZTECH: What does the data privacy landscape look like in the U.S. right now?
ESPINOSA: The U.S. is slightly behind Europe when it comes to data privacy regulation, as the General Data Protection Regulation has set the standard there. But we are moving more toward the protection of consumer personal health information and personally identifiable information with regulations like the California Consumer Privacy Act.
BIZTECH: What do you think are the greatest threats to personal data at the moment?
ESPINOSA: Most consumers don’t understand what can be done with someone’s personal data, which means that the greatest threat is simply the vulnerabilities we haven’t thought of yet.
For example, wearable devices now can measure everything from heart rate to body temperature. That data, which is associated with your identity, is sent to your smartphone, which could be compromised, and from there it’s sent to the cloud, which could also be prone to hacking.
Moreover, that data could be used for various things that might make the consumer feel uncomfortable. Sleep data could be associated with stress levels, which could then be used by insurance companies to adjust rates based on those sleep patterns.
Ultimately, there are use cases for all this personal data that people simply can’t comprehend.
BIZTECH: What might the near future bring as personalization, analytics and other initiatives prompt businesses to collect more data, something consumers might not be comfortable with or aware of?
ESPINOSA: With wearable devices in particular, there are several ways that organizations or industries could collect, analyze and make decisions based on this data.
Take sports betting, for instance. Now, an athlete often uses a heart rate monitor. If a field goal kicker’s heart rate is below 60 percent, their chance of getting a field goal is 90 percent. If it’s above that, it’s much lower. In real-time sports betting, tapping into this information could sway the entire gambling industry.
BIZTECH: How is data privacy in the future likely to be influenced by consumer expectations and shifting standards, like GDPR and the California Consumer Privacy Act?
ESPINOSA: There are two perspectives on this: the one of the consumer and the one of the organization. The consumer will have this expectation with the advent of legislation like GDPR that they will have the right to be forgotten, and that if they don’t want an organization to have their data, it will be removed. This comes with an increased awareness and sense of control from the consumer.
For the organization, these types of legislation should prompt them to think about whether or not they actually need to collect the data, because there will be more regulations and restrictions around its use. In the past, there hasn’t been regulation to say that they must delete data upon a consumer request or handle it in a certain way, so it was collected more freely. Now, businesses will need to think twice.
BIZTECH: What can businesses do to improve data transparency and security for consumers as expectations change?
ESPINOSA: Businesses need to be transparent. Right now, most organizations have a privacy statement that explains how they deal with data, but transparency needs to go several steps further. Businesses should specifically explain to consumers what the data is, how it’s been collected, its intended use and the reason behind using it. Moreover, they should explain how they plan to protect it.
And, if the consumer doesn’t want that data collected, there should be a way for the consumer to request that it be removed, and a way for the organization to confirm or validate the removal of the data from all systems.
BIZTECH: Are there any tools or technologies that can help businesses and healthcare organizations improve data privacy and security efforts?
ESPINOSA: There are tools that help, but there is no silver bullet. Manually documenting the flow of data that needs to be protected — from data acquisition to data disposal — is the most critical aspect. Once this is documented thoroughly with a tool such as Microsoft Visio, controls can be designed and put in place to control access, encrypt data, track the data, log access and transactions, etc.
BIZTECH: Is there one thing you want organizations to understand about data privacy and security?
ESPINOSA: People need to understand that it seems like there is a simple solution, but there really isn’t. As organizations move to implement GDPR and other privacy requirements, it becomes apparent that, if someone wants data removed, there’s not a single button you can push to remove it.
Once you get data into your environment, it’s extremely difficult to even know where it exists. Data often lives on a mobile app, desktop app and in the cloud simultaneously. Even if it’s removed from one area, there’s a high probability it still exists in other locations.
BIZTECH: If you could wave a magic wand and change one thing about data privacy and security, what would it be?
ESPINOSA: If I could change one thing it would be that organizations actually understand the data flow of consumer data and data they are trying to protect. Most organizations don’t even understand how the data is stored, removed, or who has access to it.
Organizations should seek to build out a data flow diagram and clearly outline the lifecycle of consumer data, PHI and PII, which would make everything a lot easier.