January 24-28th is Data Privacy Week! Given the ever evolving state of data privacy, this is a great opportunity to discuss how we can protect ourselves against data breaches and identity theft. Originally, this tradition started as a day observed on January 28th as a result of a European Council meeting on the subject in 1981. This was “an educational initiative focused on raising awareness among businesses as well as users about the importance of protecting the privacy of their personal information online, particularly in the context of social networking.” (Wikipedia)
Clearly the people who started this initiative made an extremely accurate prediction: The breadth and usage of the internet would expand rapidly and data privacy laws would fail to keep up with the times. While there have certainly been some recent advancements in data privacy laws such as GDPR it remains true that we have a long way to go before we, as a society, can consider our personal data adequately legally protected.
As users of internet services, we are all victims of the mishandling of our own personal data. We can see this mishandling in so many ways:
- Data breaches as a result of malware leading to massive swaths of personal info such as credit card and social security numbers being stolen and sold by bad actors
- Ransomware attacks that have now also turned to data extortion - threatening to leak confidential data and risk damage to company reputation, for a price. This is one of the more recent and nasty developments in the Infosec space.
- Terms of service agreements (which most of us fail to read) allowing companies to sell our data, usually to marketing agencies, so that those agencies can target us for personalized ads
- Identity theft as a result of our data being stolen or improperly handled by the many companies that have access to it
While we as individuals cannot (directly) change data privacy laws, we can certainly change our behaviors to mitigate vulnerability to any data disasters as listed above.
Considering privacy vs. convenience
Many apps and websites ask for access to different types of personal info. This can include your contacts list, geographic location, or microphone access. We would all benefit to consider the downsides of sharing our data with organizations before we click on the “allow all” button. Some questions that are valuable to ask before accepting the data request prompts on an app include:
“Is this company trustworthy?”
“Is there any real reason this app needs access to my microphone?”
“Why does this game app need GPS data from me?”
If it’s possible to use an apps’ or websites’ primary functionality without granting it additional access to other parts of your phone/computer, we recommend you do so purely to minimize how much free data they get from you. As a general rule, if the app is free, then you and your data in that app are the product.
Add protection layers to your data
There are some crucial activities we can all take to lower our risk of things like identity theft or an online account being taken over. The first one is improving our password habits, and we can do this in a few simple ways:
- Use long (18+ character) unique passwords for each account. Pass phrases can really help!
- Utilize a password manager to generate unique and strong passwords (with the benefit of not having to remember them!)
- Turn on MFA (multi-factor authentication) for any service that has it as an option
Many account “hacks” originate from leak of password data from a service. Once hackers have passwords that are associated with email accounts, they can do what is called “credential stuffing”. This is a cyberattack method in which attackers use lists of compromised user credentials to breach into other accounts that use that same email and password combination. Using MFA and unique passwords will keep you protected from this kind of attack.
Another really great option available to us is the ability to freeze our credit with all of the different credit agencies. In the U.S. there are three main credit agencies: Transunion, Equifax, and Experian. These agencies have an extraordinary amount of data on each U.S. citizen and therefore, a data breach (as we saw with Equifax in 2017) can lead to millions of people having their social security, birth date, and other information stolen. When bad actors have access to this type of personal data, they can attempt to open lines of credit (such as credit cards or loans) in your name. The best method to preventing this kind of identity theft is to freeze your credit with all of these credit agencies. Having your credit frozen will mean that any time you (or a bad actor) tries to open a new line of credit, you have to contact the credit agencies and provide them with a specific pin code and a length of time you’d like your credit freeze to be lifted. It’s a bit of a hindrance when applying for a new loan, but it is nowhere near the amount of headache and frustration you’ll go through if your identity is stolen.
Join the conversation!
Data privacy week is a time for all of us to educate ourselves on the current state of data privacy and what we can do to protect ourselves. While we definitely need more robust privacy/data legislation in the U.S. and across the world, we can all take actionable steps towards protecting ourselves in the meantime. I hope that the information I’ve provided here has helped you all recognize the steps you can take to protect your data and why we should care enough to take those steps.
We all want to take back control of our data and our online identities - that requires us to change habits and normalize this conversation. All of us could use a bit more privacy - even if it’s for, like, one second.
Do you have any data privacy tips to share with the rest of us? I’d love to hear the steps that any of you have taken to protect your data or identity! Please respond here or join the conversation with us on Twitter by tweeting us @Webroot on that platform. Can’t wait to hear your thoughts!
Loving the Gifs!
Also I’m not sure GDPR has brought anything to the table other than more leverage for criminals in their extortion!
That’s a really interesting take! I’m curious if there’s any stats available on GDPR effectiveness. I do know that it has definitely added a layer of leverage that ransomware operators can hold over their victims. I wonder whether it’s been a net benefit at all or if it’s mostly been a bad piece of legislation!
