PLAN AHEAD

Incorporate privacy and security from start to finish.
Thinking about the data you will collect and store while you design your product or service is only one part of “baking in” privacy. You also need processes in place to address issues that might arise in the future. Save time, money, and even your reputation by maintaining privacy and security practices that are holistic, regularly re-evaluated, and prepared for potential data security issues and legal demands.
GROW YOUR PRIVACY AND SECURITY TEAM ALONGSIDE YOUR PRODUCTS.

The assignment of key personnel to oversee privacy and security issues is a great way to proactively address problems and maintain consistent practices throughout a product’s lifecycle. For large companies, there might be multiple people whose primary role is to protect privacy and security, including a chief privacy officer and/or chief information security officer, a dedicated privacy group, and specific members of each product team focused on privacy issues. But even two-person startups can benefit by making sure that someone is specifically responsible for thinking about privacy and security issues so that they aren’t ignored until it’s too late.

Case Study

AT&T Phoned In Cybersecurity: Suffers Massive Data Breach

AT&T was blasted in the press for its “sloppy” cybersecurity, questioned by members of Congress, and hit with a class action lawsuit for its “sweeping” data breach when the company disclosed in 2024 that hackers accessed six months of call and text records from “nearly all” of its more than 70 million customers. AT&T admitted that there are ways to identify the names associated with specific telephone numbers, and security experts are concerned that “any information could help hackers access more data.”

Case Study

Mobile Phone Carriers Ring Up $20 Million FCC Proposed Penalty for Lax Privacy and Security

The FCC hit Q Link Wireless LLC and Hello Mobile Telecom LLC with a proposed penalty of $20 million in 2023 for failing to protect the privacy and security of people’s information. FCC rules require service providers to authenticate who someone is before giving them access to personal information and require the use of reasonable data security standards. The mobile phone carriers’ apparent violation of those rules placed customers “at increased risk for privacy violations and bad actor’s potential misuse of their sensitive personal data.” The FCC Enforcement Chief and Head of the Privacy and Data Protection Task Force made it clear that this enforcement action should put all telecommunications service providers “on notice that protecting customers’ data should be their highest priority, and we will use our authorities to ensure that they comply with their obligations to do so.”

RE-EVALUATE YOUR PRIVACY AND SECURITY PRACTICES WHEN YOU MAKE MAJOR CHANGES.

Failing to recognize your changing privacy and security needs as your company and products evolve can create new risks for your users and your reputation. Instead, use regular assessments to evaluate and update your privacy and security practices. Assessments should take place before a new product is launched and whenever major changes are implemented.

Case Study

Apple Walks Back Anti-CSAM Feature Over Surveillance Concerns

Apple ultimately took the right step to safeguard user privacy, security, and free speech by scrapping a controversial plan to scan users’ iCloud accounts to flag content (such as photos sent over iMessage) that may be abusive or exploitative. The initial announcement had been met with widespread criticism, with over 90 civil rights and policy groups and security experts condemning the mechanism as a problematic surveillance technology that would undermine the privacy and security of Apple customers. After this extensive public backlash, Apple put its plan on hold and then announced in 2022 that it would not move forward. The company committed to finding other ways to help prevent child sexual abuse material while preserving its users’ right to privacy and free speech.

WORK WITH OUTSIDE EXPERTS TO IDENTIFY AND ADDRESS PRIVACY AND SECURITY RISKS.

Seeking and accepting advice from outside your company can bring a new perspective to your privacy and security risks, helping you identify and fix potential problems before they impact your users and your business. Consultants and independent researchers can help you identify flaws in your products or your infrastructure and fix them before they lead to a major incident. Work with researchers who responsibly disclose flaws in your product rather than risk a public relations disaster by trying to silence their work.

Case Study

Tesla Accelerates Security Fixes by Cooperating with Researchers

Tesla was able to quickly address a vulnerability in the software for one of its cars by cooperating with the researchers who discovered the flaw. Even before the bug was known, Tesla had implemented a “coordinated disclosure policy” to pay researchers for finding and submitting vulnerabilities. When researchers found a security hole in one of Tesla’s cars, Tesla quickly fixed the problem and publicly thanked the researchers by co-presenting with them at a conference. The company enjoyed praise from industry experts and the public for its strong pro-security stance.

Case Study

CyberLock Accused of “Abuse of the Legal System” After Threatening Researcher

Electronic lock maker CyberLock drew harsh criticism for its “abuse of the legal system” when it sent threatening legal letters to a researcher to prevent him from publicly revealing his research about its products. The researcher uncovered security flaws that undermined the protections promised by CyberLock’s locks and notified the company of his findings. In response, the company slapped the researcher with threatening legal letters to discourage him from publicly revealing his research, sparking media criticism and outraging members of the security community.
