FOLLOWING the Facebook data security issue with Cambridge Analytics and others, we are all receiving e-mails from Twitter, Facebook, Google and many others, advising us of their new privacy rules and requesting us to read them carefully and accept them. Many of us, I am sure (me included) receive the e-mail, have a brief look at the long privacy rules and promptly delete it. Either we don’t care whether someone has our private information or the cost—measured in time and hassle—of changing the passwords, etc., was greater than the expectation of the harm from not doing so.
Of course, our behavior is at odds with the important assumptions in the public debate. The Philippines, the United States and Europe have been abuzz with discussions about privacy, driven in large part by the revelations that the information from as many as 87 million Facebook users was sold to a private company, and by the information that two fast-food chains in the Philippines had data breaches involving very personal information of tens of thousands of their customers. The topical question is: How can we protect information about ourselves that is on social media?
This question comes with a second question: Do we really care about privacy, given the fact that only a few Facebook users decided to cancel their membership in Facebook? Consider whether you would trade the privacy of your friends for a free slice of pizza. Researchers asked undergraduate students in the US to provide the e-mail addresses of their friends; to entice them to do so, some were offered free pizza. It turns out that if you offer free pizza (or an amount of money), the likelihood that they will protect the privacy of their friends is cut in half.
I don’t consider anything on my Facebook page as sensitive, private content. That stands, however, in contrast with the e-mails stored on my Gmail account, which have lots of private information that I would not want anyone to read. I doubt I am alone in wanting my e-mail to stay private. Which is why I was surprised to learn that less than 10 percent of active Gmail accounts use a new “two-factor authentication” protocol to access a Gmail account. It seems that for the overwhelming majority of Gmail users, the benefit of extra security isn’t worth the small cost of providing a bit extra information at the login stage.
All this highlights the importance of personal responsibility—a key part of the discussion about data privacy that has been conspicuously absent. If you care about what’s in your e-mail, take simple steps to protect it. Social-media platforms are in the public square. It’s the responsibility of users to make sure there is nothing on their social-media accounts that should not be made public.
Moving from the personal data protection to business, allow me to add:
With perhaps a few exceptions, every business that collects personal data from customers, clients and vendors is exposed to a security breach where that data is exposed, comprised and/or stolen. This inevitable fact is just one of the costs of doing business in an interconnected world. The EU’s GDPR and the Data Privacy Act of the Philippines (DPA) do not, and cannot, expect businesses to patch unknown security vulnerabilities or avoid security incidents altogether. However, they do require businesses to make every effort to mitigate the damage security breaches have on people.
To that end, it is vital that all enterprises take measured and documented steps to close security vulnerabilities, prevent security breaches, and mitigate the risks when prevention fails. The mere fact that an enterprise made a substantial and documented effort in this regard could be enough to establish data-privacy compliance and avoid substantial fines and penalties after a security breach.