The Thin Line Between User Behavioral Analytics and Privacy Violation
Technology has supercharged marketing. The vast data at marketers’ disposal provides unparalleled insight into what customers want, why they want it, and how they use products and services. Behavioral analytics benefits businesses and consumers; it allows companies to drive sales and increase conversion rates while providing customers services tailored to their wants and needs.
Behavioral analytics is also an invaluable cybersecurity resource; artificial intelligence (AI) and machine learning (ML) tools analyze data to allow security teams to identify suspicious behavior patterns that could indicate malicious activity.
However, the use of behavioral analytics brings with it significant data privacy concerns. Not only does excessive data collection stand on shaky ethical ground, but it could also land organizations in regulatory hot water. This article will outline how organizations can reap the benefits of behavioral analytics without violating user privacy.
What is behavioral analytics?
Behavioral analytics involves collecting and analyzing data relating to how consumers use a digital product, such as an app or website. Organizations can then use this data to see exactly how users interact with the digital service and inform decisions on improvements.
Much of behavioral analytics is event-based, with organizations tracking behaviors or events to produce insights on user preferences, intentions, and habits. These events can include but are not limited to:
- Abandoning a cart
- Filling out a form
- Feature usage
- Purchasing a subscription
- Retention
Behavioral analytics relies on a combination of third-party and first-party data. Data brokers typically gather third-party data and sell it to other organizations. This information establishes who prospects and customers are, not what they want. First-party data refers to an individual’s unique use of the organization’s own digital product or service. By combining first- and third-party data, organizations can establish both who their customers are and what they want.
In a cybersecurity context, behavioral analytics involves collecting data such as network traffic and access logs, database user activity records, and departmental usage habits, then transforming it into a format that AI or ML tools can understand in order to establish what normal behavior looks like. From there, AI or ML tools detect and flag any behavior that deviates from that baseline. For example, if an employee attempts to access or exfiltrate data for no legitimate reason, AI and ML tools will flag this as a potential insider threat and notify security teams. The best AI or ML tools go further, automatically preventing unauthorized data exfiltration.
Behavior analytics privacy implications
Personal data is subject to some of the most stringent regulatory standards on the planet. Just this year, the EU slapped Meta, the owner of Facebook, with a 1.2 billion euro fine, the largest in GDPR’s history, for illegally transferring personal data from the EU to the US. Moreover, employees could view excessive internal behavior monitoring as an invasion of their privacy; considering nearly half of Americans wouldn’t wish their jobs on their worst enemy, organizations would be well advised to tread lightly to avoid overstepping and prompting a mass resignation.
Organizations must be well acquainted with the regulatory standards that apply to them to avoid misusing consumer data. The General Data Protection Regulation (GDPR) is the most far-reaching data privacy law, applying to any organization that handles the data of European Union (EU) citizens. While there is currently no federal equivalent to GDPR in the US, lawmakers are increasingly introducing data privacy regulation at a state level; California, Colorado, Connecticut, and Utah have detailed and wide-ranging data privacy laws. Organizations should also be aware of industry-specific regulations, for example, the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA).
Restraint and respect are paramount for organizations seeking to conduct behavioral analysis for cybersecurity purposes. Employees, understandably, will feel uneasy at the prospect of being monitored around the clock. Organizations must clarify that behavioral analysis is strictly for security purposes and not to gauge productivity or efficiency. Moreover, organizations should ensure that no one outside the security team can access behavioral data – especially not the HR team.
It’s important to note here that security solutions cannot rely on behavioral analysis alone; they must also analyze the data itself, i.e., what is actually being accessed or moved. Behavioral analysis alone is likely to produce countless false positives. For example, if an employee exfiltrates a picture of a colleague’s dog, a behavioral analytics solution would flag that as a potential insider threat because it cannot distinguish between unimportant and sensitive corporate data. Organizations should seek solutions that combine data and behavioral analysis to avoid false positives and the unnecessary, invasive investigations they can trigger.
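To make the baseline-and-deviation idea above and the false-positive point concrete, here is a small added example (not from the article or any vendor’s product): it builds a per-user transfer-size baseline from constructed log events, scores new events against it, and only escalates when the anomalous transfer also involves data labelled sensitive. The user names, sizes and classification labels are all constructed for illustration.

```python
# Added example, not from the article: a small alert gate that combines a
# per-user behavioral baseline with a classification label of the data moved.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history of outbound transfers: (user, bytes, data classification).
# The label stands in for the "data analysis" step the text calls for.
HISTORY = [
    ("alice", 100_000, "public"), ("alice", 120_000, "internal"),
    ("alice", 90_000, "public"), ("alice", 110_000, "internal"),
    ("alice", 80_000, "public"),
    ("bob", 50_000, "internal"), ("bob", 50_000, "internal"),
]
SENSITIVE = {"confidential", "restricted"}

def baselines(events):
    """Per-user (mean, population std-dev) of transfer size: the 'normal' profile."""
    sizes = defaultdict(list)
    for user, size, _label in events:
        sizes[user].append(size)
    return {user: (mean(s), pstdev(s)) for user, s in sizes.items()}

def zscore(size, base):
    """Std-devs above the user's mean. A flat history (std-dev 0) makes any
    larger transfer infinitely anomalous rather than dividing by zero."""
    m, sd = base
    if sd == 0:
        return float("inf") if size > m else 0.0
    return (size - m) / sd

def evaluate(event, base, z_threshold=3.0):
    """Verdict for one new event:
      'normal'   - within the user's baseline
      'log_only' - anomalous volume but non-sensitive data (the dog picture)
      'alert'    - anomalous AND sensitive data: escalate to the security team
    A user with no baseline is treated as anomalous until one exists."""
    user, size, label = event
    z = zscore(size, base[user]) if user in base else float("inf")
    if z <= z_threshold:
        return "normal"
    return "alert" if label in SENSITIVE else "log_only"

if __name__ == "__main__":
    base = baselines(HISTORY)
    for ev in [("alice", 2_000_000, "public"), ("alice", 2_000_000, "confidential"),
               ("alice", 105_000, "internal"), ("bob", 60_000, "restricted")]:
        print(ev, "->", evaluate(ev, base))
```

The "log_only" path keeps the behavioral signal for later review without opening an investigation into someone who merely sent a large non-sensitive file.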
Walking the line between effective behavioral analysis and privacy violations relies on an informed, restrained approach. Organizations should ensure they fully understand behavioral analysis, how it can benefit them, and its privacy implications. A comprehensive understanding of relevant data privacy regulations is crucial, and organizations must take a thoughtful approach to internal behavioral analysis to avoid infringing on their employees’ privacy.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.