ITworld reports on a brewing data security dispute between a group of 30 U.S. companies and the privacy watchdog Center for Digital Democracy. Companies such as AOL and Adobe have been accused of not living up to the Safe Harbor commitments that European data protection law expects of U.S. companies handling Europeans' data.
Why are we talking about EU regulations? Well, the EU has laws to protect the personal data of people in the EU, and those laws forbid sending that data to a country that doesn't protect it adequately. For a U.S. company that handles EU users' data, the usual way to satisfy that requirement is the "Safe Harbor" framework, a compromise negotiated between the European Commission and the U.S. Department of Commerce. A company publicly self-certifies that it follows the Safe Harbor principles governing the use and storage of European data, and the U.S. Federal Trade Commission can then treat a broken promise as a deceptive business practice. That self-certification is what the Center for Digital Democracy says these companies failed to honor.
The Center for Digital Democracy claims that 30 companies violated the law by…
- Inaccurately representing their data collection processes.
- Not informing EU citizens about the retention of their data for marketing purposes.
- Not providing clear-cut ways for users to opt out of having their data collected and stored.
This isn't the first international data fracas we've seen. U.S. companies and EU regulators have been butting heads for a long time (see our post, "Only 1% of Cloud Service Providers Meet Proposed EU Regulations (and Why You Should Care)"), and these problems will likely continue to get worse as EU laws get stricter.
But what, if anything, does this mean for small IT consultants? Let's take a closer look at what you need to do to reduce your IT liability in the Wild West of digital privacy.
Why Data Security Is Like the Wild West
On the frontier, life wasn't lawless. But the laws in place were hard to enforce and citizens didn't know when, or if, they'd be held accountable. That's a lot like the current data security world.
It's impossible for the EU or another government to keep track of every piece of data collected about its citizens. In this dispute, the Center for Digital Democracy objected primarily to the way U.S. companies were building "digital dossiers" about EU users. However, this is a fairly common practice for companies that take a big-data approach to marketing.
A digital dossier is a collection of information about a user. It might contain data about their geographic location, shopping tendencies, household income, and other information that can be gleaned from their online activity. By collecting this data, many companies hope to more accurately and effectively target sales and marketing (or sell the data to other businesses).
EU law requires businesses to disclose these practices to users and to give them simple ways to opt out. The problem is that in the United States, big-data marketing is big business, and it's booming.
For many U.S. companies, abiding by the stricter European data protection standards doesn't seem worth the trouble. Is a small-business owner supposed to check the passport of every user who logs onto their website or uses their mobile app?
As you've probably guessed, most IT professionals simply can't follow the letter of these laws (or don't know that they even exist). Much like in the days of the Wild West, there's a huge discrepancy between what the laws say and how they are enforced.
How Can IT Professionals Protect Themselves from Data Security Liabilities?
A liability is something you can be sued for. But the current confusion surrounding data security laws makes it hard to know when you'll be protected from a lawsuit.
In reality, IT consultants have to accept a certain amount of risk in their work, including…
- Third-party risk. If you use a service provider for a client's IT, you can be sued if the provider is hacked or makes errors that lead to financial losses for your clients.
- Data breach exposure. No technology is bulletproof. As cyber criminals devise new ways to steal data, there may always be some risk of a data breach.
- User error. You can actually be sued for mistakes made by clients. For instance, if a client is hit by a phishing attack, they can sue you for not having proper IT security in place to limit their email risk.
Given the burdensome demands of data laws and the constant risk you're exposed to, you need a way to cover your IT liability. Errors and Omissions Insurance can do just that: E&O Insurance pays for cyber liability lawsuits, the claims that arise when clients sue you over data breaches or losses tied to insecure networks.
Though it's impossible to follow developments in every data security law, small IT firms should make an effort to comply with the regulations that govern their industry. While the IT landscape can be a bit like the Wild West, it's good to know you've got insurance to protect you from the cost of a lawsuit. To learn more about E&O for IT professionals, contact a TechInsurance agent.