This article was last updated Jun 15, 2020. Terms and conditions may have changed. For the most accurate information, please consult the issuer website.
With the coronavirus pandemic affecting the way consumers work, shop and socialize, public health and digital security have become top-of-mind concerns.
Luckily, digital security is not a burden that consumers need to bear alone. Businesses also play a role in keeping their customers’ personal information safe from cyberthreats. There are privacy and data protection laws in place to hold businesses accountable for protecting their customers’ personal information.
To understand these laws better, CompareCards turned to Kevin Powers, founder and director of the M.S. in Cybersecurity Policy and Governance Program at Boston College. Powers worked as an analyst and an attorney for the U.S. Department of Justice, the U.S. Navy, the U.S. Department of Defense, as well as law firms in Boston and Washington, D.C. Powers regularly consults on cybersecurity and national security issues for various local, national and international media outlets.
Q: What laws are in place to protect consumers from cyberthreats?
Kevin Powers: There are no laws out there, that come to mind anyway, to protect consumers from cyberthreats. Rather, there are a lot of laws and enforcement agencies that require entities to protect consumers’ data from cyberthreats and breaches. Some of the big ones out there are:
- General Data Protection Regulation (GDPR)
- Varying states’ consumer privacy and data protection laws. For example, the California Consumer Privacy Act (CCPA)
- Fair Credit Reporting Act (FCRA)
- Computer Fraud and Abuse Act (CFAA)
- Telephone Consumer Protection Act (TCPA)
- Federal Trade Commission (FTC)
- Securities & Exchange Commission (SEC)
…among many others.
These laws, regulations and enforcement agencies put the onus on the companies that collect and use consumers’ data to protect it by using best practices available. Those entities that don’t comply could potentially be faced with huge fines – for example, Facebook’s recent settlement with the FTC for $5 billion.
Q: Is the law continuing to update at the same rate as technology?
Kevin Powers: No. The law moves, and has always moved, at a snail’s pace. That’s not a bad thing; you want laws and legal decisions impacting society to be debated and the decisions following such debates (or court decisions) to be well thought-out, unbiased and appropriate to the situation at hand.
Also, you want continuity – if there is confusion in the law, as there is now in the tech industry, that’s where you have problems.
A perfect example of that is the encryption debate between the federal government and the tech industry. The encryption debate (also known as “lawful access” or “going dark”) involves law enforcement’s claim that encryption is preventing it from gathering information on criminals and terrorists. Law enforcement wants to have the ability to intercept and access encrypted communications from alleged criminals and wants the tech companies to allow it to do so.
On the other side of the debate, tech companies argue that encryption protects the security and privacy of their customers’ personal information, and claim that allowing third-party access, even for law enforcement purposes, would weaken security and make their users less secure.
Ultimately, it would be great if both the federal government and the tech industry (and privacy advocates) could work together to resolve that issue, but I’m not holding my breath on that one as of this writing. Both sides seem to be hunkered down and not willing to budge.
Q: What spikes in cybercrime should consumers be aware of during the coronavirus pandemic?
Kevin Powers: It’s not that the cybercrimes are changing. The criminals are using and are going to be using their reliable tools and methods – malware, keylogging, phishing emails, social engineering, ransomware and the like.
Rather, it’s important for consumers to keep up their guard during this crisis and follow best practices – know and protect your data; use strong passwords, a virtual private network (VPN) and multifactor authentication; use secure Wi-Fi; update and back up your data; use anti-malware software. This is the time to focus on security because the criminals are banking on you not doing so!
Q: How can consumers tell if their information was compromised online?
Kevin Powers: Monitor all your accounts regularly – that is the best way to tell if your information is compromised! Consumers need to know what data they have online, where they store it and follow best practices in securing it, as noted earlier.
Q: When might it be safe to save credit card information on a website where consumers frequently shop?
Kevin Powers: I recommend not doing that at all. You’re putting yourself more at risk if you do so by leaving your information with a third party. Remember, the cybercriminals are always looking for the low-hanging fruit.
Q: If consumers can only heed one warning, what should that be?
Kevin Powers: Know that you are not secure and that cybersecurity is about reducing risk. If you reduce risk and make yourself a more difficult target to steal from, you will be better off. You lock your doors to your house at night. Do the same with your computers. Know what data you have, where you store it, monitor it regularly and follow best practices in securing it!
Q: What can businesses do to better protect their customers’ data online at this time?
Kevin Powers: Some of the best advice out there is made available by the Federal Trade Commission, which is the lead regulator for data protection in the United States. Per the FTC, a sound data security plan for a business to best protect customer data online involves the following 5 key principles:
- Take stock. Know what personal information you have in your files and on your computers.
- Scale down. Keep only what you need for your business.
- Lock it. Protect the information that you keep.
- Pitch it. Properly dispose of what you no longer need.
- Plan ahead. Create a plan to respond to security incidents.
Q: What do you see as long-term changes to cybersecurity as a result of the coronavirus pandemic?
Kevin Powers: With the move to remote work and telecommuting, which probably will be here well after the COVID-19 crisis, the question of how you truly secure a home office will be (and should already be) front and center. There are so many issues involved here that need to be worked out to not only protect the company’s data, but also the employee’s privacy and personal security. It was somewhat blurred with bringing your own device (BYOD) to work; now, under the current circumstances, the work office is, literally, our homes.