There is more to data privacy than getting hacked.
Data privacy is all about how a company gathers and protects data. Fortunately, there is more than one line of defense, according to a recent joint study conducted by the International Association of Privacy Professionals (IAPP) and Bloomberg BNA, a source for legal, regulatory, and business information.
The "Assessing and Mitigating Privacy Risk Starts at the Top" study concluded that companies of all sizes are looking at data privacy as an issue of concern. It polled 347 internal privacy professionals on a number of issues, asking them to rate risks on a scale of 1 (no worry) to 5 (very concerned). They were also asked to identify the size of their companies.
"There is a lag in how companies are approaching their data privacy and data security programs," noted Brian Kudowitz, commercial product director for privacy and data security at Bloomberg BNA. Firms that deal with financial services, retail, healthcare, and hospitality are more aware of these issues. "Other companies are still catching up," Kudowitz said.
Kudowitz draws a clear line between the terms "data privacy" and "data security." They are not the same thing.
Data Security, Data Privacy Are Different
Data security is in the realm of IT, where it meets the technical standards for protecting the data itself. Data privacy is more about what information is collected, how the information is used, and how it is transferred, Kudowitz explained.
Despite these subtle differences, there is a connection between the two. For example, a company may try to prevent an inside hack by gathering employee data. The mission may be data security, but the gathering of the data is a data privacy issue.
There is a cluster of four factors that respondents identified as crucial in addressing the data privacy challenge: leadership buy-in (88%), corporate training and education (86%), IT resources (86%), and IT ability (84%). Of the four, leadership buy-in is the key. If the boss is not on board, it results in a chain reaction that chokes off funding for training, education, security, and compliance, Kudowitz pointed out.
Is The Cloud More Secure?
More tech-minded observers might argue that storing corporate data in the cloud would probably improve a company's data security. But here Kudowitz sounded a cautionary note: "Cloud creates further risk exposure. Many measures taken, while they offer a solution, also create opportunities for other issues to arise."
In other words, every solution raises a new, different set of problems. "This speaks to the complexity of this area of the law," Kudowitz said.
To help put some of these challenges into perspective, Bloomberg Law: Privacy and Data Security is offering "chart builders," a time-saving practice tool that can integrate and display regulatory law on data handling and breaches across different states and provinces. "Part of managing risk is understanding differences from jurisdiction to jurisdiction," Kudowitz said.
Among other findings, the survey respondents identified brand impact (61%) as a bigger worry than data breach (58%) for US firms. "Brand holds a lot of value," Kudowitz said. Companies spend years, if not decades, building up a brand. If customers associate the brand with a bad experience arising from a data breach, they would probably avoid the store or the good that brand represents. At this point, it is not the loss of money but the viability of the company that is at stake, Kudowitz pointed out.
Also, respondents from larger US companies are more likely to rate outside counsel as the most important asset in risk mitigation (64%) compared with IT security (43%).
Outside counsel can figure out the common denominator of legal protection across various jurisdictions when companies deal with data privacy issues, Kudowitz noted. "They also have to deal with incidents when they arise," he said.
But there is a bit of crossover between outside counsel and in-house IT.
"One can't be a remedy for the other," Kudowitz said. "IT can't replace the assessment of privacy concerns. Getting outside counsel can't replace leveraging sophisticated information security." Companies can benefit from the overlap between IT and outside counsel, he added.