It's been over four years since the EU implemented its groundbreaking General Data Protection Regulation. The GDPR became the model for personal data privacy laws in many other countries, and for the California Consumer Privacy Act (CCPA), which took effect in 2020. New data privacy laws are set to take effect in four more US states in 2023, and six states are actively working on bills.

But in four years' time, little progress has been made at the federal level. The latest discussion draft of the American Data Privacy and Protection Act, released on June 6, has several unresolved issues that will likely stand in the way of bipartisan support. This lack of federal privacy regulation is costing US businesses money in ways they don't even realize.

Regulatory uncertainty and the lack of a single compliance standard is obviously costly, though the amount can be difficult to quantify. What's less obvious but more quantifiable is the explosion in crimes against businesses, specifically business email compromise (BEC) and ransomware. These crimes are being fueled by the widespread availability of very detailed, legally collected personal data. If the government won't act, it would behoove businesses to take steps to help employees protect their personal data and, in the process, protect themselves.

According to data from the IC3, the FBI's Internet Crime Complaint Center, BEC attacks cost businesses $2.4 billion in 2021, up from $1.8 billion in 2020. Furthermore, they dwarf all other types of cybercrime against businesses, accounting for 34% of 2021 losses from all types of cybercrime. Ransomware schemes cost businesses $49 billion in 2021, the IC3 says, more than doubling from $20 billion in 2020.

Those costs only reflect direct losses. According to research from the Ponemon Institute, the cost of loss productivity and remediation of compromised credentials and systems associated with these crimes can more than double the tab.

Working from home, where computing environments are less secure, has been a factor in the rise in these crimes. But so has the increase in the amount and variety of personal data available on the Internet.

Data fuels phishing, which is the gateway for these crimes. Phishing is typically done via email but also via text or instant messaging, social media, and even collaboration platforms. Criminals use data to pose as a trusted source communicating in one of these channels and convince the victim to click on a malicious link. That can lead to the installation of malware or ransomware, as well as the collection of login credentials or other sensitive data.

Phishing for Business

This can have devastating consequences for individuals, but phishing attacks are increasingly being used to gain entry to government and corporate systems. The IC3 received 323,972 phishing complaints in 2021, up from 25,344 such complaints in 2017 — a stunning 120% increase. According to Verizon's "2020 Mobile Security Index," 2% of employees click on a phishing link every day.

Once they gain access, bad actors can lurk inside company systems, studying workflows, monitoring communications, and waiting for an opportunity. Let's say an employee posts on social media while away on vacation. That's the opening a bad actor has been waiting for. They hop into the vacationing employee's email account, which contains a thread with a vendor's accounts payable department discussing payment of an invoice. The bad actor adds another message to the thread: "Can you also update our bank account and send the payment to the new account." According to the IC3 report, the average loss for a successful BEC attack like this was $120,000 in 2021.

Data Brokers Don't Help

Phishing is becoming ever more effective due to all the data criminals have to customize their communications. They don't even have to steal the data. They can get it on any one of about 150 people search sites, which is a segment of the data broker industry that has been growing both in size and in the type of information they collect.

These sites, which are largely unregulated, started out by collecting publicly available data, such as names, addresses, and phone numbers. Now they collect an even wider variety of data gleaned from a much wider variety of sources. Information such as a person's political views, dietary preferences, pets, and even a person's Amazon wish list can be easily found for a small monthly subscription fee. And it's all currently legal.

Personal data is a very sensitive tool that cybercriminals use to cause real harm to people whose data is publicly available on the Internet. But it's not just individuals who suffer. The payday from crimes against businesses can dwarf gains from crimes against individuals, making them especially attractive targets. Businesses are only as safe as their most digitally vulnerable employees.

It may be years before we have comprehensive federal legislation to protect data privacy. That is why organizational efforts to prevent cybercrime must include working with employees to reduce and remove their personal information from the Internet. That will make it more difficult for malicious actors to obtain employee data to leverage in their attacks.