How IT leaders can address online privacy risks [Q&A]

Enterprises are facing a rapidly changing privacy landscape, in which some laws contradict each other, while struggling to reduce costs and gain visibility into their privacy risks.

Indeed there’s been a recent increase in lawsuits against companies for online privacy violations that is putting significant strain on C-level executives and they're looking to their IT leaders to address all of this risk with technology.

We spoke to Ian Cohen, CEO of LOKKER, to discuss what IT executives need to consider to address C-suite privacy concerns and protect their companies from online risks and their resulting impact if not properly addressed

BN: What does the current online privacy landscape look like?

IC: The current state of privacy is a bit of a mess due to the patchwork of different state laws, and this creates uncertainty and fear. To elaborate on this a bit, there are 18 states that have passed comprehensive privacy laws to date. There's also federal law and industry-specific laws like those covering health and financial data. Each is nuanced with differing requirements, for example, some require opting in to data sharing, some requiring opting opt. And some require a private right of action, which means that anyone can bring a lawsuit against a company who they feel has misused their data. And unfortunately for companies, often fines and lawsuits go hand-in-hand. When a company gets fined by an enforcement agency, oftentimes lawsuits will follow. In addition to the key driver of these laws, many of them allow for a private right of action, which means private class action lawsuits. Some privacy defense law firms have over 100 cases on the books at any given moment.

As a result, the C-suite and boards want clarity and assurance that the company is covered and compliant to ensure the company is handling consumer data responsibly. This requires similar oversight to cybersecurity.

Getting this clarity and assurance can be difficult. It requires both legal and technical oversight that can get very detailed. The solution is to have a single dashboard that compliance, legal, IT and marketing teams can view that covers overall exposure and monitoring for the C-suite, and detailed data for legal and technology teams.

BN: What is the underlying issue driving these lawsuits and why might IT executives not even know they need to address it?

IC: The underlying issue is the over collection, storage and sharing of consumers' personal information, and a lack of understanding about what some privacy tools actually do. For example, many companies have started implementing cookie consent tools with the genuine intention of protecting their visitors' privacy, and complying with emerging laws. However, when you dig into how they actually work, these tools typically only get consent for cookies, not the other pixels, trackers, and fingerprinters that also collect personal information.

The issue obviously becomes much more consequential when the subject of a company's website involves healthcare and financial services where PII and Protected Health Information (PHI) are collected. There are dozens of different laws that require compliance in different ways.

BN: What is the challenge with the technology solutions IT teams currently have in place to tackle this issue?

IC: Third-party cloud software, particularly ad tech. This is basically the engine that drives the entire free Internet, so it's a serious conundrum for a lot of companies. You can say just shut it all down, but most people wouldn’t like the result. So the hard task that everyone has to solve right now is how to use the essential functionality and other tools with tighter controls over them.

The technical challenge to doing that in the past is that these third parties are served from the edge, meaning that they are communicating directly with a company’s end users and therefore hard to monitor–unless you have a real-time tool that monitors data collection and tracking technology from the end-user perspective (the client side).

BN: What industries do you feel are at greatest risk when it comes to safeguarding online privacy?

IC: Without a doubt, healthcare has been put under the most scrutiny because medical data is so tightly regulated by HIPAA, and for obvious reasons. Many of the new laws also have specific clauses around PHI, and in several cases allow private legal actions. This has led to an enormous number of both regulatory and private legal actions.

Retailers that have health-related brands are also at high risk since they are running ecommerce websites that also contain medical terms. There's a direct conflict between what drives revenue and some of the new privacy mandates.

The only way to manage this effectively is to use precision controls over each tag, limiting what the website is allowed to do including the data it's allowed to collect and the additional tags it's allowed to introduce.

BN: How can IT leaders deal with C-suite privacy concerns and protect their companies -- and their customers -- from online privacy risks?

IC: The C-suite needs access to a report that gives them a clear benchmark of where they sit and how it compares to other companies. While engineering and legal may manage this dashboard and introduce the real-time tools I discussed earlier, it's critical that everyone is operating from a single source of truth, a single dashboard.

Image credit: md3d/depositphotos.com