How Social Loneliness Could Effect Privacy Practices

Social media was designed to connect people. At least, that’s what those behind these sites never stop of telling us. They’re meant to create, as Mark Zuckerberg says, “a digital town square.” Yet, as it turns out, the effect social media has on us seems to actually be going in the opposite direction. Social media is making us less social. 

Last year a study by the University of Pittsburgh and West Virginia University was published showing links between social media use and depression. And now the same team has released new study that takes things a step further. The study found that not only does social media lead to depression, but actually increases the likelihood of social isolation. According to the study’s findings, for every 10% rise in negative experience on social media, there was a 13% increase in loneliness. And what’s more, they found that positive experiences online show no link to an increase in feelings of social connections.  

These two studies make clear what we may already feel: the form in which social media connects us ends up leaving us more isolated. And, as strange as it may sound, this could have a profound impact on how we view our privacy. At root, privacy involves the maintenance of a healthy self-identity. And this identity doesn’t form in a vacuum. Instead, it is shaped through our relationship to a community of people. 

So, to the extent social media is isolating, it is also desensitizing to our notions of ourselves and to the world which surrounds us. When we lose a sense of boundaries in relation to community then anything, including the value of  privacy, can go out the window.  

And this can turn into a vicious cycle: the lonelier you feel, the more you’re likely to seek validation on social media. Yet, the more you seek that validation, the more that sense of loneliness rears its head. And often seeking this type of social validation leads to privacy taking a back seat. Earlier we wrote about an increase in the success of romance scams, which is just one example of how a sense of loneliness can have the effect of corroding privacy practices.  

While these studies don’t exactly mean we should go off the grid, it’s clear that to understand and value ourselves, we need at times to detach from technology. And, from a business perspective, there are lessons to be learned here too. While technology can make communication more convenient, that shouldn’t translate to having every conversation through a digital platform. Pick up the phone. Have lunch with a customer. Talk to them instead of selling themHaving more personalized conversation will not only translate to stronger business relationships but may even have an effect on the value placed on privacy as well.  

New York Isn’t Sleeping on Consumer Privacy

Two years later the impact of Equifax’s massive data breach continues to be felt. As we reported last week, the FTC announced a $700 million settlement with Equifax. Then on Thursday, in reported response to the settlement, New York governor Andrew Cuomo signed two new data privacy bills into law.  

Here is a quick run down of the two privacy laws New York passed last week and how they could impact your business:

Senate Bill S3582

The first bill passed into law last week concerns consumer credit reporting agencies. Under the new law, all credit reporting agencies that have experienced a data breach are required to offer effected consumers free identity theft prevention and mitigation services for up to five years. The law additionally gives effected customers the right to freeze their credit at no cost.  

SHIELD Act

The second and by far most impactful of the laws passed is the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). While the focus is simply on breach notification procedures, the law is noticeable for the expanded scope of the regulation and the broadened definitions it introduces. 

In short, the new law requires businesses to report any breach of personal information that an organization hasWhat is notable, however, is that the SHEILD Act doesn’t just apply to businesses operating within New York. Instead, any organization that owns the personal information of New York residents must now comply with the reporting requirements.  

What’s more, the law expands the definition of what counts as a data breach. Traditionally, data breaches are understood as an instance where someone actually takes an organization’s data. The SHIELD Act, however, expands this definition to also include instances where the data has simply been accessed by an outside entity. The definition of personal information has also been expanded by thnew law to include biometric data and a usernames or email addresses in combination with a password or security question.  

In addition to notification requirements, the law requires businesses with the personal information of New York residents to implement “reasonable” security requirements. These include compliance with regulations such as HIPPA and GLBA as well as “reasonable administrative, technical and physical safeguards.” 

Lastly, the law lays out a new penalty framework for organizations that fail to properly report data breaches. Under the SHEILD Act, action against businesses will be pursued by the State Attorney General rather than through individual or class action civil suits. The law also increases the maximum penalty for organizations from $150,000 to $250,000.  

Signs of Regs to Come

These two new laws solidify the impression that New York is working hard to strengthen its stance on cyber security and data privacy. Just last month state senator Kevin Thomas introduced the New York Privacy Act, considered by some to surpass even the GDPR in the privacy rights it gives consumers. Perhaps the most unique feature the bill proposes is the concept of Information Fiduciaries. 

While the Privacy Act has a long way to go before passing into law, the ease with which these two laws were enacted may be a sign of things time.  

How The Cookie Crumbles

Cookies have been and continue to be an essential part of how we use the internet. In essence, cookies are small files created by websites you visit that are saved on your computer. The files contain information on what websites you visit and how you interacted with those sites.  

This might make any privacy-minded person pause. Why should we allow websites to create records of what we do online? Well, the answer isn’t so straight forward. Not all cookies are created equal. Some forms of cookies are essential to what we’ve come to expect from our online experience. Others are a little more suspect.  

