2017 was full of emerging technology and data breaches. There is reason to believe that 2018 will be more of the same.
Here are some observations on trends for 2018.
- Blockchain – While not exactly a privacy issue, it is tied to security. Blockchain technology creates a decentralized, digital ledger of transactions—so far a “tamper-proof” record—of who owns what. Ubiquitous in connection with bitcoin and other cryptocurrency discussions, blockchain technology has many other uses, such as in supply chains and medical recordkeeping, which will likely intensify in 2018.
- Biometrics – Biometric data is as biologically unique to each individual as fingerprints and gets special protection. Unlike social security numbers, biometric information cannot be changed if compromised. Several states have enacted laws regarding biometric information. Because of Illinois’ private right of action law, Google’s “art selfie” feature is not offered there, and facial and fingerprint scan technology used in connection with employment can be affected.
- Internet of Things (“IoT”) – Data is being collected everywhere from devices on you, in you, in your home, in your car and around you. Privacy and data security concerns have migrated from healthcare and financial services to include appliances, toys, cars and fitness tracking devices. When this data is linked to other data, others arguably know more about you than you know yourself. Businesses collecting this data need to pay attention to what they do with it, how they protect it, and what disclosures they make about the data’s collection and use. Privacy and data security issues are crucial to many businesses, beyond traditional privacy- and security-focused businesses in the financial and healthcare sectors. Regulations abound and vary from jurisdiction to jurisdiction.
- Artificial Intelligence (“AI”) – Once something out of a science fiction novel, AI is now incorporated into any major software development. Machine learning can be something as simple as auto-correct or auto-complete, or as complex as autonomous vehicles, smart home monitoring products and robots. An interesting wrinkle: when AI software interacts with other software programs to obtain data, does that add additional users’ costs, etc. under the licenses for the software with which it connects?
- Compliance – More states are enacting or enlarging laws relating to data collection, security requirements and breach notification. Federal laws already apply to certain industries including financial services, healthcare and government contractors, and there has been talk of broader federal regulation. Outside the US, the new data regime of the European Union, known as the General Data Protection Regulation, goes into effect in May 2018. It will apply to any organization that processes the “personal data” of individuals in the EU and (i) offers goods or services to people in the EU, (ii) monitors the behavior of people in the EU, or (iii) has an office in the EU. Fines for noncompliance are expected to be significant. In addition, Russia and numerous other countries have enacted data protection and security laws, including data localization laws, that require storage of their citizens’ personal data in databases located inside their borders.
- Breaches and Cybersecurity – Gartner predicts costs of cyberattacks and overall security spending in 2018 to increase to $93 billion. Recently reported vulnerabilities in hardware (dubbed Meltdown and Spectre) increase risks and costs once a hacker is already in your system. Preparedness, in addition to prevention measures, can also lessen costs of a breach. A June 2017 study by IBM and the Ponemon Institute states that if the mean time to contain a data breach was less than 30 days, the costs were reduced by approximately 25%. Being prepared and having a plan in the event of a breach can make a difference in handling the response effectively. It may also avoid embarrassment and loss of reputation. Look at Equifax’s response to their breach – too little, too late and the wrong tone.
The bottom line is to pay attention to what data is collected, where it is stored, who has access and how long it is kept. Don’t collect data that is not needed or useful. Train employees. Be sure agreements with vendors that have access to or store data include protections. Get rid of data that is no longer useful. Have a plan in place in the event of a breach, update it regularly and implement it if a breach occurs.