EDP is a 3-legged stool

External Data Privacy (EDP) Management is a Three-Legged Stool and It’s Up to Us

When it comes to protecting our external data privacy from the prying eyes and greedy hands of hackers, cyber criminals and threat actors of all kinds, no one is coming to save us.  Not our government, not the business community, not non-profit or advocacy groups.  Yes, all of these parties must play a role.  But it is up to us.  We the people, the citizens, the workforce, the advocates, the individuals.  We are the ones we’ve been waiting for!

This inspirational line was penned by American poet June Jordan, who presented her “Poem for South African Women” to the United Nations on August 9, 1978, commemorating the 20,000 or more women who risked great harm protesting the apartheid pass laws in Pretoria on August 9, 1956.  The line has been invoked many times since, by President Barack Obama in his 2008 campaign speeches and by many others.  The notion is a powerful one: each of us, individually and collectively, is responsible for solving the problems that vex us all.

Today, Privacy Bee for Business invokes this idea as it relates to the crisis of data privacy exploitation and the global tsunami of data breaches, the result of weak or absent external data privacy (EDP) practices.  The vulnerability of every one of us to exploitation by cyber criminals, identity thieves, hackers and threat actors of every stripe is on full display.  The daily news contains story after story of data breaches affecting businesses of all sizes, governments at the federal, state and local levels, and organizations public and private.  The routine compromise of hundreds of millions of people’s personal data seems an overwhelming challenge without a viable solution.  Yet EDP is central to any solution.

What is society to do about this seemingly insurmountable and dangerous problem?  Who is working on the EDP problem?  Who will come to the rescue of us all?  The answer lies not in any single group or organization.  The answer must therefore come from us.  We ourselves are the ones we’ve been waiting for.  We’re the ones who must, each as an individual, accept responsibility for external data privacy management.  It’s a problem so vast that it will require the action of millions to lift the burden off the collective shoulders of humanity.  As the saying goes, “many hands lighten the load.”

What does this mean in practice?  It means each of us has to cultivate a true understanding of privacy and of what we can do to protect it for ourselves, our businesses and our fellow citizens.  Yet, according to Pew Research, 78% of Americans say they understand very little or nothing about what business and government do with the data they collect.

Those of us in the workforce must advocate for privacy to be a priority in the organizations, public and private, where we work.  Those of us in public service and government must advocate for privacy to be a priority in legislation, judicial matters and regulatory actions.  To build this true understanding of external data privacy, it is instructive to think of privacy management, and in particular external data privacy management, as a three-legged stool.

This paper defines the three legs forming the foundation necessary to move forward as a global society free from the specter of exposure and damage at the hands of threat actors.  Whether they seek to hijack our identities for personal gain, unduly influence political or social structures, steal intellectual property, commit terrorism, pursue industrial espionage or simply engage in malicious mischief, cyber criminals and threat actors can only be neutralized if all three legs of the stool are strong.

Leg One – Large Organizations Public & Private | Businesses, Non-Profits, NGOs

Pew Research Center’s 2023 report, “How Americans View Data Privacy,” revealed that two out of three Americans don’t believe it is possible to go through daily life without having their data collected by the companies and organizations they interact with.  From the same Pew report come the following eye-opening statistics:

81% said they have little to no control over the data companies collect about them 

81% also said the potential risks of allowing companies to collect their data outweigh the benefits

79% are either very or somewhat concerned about how their data is being collected and used by companies

59% admit having very little to no understanding of what companies do with the data they collect

Despite these findings, almost eight in ten Americans are asked to agree to a privacy policy at least once per month.  A full quarter say this is a near-daily occurrence.

Americans may not be entirely educated on how their external data privacy is being manipulated and abused.  But more than ten years ago, nearly nine in ten people already knew enough to say that their willingness to share personal data with an organization depended on how much they trusted that organization.

88% of users told PriceWaterhouseCoopers researchers back in 2012 that their willingness to share personal data depends on how much they trust a company. 

60% of users said they’d spend more money with a brand they believed trustworthy when it comes to protecting their personal data, according to the 2021 Global Consumer State of Mind Report, an annual benchmark study produced by data anonymization company Trūata.

