Helping users and organizations build an instinctive data privacy habit
Each year at the end of January, internet users are deluged with advice on how to keep their data protected and reclaim their online privacy. What started as Data Privacy Day has now become a Week, to match our increasing dependency on the internet and help us navigate treacherous online privacy waters.
Many organizations around the world engage in efforts to raise awareness about the importance of online privacy during that week, including the National Cybersecurity Alliance (NCA) – a non-profit whose goal is to demystify complex security topics to help consumers and businesses better understand the simple steps they can take to protect themselves.
But, as Executive Director Lisa Plaggemier told Help Net Security, NCA’s efforts don’t end in January.
[The answers have been edited and condensed for clarity.]
What do consumers and businesses “get” from the NCA?
There is a massive communication gap between cybersecurity professionals who work so hard every day fighting a war in cyberspace, and the general public who use technology (some of it very invasive) without a care in the world, in ways we never imagined just ten years ago. Our job is to close that communication gap, to translate, to educate, and to inspire behavior change.
We provide loads of helpful, free information for the public, small and medium-sized businesses (SMBs), and materials training and awareness managers can use to fuel their programs, whether they’re at a large enterprise, academia, government, or an SMB.
How much are NCA’s activities and plans informed by actual needs expressed by the audience you serve? Do you have mechanisms for collecting this specific information?
We try to give people more of what they want, and less of what they don’t. We look at what’s working, what’s well attended and gets good engagement, and we do more. For example, some of our best attended webinars are those with information for families, especially parents helping their children stay safe online, so we make sure to have a steady stream of those types of topics.
If you know training and awareness managers, you know they are a vocal group. We get lots of ideas and input from people on social media, via our website “Contact Us” form and reaching out to us at email@example.com. We welcome that and review it all as a team weekly.
We prioritize understanding the security challenges and concerns facing consumers and businesses presently, coupled with current events (e.g., new federal regulations around cybersecurity, frequency and types of attacks targeting consumers and organizations, etc.) to inform our planning.
We also have several mechanisms in place to collect information from consumers and businesses, such as surveys, hosting focus groups, and soliciting feedback and engagement across our social channels. We also partner with organizations in the private (e.g., our board members) and public sectors (e.g., government agencies, industry leaders and consumer advocacy groups) to stay informed about the latest trends and challenges we should be addressing in the space.
We’re also not afraid to try new things. A few years ago, toward the end of the worst of COVID, we sensed some fatigue amongst training and awareness managers at the end of October, which is Cybersecurity Awareness Month (our “Super Bowl”). So, we decided to host a virtual “after glow” party and asked CISA Director Jen Easterly to speak. The troops really need a thank-you at the end of that campaign. We thank everyone for their hard work, chat and have games and prizes. It’s virtual and very informal, and people “pop-in” when they can. I think it’s going to become an annual tradition for us.
How do you measure the success of a campaign such as the one you initiated for this Data Privacy Week? Going by those standards, what past NCA campaigns have been particularly successful and why?
Although there’s no one-size-fits-all measurement metric for engagement, there are a few guidelines we typically use. The first is tracking the level of engagement and participation from our stakeholders, including consumers, businesses, and other non-profit organizations we partner with. We look at the number of events and activities hosted (e.g., webinars, panel discussions, etc.) and how well attended those are, as well as media/social media mentions as a bellwether to gauge reach and impact of the campaign.
Additionally, we also measure success by the extent to which we’ve achieved the objectives and goals we set at the beginning of each campaign. It’s an abstract metric, but for Data Privacy Week, our mission is to raise awareness and educate individuals and organizations about the importance of protecting personal information and championing transparency by companies relative to how they collect, store, and use consumer data. If we see an increase in the number of individuals taking these steps or organizations retooling their privacy practices over time, then we can consider these campaigns successful.
This year, we had over 2,100 organizations and individuals sign up to receive and use our resources as “Champions”. Between those sign-ups, the number of people that attend our events and participants on social media, we see a consistent increase in the number of engaged participants. Data Privacy Week and other campaigns continue to grow internationally as well. For example, during Cybersecurity Awareness Month in October 2022, our registered Champions grew by 90%, when compared to the previous year, and we had companies that participated from 129 different countries and all fifty states.
