C-Suite Priorities: Privacy or Profit?
Privacy or profit, that is the question. For C-suite executives around the world, safeguarding their organization’s data and meeting government regulations without disrupting day-to-day operations has always been a careful balancing act.
In light of recent high-profile cyber-attacks in 2016 and 2017 and changing government policies regarding data privacy and security, Radware wanted to gauge executives’ views on privacy – both as individual consumers and as business leaders. To find out, Radware surveyed over 200 IT executives throughout the United States and Europe. This article provides an overview of the key findings from Radware’s Cyber-Security Perceptions and Realities: A View from the C-Suite report.
Overall, while most respondents agree that privacy is compromised by current laws and legislation related to information security, 80% feel the government should do more to protect personal information. That is true whether they were responding as business leaders or as individual citizens – and regardless of their home country.
Europe: Committed to Privacy?
Since the mid-1990s, legislation protecting the information privacy of individuals in the EU has been based primarily on EU Directive 95/46/EC, the Data Protection Directive. This legislative act set out minimum standards on data protection, offering guiding principles without specific instructions or harsh penalties for non-compliance. Because it is a directive rather than a regulation, each EU member state had to transpose Directive 95/46/EC into its own national data protection law, which led to noticeable differences from country to country.
In January 2012, the European Commission proposed a comprehensive reform of the data protection rules in the EU. Known as GDPR, it is the largest reform in data protection law in the past 20 years. The goal: to return control over personal data to EU citizens and simplify the regulatory environment for business through greater cross-EU consistency.
Slated to take effect on May 25, 2018, the GDPR governs the processing of personal data and the free movement of such data. Unlike the Directive, it is a regulation and therefore applies directly in every member state without national transposition. It imposes an entirely new set of rules and measures on any organization that controls or processes personal data in any form. Under the GDPR, “personal data” is interpreted broadly: any information relating to an identified or identifiable natural person, whether it concerns his or her private, professional or public life. Personal data can include anything from a name, picture, email address or financial details to posts on social networks or even a computer’s IP address.
Non-compliance is backed by enforcement with two tiers of administrative fines. Breaches of the core data protection rules (for example, the basic processing principles, data subjects’ rights or international transfer rules) can be fined up to €20 million or 4% of the organization’s total worldwide annual turnover, whichever is higher. Breaches of the accountability and governance obligations (such as record-keeping, security measures, breach notification and data protection impact assessments, all of which can be audited) can be fined up to €10 million or 2% of worldwide annual turnover, again whichever is higher.
The GDPR also reaches well beyond the EU’s borders. Its territorial scope covers organizations established outside the EU that offer goods or services to people in the EU or monitor their behaviour, and personal data may only be transferred out of the EU to countries whose protections the European Commission has deemed adequate, or under other appropriate safeguards. In other words, virtually any company that does business in the EU will need data protection standards equivalent to the GDPR starting in May 2018. This effectively makes the GDPR a global regulation affecting organizations around the world, and one poised to have a major impact on the competitiveness of US companies in EU markets.
In France, companies also face a specific law dating from 1978, the Loi Informatique et Libertés, which strictly supervises the use of personal data and the compilation of extensive databases containing private, personal data. For German companies, the shift to the GDPR will likely be less traumatic, as national law already mandates prompt and thorough incident reporting by any organization deemed part of “critical infrastructure.” For companies in the UK, the road may be rockier as they face considerable uncertainty related to Brexit. Initial signs suggest that most companies will still work to meet GDPR requirements, since those requirements will govern the EU residents’ data that large UK-based companies hold, whether in the UK or in other EU countries.
Undoing New Protections in the U.S.
At the end of the last presidential administration, the US Federal Communications Commission (FCC) approved a set of rules designed to increase protections for consumer privacy. As explained in an FCC news release, “The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice and security requirements for customers’ personal information.
Opt-in: ISPs are required to obtain affirmative ‘opt-in’ consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.
Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer ‘opts-out.’ All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.
Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.”
Before those rules took effect, however, Congress repealed them under the Congressional Review Act and the newly elected president signed the repeal in April 2017, signaling a US shift away from Europe in terms of privacy law. In a similar signal of deregulation, on May 18, 2017, the FCC voted to begin repealing what are commonly referred to as “net neutrality” rules. “[Net neutrality is] the idea that phone and cable companies should treat all of the traffic on their networks equally—no blocking or slowing their competitors, and no fast lanes for companies that can pay more,” as an NPR article succinctly explained.2 Adopted in 2015, these rules had placed ISPs under strict FCC oversight. Now it appears that the FCC will take a lighter touch in regulating phone and cable companies, potentially easing the regulatory burden for business but creating more privacy risk for consumers.
The Privacy Pendulum
While the EU and, in all likelihood, the post-Brexit UK are tightening the reins on consumer privacy protections, the U.S. appears to be headed in the opposite direction. How these competing forces will affect cyber security, and global competitiveness, remains to be seen.
Results by Region
In Europe, 67% of executives agree that privacy is compromised by current privacy laws and legislation related to information security.
In the U.S., the finding was similar, with 66% indicating that current laws are putting privacy at risk and 75% looking to government to do more.