Five Myths about Cybersecurity and Privacy for U.S. Businesses

Over the past five years, I’ve had the privilege of providing cybersecurity training, implementation and auditing support, and consultation guidance for countless U.S. businesses. I’ve also practiced most areas of business law over the past forty years.

In this time, I learned that most people were not really worried about cybersecurity and privacy. They felt that these types of regulations only impacted Europeans and health care providers.

That, of course, couldn’t be further from the truth. Although legislation such as the EU GDPR (General Data Protection Regulation) includes the world’s most far-reaching data protection requirements, and the U.S. healthcare sector is one of the few industries with robust federal laws on the topic – thanks to HIPAA (Health Insurance Portability and Accountability Act) – these are not the only places where U.S. organizations should be concerned about cybersecurity.

That’s one of many myths that business leaders still believe, and in this article I look at several others.

Myth: There is no precedent for cybersecurity and data privacy in U.S. law

This idea is wrong on many levels. The concept of data privacy in the U.S. is over a hundred years old and has its roots in an essay by professors Louis Brandeis and Samuel Warren, The Right to Privacy, published in the Harvard Law Review in 1890.

Although law review articles can have an outsized impact, they are, of course, not law. That came in 1965, when the U.S. Supreme Court enshrined privacy as a right (Griswold v. Connecticut, 381 U.S. 479 (1965)).

This case held that the general right to privacy is found in the “penumbras,” or zones, created by the specific guarantees of several amendments in the Bill of Rights, including the First, Third, Fourth, and Ninth Amendments.

While the concept of privacy existed in the U.S., it was not widely invoked until the excesses of Big Tech in monetizing personal data became evident in the past few years.

This has led to a cascade of new privacy laws, beginning with the California Consumer Privacy Act in 2018 and followed by six other state acts, with Iowa and Indiana the latest to pass theirs.

In addition to these laws, there are also new biometric laws such as the Illinois BIPA (Biometric Information Privacy Act).

The reality for U.S. businesses is that they must protect their customers’ privacy and data, not only to comply with an ever-increasing series of laws but also to satisfy the preferences of those customers.

Myth: Technology alone can address cybersecurity

This is simply not going to happen. Humans work on and with technology. You cannot get the humans out of the loop.

For example, the numbers vary, but phishing is consistently implicated in the vast majority of attacks. Criminal hackers bypass security tools by tricking people into handing over their login credentials, which they can then use to steal sensitive information or payment card data.

Some of the most flagrant offenders are top management who fall for carefully crafted spear phishing campaigns.

This is why the most effective cybersecurity strategy is staff awareness training. Individuals are a critical line of defense against phishing, so they need to know how to spot the signs of a scam and respond appropriately.

Myth: The U.S. doesn’t properly fine organizations for non-compliance

One of the biggest talking points surrounding the EU GDPR is the potential for mammoth fines. In some cases, organizations can be penalized up to 4% of their annual global turnover, and this has resulted in eye-watering fines, such as the recent €1.2 billion ($1.3 billion) sanction against Meta.

This has led some people to ask why organizations in the U.S. don’t face similar penalties, but the fact is that the country does issue such fines. In 2019, the FTC (Federal Trade Commission) slapped Facebook, which would later rebrand as Meta, with a $5 billion penalty for data privacy violations.

One of the reasons these sorts of penalties are discussed less often is the way they are handed out. Whereas the GDPR gives data protection authorities – in most cases a single national authority for each country in the bloc – the freedom to set fines based on their judgment, the U.S. relies largely on class action lawsuits.

Enormous fines are therefore less common, but strict penalties can and will be issued based on the number of people who fall victim and choose to seek recompense.

Myth: Privacy is not important to consumers and not part of the business model

In fact, consumers value privacy highly. According to a Cisco survey, 94% of firms said their customers would not buy from them if their data was not properly protected.

For further evidence of this, you only need to consider the public’s opinion of website cookies. Their introduction to web browsing revolutionized marketing in the mid-1990s, with organizations using cookies to provide tailored advertising to individuals.

However, in recent years people have come to realize how much cookies violate our privacy. Organizations hoover up data about the way we browse their sites, and that data can reveal alarmingly detailed information about us, collected without first asking for our consent.

According to a 2021 study, only one third of respondents in the U.S. said they allow all cookies.

In response, both Safari and Mozilla Firefox have added total cookie protection to their web browsers, while Google is currently phasing out third-party cookies in Chrome.

Fact: Cybersecurity is only going to become more important

If there’s an overarching theme to these myths, it’s that the times are changing. Many misconceptions about cybersecurity stem from people failing to see the changes in the threat landscape and the way that these challenges are being legislated against.

Worse still, those who do recognize these changes often misdiagnose the solution. For instance, a large contingent of people believe that artificial intelligence can resolve many of the data privacy and data protection problems that organizations currently face, but this won’t address the core problem.

Namely, business leaders must understand the fundamental importance of data privacy and use appropriate tools in responsible ways.

They must stay in line with the demands of consumers and the ways they are being protected in state privacy laws.

Over the past decade, the public has become increasingly aware of the need for privacy and cybersecurity. They are demanding better protection from their government, but also better accountability from the firms with whom they do business.

Businesses that can adapt to the new reality will succeed; those that can’t will fail.