The Challenges of Data Security and Privacy in Product Delivery

Data security and privacy has emerged as paramount concerns in product delivery. The increasing frequency and sophistication of data breaches pose significant challenges for organizations, necessitating product strategies to protect customer data throughout the development lifecycle. Given this topic is nearing the end of our Top 10 Product Delivery Challenges, this one might not be one that product people really focus on or are aware of in their product delivery endeavors.

Challenges in Data Security and Privacy

In researching top issues with data security and privacy (as of this writing), it appears these are the top five. Naturally this is dependent on your specific market, organization, and product life-cycle, but a good list to start with nonetheless. We are even seeing some of these revisited from our Regulatory and Compliance Challenges post.

Increasing Data Breaches

The rise in cyberattacks has made data breaches more common and severe. These breaches can lead to significant financial losses, legal penalties, and damage to the organization's reputation. Product managers must constantly stay vigilant and ahead of potential threats. I found some industry data on breaches that are occurring in today's products.

• Frequency of Data Breaches: According to the Identity Theft Resource Center’s (ITRC) 2022 Data Breach Report, the number of data breaches in the United States continued to rise, with 1,862 breaches reported in 2021, affecting over 293 million individuals. This represented a 68% increase compared to 2020.

• Cost of Data Breaches: IBM’s "Cost of a Data Breach Report 2023" highlights that the average cost of a data breach globally reached $4.45 million in 2023. This was a significant increase from previous years, with costs continually rising due to more complex security environments and stricter regulatory requirements. The report also noted that breaches in the United States are the most expensive, with an average cost of $9.48 million per breach.

• Time to Identify and Contain Breaches: The IBM report indicated that the average time to identify and contain a breach was 277 days in 2023, comprising 207 days to identify the breach and 70 days to contain it. This timeline reflects the significant challenge organizations face in quickly responding to security incidents.

• Industry-Specific Costs: Healthcare remains the most costly industry for data breaches, with an average cost of $10.93 million per incident. Financial services, pharmaceuticals, and technology companies also experience high costs per breach, reflecting the sensitivity and value of the data they handle and the amount of data they handle is really just increasing at an exponential rate.

• Impact of Remote Work: The shift to remote work has also increased vulnerabilities, with the IBM report indicating that organizations with more than 80% remote work had an average cost of $5.54 million per breach, compared to $3.86 million for organizations with 20% or less remote work.

• Contributing Factors to Costs: Factors that significantly impact the cost of a data breach include the level of regulatory compliance failures, the complexity of the IT environment, and the presence of advanced security technologies and incident response capabilities. Organizations with fully deployed security AI and automation experienced lower costs, with savings of up to $3.58 million compared to those without these technologies.

Regulatory Compliance

With stringent regulations like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and others worldwide (good list at iapp), organizations must ensure compliance to avoid hefty fines and legal consequences. Navigating these regulations and ensuring that products meet all legal requirements can be complex and resource-intensive.

Data Management Complexity

As products become more sophisticated, they often involve the collection, processing, and storage of vast amounts of data. Managing this data securely across various platforms and services while ensuring its integrity and confidentiality is a significant challenge. Let's take a look at some of the organizations that have faced a some of these complexity issues.

Uber's Data Breach and Management Challenges

In 2016, Uber faced a significant data breach that exposed the personal information of 57 million customers and drivers. The breach was compounded by Uber’s attempt to conceal it by paying the hackers $100,000 to delete the data and keep the breach quiet.

Data Management Complexity:

• Data Silos: Uber’s rapid growth led to data being stored in various silos across the organization, making it difficult to manage and secure effectively.
• Decentralized Data Access: Numerous employees had access to sensitive data without adequate oversight or controls, increasing the risk of unauthorized access and data breaches.

Mitigation Strategies:

• Centralized Data Management: Uber undertook efforts to centralize data management and improve data governance across the organization.
• Enhanced Security Protocols: Implemented stronger encryption and access controls to limit unauthorized access to sensitive information.
• Compliance and Transparency: Increased efforts to comply with data protection regulations and improve transparency about data usage and protection measures.

Uber’s efforts to overhaul its data management practices and enhance security protocols helped restore trust with customers and regulatory bodies. However, the company faced significant fines and legal challenges due to the initial mishandling of the breach.

Equifax Data Breach

In 2017, Equifax, one of the largest credit reporting agencies, suffered a data breach that exposed the personal information of approximately 147 million people, including Social Security numbers, birth dates, and addresses.

Data Management Complexity:

• Outdated Software: Equifax’s breach was attributed to an unpatched vulnerability in a web application framework (Apache Struts).
• Ineffective Monitoring: There was a failure to monitor and address security warnings effectively, allowing the breach to go undetected for a prolonged period.