How Public & Private Organizations Currently Handle External Data Privacy

In the absence of a unifying standard for external data privacy (or data privacy in general) applied by governmental regulators, most organizations are left to their own devices when it comes to protecting the PII of their customers.  That is to say, the free market is at work in this regard.  All industries are essentially self-policing when it comes to data privacy protection, and the implication is that those with higher trust (read: stronger security policies) earn a larger proportion of the available market share.

self-policing – noun

self-pə-ˈlē-siŋ 

: the act or action of supervising the activities or policies of one’s own group in order to prevent or detect and address violations of rules and regulations without outside enforcement

Clearly, many organizations seek competitive advantage in their respective fields by delivering (or at least producing the credible appearance of) a safe and secure data environment.  Knowing that 60% or more of consumers will spend more with an organization they perceive as trustworthy is a powerful profit motive.  However, there is still no mechanism by which the public can accurately measure any organization’s efforts against a common benchmark.  And sooner or later, organizations of every kind, even those making a conspicuous showing of privacy concern, suffer a data breach, and their trust profile is diminished.

As litigation mounts against high-profile companies for data protection failures after data breaches are made public, some are beginning to get out of the business of gathering consumer data.  Consider the recent $115 million class-action settlement paid by Oracle.  The high cost of the settlement, combined with the opportunity loss and reputation damage that followed, was enough to compel Oracle to cease building dossiers on consumers with whom it had no first-party relationship.

Clearly, left to their own devices, and in spite of the significant budgets and effort allocated to preventing data breaches, no organization is safe from becoming a victim.  It is becoming evident to businesses and other organizations that something different must be done.

How Public & Private Organizations Can Succeed at EDP

Privacy Bee for Business is changing the way organizations approach EDP and build defenses against data exfiltration, breaches, ransomware and other forms of privacy-driven cyber crime.  With the growing awareness that external data privacy is essential to cybersecurity as its lodestar, Privacy Bee delivers an array of scanning tools, audits and assessments at no cost to organizations.  These free tools help an organization of any size, from the SMB with ten employees to the enterprise with ten thousand, gain concrete measurements of its risk exposure.

The External Data Privacy Audit (EDPA) is a web-based privacy app that lets an organization quickly and easily scan its employees’ external exposure and produce an extensive profile.  It identifies privacy exposures and vulnerabilities, then extrapolates the potential financial impact of a breach across the company.  It is a critical view into risk assessment, operational inefficiency, emerging cyber risk and external data privacy management.

A unified employee audit, the EDPA brings together real-time dark web monitoring with 24/7 active clear web monitoring (data brokers, people search sites, paste sites and more).  The impact assessment formulated by the EDPA lays a foundation for a comprehensive cost-benefit analysis.  Any organization can deploy the EDPA at no charge.  Learn more about the EDPA here.

The Privacy Risk Assessment (PRA) is another free tool, used to evaluate internal procedures as part of efforts to improve business privacy and de-risk the business from exposure to PII-fueled spear phishing and other social engineering attacks.  The PRA consists of roughly 75 questions and takes about an hour to complete.  It explores how customer and employee data is managed by your organization, illuminating opportunities for improvement, unmitigated risk or insufficient GRC.  Once completed, the answers are used to derive the business’s Privacy Risk Score.  With the hard data delivered by the PRA, an organization has metrics it can use to set goals for lowering privacy risk.

Learn more about the PRA here.

Empowering privacy management by appointing a Chief Privacy Officer is a step more organizations have been taking recently.  As it becomes clear that the traditional cybersecurity methodologies and practices managed by a CIO or CISO do not extend sufficiently to the distinct tasks of EDP management, forward-thinking organizations are creating the executive position of Chief Privacy Officer (CPO).

In a press release highlighting recent research findings, the National Association of State Chief Information Officers (NASCIO) wrote, “With privacy emerging as a critical policy priority, spurred by the absence of comprehensive federal legislation, an increasing number of states are taking matters into their own hands, enacting privacy laws and officially appointing Chief Privacy Officers to oversee their implementation and develop privacy programs.”

NASCIO’s research reveals that only 24% of the states polled reported having an established privacy program.  Yet the prevalence of the title “chief privacy officer” has surged to 88%, indicating the growing recognition and institutionalization of the role within state governments.  These two figures alone suggest that organizations are beginning to recognize the imperative.

