Death and Your Data


It’s been said that humans are becoming nothing but data for companies. That’s certainly a cynical outlook, but it’s not entirely wrong. As the CCPA ratchets up regulations on how companies can store and collect data on users, it raises the question: what happens to our data after we die?

Several companies specialize in the destruction of your consumer data after you pass on. Recently California enacted data security laws that now allow you to request a company destroy any data they’ve collected on you. This option is currently only available to California residents, but it’s expected that other states will follow suit shortly.

If you’re dead, why would you care about your personal data? Good question. Think about it this way: all the iTunes music and movies you’ve purchased over the years are actually licenses to stream the content, not the content itself. Those licenses expire upon your end of life. Not leaving behind digital copies of your favorite films to friends and family may sound like a frivolous thing to worry about, but the implications of your digital footprint are much bigger.

Consider your medical records. The UK legally stipulates that medical records must be kept for at least 10 years after you die. Access is considerably restricted, but it is out there and subject to data breaches. Is there anything in your medical history you’d prefer stay private?

Most, if not all, search engine and email companies do not have any limits on how long they can store the private content of emails, cloud storage or other personal details. Would you be okay with your entire inbox being exposed to the world in the event of a breach? Probably not.

Some consumer companies do not have a great reputation for data security. When you are alive, you’re able to control what happens to your data and privacy in the wake of a data hack, but in death you and your reputation are powerless. There are things you can do now to prevent potentially embarrassing information from being leaked, but it requires carefully combing through your digital profile. Perhaps you should be asking more companies to destroy your data, and maybe be more mindful about whose cookies you freely accept online.

More resources

https://www.forbes.com/sites/bernardmarr/2017/02/01/what-really-happens-to-your-big-data-after-you-die/#242b72e61184

https://www.technologyreview.com/s/612283/six-things-to-do-with-your-data-before-you-die/

Demystifying Zero Trust

If we’ve learned anything from global politics, it’s that every piece of technology equipment is vulnerable to hackers. The very idea of a data breach is enough to keep a security executive (or CISO) up at night. Bad press, huge revenue losses, eroded consumer trust and, worse, heavy penalty fees have led the industry to develop the Zero Trust model.

Zero Trust is fairly literal: it’s a security system that does not trust any user’s attempt to access an enterprise system (or work within its applications) unless their ID can be verified at several points. It was created by John Kindervag of Forrester Research in 2018. Since then it’s become a buzzword whose meaning few truly grasp.

Ordinarily, an organization’s data accessibility assumes that if you are able to log in, you can be trusted. This model has become outdated as cybercrime gets more sophisticated. 64% of organizations have experienced a phishing attack in the past year. Most hacks are the result of a phishing link in an email being clicked on. In fact, 90% of data breaches involve some sort of phishing element. Often the entry point for a hacker isn’t where the data they want lives, but it grants them access to whatever isn’t restricted. Zero Trust aims to make these kinds of scams impossible. If implemented correctly, attempts to hack into an enterprise system would trigger alarms for the security team, thus thwarting the attack before it starts.

Many organizations do not have the resources to entirely overhaul their current security measures, but thankfully Zero Trust is scalable to fit the needs of your organization. There are many iterations of Zero Trust and some of them may already be in use at your company. A lot of IT staffs have already started rolling out pieces of Zero Trust, including virtual seminars and fake phishing scam links in employee email accounts. The bigger Zero Trust picture is that data breaches are preventable, but it comes down to good training, strong security measures and knowledgeable security professionals.

Further reading…

https://www.phishingbox.com/resources/phishing-facts

https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture

CCPA – Who is Next?

Inspired by California’s CCPA, more states are debating whether to follow suit. The California Consumer Privacy Act (CCPA) is a bill signed into law in late 2019 to protect California residents from having their personal data shared or sold to third parties without consent. This law went into effect on the first of the year.

The CCPA follows close on the heels of the General Data Protection Regulation (GDPR) in Europe, which took effect in 2018. The key tenets of the law are very similar, essentially barring organizations from collecting or storing personal data without the consumer’s consent. As a result, nearly every website now informs users that some sort of digital fingerprint is being recorded.

So what is my “data” and why is that important? Personal data is defined by the state of California as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The use of your personal data by companies is important because it can determine how an organization will market directly to you, even if you don’t want them to. Think of all those robocalls and junk emails you get that you don’t remember opting into. That is likely the result of a company that you did share your info with selling that data to another company that also wants to market to you.

One of the biggest points of the CCPA is that consumers have the right to access the data being collected on them, the right to ask an organization to delete their data, and the right to not have their data shared with anyone unless they personally opt in. Enforcing this new law will be challenging as nearly 90% of American companies are not yet in compliance. Consequences for failing to adhere to the new law include steep, even financially devastating fines regulated by the FEC.

Currently the law only protects California residents, but it’s expected that other states will quickly adopt the law too. Since California has one of the highest populations of any US state, the CCPA is important for any organization targeting California residents for marketing or commerce. Data breaches continue to erode consumer trust and the CCPA is the first measure taken by a US state to hold companies legally liable for any mishandling. Expect states like Massachusetts, Minnesota, Pennsylvania, New Jersey, and New York to follow.

Additional Resources:

https://oag.ca.gov/privacy/ccpa

https://www.consumerreports.org/privacy/california-privacy-law-ccpa-california-consumer-privacy-act/

https://iapp.org/resources/article/california-consumer-privacy-act-of-2018/