Ever since last year, most American consumers have been concerned with one thing:  the protection of their personal data.  This was brought up late last year with the advent of some security breaches, such as those of the Marriott Group, the British Airways website, Target Point of Sale (PoS) malware, etc.  But in all honesty, it has also been the COVID19 pandemic that has greatly heightened this fear.  For example, with more Phishing Attacks, Zoombombing, spoofed websites coming up, etc., who would not be?

Also, now that the CCPA and the GDPR are back to conducting audits and levying fines (at least supposedly), people are more aware of just how fragile their Personally Identifiable Information (PII) datasets actually are.  With pretty much everybody working from home now, the trust involved in handing over your credit card or Social Security number has quickly dwindled.  After all, how can you really trust somebody if you have not met them face to face?

But despite all of this fear and angst, there are a lot of myths out there that need to be broken and explained further.  This is the focal point of today’s blog, so let us get started:

Myth #1:  My personal data only includes what I carry in my wallet or purse:

Yes, we all carry a lot of important pieces of information in these items, such as credit cards, driver’s licenses, etc.  So if these were to be stolen, of course we naturally have a breakdown; I know that I would.  But personal data extends far beyond this, and into the digital world.  Loosely put, your personal data now includes everything that can be used to build up a complete profile of you as a person.  Probably one of the biggest areas in which we let loose and forget about this is when we are on Social Media, especially Facebook.  We feel that we have the right to put up what we want to.  Yes, we do, but this is now how the Cyberattacker studies their victims.  The days of them going after a large number of targets are now over.  Rather, they pick out their victims and study them carefully on Social Media, building up their profiles in order to determine what their weaknesses and vulnerabilities are.

Myth #2:  My boss is responsible for protecting my personal data:

When you start work for an employer, you normally have to prove your work status.  This can be done via a Passport, Social Security Card, Driver’s License, etc.  Once you are confirmed and onboarded, you then have to hand over your banking information (such as a voided check) in order to get your pay wired to your account.  So yes, these are very critical pieces of PII, and they will be stored at your workplace until you leave.  Because of this, your company is responsible for safeguarding them, and for making sure that the controls which have been set forth to protect them are in compliance with both the GDPR and the CCPA.  But in the end, it is ultimately you who has to be responsible for this.  For example, you should be asking questions as to how your PII is stored and who has access to it.  You now have the legal right to ask these kinds of questions under the powers of these pieces of legislation.  And, if you are not happy with the answers you are getting, you also have the right to have your PII datasets deleted completely, and in return, your employer has to provide you with documented proof that it has done so.

Myth #3:  A Privacy Policy and Privacy Notice are the same thing:

No, they are not, and yet the two terms are very often used interchangeably.  A Privacy Policy is like a Security Policy: it lays out how the PII datasets will be stored, processed, and accessed, the controls that will be used to protect them, etc.  This is a rather confidential document, and only those people that need access will get to see it.  On the other hand, a Privacy Notice is much shorter in length (typically less than a page) and is meant to be shared with the public at large.  These will usually contain unclassified information about any changes or updates made to the Privacy Policy, or they will inform you of your rights, as an employee, if you have any questions or concerns as to how your PII datasets are being stored and used.  Or worse yet, if there is a security breach, it is these kinds of notices that will keep everybody updated as to what is happening, and what is being done to correct and/or mitigate the situation.

Myth #4:  My company suffered a data breach, now I can sue them:

This is a yes and no.  Even if your employer did not suffer a security breach, if you feel that your PII datasets have indeed been misused, you have the right not only to question it, but also to legal representation to pursue further courses of action.  But keep in mind that not all organizations fall under the CCPA and GDPR.  For example, a company must fall under a certain revenue category as well as meet other qualifiers in order to be exposed to lawsuits.  So, if you are working for Company XYZ, which makes less than $5 million in revenue per year, the chances are that it will not fall under the enforcement teeth of these key pieces of legislation.  So, while you can theoretically sue them, you will have no legal precedent to back you up, and it could take years before your case is brought to trial, thus draining you of your financial resources.  Also, under the CCPA, you really cannot even sue a company.  Only the California Attorney General can do this, but you do have the right to file a serious complaint with them in order to raise any red flags that can trigger an investigation.

Myth #5:  It is the Data Controller that will process the PII:

This is completely false.  It is the data controller that determines how the PII datasets will be processed, for what reason(s), and who will actually do the analysis of the PII datasets.  It is the latter function that falls under the role of what is known as the “Data Processor”.  In order to keep a better audit trail, the analysis component is often outsourced to an external, third party vendor.  This is done as a practice for separation of duties.  But also keep in mind that if you are the employer and have outsourced the analysis function to a third party, you are still the one that will be ultimately responsible for any compromises that are incurred.

My Thoughts On This

Well, there you have it, some of the top myths debunked.  There are others out there, and future blogs will address them as they come up.  Remember though that Data Privacy is still a rather murky area, and many people are still wrestling with the new issues that are coming up, especially from the legal perspective.

Many other states want to follow the pattern of California and adopt their own version of the CCPA.  While this can be a good thing, it can also be bad in terms of enforcement standards, as each state will have its own set of provisions and mandates.  Also, it can be equally confusing for a company that does business in multiple states, especially in all 50 of them.

So, how in the heck can one manage all of this?  Really, nobody can.  Therefore, there have been cries and uproars in DC to have a Federal Data Privacy Act, in which a common set of standards can be established for all of the states, with the hope of reducing any confusion and fostering an environment of data protection for all Americans.