Data is the DNA of a digital revolution.

More than ever before, businesses rely on consumer data to make informed decisions, drive growth, and meet customer needs. Data is among a business’ most valuable assets, and increased reliance on data comes with an even greater responsibility to work to safeguard its privacy and security.

Cyber criminals are also keenly aware of how valuable business data is, as evidenced by recent ransomware trends. Cyber attackers used to primarily rely on encryption to compel ransom payments. These criminals would lock businesses out of their systems and data, demanding ransom payments in exchange for decryption keys.

Today, attackers increasingly rely on encryption-less ransomware. In some cases, they don’t even bother locking businesses out of their systems anymore because they understand the threat of disclosing sensitive data can be just as powerful. They’re also expanding beyond ransomware. More than 800,000 cybercrimes were reported to the FBI in 2022, totaling $10.3 billion in losses — a nearly 400% increase since 2018. 

Cyber incidents typically affect data privacy in one way or another, whether data is being unlawfully accessed and manipulated for funds transfer fraud, exfiltrated in a ransomware attack, or otherwise leveraged in unauthorized ways for financial gain. Organizations that fail to adequately safeguard data can put themselves at risk not only of the direct impacts of a cyber attack but also liability to others, including fines, reputational damage, and lost business.

Distinguishing between data privacy and data security

Data privacy and data security are closely related concepts but are not the same. Both are essential components of protecting sensitive information, and, consequently, it’s not unusual for legislative and regulatory measures to address them together.

Data privacy refers to the proper handling and use of sensitive data, which includes personal data and financial data. Most businesses collect sensitive data as part of routine operations and may be obligated to prevent unauthorized access to that data. In some cases, individuals have a legal right to control how their personal data is collected, stored, and used.

Data security refers to the act of protecting sensitive data and preventing its unauthorized access and misuse. Businesses improve data security by implementing security measures like encryption, firewalls, and multi-factor authentication. 

Understanding the legislative and regulatory landscape

Data privacy and security laws are complex and can vary by location and industry. Simultaneously, the legal landscape is evolving because governments are actively passing new measures to improve data security and data privacy. The legislative and regulatory space is dynamic. Businesses should be mindful of their potential obligations and seek legal counsel when those obligations are not clear.

Data privacy laws are not new, and some even date back to the early 1970s. The General Data Protection Regulation (GDPR) is widely regarded as one of the most significant and far-reaching data privacy frameworks, establishing requirements for processing and/or transferring the data of European Union (EU) residents.

Organizations that fail to adequately safeguard data can put themselves at risk not only of the direct impacts of a cyber attack but also liability to others, including fines, reputational damage, and lost business.

Because GDPR extends to non-EU entities that process EU residents data, the United States and EU established the Data Privacy Framework (DPF) to facilitate trans-Atlantic data transfers. The DPF took effect July 2023 and is the successor to the now-invalidated Data Privacy Shield. Beyond the EU, Australia is eyeing periodic updates to its long-standing Privacy Act, and Canada is similarly considering amendments to strengthen its existing data privacy laws.

Unlike the EU, Australia, and Canada, the U.S. does not have comprehensive federal data privacy laws. Instead, the U.S. addresses data privacy through piecemeal federal and state-level measures — and some of these laws also address data security. The following are a few commonly cited federal legislative and regulatory measures that address data privacy, data security, or both:

• Gramm-Leach-Bliley Act: Requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.

• FTC Safeguards Rules: Requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.

• Fair Credit Reporting Act: Governs access to consumer credit report records and promotes accuracy, fairness, and the privacy of personal information assembled by credit reporting agencies.

• Health Insurance Portability and Accountability Act: Protects sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Beyond federal measures, many states have enacted laws regarding the protection and/or use of personal information, to include:

• California Privacy Rights Act (CPRA): Expands existing laws and, among other things, creates a new category of sensitive personal information and the right to limit the use of that information, and it imposes stricter obligations on certain businesses that handle personal data, including the need to conduct regular risk assessments and data protection assessments.

