Last year, Salesforce CEO Marc Benioff compared Facebook to cigarettes, in that it's similarly addictive. He took the comparison a step further, stating that “the government needs to really regulate what’s happening,” much like it did with the tobacco industry in the late 1990s. Facebook co-founder Chris Hughes recently argued for “breaking up Facebook” for many reasons, the core of which revolve around Facebook’s privacy practices. Mark Zuckerberg himself joined the chorus of those calling for greater regulation of the Internet in March of this year.
The parallel here to cigarettes is interesting — not due to the actual usage of or health risks associated with the two products, but for the impact of potential regulations could have on online powerhouses like Facebook.
Will this actually improve privacy?
In 1997, the United States entered into a landmark agreement with tobacco companies. Those companies agreed to pay more than $246 billion over 25 years for smoking cessation, healthcare costs and more. Twenty-one years later, smoking is at an all-time low, dropping from 23% of adults participating in the activity in 1998 to just 14% today. Will a similar regulatory approach work in creating an Internet that puts privacy first?
Proponents of the EU's General Data Protection Regulation (GDPR) and the forthcoming California Data Privacy Law believe so, but history tells a different story. The Payment Card Industry Security Standards Council (PCI SSC) established the Data Security Standard (known as PCI DSS) 13 years ago. The goal was to establish security controls that would protect cardholder data. However, after some of the biggest data breaches occurred at businesses that were PCI compliant — such as Heartland Payment Systems and Target — organizations quickly learned that regulatory zeal doesn’t always equate to better security and protection of data.
Perhaps worse, regulations can give executives a check-box mentality, focusing on compliance for auditing purposes rather than on truly securing data and maintaining privacy. Additionally, it creates scenarios where companies may weigh the potential privacy fines as less impactful to their business than a data breach.
Privacy is about more than Facebook.
The tobacco settlements of the 90s were about more than just bringing down the big four tobacco providers. It was the beginning of a broad, public/private coordinated effort to drive down smoking rates and educate consumers on the dangers of smoking. As consumers became more educated on the risks of smoking, new billion-dollar markets emerged with products to help consumers quit smoking, accelerating smoking reduction rates.
We should look at the privacy discussion the same way — encouraging private sector innovation to support smart regulation. Regulating privacy without public support for education and policies won’t work. It needs to be about more than just the biggest tech companies like Facebook, Google and Apple. These companies, much like the big four tobacco companies, have the financial strength to weather the inevitable impact of failing compliance with data privacy regulations and have already started the diversification process the cigarette makers went through.
One potential solution is found in MIT research, which suggested a solution called The Respect My Privacy (RMP) framework. The research draws an analogy from real life, where sets of societal rules exist that determine what is acceptable, legal behavior. The majority of us follow these rules. For those that don’t, there are well-defined penalties and punishments. The research suggests we could do the same with social networks – but it can also be applied to privacy issues in general.
Create and work the privacy plan.
While compliance by itself cannot solve the privacy problem, regulations are a clarifying factor that force companies to focus on who and what we are protecting — a plan.
The first step is identifying all the data that needs protection. Privacy needs organizations to understand where critical data exists — and the layers of protection needed to secure those sensitive assets. Protecting privacy demands a multi-pronged plan that needs compliance, cybersecurity and data privacy teams to work hand-in-hand for true success.
Much like there was nicotine gum and anti-smoking advertising campaigns to help smokers, these teams need to be armed with tools to balance these sometimes-conflicting objectives. Consider a large healthcare company we worked with that deployed encryption to protect privacy and comply with regulations. This was a good step, but as threat actors use encryption to hide their own communications, it became difficult for the organization to decipher what was regular network traffic and what was malicious. How are they supposed to protect something they cannot see from something else they cannot see? New data science-based technologies that can identify behavioral patterns in encrypted traffic allowed the organization to identify malicious activity, while preserving the opaqueness of their data.
The other critical step is to prepare for the worst. Very few smokers successfully quit the first time. Every organization similarly needs to be prepared for the worst-case scenario and expect a breach. However, many organizations still botch incident response and struggle to answer questions like “how many records did we lose?” or “how much data left the organization?” Establishing a plan to respond to a data breach or cybersecurity incident is an exercise every executive team should go through. It’s vital that all contingency and incident response plans are regularly tested and executives, compliance, privacy and security teams each know their respective roles and responsibilities. Only then can a detailed and effective response be provided quickly.
So, will privacy go up in smoke?
Facebook has been the fulcrum of our privacy discussion — but regulatory consideration needs to be accompanied by greater awareness, public policy and updated security tools and processes to be impactful.
The only way privacy is preserved in today’s connected world is if companies take ownership and responsibility. A good start is to understand how compliance — combined with broader cybersecurity and privacy initiatives — needs to be applied in your own organization.
