Trust in Data Can Be a Competitive Advantage
As we begin to move out of the coronavirus shutdown, the last thing anyone wants to deal with is a data breach.
There has been enough upheaval in life, and people just want to figure out how to put things back together, not deal with identity theft, credit card and account changes, and credit rating hits. Thus, “cyber trust” will become a competitive factor in the marketplace, and consumers are increasingly likely to exercise their legal rights requiring businesses to protect data about them.
Privacy laws are fueling the demand for trust in data. The California Consumer Protection Act (CCPA) provides a statutory right of action and damages following “unauthorized access and exfiltration, theft or disclosure” of unencrypted and unredacted personal data if the business did not maintain “reasonable security procedures and practices.” The plaintiff’s bar has taken note. At least five class action lawsuits have already been filed using this provision. The wording of the provision goes beyond data breaches; unauthorized disclosures can sweep in improper data sharing. Zoom now has four class action lawsuits filed against it claiming violations of CCPA provisions, including that it improperly shared personal information with Facebook through its iOS app.
The Scramble to Comply
Many companies are still scrambling to meet the requirements of the CCPA, including those impacting their privacy policies. Enforcement kicked in on July 1, 2020. Under the law, consumers have the right to know what categories and specific pieces of information the company collects about them and how it will be used, shared or sold. It is important to note that the CCPA defines personal data much more broadly than the European Union’s General Data Protection Regulation (GDPR). The CCPA applies to any information that is “reasonably capable” of being associated with or linked to (directly or indirectly) a particular consumer or household.
The CCPA sweeps in a long list of included data fields, such as physical characteristics or description, address and telephone number, insurance policy number, education, passport and driver’s license numbers, biometric data, geolocation data, and “unique identifiers” such as an IP address, cookies, pixel tags, customer numbers, and mobile ad identifiers. Other data elements afforded protection include race, color, sex, gender, age, sexual orientation, and commercial information, such as records of personal property or products or services purchased.
It can be a struggle for companies to identify all the data elements they have about a person, much less list all the ways those data are being used, shared or sold. Companies that have well-established privacy practices will be more prepared in this regard than those that don’t. However, the reach of the law into technical data, such as digital identifiers, IP addresses, and pixel tags, will be problematic for many businesses that do not have strong IT and data analytics teams to help them understand their collection, use and sharing of such data.
Many other states are following California’s privacy lead. According to the International Association of Privacy Professionals, at least 10 other states have privacy legislation pending, including Illinois, Maryland and New Hampshire, which have similar private right of action provisions pending in their legislatures. New Jersey, New York and South Carolina have bills pending that provide a private right of action without a security requirement.
Trust as a Competitive Advantage
The flurry of privacy legislation has heightened consumer awareness and increased the demand for data protection. A recent McKinsey article titled “The consumer-data opportunity and the privacy imperative” states, “As consumers become more careful about sharing data, and regulators step up privacy requirements, leading companies are learning that data protection and privacy can create a business advantage.” McKinsey surveyed 1,000 North American consumers and found that consumers are more careful about what they share and who they share it with. Consumers trusted financial and healthcare companies the most, but even they scored only 44%—the highest rating.
More than half of the consumers surveyed told McKinsey that they valued email content, the identity of email recipients, the content of downloaded files, and chat rooms and groups the most, calling privacy protections for this information “very important.” Since about half of the respondents said they were more likely to trust a business that asks only for data that is relevant to its product or which limits the amount of data it collects, McKinsey determined, “These markers apparently signal to consumers that a company is taking a thoughtful approach to data management.” McKinsey noted that consumers “may even vote with their feet” and walk away from doing business with companies whose data-privacy practices they don’t trust, don’t agree with, or don’t understand.
About half of the consumer respondents also indicated a higher trust level in companies that reacted quickly to hacks or breaches and proactively reported them. The cyber criminals have had a field day during the coronavirus shutdown, and many businesses probably do not yet realize that they suffered an attack or have malware in their system. These things are much harder to detect when IT and security staff monitor the system from home and are unable to keep up with patches and software updates.
Companies that want to come out of the shutdown with a competitive edge will begin focusing on the customer and their data, and will make sure their privacy and cyber-security programs are robust, their data inventories and data mappings are complete, and any sharing or sale of the data has been carefully analyzed and documented. Agents and brokers can help their clients analyze their coverage and understand new privacy liabilities and risks.