• New York SHIELD Act: Strengthens existing data security laws by expanding the types of personal data that requires consumer notice after a breach and requires that companies protect the security, confidentiality, and integrity of personal data.

• Oregon Consumer Protection Act (OCPA): Provides individuals with numerous rights over their personal data and imposes obligations on businesses and how they utilize consumers’ personal data.

• Massachusetts Information Privacy and Security Act (MIPSA): Requires anyone that utilizes the personal data of a Massachusetts resident to develop, implement, and maintain a comprehensive information security program.

How businesses can prioritize data privacy

With so many changes and new regulations, it’s clear that businesses should  continue to prioritize data privacy going forward. But what does it actually mean to protect data? And how can businesses prioritize data privacy?  

A comprehensive approach to data privacy should adhere to best practices. Below are a few key ways businesses can begin to address data privacy:

Establish a data privacy framework

A good first step is to establish a robust data governance framework. Such a framework could include comprehensive data privacy and data management policies, appointing data protection officers, and conducting regular audits to ensure compliance with internal policies and external legislative and regulatory frameworks.

Businesses can also look for ways to integrate privacy controls into the service and product development process from the outset. By embedding privacy safeguards into the design process, companies can proactively address potential privacy risks rather than scrambling to react after the fact.

Promote transparency and trust

Data breaches can erode public trust and engender unease about data practices. Even businesses with an excellent track record on data privacy and security may have to make a considerable effort to regain and maintain customer trust.  

To try to preserve trust, businesses must be transparent about why they collect data, as well as how the data is being collected, used, shared, stored, and protected. This information should be easily accessible and part of a privacy policy that outlines their overall data practices.

Invest in robust security controls

Businesses should also invest in security measures to help protect data. Businesses can significantly reduce the risk of unauthorized access to data by implementing cyber hygiene best practices, like encryption techniques, multi-factor authentication, and access controls.

Unresolved critical vulnerabilities and end-of-life software are two important indicators of a business’ likelihood of experiencing a cyber incident. Coalition policyholders with one unresolved critical vulnerability of any kind are 33% more likely to experience a claim — underscoring the importance of timely remediation and proper cyber hygiene.

Regular employee training on data security best practices is another proven way to reduce the chances of employees falling prey to social engineering attacks. Phishing remains the most common attack vector for cyber attacks, contributing to 76% of cyber claims.

Enhancing security with Active Cyber Insurance

Building a strong data governance framework, promoting transparency, and investing in security controls are all essential steps toward effective data protection. However, even businesses with the most comprehensive security programs can be breached — a cyber attacker only has to get lucky once.

That’s why every organization should enhance its cybersecurity posture with an Active Cyber Insurance policy. Beyond the protections and coverages afforded by a cyber policy, Coalition helps businesses through preparedness and prevention tactics. Every cyber quote from Coalition includes a cyber risk assessment, along with access to educational resources to help resolve existing vulnerabilities.

Businesses should try to strike a balance between collecting and leveraging customer data to better serve customers  with seemingly contradictory measures like limiting data collection to protect privacy — all in the name of preserving data privacy in the digital age.

Curious if your business has unresolved critical vulnerabilities? Sign up for Coalition Control to receive a cyber risk assessment today.

The descriptions provided herein are solely for informational purposes and are not to be construed as advice of any kind or the rendering of consulting, financial, legal, or other professional services from Coalition. While every effort has been made to ensure that the information provided is accurate, this information is provided without any representation or guarantee or warranty of any kind about its accuracy and completeness. Some of the information provided herein may not apply to your business's unique circumstances. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information.

Insurance products are offered by Coalition Insurance Solutions Inc.(“CIS”), a licensed insurance producer and surplus lines broker, (Cal. license # 0L76155) acting on behalf of a number of unaffiliated insurance companies, and available on an admitted basis through Coalition Insurance Company(“CIC”) a licensed insurance underwriter (NAIC # 29530). Insurance products offered through CIS and CIC may not be available in all states. Complete license information is available here.