In: Economics
In the fall of 2016 Yahoo disclosed several major security breaches involving more than 1.5 billion user accounts. The results of these disclosures delayed the purchase by Verizon and reduced the Yahoo purchase price by at least $300 million. In June 2017 Yahoo shareholders agreed to the final sale to Verizon, nearly a year after the purchase was announced. What responsibility do firms have for the protection of customer data provided in the operation of their firm? Should Verizon have backed out of the deal with Yahoo given the scale and duration of the security issues brought to light in the fall of 2016?
ANSWER:
The regulatory environment for brand owners and retailers that do business online is getting stricter thanks to changes going into effect during the next couple of years in the European Union (EU), as well as existing regulations in the U.S. Companies that adapt quickly can turn these changes into a competitive advantage. As a result, several specific changes that apply to online business are close at hand, including data portability requirements, "right to erasure" provisions, and a rapidly evolving patchwork of regulation that changes from country to country across the globe and from state to state within the U.S.
As we grapple worldwide with the implications of the incredible amount of personal data generated every day, consumers are pressuring brands and legislators alike for more control over their information. This only becomes more complicated as more and more businesses pivot towards subscription models, where customer-brand relationships are longer-term and more fluid, and involve more uses of personal data and consumer behavior information. Neglecting the privacy desires of these consumers puts brands at risk of everything from fines and penalties to a loss of trust with their customers, which in the most extreme of cases could lead to being put out of business. Here are compliance obligations for which organizations should start preparing.
Businesses can protect customer data by taking the following steps:
1. Ensure you have effective endpoint, network and email protection that filters out spam, malware and dangerous file types.
2. Train employees to be suspicious of emails, especially those that contain attachments, and to report any unusual emails or attachment behaviour to IT.
3. Consider a patch assessment tool to ensure your operating system and applications are up to date with the latest security fixes. Most exploit kits see success due to exploits in software for which a patch is already available and just has not been deployed.
4. Install endpoint protection software and/or a secure web gateway that can identify and block exploit kits before they infect your systems.
5. Crooks want to capture more than just one user’s password and confidential files – they want access to your back-end databases, your PoS network and your testing network. Consider segregating your networks with next-generation firewalls that treat your internal departments as potentially hostile to each other, rather than having one big “inside” fenced off from the even bigger “outside”.
6. Put in place a device control strategy to identify and control the use of removable storage devices. Not only does this prevent bad stuff getting in, but, combined with data loss prevention (DLP), it can also help stop personally identifiable information (PII) and intellectual property (IP) data from going out.
7. Implement full disk protection and encrypt sensitive data stored on servers or removable media for sharing with business partners.
8. Use application control to keep track of, and restrict, unnecessary software that reduces security without adding any needed benefit.
9. Implement a data protection policy which guides employees on how to keep personal data secure.
10. If you move to the cloud, make sure that the ability to encrypt the data, both at rest in the cloud and in transit, is on your core requirements list.
Consumer desire for control
In 2016, the EU parliament approved a new regulation bolstering data protection measures for individuals in the EU. The General Data Protection Regulation (GDPR) is intended to give individuals greater control over their personal data and simplify the regulatory environment for brands operating online by providing uniformity across the EU. Though this regulation will likely not be enforced until 2018, and there is looming uncertainty for how the recent events of Brexit will impact regulations for the United Kingdom, it is not too early for brands that do business in the EU to start preparing.
The ripples caused by this legislation will reach every corner of the global retail market. Part of the regulation calls for data portability, allowing an individual to request transfer of personal data from one processing system to another in a commonly-used format. Non-compliance with certain articles contained within the GDPR can result in fines of 20 million euros, or 4 percent of total global revenue, whichever is greater.