In March of this year, the world watched as Facebook and Cambridge Analytica were outed for harvesting and using the personal data of more than 87 million users without their permission to build a massive, targeted marketing database. Not only did this scandal resonate in political and tech-centric circles, but it also acted as a wake-up call for consumers. Swiftly, Facebook users demanded to know what data had been mined and what companies had purchased the information.
As a result, users worldwide lost a significant amount of trust in Facebook, but the scandal also got them asking questions about how their data is being used. In an age where consumers overshare and companies over-collect, it’s important to know whose hands your data will fall into and why they need it.
Data supply & demand
Think about what shows up in your mailbox monthly – do you remember signing up for that catalog from a company where you’ve never shopped? Or what about the advertisements that flood your social media feed – how did they know you’re thinking about going on a tropical vacation soon? There’s a large market for selling aggregated data, and companies know just how to obtain it.
In the U.S., we’ve grown used to not owning our own data. We sign up for magazine subscriptions, perhaps overshare on social media, and blindly fill out forms without asking why the information is necessary to hand over in the first place. Companies collect all types of data – your name, address, date of birth, etc. – because they know it can be monetized by being sold to big marketing firms whose clients want your business, or even your votes.
Companies and advertisers have learned how to target individuals and collect information in a seemingly unobtrusive manner, knowing consumers willingly hand over valuable information. More importantly, there are no laws set in place prohibiting companies from gathering intelligence on users, and therefore, no incentive for them to stop doing so.
What are your intentions?
Just because companies are casting a wide net to gather more data than necessary doesn’t always mean it’s for the wrong reasons. These advertisers may have the best of intentions, even if it doesn’t always look that way to the customer.
Often, companies collecting data are simply using it to help make your life easier by highlighting goods and services you might be interested in based on previous activity. However, as the consumer, seeing an ad for car warranties after purchasing a new vehicle often seems intrusive and, frankly, creepy.
Companies are also gathering your information for their own business purposes: to better identify and reach their target markets, and to invest their advertising dollars wisely. From a return on investment perspective, companies want to ensure they’re being effective in how they reach their audience, and don’t want to waste time or money soliciting someone who wouldn’t be interested in their product(s) or service(s).
However, consumers should be wary of who they are handing their information over to. Scammers are quick to take advantage of unsuspecting consumers. Always do your homework before offering up personal data and ask yourself, “Is this a trusted, legitimate source, and do they really need this type of information to perform the task I’m requesting?” Companies may be looking to better their business practice, but threat actors are out for your identity.
Security in collecting customer data
Even with a lack of regulations and a widespread cultural acceptance of collecting mass amounts of data, U.S. companies need to take consumer data more seriously to ensure it’s secure. If over-collecting a customer’s information doesn’t diminish their trust in your organization, losing it in a data breach will likely do the trick.
There are three primary practices in safeguarding sensitive information and protecting against 90% of the risks facing your infrastructure:
- Apply multi-factor authentication for anyone attempting to access sensitive data. A hacker may be able to successfully guess a password once, but having a second layer of authentication is sure to keep sensitive information locked down.
- Stay updated on patching. The leading cause of organizations affected by malware is a lack of patching. Companies need to remain up to date on patching exposed applications, so as not to roll out a welcome mat for threat actors looking to exploit vulnerable networks.
- Encrypt your data with role-based access controls, as opposed to full-disk encryption. This type of encryption allows access to users based on their role within the organization. This also ensures data is not accessible to anyone without proper credentials.
- Segment your sensitive data within your networks. This creates a secure enclave in your environment that’s not accessible from just anywhere. Think of this as a safe room in your house – it’s where you go in the event of a home (or virtual) invasion. It’s a space no one knows about, with an airtight password for entry.
This isn’t a bulletproof method, but it will thwart most attackers. This also gives employees access only to the data they need to do their job, eliminating potential risks caused by human error.
Last month, Facebook lost a whopping $100 billion (yes, you read that correctly) after company shares plunged 19% in the wake of its Cambridge Analytica scandal. This indicates a positive shift in public concern regarding data privacy and ownership of one’s personal information. People are paying attention.
Next time you’re filling out a form at the doctor’s office, becoming a member on the newest social media platform, or subscribing to an email distribution list – consider where that information is going and don’t be afraid to ask why these organizations need so much of your personal data.