First-Party Cookies

In general, first-party cookies are there to make our online experience easier and more convenient. They’re used by individual websites, and store information so you don’t have to re-identity yourself every single time you use a site. They allow you to stay logged into websites as you navigate between pages and visits to those sites. They save your location so you can quickly check the weather in your area or buy movies tickets without having to re-enter your information every time you use those sites. 

In short, we rely on first-party cookies every time we visit a website. Their essential to how we use the internet and don’t necessarily present a risk to your privacy online. 

Third-Party Cookies

Third-Party Cookies, on the other hand, are a different story. Unlike first-party cookies, these cookies track your movements between websites. These types of cookies are not created by the website your visiting, but by a third-party whose code is on that site. This could come from plug-ins, or, as is more often the case, from advertising platforms. These cookies can then keep track of your movement between any website that features these third-party codes.  

Because they are not limited to your interaction with one specific website, they can be used to construct a much larger and more detailed profile of not only your online presence, but personal characteristics, spending habits, and lifestyles.  

Taking Control of Your Cookies

Because cookies are such an important part of how we interact with websites, blocking all cookies is unnecessary and will make using sites far more inconvenient. However, depending on your level of comfort there are steps you can take to have more control of what cookies websites are using. 

  • One option is to change your browser’s privacy settings to ask permission before accepting cookies for all websites. You can choose which websites save cookies depending on your level of trust and how frequently you use those sites. 
  • Most browsers also give you the option to only block third-party cookies. This will still allow individual websites to save information about how you use their sites but will stop entities from tracking your movement across the web. There are also several ad-blocking extensions you can use that will remove advertising codes from websites when you visit them, effectively blocking those third-parties from saving cookies on your computer. 

Cookie Disclosure Requirements

By now, you’ve probably seen many websites display banners either stating that they are using cookies or asking consent for their use. This is due to several laws coming out of EU that now require websites to obtain consent to use cookies. The ePrivacy Directive was implemented in 2002 and was the first of such laws to require notification of a website’s use of cookies.  

However, the newly enacted GDPR has further enhanced these requirements. Now, websites are required to not simple notify users that cookies are being used, but most give information on how those cookies will be used and gain consent from users for each of those purposes.  

While the U.S. currently does not have such laws in place, if your organization has servers in an EU nation, you may still be subject to GDPR restrictions. In any case, it is likely such regulations will be also enacted in the U.S. soon, so many organizations are choosing to display such banners preemptively.  

Cyber Security Regulations for Small and Medium Size Businesses

As cybersecurity concerns increase, so have government regulations. The problem, however, is that these regulations are not all enforced on the federal level, and sometimes pertain only to specific types of businesses. It is important for  businesses to understand the regulations for their industry and/or geographic location and take steps to put the right cybersecurity program in place in order to comply. To help with that process, here is a short guide to four of the most important cybersecurity and privacy regulations in the U.S. today.

  • HIPPA –  The Health Insurance Portability and Accountability Act of 1996 (HIPPA) is one of the oldest and well-known federal privacy regulations in the U.S. These regulations requires that all companies within the healthcare and health insurance industry implement administrative, physical, and technical safeguards to ensure the protection of all electronic health information. This includes periodic risk assessment reports, workforce training and management, and access and audit controls. More information on HIPPA and how to ensure compliance can be found here

 

  • NYSDFS Cybersecurity Regulations – In 2017 The New York State Department for Financial Services put in place regulations for all financial institutions requiring a license to operate in New York. These regulations require that a comprehensive cybersecurity program be put in place including the designation of a Chief Information Security Officer, the implementation of cybersecurity policies based on  a comprehensive risk assessment, and periodic penetration and vulnerability tests. The regulations require businesses to provide cybersecurity training for employees, limit the amount of time data is retained, encrypt all nonpublic information, audit their third party vendors, develop an incident response plan, as well as notify the NYSDFA of any breach of nonpublic information. 

 

  • Securities and Exchange Commission: As of 2018, the SEC has put in place cybersecurity initiatives designed to protect retail investors from cyber-related attacks. These regulations effect all investment and public companies operating in the U.S. The role of these initiatives is primarily to provide resources for business to identify and assess cybersecurity risks, detect compromises to systems, plan for response to compromises, and steps to recover stolen data. However, SEC does require companies to report how data is being secured, and any cyber-related incidents such as data breaches. You can find the SEC’s resource page here. For even more information, the Financial Industry Regulatory Authority has additional resources and checklists for small business.

 

  • California Consumer Privacy Act (CCPA): The CCPA is one of the newest regulatory laws in the U.S. and provides consumers extensive control over how businesses collect and use personal information. The law applies to all for-profit entities doing business in California that collect personal consumer data. According to the CCPA, companies must provide consumers information on what data is being collected, and gives consumers the right to opt-out of the sharing or selling of personal information. Consumers additionally have the right to sue if a breach occurs when the company used careless or negligent means to protect data. The CCPA will go into effect in January 2020, and the full initiative can be found here

 

 

While not all of these regulations are will pertain to your business, it is likely that such initiatives will be standardized across industries and states in the near future. It is therefore essential that businesses begin to put some of these practices in place now. Here are some basic steps that can be taken today:

  1. Develop a cybersecurity policy. Two tools that can help come from the National Institute of Standards and Technology (NIST), which provides security and privacy controls for federal organizations, and the International Organization for Standardization (ISO), which specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within the context of the organization.
  2. Work towards improving the security controls in the organization with special emphasis on access control, data encryption, security governance, incidence response, vulnerability management (eg: patching and scanning), and vendor management.
  3. Train everyone on their role in cybersecurity
  4. Have someone in the organization responsible for cybersecurity and make sure they are getting training.

