Cambridge Analytica: a timely reminder for corporate New Zealand
The furore over Facebook and its relationship with political consulting firm Cambridge Analytica has yet to settle because it raises important questions for all businesses.
Coincidentally, the Cambridge Analytica incident has been unfolding as new regulations such as the General Data Protection Regulation (GDPR) in the European Union and the Australian Data Breach Notification rules are introduced, having widespread implications for all social media users.
That’s according to Peter Bailey, general manager at Aura Information Security, who points out that multiple forms of social media are used by most companies today.
“When you are holding customer data, you must have a clear idea of what it is, how it is being used and where it is stored. The appropriate safeguards must be in place to protect the information. And, if it is shared or on-sold to any third parties, it must be protected by those third parties with the same level of rigour, as well as the explicit informed consent of the people from whom that data originated,” says Bailey.
In the Facebook and Cambridge Analytica data breach, the political consultancy created an app to collect data from Facebook users supposedly under an informed consent process. The data was purportedly only to be used for academic study, and targeted hundreds of thousands of Facebook users.
Where things go off the rails, and where the trust of those people was abused, is that the app collected the personal information not only of those who took the survey, but also of everyone in their Facebook network. The data was then used for a purpose other than the stated academic research – that is, to potentially guide public opinion. Some 85 million Facebook users' data was compromised, including that of more than 60,000 New Zealanders, with just 270,000 of those having given some consent for the use of their private information.
Bailey says the range of uses of personal data is ‘huge’. “Those uses range from the legitimate, such as for the targeted advertising provided by social media networks, quasi-legitimate, like the manipulation of public opinion, or downright illegal like identity theft. Companies need to understand this range of uses, because it goes to the heart of why data is so valuable – and, in turn, that demonstrates the necessity for the protection of that data.”
To date the laws have been somewhat left behind by the march of technology. As a result, the direct consequences of data breaches have not been particularly significant in the eyes of the law.
The recently introduced parliamentary Privacy Bill intends to replace the 25-year-old Privacy Act and bring New Zealand’s privacy laws in line with recent international developments and reforms, including GDPR and the Australian data breach notification regulation.
Fundamental aspects of the Privacy Act, such as the information privacy principles which regulate the collection, use and disclosure of personal information, are retained, but the Bill introduces new ways to enforce those principles.
Among the provisions are mandatory reporting of privacy breaches, the ability for the Commissioner to issue Compliance Notices, strengthening of cross-border data flow protection, and the potential introduction of fines up to $1 million.
With these changes set to come into force soon, Bailey urges businesses to take a close look at the way they hold and use data. “Data is incredibly valuable and can be used and manipulated to do great things. However, it can also be misused for criminal purposes. Companies need to be transparent on what they are collecting and how data is to be used if they are to gain and retain the trust of customers.”
Locally, Bailey says attitudes towards data protection span a range from those organisations which know there are issues but choose to ignore them, those which are blissfully unaware, and those which have sufficiently rigorous systems, technology and processes in place to comply with the world’s most stringent regulations. “The Cambridge Analytica incident, however, has served to bring home the relevance and necessity of looking after your customers’ data. Attacks are real. Compromises are real. And the consequences, too, are real.”
While many companies generally have good practices in place, Bailey says respecting data privacy should not be an afterthought. “Not only can a breach have a serious impact on your business’ reputation, soon it will also have serious financial implications,” he concludes.