Who should be responsible for protecting our personal data?

Governments do not have the resources or the speed required to react to cybercrime. In most cases, businesses lack the incentives to focus on this topic. Consumers think they should be responsible for their own safety online, but most do not have the knowledge or motivation to tackle it.

What can we do to protect users and businesses, and who should take charge?

Half the world’s population is online and leaving behind an ever-growing digital footprint. Around 89% of Americans and 70% of Europeans use the internet daily, and the global internet penetration rate continues to increase rapidly. Research firm Gartner predicts that more than 20 billion consumer IoT devices will be in use by 2020.

According to our own research, American homes already contain on average 17-18 devices, and that number is expected to grow in upcoming years. Parks Associates research shows that 32% of US households with broadband own at least one connected device, and 50% intend to purchase a smart home device in the next year.

In fact today we are hyper-connected, argues Jon Ramsey, chief technology officer at cybersecurity firm Secureworks:

“Today a person has two or three dozen sensors on them. A modern-day car has 500 sensors in it, [there are] 600 sensors in the modern home, 6,000 sensors in a modern airplane. All of these things are generating information.”

While IoT usage has been growing exponentially over the last few years, the scale of IoT adoption and device interoperability has created an insecure environment that is more vulnerable to personal data leaks.

Data breaches have become both more common and more severe. The World Economic Forum’s Global Risks Report 2018 concluded that cyber attacks that were previously considered large-scale are today seen as normal. Hackers are more agile, The threats are becoming more sophisticated; hackers are increasingly agile and are using advanced technology, such as machine learning, to launch attacks.

In recent years, numerous issues have arisen around the way enterprises treat their users’ information. Personal data is processed for political and economic reasons without users’ consent, as happened in the Cambridge Analytica scandal. IBM estimates that the cost of a data breach involving more than 50 million records is $350M.

According to the World Economic Forum, cyber attacks and data fraud are the most likely global risks. Eurobarometer supports this conclusion: 87% of Europeans see cybercrime as an important challenge.

During the G20 Summit in 2017, world leaders emphasized the necessity of trust in digital technologies - including consumer protection, intellectual property rights, transparency and security.

Governments are reacting slowly

The European Union is leading the user privacy discussion with its General Data Protection Regulation (GDPR), which has built a strong legal foundation for securing end-user data in Europe.

In the US, device privacy laws vary depending on the sector, state or data type. Recently, California implemented a new law that governs IoT security on a state level. Technology leaders, meanwhile, are pushing for federal privacy laws, and are beginning to see privacy as a human right.

IoT device manufacturers are forced to comply with these new laws and ensure “privacy by design”. However, this process can present financial and technological issues that not every manufacturer is able to address - which means users’ data is not always secure.

Research shows that consumer attitudes toward digital security are changing as people become more aware of online threats. Recent reports suggest the main issues troubling connected consumers concern the safety of their personal data.

According to the Economist Intelligence Unit, 93% of users name privacy and security as one of their top concerns. Eurobarometer - which carries out public opinion surveys on behalf of the European Commission - found that 86% of people believe they are at an increased risk of becoming victims of cybercrime.

Consumers are also beginning to see IoT devices not only as a valuable asset but also as a threat to their privacy. Device security has become a risk that might lead to privacy breaches - and consumers are becoming increasingly aware of these threats.

A report by The Economist found that 75% of IoT device owners rate device privacy features as ‘very important’. According to a November 2018 survey by CUJO AI of more than 2,600 customers, 77.5% are worried about unauthorized access to their devices. Gigya, meanwhile, reports that 73% of consumers are ‘very concerned’ or ‘concerned’ about IoT device security.

A recent survey by Princeton University revealed that device users are “skeptical of privacy risks from devices that do not record audio or video, such as light bulbs and thermostats”.

To make sure these issues are managed in the future, consumers are starting to discuss their expectations for the next generation of connected devices.

Today, there is no consensus on who is responsible for data privacy. Some consumers agree that the responsibility lies with them, but others think governments or businesses are better equipped to deal with this complex issue.

According to PwC, consumers expect companies to protect their data proactively; 92% of consumers say companies must be proactive about data protection, 82% agree that the government should regulate how companies use private data, and 72% think that businesses, not the government, are best equipped to protect them.

According to Gigya’s report, meanwhile, 63% of people believe that individuals themselves are responsible for their data, while 19% think that the responsibility lies with brands and 18% believe governments should take the lead in protecting users.

Research by GDMA shows different results, with 38% of respondents saying consumers are responsible for their data, with 15% who expect governments to step up. Only 5% believe that businesses and organizations should be accountable.

But the GDMA report concludes that 35% of people believe this issue requires a combined effort from consumers, governments and brands. The Economist Intelligence Unit report shows that 31% of people surveyed expect device manufacturers and service providers to collaborate with governments and uphold privacy standards.

Many internet users believe they themselves have the ultimate responsibility for their data security. According to a Eurobarometer study, however, fewer than half of people take even basic precautions online. Around 45% have either installed antivirus software or upgraded their existing package; 39% restrict the amount of information they give out on websites, and 35% open emails only if they know the source.

The situation is only slightly improved when it comes to password security. The Gigya report revealed that 70% of people use seven or fewer passwords across their online accounts. Eurobarometer concluded that 62% of people had changed their passwords for at least one online service during the last 12 months.

Connected consumers are starting to take more precautions, however. With no adequate privacy and security available on personal or governmental levels, they begin to consider if the tradeoff between privacy and convenience is worth it.

Some users have begun to avoid sharing their information, either by opting out of various online services or thinking twice before buying an IoT device. Eurobarometer reveals that 87% of users avoid disclosing their personal information online, while 39% reduced the personal information they give out on websites. One in 10 respondents has opted out of online banking altogether.

Connected users see the value of data privacy and security, but it’s a concern that should be tackled with a combined effort from governments, businesses and users alike.