How To Keep Personal Data Safe When Companies Can't (Or Won't)

Are organizations incentivized to prioritize our safety, or are they more driven by self-preservation? At times, it can be the latter.

01/16/2018 10:42 EST | Updated 01/16/2018 10:46 EST

Organizations came under fire in 2017, a year of reckoning for businesses on how they managed corporate and personal data. The increase in cyberattacks, and in particular the use of ransomware, has become so pervasive that an underground ransomware market has developed in strength.

According to Carbon Black, the market for ransomware applications available for purchase, which currently comprises approximately 45,000 different ransomware products, has grown from US$250,000 in 2016 to US$6.25 million in 2017, a staggering 2,500 per cent increase.

The stats continue with ransomware payments from affected individuals and organizations totaling close to $1 billion in 2016, up from $24 million in 2015. Ransomware is becoming sophisticated, easy to access and, most important of all, the best way to make a profit out of malware.

One thing is clear: cyberattacks, in their many forms, are here to stay.

But the question remains: are organizations incentivized to prioritize our safety, or are they more driven by self-preservation?

A tale of two cyber gaffes

Equifax and Uber were two high-profile cases last year that rocked consumer confidence and suggested the latter: self-preservation. The lack of privacy management processes shown by the two companies before, during and after the breaches has resulted in them facing serious financial and legal consequences that have significantly hindered both their profits and their credibility.

These are lessons worth learning for other businesses. Thinking of other long-lasting implications, such as loss of customer trust and reputational damage, some companies may be forced to close their doors completely. We are living in a new world of cybersecurity and privacy awareness and we need to evolve in the way we do business today and into the future.

Equifax's main downfall was that they were not prepared with comprehensive policies and processes outlining specifically how to handle a breach response. Instead, their approach appeared careless, ranging from directing worried customers to a questionable domain separate from their website to check whether their information had been compromised, to high-level executives selling their stocks days before the breach announcement. That does not do much to soothe the worries of thousands and indicates that no risk management structure was in place. Thus, their response, instead of eliminating doubt and quickly resolving the issue, actually further damaged credibility and exacerbated the situation.

Then there is Uber: another important example of a lack of transparency at a time when arguably it is needed most. More often than not, the truth will come out, and the lengths that Uber went to in paying off hackers to delete the data and keep the breach secret were a huge violation of public trust. The case with Uber is worsened by the very nature of the personal information the company has access to and that was unfortunately exposed: names, email addresses, phone numbers, and driver's licenses. Therefore, if public safety were their number one priority, they would have ensured they were protected not only from a security standpoint but from a privacy management one too. Appropriate steps, laid out clearly, would not only extinguish the fire but, most importantly, minimize damage to customers.

Consumer impact: another important consequence of a data breach

Data breaches can have very hefty financial implications for a consumer. A consumer will spend on average about 20 hours and $770 on lawyers and time lost to resolve the case when they find themselves on the receiving end of a data breach.

According to PwC's Consumer Intelligence Series, 92 per cent of customers want companies to be proactive about data protection. Although consumers want both companies and government to be involved in data protection, over half of respondents believe companies bear the larger share of responsibility. In industries as wide-ranging as finance or tech, businesses are playing catch-up when it comes to enforcing an effective privacy framework.

The most dangerous misconception consumers can have when it comes to data privacy is eschewing their share of the responsibility. Consumers have a stake in how they control their personal data and they need to act on it.

Lessons to learn

These are some of the takeaways on what to do if you find out your personal data has been compromised by a cyberattack or a privacy breach incident:

Stay alert and be proactive

First and foremost, make sure you know what businesses have your data and how they use it. If you receive letters or emails from companies you don't recognize, call them and ask them how they obtained your information.

If a company informs you of a breach, change your account passwords and be mindful of phishing emails. If you believe your credit or debit card numbers have been compromised, reach out to the credit card company or banking institution and request a new card. Keeping an eye on your credit score for a period of time doesn't hurt, either.

Make a complaint to the appropriate regulators

In Canada, there are different regulators responsible for ensuring that personal data is managed appropriately. If you feel a company is not using your personal data as per your expectations or if you believe your data has been compromised, you have the right to reach out to the Office of the Privacy Commissioner of Canada or to the local privacy authorities in your province.

In the case of complaints around email communications, the Canadian Anti-Spam Legislation (CASL) is enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), which takes these complaints very seriously.

Ask the organization for identity theft monitoring services

When there is a data breach and an organization notifies you, in most cases they offer identity theft monitoring services. If they don't, demand that they provide such services, since you are certainly at a higher risk of identity fraud and its implications. Identity theft monitoring usually includes insurance that will cover any costs related to an identity theft incident, so it is very important to ensure you are protected.

Request the organization to erase your data

If you experience a breach and you don't feel you will do business with this company due to lack of trust or simply because you are not interested anymore, ask them to erase whatever personal data they have that belongs to you to ensure that if an incident occurs in the future, you are not impacted by it again.

Moving forward in the cyber world

The digital world has provided great opportunities for organizations and consumers to work with each other more efficiently. When done right, this dynamic can help establish long lasting loyalty from consumers whose lives are made easier by companies that provide them with personalized products and services.

However, protecting personal data is paramount in moving forward to continue fostering this trust and loyalty. The world of cyberattacks is here to stay, and my advice to consumers is to stay vigilant — and remember that you have options. Ultimately, protection of your personal data is in your hands.