Mitigation Strategies:

• Regular Software Updates: Implementing a stringent policy for regular software updates and patch management to mitigate vulnerabilities.
• Improved Monitoring Systems: Enhancing security monitoring systems to detect and respond to potential threats more effectively.
• Comprehensive Data Audit: Conducting regular audits to ensure that data protection measures are up-to-date and effective.

Equifax faced significant financial penalties, legal actions, and a loss of consumer trust. The company has since made substantial investments in cybersecurity infrastructure and processes to prevent future breaches.

Facebook-Cambridge Analytica Scandal

The Facebook-Cambridge Analytica scandal in 2018 revealed that the data of millions of Facebook users had been harvested without consent and used for political advertising purposes.

Data Management Complexity:

• Third-Party Data Access: Facebook’s API allowed third-party developers extensive access to user data, which was exploited by Cambridge Analytica.
• Lack of User Consent: Users were unaware of how their data was being collected and used, violating privacy expectations and regulations.

Mitigation Strategies:

• Stricter Data Access Policies: Implementing stricter data access policies for third-party developers and conducting regular audits of data use.
• Enhanced User Controls: Providing users with greater control over their data, including more transparent consent mechanisms and privacy settings.
• Regulatory Compliance: Enhancing efforts to comply with global data protection regulations such as GDPR.

Facebook faced intense scrutiny, significant fines, and a major reputational hit. The company has since overhauled its data privacy practices, improved transparency, and restricted third-party access to user data.

Third-Party Integrations

Many products rely on third-party services and integrations, which can introduce additional vulnerabilities. Ensuring that these third-party providers adhere to the same security and privacy standards is critical but challenging.

Target Data Breach (2013)

Background: Target, one of the largest retail chains in the United States, suffered a massive data breach during the 2013 holiday shopping season. Hackers accessed Target's network through credentials stolen from a third-party HVAC contractor.

Third-Party Integration Issue:

• Security Weakness: The third-party HVAC contractor had insufficient security measures, which hackers exploited to gain access to Target's network.
• Network Segmentation: Target's network was not adequately segmented, allowing the attackers to move laterally and access sensitive customer data.

Impact:

• Data Compromise: Personal information of approximately 110 million customers, including credit and debit card information, was compromised.
• Financial Losses: Target faced significant financial losses, including $18.5 million in a multi-state settlement and over $200 million in costs related to the breach.

Mitigation Lessons:

• Vendor Risk Management: Implementing strict security requirements for third-party vendors and regularly auditing their security practices.
• Network Segmentation: Ensuring critical systems are isolated from less secure third-party integrations to prevent lateral movement of attackers.

Marriott Data Breach (2018)

Background: Marriott International discovered that its Starwood reservation database had been compromised since 2014, leading to the exposure of personal information of up to 500 million guests.

Third-Party Integration Issue:

• Inherited Vulnerability: The breach originated from Starwood Hotels' systems, which Marriott had acquired. The compromised system was not sufficiently scrutinized and secured during the acquisition.

Impact:

• Data Exposure: Exposed information included names, addresses, phone numbers, email addresses, passport numbers, and payment card information.
• Regulatory Fines: Marriott was fined $123 million by the UK’s Information Commissioner’s Office under GDPR.

Mitigation Lessons:

• Due Diligence in Acquisitions: Conducting thorough security assessments of acquired systems and integrating them into the company's security framework.
• Continuous Monitoring: Implementing robust monitoring and intrusion detection systems to identify and respond to breaches promptly.

User Trust and Expectations

Consumers are increasingly aware of their data privacy rights and expect companies to protect their personal information. Failing to meet these expectations can lead to loss of customer trust and loyalty.

• Facebook faced a $5 billion fine from the Federal Trade Commission in addition to a widespread public outcry and distrust in Facebook's handling of data. To this day they struggle to implement tighter regulations that are user friendly.
• Equifax settled for $700 million with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 US States/Territories. The breach also lead to severe loss of consumer trust and confidence in Equifax's ability to protect sensitive data not to mention significant costs associated with breach notification, credit monitoring services, and legal fees.
• Target incurred $18.5 million in a multi-state settlement and over $200 million in costs related to the breach. Target had to invest heavily in improving its cybersecurity infrastructure.
• Wells Fargo Fake Accounts Scandal cost them $185 million in penalties and faced numerous lawsuits. The scandal severely damaged Wells Fargo’s reputation and led to a significant loss of customer trust which forced must of their top executives to resign and restructure its culture.

Obviously, some of these instances are relatively aged in today's tech standards. Keep in mind that it can be months to years before these are exposed which also affect the cost of the cleanup. The moral to this story is to make sure you pay attention to the risks.

One CTO I worked with in technology constantly reiterated "It's not IF we are hacked and breached, it is WHEN". His mantra was to have a clean-up strategy prepared so that when it did happen we could execute against it quickly. Many product people are so focused on the market demands and "new feature, new feature, new feature", they quickly loose sight of the sleeping giant in technology products; breaches and hacks. Do your best to educate yourself and/or surround yourself with smart people who understand these risks.