US, Israeli experts warn of danger to data privacy in digital age

“When companies are hacked, consumers don’t care whose fault it is. They just say the company wasn’t doing enough to protect their information.”

By YONAH JEREMY BOB
Updated: JULY 4, 2017 09:26
Cyber hacking (illustrative) (photo credit: INGIMAGE)
Cyber hacking (illustrative)
(photo credit: INGIMAGE)
US and Israeli experts in data privacy on Monday warned attendees of a Tel Aviv conference about the numerous risks to customer information in the post-Edward Snowden, cyber-hacking age.
The conference drew attendees from a wide range of law firms as well as venture capitalists and tech-company executives. Among the conference speakers were Joel Strauss and David Straite of Kaplan, Fox & Kilsheimer LLP, and Israel Directors Union international chair Shmuel Ben-Tovim.
According to Strauss, one of the goals of the conference was “to raise awareness for companies’ level of respect for the personal information of customers.”
Top experts at Tel Aviv conference keep close eye on global cyber attack (Reuters)
While conference speakers warned of dangers to customer data posed by criminal hacking and employee negligence, they also cautioned against blanket compliance with government requests for customer data just because they come with the words “national security” stamped on them.
Respecting customer information “is good for business,” said Strauss. “When companies are hacked, consumers don’t care whose fault it is. They just say the company wasn’t doing enough to protect their information,” and potentially turn on the company.
Furthermore, “it is cheaper in the long run to be proactive, rather than reactive,” he explained, noting court cases in which companies have paid millions to settle private litigation or enforcement actions from government regulators.
Strauss emphasized that “data breaches are not a matter of if, it’s a matter of when.” He urged companies to pre-designate who will assess breaches, and to publicize required notifications since 48 of the US’s 50 states have breach notification laws, with different requirements.
He also encouraged companies to regularly using red team outside testers to try to breach their cyber defenses in order to discover their vulnerabilities.
Moving beyond criminal and negligence threats, Straite was asked about the cultural shift in sometimes refusing cooperation with US government requests for customer data – a shift that came about after ex-NSA agent Snowden revealed in 2013, private sector companies’ lack of oversight in sharing data with the government.
"Each company has to decide for themselves what is the best balance between fighting or cooperating with every government request,” said Straite.
Once a business “has data that it lawfully obtains from a customer, it is much easier for the government to get the information... it can be done with a subpoena without the need for a full court warrant,” he warned, adding that, “maybe companies should not gather as much data” if they do not really need it.
Ben-Tovim agreed with Straite that even in Israel, where security agencies are less restricted than in the US, companies “must defend their customers.”
“The Shin Bet [Israel Security Agency] can go to court and say I need this information. This is essential for the state and maybe the court will approve,” but that does not mean that companies do not have a responsibility to look out for their customers’ data, said Ben-Tovim.
Ben-Tovim expressed concern about government officials’ negligent or improper use of data, citing a recent situation in which he said Yair Lapid’s Yesh Atid party was discovered to possess Holocaust victims’ information, which he may have obtained when he was finance minister.
Like the American lawyers, Ben-Tovim also emphasized the range of criminal and negligence risks to customer data.
He said companies must carefully think through the consequences of international business, citing a recent Israeli court ruling against Facebook.
In the ruling, Facebook claimed a customer could not sue it in Israel for unauthorized use of his data since it is a US-based company. But the court rejected this argument, saying that “there is importance... also to the place where the customer lives,” Ben-Tovim said.
It is critical that data privacy be a permanent item on the agenda for boards of directors, to have a comprehensive cyber policy and to employ lawyers and senior technology experts dedicated to the matter, said Ben-Tovim.
One problematic trend in Israel that he flagged is when large companies sufficiently protect their data, but are networked with smaller suppliers who do not. He said the vulnerability of a networked supplier “is also a serious risk.”
A growing approach to dealing with some of these issues is getting cyber insurance, which Ben-Tovim said can be worth doing in the long term, even if it is expensive, especially since the insurance process pushes companies to do due diligence.