US consumers are becoming increasingly concerned with data privacy, specifically with how companies are managing their personal data. The majority of Americans (87%) characterized data privacy as a human right, yet most still don’t take adequate security precautions with their information, a KPMG report found.
KPMG’s The New Imperative for Corporate Data Responsibility report, released on Wednesday, surveyed American consumers to determine their attitudes toward data privacy and what they expect from corporations.
“There’s been a pretty significant shift in evolution around privacy. You look at HIPAA from a healthcare perspective, you look at some of the banking regulations like GLBA, but there was never really a large scale focus on privacy as either a fundamental human right or even as a core expectation that a lot of consumers had,” said Orson Lucas, principal at KPMG cyber security services.
“Fast forward to a few years ago, with GDPR becoming this global phenomenon that brought a lot of attention to individuals about what data they have that’s being shared with companies, how that’s exposing them potentially to breaches, as well when that data is not appropriately protected,” Lucas said.
Despite 97% of American consumers indicating data privacy is important to them, and 56% saying they want more control over their data, more than 40% still reuse passwords, use public Wi-Fi, or store credit cards on file at online stores–all dangerous data privacy practices, the report found.
Consumer folly and expectations
Overall, consumers are increasingly suspicious of what companies are doing with their personal data. Consumers said they don’t trust companies to ethically sell personal data (68%), to use personal data in an ethical way (54%), to ethically collect personal data (53%), or to protect personal data (50%), the report found.
Respondents said they are most concerned about data breaches that center on potential theft of their Social Security number (83%), credit card number (69%), and their passwords (49%).
“A lot of times people feel like [data protection] is overly complicated. When you look at terms of service, as you look at privacy policies, a lot of times it’s written in a way that standard era consumers are not able to really interpret or understand, because they feel it’s overly complex, dozens or hundreds of pages long,” Lucas said. “The real content gets buried in the legal.”
“If we’re going to pivot toward a more consumer-friendly, consumer-centered view of privacy, it’s important that we bring clarity, simplicity, and a feeling of more control over data to allow individuals the ability to manage that better,” Lucas said.
However, consumers themselves aren’t very cognizant of protecting their own data, the report found. Some 61% of consumers said they don’t use computer security software or multi-factor authentication. And, 69% of respondents said they choose not to install mobile device security software when available.
The reason consumers fail to protect themselves may also be a lack of understanding, Lucas said, but there are ways to remedy that.
How consumers and companies can protect data
Nearly all (91%) of respondents said they agree that the data privacy rights of the CCPA should be extended to all US citizens. The protection gives consumers the right to delete personal data and the right to know how their data is being used, the report found.
In the meantime, customers can protect themselves in a couple of ways, Lucas said.
“One way consumers can exercise that right is by being selective with whom they do business with based on the way that companies manage,” Lucas said. “The level of transparency that individuals have with those companies [matters], that you have a clear sense that they’re doing the right thing with your information.”
Lucas also emphasized the importance of multifactor authentication. Most organizations offer this service, but it’s also easy for consumers to implement on their devices and accounts, he said.
However, the majority of organizations believe that companies (91%) and government (90%) should have a responsibility to protect consumer data, the report found.
More than nine in 10 Americans said companies should implement data privacy guidelines, be held responsible for corporate data breaches, take corporate data responsibility seriously, and take the lead in establishing that responsibility.
One way companies can show their dedication to data privacy is through minimization, said Steve Stein, principal at KPMG cyber security services.
“There’s this whole concept of minimization–trying to make sure that companies only collect the information that they need to fulfill a contract or a transaction,” Stein said. “Asking for more and more personal information is probably not the greatest idea when that information could be compromised or breached at some point in time.”
This concept is naturally accomplished within CCPA, Stein said, and a federal regulation similar to CCPA may be in our future.
“We anticipate that laws like the CCPA are going to go national and potentially have a federal statute that applies across the country. Given the reaction to CCPA, it feels as though that reality is coming,” Stein said.
“What we’re seeing from companies is that they probably have to act now, or risk being in this reactive compliance-oriented position,” Stein said. “A lot of the companies we’re working with now are definitely taking privacy more seriously: Building governance, accountabilities, technology tools to better understand and have visibility into the personal data they collect, store, and manage.”
“Once they have at least an understanding and visibility into that personal information, they’re in a much better position to protect and foster trust. It’s to foster trust with regulators, foster trust with boards of directors, foster trust with their customers,” Stein added.