As discussed in the Privacy Bee for Business white paper titled “Become a Data Privacy Hero and Earn a Corner Office as Chief Privacy Officer,” ambitious professionals with foresight can play an integral role in bringing better EDP management to their workplace.  In doing so, they do their individual part in strengthening the first leg of the three-legged stool that protects us all.

Leg Two – Governments and Regulatory Bodies

Without doing a deep dive into the history of privacy regulation, it is sufficient to say that in the United States there is no comprehensive federal privacy law setting a minimum threshold for how personal data is collected, processed and protected; the federal laws that do exist cover only particular sectors or data types.  It is fair to say that America’s European counterparts in government have been more proactive in regulating this space.

The European Union adopted its General Data Protection Regulation (GDPR) in 2016, and it has applied since May 25, 2018.  A comprehensive privacy law, the GDPR applies across all industry sectors and to companies of all sizes, laying down the rules for the protection of personal data and for the movement of that data.

The EU’s GDPR served as a model for California’s data privacy regulation.  In 2018, California state legislators passed the California Consumer Privacy Act (CCPA), and in 2020 California voters expanded it by approving the California Privacy Rights Act (CPRA).  Read the details of these two laws and the regulations they mandate at the International Association of Privacy Professionals (IAPP) site here.

The state of California, with an economy ranked among the largest in the world, is certainly better off for having instituted these regulations.  In the wake of their passage, eighteen other states have since passed state-level privacy legislation, including CO, CT, DE, FL, IN, IA, KY, MD, MT, NH, NE, NJ, OR, TN, TX, UT and VA.  However, the lack of a federal standard hampers the efficacy of efforts to interrupt the ongoing onslaught of data breaches and other cyber crime.

In an executive order issued July 9, 2021, President Joe Biden encouraged the Federal Trade Commission to establish federal “rules on surveillance and accumulation of data.”  While this is a laudable goal, an executive order cannot itself create binding privacy law; it can only ask an independent agency such as the FTC to act, and so it relies on the support of others to yield significant change.

Writing in Forbes magazine, technology expert Joe Toscano decries the ineffectiveness of relying on large organizations to police themselves when it comes to privacy protection.  Toscano speaks with privacy advocate and tech executive Vijay Sundaram.  Sundaram notes, “For far too long Big Tech companies have been able to operate under self-serving business models that are harmful to consumers and competitors alike.”  Sundaram continues, “Preventive regulation must address these business models that brazenly use online surveillance and the accumulation of users’ data to drive their own profits while limiting competition.  The current approach to self-regulation is about as enlightened as asking the fox to watch the chicken coop.”

Toscano suggests federal intervention and regulation are needed to break up what he characterizes as a monopoly in Big Tech when it comes to data privacy.  He points to Connecticut Senator Richard Blumenthal’s recent letter to the Federal Trade Commission urging antitrust action against the large data brokers and other Big Tech organizations that have been able to surveil Americans with virtually no consequences for years.

As discussed in the Privacy Bee for Business white paper titled “Who Guards the Guards? The Scourge of Data Broker Breaches and How to Stop Them,” data brokers are long overdue for accountability.  There are presently no requirements or limitations on who can become a data broker in the US.

Renowned cyber security and data privacy journalist Brian Krebs writes at his popular infosec site, KrebsOnSecurity, “You see, here in America, virtually anyone can become a consumer data broker. And with few exceptions, there aren’t any special requirements for brokers to show that they actually care about protecting the data they collect, store, repackage and sell so freely.”  No one is actively monitoring the trafficking of weapons-grade PII (personally identifiable information).

How Government & Regulatory Bodies Can Succeed at EDP

Beyond Congressional action to pass new privacy legislation with teeth and enforceability, our government can do more to empower individuals.  Again, we are the ones we’ve been waiting for when it comes to making external data privacy management a regular part of best practices.

One way government is acting, short of Congressional action, is by providing incentives to attract talent to positions essential to data privacy.  To this end, the Biden administration recently launched an initiative to encourage careers in cybersecurity, as businesses try new tactics to get unfilled IT security roles staffed.  Presumably, many of these unstaffed roles include the CPO roles and other privacy management positions discussed earlier as part of the first leg of the three-legged stool.

In September 2024, the White House Office of the National Cyber Director (ONCD), in collaboration with the Office of Management and Budget (OMB), announced the “Service for America” initiative, which is part of the National Cyber Workforce and Education Strategy (NCWES).  The announcement came as the US faces a significant cybersecurity talent shortage, with 225,200 more workers needed to fill nearly 470,000 job openings, according to a June report from CyberSeek.

