With the recent headline-making breaches such as Lord & Taylor and Panera, U.S. consumer sentiment is quickly shifting. According to a recent study from the American Institute of CPAs (AICPA), 81 percent of consumers are actively worried about how well businesses will protect their personal information and are taking actions to safeguard their data. We are witnessing the first real evidence of behavioral changes in U.S. consumers in response to data security breaches.
For years, Americans forgave and forgot breaches as the consequences weren’t severe enough to impact their daily lives. Banks would simply reimburse consumers who had money stolen from them and the consumer would move on. However, this sentiment started to change with the hack of Equifax last year.
American society relies on Social Security numbers and credit for citizens to find success. Buying a car, purchasing a house and renting an apartment—sometimes even buying a phone or applying for a job—all require Americans to have good credit. With the hack on Equifax, all the consumers impacted are at risk of having their lives essentially ruined with a minimal chance of recovery. This breach of PII was so severe that Massachusetts went through court procedures to be granted permission to sue Equifax for its extensive breach.
All these breaches (and the sentiment around them) show that the world as we know it is changing and that these breaches are starting to have real consequences for businesses. Just this week, we’re seeing Facebook face pressure to adhere to GDPR laws globally after their breach around the 2016 election. And although GDPR might not be global yet, with this consumer backlash, its expansion beyond the EU is quickly on its way.
This expansion can already be seen looking at events that transpired earlier this year. In February, retailers and financial services firms called on the U.S. Congress to create a federal data breach disclosure notification law that supersedes state data breach notification laws. They contended that a federal standard would simplify compliance and make the threshold for disclosure clear to businesses and consumers alike. They aren’t wrong.
With this shift, it’s imperative that businesses start to more effectively secure customers’ information if they are to avoid negative legal and reputational consequences.
For businesses that aren’t sure where to begin, here are a few tips.
Stop storing data: Rather than investing time and money in protecting data from would-be hackers, simply make sure there’s nothing there to steal. The less customer data stored, the less risk there is of that data being stolen. Rather than merely masking data on screen, tools already exist that let businesses store tokens in place of personal information, ensuring that not even internal employees have access to the personal data.
Run regular security audits: One of the biggest hurdles to ensuring data security is understanding how your data flow works and identifying any areas where a breach might be a risk. Regular security audits will highlight any vulnerable areas in your system and help your business stay safe.
Ensure your security software is up-to-date: This means not only making sure you’re using the latest version of your software but also applying new patches as they are released. This applies to everyone connecting into your system.
Require strong passwords: Making sure your customer logins are as complex as possible will make front-end hacking more difficult. Requiring customers to use unique passwords with a minimum number of characters or digits will make hackers’ lives harder.
Understand what access partners have: The issue for Facebook was that they weren’t controlling the data that partners could access.
Be very clear with your privacy policies: Consumers need to understand if and how brands are using their data in order to consent. Brands must make sure they are getting permission to collect and leverage personal information.
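The "stop storing data" tip above describes tokenization: the application database keeps only an unguessable token, and the real value lives in a separately secured vault that only an authorized service may query. The following is an added illustration, not code from the article or any vendor's product; the vault is a hypothetical in-process stand-in, and the role name "payments-service" is an assumed example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenVault:
    """Hypothetical vault: the only place the real value lives.
    In production this is a separately secured service, not an in-process dict."""
    _by_token: dict = field(default_factory=dict)
    _by_value: dict = field(default_factory=dict)  # makes tokenization idempotent

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so one customer value maps to one token;
        # otherwise mint a random token that has no relation to the value.
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_urlsafe(16)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only an explicitly allowed role may recover the original value;
        # ordinary application code and employees never call this.
        if caller_role != "payments-service":  # assumed role name
            raise PermissionError("role not allowed to detokenize")
        return self._by_token[token]


def store_customer(app_db: dict, vault: TokenVault, customer_id: str,
                   ssn: str, email: str) -> dict:
    """Write a customer record to the application database with PII replaced by tokens."""
    record = {"id": customer_id,
              "ssn": vault.tokenize(ssn),
              "email": vault.tokenize(email)}
    app_db[customer_id] = record
    return record


def app_db_leaks_pii(app_db: dict, pii_values: list) -> bool:
    """Check whether a dump of the application database contains any raw PII value.
    After tokenization this should be False: a breach of app_db yields only tokens."""
    dumped = repr(app_db)
    return any(v in dumped for v in pii_values)


if __name__ == "__main__":
    vault, app_db = TokenVault(), {}
    # Constructed sample values, not real data.
    rec = store_customer(app_db, vault, "c1", "123-45-6789", "a@example.com")
    print(rec)
    print("app db leaks PII:", app_db_leaks_pii(app_db, ["123-45-6789", "a@example.com"]))
```

A compromise of the application database alone exposes only the tokens; the attacker would additionally need authorized access to the vault to recover any personal data.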
With the shift in consumer sentiment, U.S. businesses are faced with two options: work to secure their customers’ information correctly and effectively or risk reputational and financial ruin. With under two months until GDPR and the likelihood of U.S. legislation coming onto the docket shortly, what are businesses waiting for? This is the wake-up call.