Finally, while the emphasis in this post is compliance, recognize who you are really doing this for:  your customers, your employees, your investors and yourself.

Nothing Up My FB Sleeve

Two weeks ago,  Mark Zuckerberg penned an essay detailing Facebook’s shift towards a more privacy-focused platform. “As I think about the future of the internet,” he writes, “I believe a privacy-focused communications platform will become even more important than today’s open platforms.” For Zuckerberg, this predominantly means focusing efforts more on his private messaging services (Facebook Messenger, Instagram Direct, and Whatsapp) by including end-to-end encryption across all platforms.

 

But given mirad privacy scandals plaguing Facebook over the past few years, it is important to look critically at what Zuckerberg is outlining. Many of the critiques of Zuckerberg that have been written focus primarily on the monopolistic power-grab that he introduces under the term “interoperability.” For Zuckerberg, this means integrating private communications across all of Facebook’s messaging platforms. From a security perspective, the idea is to be able to standardize end-to-end encryption across a diversity of messaging platforms (including SMS), but, as the MIT Technology Review points out, this amounts to little more than a heavy-handed centralization of power: “If his plan succeeds, it would mean that private communication between two individuals will be possible when Mark Zuckerberg decides that it ought to be, and impossible when he decides it ought not to be.”

 

However, without downplaying this critique, what seems just as if not more concerning is concept of privacy that Zuckerberg is advocating for. In the essay, he speaks about his turn towards messaging platforms as a shift from the town square to the “digital equivalent of a living room,” in which our interactions are more personal and intimate. Coupled with end-to-end encryption, the idea is that Facebook will create a space in which our communications are kept private.

 

But they won’t, because Zuckerberg fundamentally misrepresents how privacy works. Today, the content of what you say is perhaps the least important aspect of your digital identity. Instead, it is all about the metadata. In terms of communication, the who, the when, and the where can tell someone more about you then simply the what. Digital identities are constructed less by what we think and say about ourselves, and far more through a complex network of information that moves and interacts with other elements within that network. Zuckerberg says that “one great property of messaging services is that even as your contacts list grows, your individual threads and groups remain private,” but who, for example, has access to our contact lists? These are the type of questions that Zuckerberg sidesteps in his essay, but are the ones that show how privacy actually functions today.

 

Like a living room, we can concede that end-to-end encryption will give users more confidence that their messages will only be seen by the person or people within that space. But digital privacy does not function on a “public vs. private sphere” model. If it is a living room, it has the equivalent of a surveillance team stationed outside, recording who enters, how long they stay there for, how that room is accessed, etc. For all his failings, we would be wrong to assume that Zuckerberg is ignorant of the importance of metadata. In large part he has built is fortune on it. What we see in his essay, then, is little more than a not-so-subtle misdirect.

First Insurance Data Security Act Goes into Effect in South Carolina

As of the first of this year the South Carolina Insurance Data Security Act has gone into effect. These regulations are based primarily on the National Association of Insurance Commissioners’ Data Security Model Law and are the first of its kind in the U.S. However, given increasing public scrutiny on how business handle sensitive information, it is likely such regulations will be taken up by other states in the years to come. New York, for instance, already has in place similar regulations via the Department of Financial Services. Not even to mention the California Consumer Privacy Act of 2018. Insurance Carriers, brokers, agents and other licensed entities should therefore take some time to familiarize themselves with these new regulations.

 

The South Carolina Insurance Data Security Act contains two major aspects:

 

  1. It requires any “person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to [ ] insurance laws” to notify the state within 72 hours of any cyber security event. The regulation defines such an event as any “resulting in unauthorized access to or the disruption or misuse of an information system or information stored on an information system.”

 

  1. Licensee’s are required to maintain a comprehensive information security program that details how the company will protect the security and confidentiality of private information against the outside threats. Companies must conduct a full risk assessment of a cyber security event in order to then design and implement a program to mitigate identified risk.

 

  1. Licensees will also be required to implement a third party provider program and to require their providers implement appropriate administrative, technical and physical measures to protect non-public information and relevant systems.

 

It must be noted that these regulations not only pertains to insurance companies, but will also impact insurance brokers, agents other licenses and their third party vendors. The first deadline is a written security program in place by July 1, 2019.  The implementation of a third party provider program needs to be in place by July 1 2020.

 

Moreover, the regulations themselves could easily be applied to fields outside of insurance. The concept of an information security program, for instance, is something that any business handling private information should begin considering in the event that similar regulations are applied across other states and in different sectors.