At the most granular level, individuals working at every level of government, from municipal to state to federal, must advocate for more and better privacy legislation and regulation.  Again, we’re the ones we’ve been waiting for.  As more Americans clamor for action, those on the inside of governance are best situated to lead the charge.  To these public servants, Privacy Bee for Business offers an exhaustive repository of privacy legislation in the resource section of its website.  These resources are useful for educating oneself on the patchwork of existing regulations and for providing insight into how more comprehensive legislation could be crafted.

Leg Three – Individuals like You

Individual Responsibility – Like wearing seat belts or going to the gym, individuals must take ownership of their privacy and protect it as they would their other critical personal interests.  This means bringing privacy matters to the attention of your workplace leadership and modeling the correct behavior in the workplace.  It means pressing your elected representatives to focus their efforts on protecting your data privacy.  And it means actively ensuring, in your personal affairs, that you make safe and secure decisions as you traverse the internet, protecting yourself and others.

We are the ones we’ve been waiting for when it comes to protecting data privacy.  And it seems the younger generations are at the forefront of the movement.  The Cisco 2023 Consumer Privacy Survey revealed that younger consumers are exercising their rights through data subject access requests (DSARs) at rates far above their older cohorts.  As the report’s graphs illustrate, the number of Americans exercising DSAR deletions is rising year over year, and the mechanism is best understood by 18-to-24-year-olds.

A DSAR is the mechanism by which a consumer can compel an organization to disclose what personal data it holds about them and, under laws such as the GDPR and the CCPA/CPRA, to delete that data from any database where the organization may hold it.  A deletion request is the actionable step taken once an individual has learned that their unsecured external data is exposed.  By issuing DSARs, an individual secures their personal data one exposure at a time.

With the average individual’s data exposed at roughly 3,500 locations on the web (data brokers, people search sites, public records, social media sites and so on), reducing this level of exposure is a very labor-intensive process.  That is what Privacy Bee for Business (and Privacy Bee for Consumers) delivers for the cost of the user subscription.  As noted, the diagnostics, the EDPA, the PRA and other solution elements, are offered at no cost.  They help users understand their personal risk exposure and that of the organization they work for.  But it is the DSAR process itself that requires time and effort to issue, monitor, confirm and repeat.

Other findings from the Cisco report point toward the necessity of individual participation in data privacy advocacy.  From a recent IAPP news article on the report:

Government’s role in privacy

Consumers want the government to take the lead in protecting privacy, and respondents [to the Cisco study] overwhelmingly indicate support of their country’s privacy laws. Sixty-six percent of survey respondents said privacy laws have had a positive impact, compared with only 4% who said they’ve had a negative impact.

Privacy law awareness

Awareness of privacy law is a critical enabler of consumer confidence. Among consumers who are not aware of their country’s privacy laws, 40% felt confident they could protect their personal data. Among consumers who are aware of the privacy laws, it’s 74%, a significant difference.

How Individuals Can Succeed at EDP

The very best thing an individual can do to succeed at external data privacy management is to understand that practicing good EDP hygiene protects everyone, not just oneself.  Similar to covering your mouth when you sneeze, covering your own data privacy helps protect everyone around you from becoming infected.  You can be the one you’ve been waiting for when it comes to enacting the solution to the vexing challenge of data breaches and all the cyber crime they enable.

Be a vocal supporter of data privacy in your workplace.  You needn’t be a member of the IT department to share information about Privacy Bee for Business with your executive leadership.  There’s plenty of information on the website about how the solution succeeds, potentially saving millions of dollars and driving exceptional return on investment (this white paper details the ROI potential).

Be a staunch proponent of EDP in your community and as a voter.  Stay abreast of all efforts at your local level, in state government and at the federal level. Educate yourself on the legislation and regulation being proposed to protect your interests and those of all around you.  Share what you learn with your family, friends and community. 

Take control of your own personal external data privacy by engaging Privacy Bee for Consumers to protect your identity and those of your immediate family.  Better still, if you can convince your employer to engage Privacy Bee for Business, your coverage will be paid for by your employer.  Either way, the cost of the Privacy Bee service is nominal, and the benefits far outweigh both that modest cost and the outsized risk of leaving your personal data unsecured.
