What can be done about the digital trust deficit?

Broken trust

Data breaches are everywhere. They’ve become so commonplace that, according to a new Imperva research report, more than a quarter of us (27 percent) don’t bother changing our passwords even when we know they’ve been compromised.

For many, insecurity has become the default — something that we just have to live with. The idea that hackers could steal our data, our money, even our identity is the cost we accept in order to live in the digital world. If we want to use services like online banking or social media, we have no choice but to give up our data in exchange.

But the new ‘No Silver Linings’ research from Imperva suggests that the status quo is, in reality, deeply unstable. Across the board, consumers’ trust in businesses to keep their data secure is at rock bottom. And the longer consumers feel forced to give up their data to organizations they don’t trust in order to access basic services, the greater their frustration and anger grow. Already we’re seeing significant techlash on both sides of the Atlantic, from the American Innovation and Choice Online Act in the US to the Digital Markets Act in Europe. But is the digital trust deficit something that companies are capable of addressing on their own, or are we headed into a new era of much more stringent regulation?

Fear and mistrust

It’s not hard to see why there is a growing digital trust deficit when nearly two-thirds of consumers (64 percent) believe they have no choice but to hand over their personal information in order to use digital services like online banking or e-commerce. Similar numbers (67 percent) say they have ‘no idea’ how many organizations have access to their data, while more than a quarter (26 percent) say that it’s ‘inevitable’ that their data will be compromised at some point.

All of this indicates that people around the world feel they have little to no control over their personal information, and these feelings of helplessness are leading to growing fear and mistrust. More than two-fifths of citizens (41 percent) say their faith in digital service providers’ ability to keep their data secure has decreased in the last five years. In the UK in particular, the percentage of people who trust retailers (5 percent), social media companies (3 percent), and online gaming platforms (2 percent) has hit virtually rock bottom.

Moreover, thanks to near-constant stories about breaches and cyber-attacks in the news, consumers are far more conscious of the risks of having their personal data exposed. Some of the biggest fears include having money stolen and never getting it back (58 percent), identity theft (53 percent), or being targeted with sophisticated scams (19 percent).

The Techlash is here

These figures show that, across the world, there are deep concerns around the extent to which businesses are actually protecting customers’ information and fears about how that data can be used against them, concerns which are now starting to translate into legislation.

Conversations about regulating tech companies aren’t new, but since the landmark introduction of GDPR in 2018, there has been more momentum than ever from governmental organizations. In Australia, there have been moves to strengthen the 1988 Privacy Act; in the US, the California Privacy Rights Act (CPRA) is set to come into effect in 2023; and in the UK, the Online Safety Bill appears set to become law. All of these impose more requirements on businesses around how they protect citizens and their data.

Most importantly, the EU is forging ahead with a series of regulatory changes, including the Digital Markets Act, Digital Services Act, and the EU Data Act, aimed at protecting consumers and curbing the power of ‘Big Tech’.

A self-regulated future?

A great deal of regulation is already either in effect or coming into force in the near future. However, these requirements could be only the beginning. The future regulatory environment will depend to a large extent on whether businesses can win back consumer confidence by demonstrating that they are able to properly protect customers’ personal information.

If the private sector can prove to consumers that the data they are giving up in exchange for digital services is genuinely secure, governmental bodies may decide that they don’t need to push such an aggressive regulatory agenda and that self-regulation can meet consumer demands. However, if public dissatisfaction continues to grow, the swathe of legislation we’re seeing now may only be the first phase in a long-term shift towards higher levels of data security being imposed on industry.   

Regaining consumer trust

For many businesses, rebuilding consumer confidence will require a significant shift in mindset. Currently, application security, data security, and privacy are too often seen as separate entities when in fact each element feeds into the other two. Reframing them as interdependent will help organizations see the linkages between all three aspects and develop security strategies that tackle them together in a cohesive manner.

From a practical perspective this means, at minimum, businesses need to have full visibility and control over all customer data that’s gathered (structured, semi-structured, and unstructured), no matter where it sits in their environment, as well as oversight into all paths. Coupled with excellent data governance, auditing, and activity monitoring capabilities, these steps provide much more resilient protection and show that customers’ concerns around data security and privacy are being taken seriously.

The debate over privacy and data protection for consumers is at an inflection point. There is a great deal of consternation from citizens around the world about how much data they are having to give away to businesses, how that data is being used, and how it could be weaponized against them by malicious actors.

The extent to which consumers, and the governments that represent them, feel that more regulation is needed will be decided in large part by how responsible businesses prove themselves to be when it comes to data privacy. We may be headed for far greater legal scrutiny than has ever been applied before, or a more light-touch self-regulatory system. But either way, consumers are making it clear that the status quo is not one they are willing to accept forever.

Terry Ray is SVP and Field CTO at Imperva

Author: Martha Meyer