I cannot speak for the younger generation (I am 61) but when I went to school, calculators were just coming into the school, and I can imagine that quite a few people I knew at school have little idea about online security. All that some people do is buy the computer connect it up to the web and think that is all they need. What is needed is more publicity to raise peoples awareness of online privacy and keeping themselves safe because right now there is precious little about Data Privacy Week that I can see around.
We have to be more aware of these situations like Phishing sites, Scam Emails and Scam Texts and to train ones we know and that’s including our families! Having a good AV like Webroot protects us in many ways like the Web Shield and and the Identity Shield but we can never let our guard down.
Considering privacy vs convenience really strikes a chord with me. So many of our clients put convenience first and it takes a lot of conversation to get them to realize the real importance of privacy. One thing is for certain, once they experience a breach they are on board with every recommendation previously made and they want it done yesterday. It’s an individual thing, some people by nature choose to see things in a positive light because the reality is often an uncomfortable conversation.
Great article about data privacy
A good description of the problem along with helpful guidance to avoid becoming the next victim. If something looks too good to be true then it is potentially problematic. Similarly, if something seeks too much information about you then question the motives and review the intent to potentially bring harm to you.
The continuing education is appreciated by all and keep up the great work!
Interesting take on the “Is there any real reason this app needs access to my microphone?” It raises the question of the privacy rights of Alexa users. Are all conversations being recorded?
On a lighter note there is a great movie from 1974, The Conversation. Highly recommend it.
Very good written. Credit freezing is likely US only, never heard of it in the EU.
Thanks for great written.
Very good story. my tips for the day.
Keep your main email account safe with MFA. Reset your browser on a regular base.
Well written article, that gives a lot to think about!
Some think: "it doesn't happen to me, who do you want my data to be interested in?".
I find an analogy between the no-vax attitude and the privacy attitude of many people.
They think that problems can only happen to others but then when they do they regret it bitterly.
I agree with those who have already written that much more information and awareness is needed.
In smaller organisations, its far easier to explain and promote the real understanding of what data privacy is all about. I always take the time to explain that using their work email to sign up to online forums, polls and the likes should be avoided and for them to use a Gmail or Hotmail account, heck even a protonmail account so that they can keep things away from the business as best they can.
The larger organisations, the staff usually don’t care, and these are the ones you usually deal with pretty quickly in their (usually) limited time with said companies. Sorry, but your end users have to be made to understand that nothing can protect them 100% online and that common sense and the buck landing at their own feet, and NOT the IT people when they screw up, should be enforced more heavily in larger organisations. The IT people being blamed for ineptitude is long gone!
Data Privacy is always important, for all staff of all organizations to understand. The global pandemic has made things even worse where a lot of people work remotely, this in return had phishing attacks increase dramatically. Not many customers and organizations want to really hear about data privacy or GDPR (well should they decide to actually do something some time soon in the near future other than just being another buzz word out there). The sad reality as always, is it only start to matter WHEN they are affected. Thus we as professionals always have to strive our best to stay current, and up to date with the latest trends and fashions in the industry, to be mature enough to do our duties as best as humanly possible to try protect our customers and avoid issues, and to raise the awareness of this as well as the importance of this at all possible opportunities we can get. MFA…. MFA…. MFA…. MFA…. crucial to start with and have implemented across the board.
I would like to start off with how great this article is with actually making people aware of the concerns about security.
I don’t think anyone can be 100% safe online as using the online automatically exposes the user to threat from all different angles.
All companies are exposed in various methods and personally I think all of these big words from security companies give people a false sense of protection as all diligence is gone out of the window when people say they’re protected.
Thank you for this article this has give me somethings to go over with the team.
Well written article, Opens your eyes as to how important Data Privacy is.
Well written article.
Thanks Keenan. Normally reads like this are tough to get through but this was well written and entertaining. Thanks for sharing.
GDPR and likes of data are a huge factor that we all have to consider, whether we care about it or not.
At the end of the day, having the best security measures such as MFA/Two-Factor can save your account from data breaches more than you know it.
Even MFA can be bypassed but, it’s better than having a password only protected account..
Do your part and save your account before it’s too late!
Good read thanks.
Online safety is a tough one to teach everyone. Even those ‘in the know’ can find it hard to recognise fake emails and links.
Things are getting better though (although unfortunately mostly due to people learning from mistakes) and my 6 year old daughter is learning about online safety whilst being introduced to computers so hopefully it is now becoming something that people grow up with as we go along.
Very interesting! Thanks for the post. I’ve never been that convinced by GDPR, it seems to just be terminology used to scare people into more services!
I’m all on board with the intentions of GDPR, but the implementation is often SO user-hostile!
A data privacy tip: lie.
Do some of these websites really need to know your birthdate, address (unless for shipping), your first pet’s name, etc? So long as you use a trusted password manager, you can keep these lies sorted in the event you need to reset a password. In the event of a breach, your fake information cannot be used to impersonate you.
Well written article, that gives a lot to think about!