It’s been over four years since the European Union (EU) implemented its groundbreaking General Data Protection Regulation (GDPR). The GDPR has become the model for personal data privacy laws in many other countries, and for the California Consumer Privacy Act (CCPA), which took effect in 2020. New data privacy laws are set to take effect in four more U.S. states in 2023, and six states are actively working on bills.
But in those four years, there has been little progress at the federal level. The discussion draft of the American Data Privacy and Protection Act, released on June 6, 2022, has several unresolved issues that will likely stand in the way of bipartisan support. This lack of federal privacy regulation is costing U.S. businesses money, in ways they don’t even realize.
Regulatory uncertainty and the lack of a single compliance standard are obviously costly, though the cost can be difficult to quantify. What’s less obvious but more quantifiable is the explosion in crimes against businesses, specifically business email compromise (BEC) and ransomware. These crimes are being fueled by the widespread availability of very detailed, legally collected personal data. If the government won’t act, it would behoove businesses to take steps to help employees protect their personal data, and in the process protect themselves.
According to data from the IC3, the FBI’s Internet Crime Complaint Center, BECs cost businesses $2.4 billion in 2021, up from $1.8 billion in 2019. BECs dwarf all other types of cybercrime against businesses, and accounted for 34% of 2021 losses from all types of cybercrime. Ransomware schemes cost businesses $49 billion in 2021, up from $9 billion in 2019.
Those costs reflect only direct losses. According to research from the Ponemon Institute, the cost of lost productivity and of remediating compromised credentials and systems associated with these crimes can more than double the tab.
Work from home, where computing environments are less secure, has been a factor in the rise in these crimes. But so has the increase in the amount and variety of personal data available on the internet.
Data fuels phishing, which is the gateway for these crimes. Phishing is typically done via email, but also via text or instant messaging, social media, and even collaboration platforms. Criminals use data to pose as a trusted source communicating in one of these channels, and convince the victim to click on a malicious link. That can lead to the installation of malware, ransomware, or the collection of login credentials or other sensitive data.
This can have devastating consequences for individuals, but phishing attacks are increasingly being used to gain entry to government and corporate systems. The IC3 received 323,972 phishing complaints in 2021, up from 25,344 such complaints in 2017 — a stunning 120% increase. According to Verizon’s 2020 Mobile Security Index, 2% of employees click on a phishing link every day.
Once they gain access, bad actors can lurk inside company systems, studying workflows, monitoring communications and waiting for an opportunity. Let’s say an employee posts about their vacation on social media. That’s the opening a bad actor has been waiting for.
They hop into the vacationing employee’s email account, which contains a thread with a vendor’s accounts payable discussing payment of an invoice. The bad actor adds another message to the thread: “Can you also update our bank account and send the payment to the new account.” According to the IC3 report, the average loss for a successful BEC attack like this was $120,000 in 2021.
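One defender-side control for the thread-hijack scenario above is a mailbox rule that flags a message requesting a change of payment details, and raises the severity when the mailbox owner was marked out of office at the time the message was sent. The code below is an added illustration, not from the original article; the message class, the keyword pattern and the sample thread are all constructed here.

```python
import re
from dataclasses import dataclass


@dataclass
class Message:
    """One message in an email thread (constructed structure for this example)."""
    sender: str
    body: str
    sent_while_ooo: bool  # True if the sending mailbox's owner had out-of-office set


# A request verb followed within a few words by a payment-related noun, e.g.
# "update our bank account", "new wire instructions", "change of payment details".
PAYMENT_CHANGE = re.compile(
    r"\b(update|change|new)\b.{0,40}?\b(bank|account|routing|wire|payment)\b",
    re.IGNORECASE | re.DOTALL,
)


def score_message(msg: Message) -> list:
    """Return the reasons a message looks like a payment-diversion attempt (empty if none)."""
    reasons = []
    if PAYMENT_CHANGE.search(msg.body):
        reasons.append("requests a change of payment or bank details")
        # A payment-change request sent from a mailbox whose owner is away is the
        # exact pattern in the vacation scenario: treat it as a second, stronger signal.
        if msg.sent_while_ooo:
            reasons.append("sent from a mailbox whose owner was out of office")
    return reasons


def flag_thread(thread: list) -> list:
    """Return (index, reasons) for every message in the thread worth holding for review."""
    flagged = []
    for i, msg in enumerate(thread):
        reasons = score_message(msg)
        if reasons:
            flagged.append((i, reasons))
    return flagged


# Constructed sample thread: a legitimate invoice exchange followed by a message
# injected from the employee's compromised mailbox while they are on vacation.
SAMPLE_THREAD = [
    Message("ap@vendor.example", "Attaching invoice #4471 for June services. Payment is due in 30 days.", False),
    Message("employee@corp.example", "Thanks, received. We'll process it in the next run.", False),
    Message("employee@corp.example",
            "Can you also update our bank account and send the payment to the new account.", True),
]

if __name__ == "__main__":
    for index, reasons in flag_thread(SAMPLE_THREAD):
        print(f"message {index} from {SAMPLE_THREAD[index].sender}: {'; '.join(reasons)}")
```

In practice the out-of-office signal would come from the mail server's state, and a flagged message would be held for an out-of-band callback to the vendor rather than simply logged.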
Phishing is becoming ever more effective due to all the data criminals have to customize their communications. They don't even have to steal the data. They can get it on any one of about 150 people search sites, a segment of the data broker industry that has been growing both in size and in the type of information they collect.
These sites, which are largely unregulated, started out collecting publicly available data such as names, addresses, and phone numbers. Now they collect an even wider variety of data gleaned from a much wider variety of sources. Information such as a person’s political views, dietary preferences, pets, and even a person’s Amazon wish list can be easily found for a small monthly subscription fee. And it’s all currently legal.
Companies can and should mount aggressive, ongoing efforts to train employees to recognize and report phishing emails and related scams. But they can also reduce the fuel for these crimes by helping employees scrub their data from people search sites. There are a number of software-as-a-service providers that will do this for them on an ongoing basis. Offering data privacy as a benefit is a relatively inexpensive way to help protect both employees and employers from cybercrime.
Personal data is a very sensitive tool that cybercriminals use to cause real harm to people whose data is publicly available on the internet. But it’s not just individuals who suffer. Employees’ digital health affects businesses as well.
The payday from crimes against business can dwarf gains from crimes against individuals, making them especially attractive targets. Businesses are only as safe as their most digitally vulnerable employees.
It may be years before we have comprehensive federal legislation to protect data privacy. That is why organizational efforts to prevent cybercrime must include restoring employees’ privacy by removing their personal information from the internet. That will make it more difficult for malicious actors to obtain employee data to leverage in their attacks.