Internet Safety 101
22 - 03 - 2022
Data Protection and Privacy
I'm sorry to be the bearer of bad news, but your data is not actually safe on the internet.
Almost every single person will have used or come into contact with some of the following businesses/brands, and all of them have suffered some sort of breach in one way or another over the past decade. I challenge you to read this list and say you haven't got an account with anyone listed here. These are just the names that stand out to me; this is far from all of them!
Starbucks, Steam, Zoom, Nintendo, Sony (including but not just PSN), Microsoft, Capcom, Twitch, Ubisoft, Sega, Yahoo, AOL, Betfair, Verizon, WordPress, Westpac, Citigroup, NASDAQ, 7-Eleven, Bank of America, Snapchat, TikTok, Telegram, Instagram, Patreon, Reddit, LexisNexis, Aadhaar, MySpace, Twitter, Facebook, LinkedIn, e-Harmony, Marriott, US Dept of Homeland Security, First American Financial Corp, Capital One, Adobe, Equifax, Volkswagen, Bose, McDonalds, British Airways, EasyJet, Cathay Pacific, the Ministry of Defence, HMRC, the NHS, the UK Driving Standards Agency, Ofcom, Dun & Bradstreet, Primary Care Support England, Norfolk City Council, Trafford Council, Electronic Arts, CD Projekt Red, Accellion, Morgan Stanley, Expedia.com, Hotels.com, Hilton, Gately, Cakebox, People Data Labs, Elasticsearch, Under Armour, Quora, MyHeritage, Panera, New Egg, Starwood, Deep Root Analytics, Dubsmash, eBay, Heartland, Apollo, Badoo, Evite, VK, Youku, Rambler, Dailymotion, Anthem, Dropbox, Tumblr, Uber, Home Depot, TJX group, Ashley Madison, Bonobos, MG Grand, 123RF, Mailfire, SolarWinds, the GAP, JP Morgan Chase, Hewlett Packard, MongoDB, Mozilla, Nippon Television, U.S. Army, UPS.
These people cannot guarantee that they can protect your data. No-one can truly promise that given the current state of technology. Whether it results in the loss of personal data, or stolen secrets, whenever a data breach occurs the effects can be substantial. The impact of such breaches on us as individuals could be massively reduced and potentially eliminated if we just took a bit of extra care with our data. And by "we"/"our" I don’t mean the likes of Facebook/Google, although they definitely have their role to play, I'm talking about all of us.
We can overcome many of the biggest risks, and act as a catalyst for change, by taking charge of our own data. This is what we have to do to start working towards that.
1. Awareness of processing and your rights
- Read up, listen up.
- Rights, act on them.
2. Become an internet ninja
- HTTPS - the S literally stands for SECURE!!!!!
- Don’t be Phooled
  - Phishing, spears and all.
- Use VPNs wherever possible.
- Have more than one email account/online presence.
- Password discipline
  - Use different passwords. They don’t all have to be unique, but at least use different levels of security.
3. Be bothered
- Do your homework
  - Google them! At least have a nosey and find out whether the business asking for your data has a good track record or not. If they already lost someone else’s information or had their secret sauce stolen last week, they probably can't protect your information either. To be honest, no one can, but at least some businesses will try to protect it as best they can to minimise the chance that a breach will occur, and further minimise the extent of any breach if (or rather when) that does occur.
- Value your data.
  - Assume it is going to be breached in some way, and consider not giving the information out in the first place.
  - If you are being asked to provide data when you don’t think it’s strictly required to view that PDF report you've been waiting to read, contact them directly to let them know what you think. It is not legal to force people to provide information in order to access something, if that data isn't strictly required to provide that thing/service/whatever it is you want to access.
  - Don’t just give it up, make 'em work for it! Check what you get in return: is it worth receiving spam for the next year or two? Maybe don't give up the crown jewels on the first date; consider providing a dummy email address or other false (pseudonymised) information if that isn't going to breach any contract with that business. It may not be wise to lie to HMRC about your tax return (spoiler - you could end up in prison), but if they ask for your email address before they let you view some kind of guidance document, that's a different matter altogether.
- Multi-Factor Authentication
  - So many options: RSA, mobile phone authentication, fingerprint, face ID.
4. Complaints and complacency
- Make the complaint, don't just let it happen or think "but it’s only X and Y data, they can't do anything with that".
- Lawsuits/legal remedies
- Global or go-home.
- Rights for everyone, for harm anywhere, or bust.
- Create a value for data - sell it! Meaning risk can be quantified and used to effectively scare businesses into taking better steps. Things like the British Airways settlement (although we don't know how much they settled for) demonstrate that the harm to individual people arising out of data breaches is hard to quantify, but there are ways to assess it.
Data breaches are becoming far more widely reported, but awareness doesn’t come close, and we can't expect people to monitor how often their data is breached and by whom on a daily basis, because that's a job in and of itself! Which means we probably need to create an industry to manage this for us.
Sam Crich is a Senior Associate within Berwins’ Commercial team. For advice on any of the above, or anything related to Digital Law, call Sam on 07595 650226, or email SamCrich@Berwins.co.uk.