NCA is currently working on launching a program to educate small and medium-sized business owners and employees which will be heavily focused on creating and measuring behavior change. The program will consist of instructor-led classes with hands-on activities in a virtual classroom. By focusing on clear next steps and “homework,” participants will have what they need to bring what they’ve learned back to their business. Layer this with a consistent drip campaign to follow up and measure the actions these SMBs have taken, and we will not only have reach metrics, but also impact metrics.
In the long run, the success of these campaigns is determined by their ability to create a lasting impact and effect change. If we can make cybersecurity and data privacy an instinctual reflex in terms of how we use technology and design products and services, then that’s success.
How many participants have tuned into the Twitter #PrivacyChat you held during that week? What things have you learned from them? What feedback have you received from listeners and participants?
We had a total of 114 active participants during this year’s #PrivacyChat, resulting in more than 320 posts and approximately 5 million impressions. The #PrivacyChat provides an opportunity for organizations to share their advice and free resources. We find that participants are surprised by the vast number of resources available to them across the web.
What data privacy issues are rarely talked about or have just lately started surfacing?
I honestly feel like we don’t talk about any privacy issues enough. Technologies that may have become more ubiquitous can still skirt privacy laws and consumers still lack the adequate educational resources to keep their data safe.
Facial recognition and other biometrics are still collecting sensitive information, IoT devices are more pervasive than ever in homes, hospitals, and businesses – and more connectivity generates and transmits exponentially more personal data than ever before, and AI is consistently learning our search habits, buying behavior, content consumption and more.
Even less talked about (though this is starting to change already) is the way we handle children’s privacy in virtual environments like the Metaverse or within online gaming environments. In the last few months alone, Fortnite developer Epic Games was fined $275MM by the FTC for violating the Children’s Online Privacy Protection Act (COPPA) and Walmart’s been taken to task by consumer advocacy groups for deceptively marketing and advertising to children on Roblox.
Data protection/privacy legislation is being passed around the world at a steady pace, increasingly binding companies and protecting consumers (at least in theory). But legislation is only as good as states’ ability to enforce it and meaningfully penalize those entities that fall afoul of it. How well does this work in practice, in your opinion?
While the passing of privacy legislation is a step in the right direction, it’s crucial that these policies are effectively enforced to ensure the protection of both consumers and businesses. We need better coordination between state and federal agencies to improve the overall enforcement of privacy laws, as well as stronger penalties for companies that violate them to spur more compliance incentives.
I think there are several factors contributing to the inconsistencies in US privacy law enforcement:
1. Federal v. State: Since US privacy laws are primarily regulated at the state level, each state can have its own set of regulations, which creates a patchwork of different laws that make it difficult for companies to navigate and comply with across state lines.
2. Differing priorities: Each state may have different priorities when it comes to online privacy. For example, some may focus on protecting consumer financial information and others may prioritize protecting children’s privacy. Again, there’s a lack of uniformity that ultimately affects how well organizations are complying with respective laws.
3. Tech is evolving quickly: I think the pace of emerging technologies is outpacing the development and adaptation of said laws. If states are still seeing IoT as the “cutting edge” technology affecting user privacy, but have yet to delve into the complexities of online gaming and the Metaverse, then regulations relative to the way people access technology are essentially lagging behind.
4. Politics: Privacy can often be a politically sensitive topic. Different political leanings can impact how state governments approach privacy legislation or even prioritize it to begin with.
Part of our mission is to also educate lawmakers on the Hill about the latest trends and technologies affecting online privacy today. Ensuring that they’re empowered with the knowledge and resources they need is key to advancing effective data privacy regulation that can sufficiently protect consumers and businesses alike.
On the flipside of the coin, it’s essential that consumers are also keenly aware of their digital privacy rights and that they have access to resources that help them more easily understand and advocate for their privacy. In fact, our own data from last year’s Oh Behave! Report found that nearly half of respondents felt frustrated during the process of securing their personal data, and more than a third were confused about how to find info to help them keep their personal data safe and private. If people can’t effectively find channels to help them navigate security and privacy with ease, that’s a major problem that needs to be addressed.