---
title: Standard Data Privacy Protections in Crypto
description: An introduction to the best standard privacy protection practices used in the cryptocurrency and exchange industry.
lang: en
html: en
---

###### tags: `tutorials`, `privacy`, `crypto`

![Title pic, "privacy protections for Crypto crats"](https://i.imgur.com/WUqr8Ue.jpg)

# Crypto Industry | Privacy Protections 🔏

## Table of Contents

- [Why Privacy Matters](https://www.dcsa.mil/mc/isd/nisp/)

  What is **privacy**? Why should I care about data protection? Why is data protection important to my organization? By helping employees and coworkers understand data protection and information security, you can **reduce errors** that often result in **data protection incidents**.

- [Personal Information](https://www.ag.state.mn.us/consumer/publications/HowtoProtectYourselfAgainstHackers.asp)

  Recognizing **personal data** is a critical step in data protection. We'll need to review the **concepts** of *sensitivity, identifiability, masking, aggregating and truncating* to better recognize and process personal data.

- [Handling Personal Information](https://mrash.co/comptia-a-plus-study-notes/)

  Data protection responsibilities begin the moment personal data enters your organization and continue until it is destroyed. Through a variety of scenarios, employees **learn** how to apply the data protection principles of transparency, consent, data minimization, purpose limitation, security and access throughout the **information life cycle**.

---

## "*Privacy is not the same thing as Security*" 🕵🏽

In the early days of working in crypto, many of today's founders worked online on Discord, Twitter and LinkedIn; by early, I mean 2023... 👎🏽

Though social media platforms allow remote workers to communicate quickly with one another, this data can be leaked if not handled with proper care. Also, we are naturally prone to making mistakes.
If we receive personal or private data and pass information between others, we are likely to cause problems for our customers and for our organization. Passing data over a secure channel and maintaining the integrity of that data can save your company a lot of time and hassle.

#### Tip #1

`Never add your own input to personal data, even for your co-workers. This may infringe upon customer privacy.`

###### Ask your team the following questions.

- Do you know why privacy is important to your organization?
- Do you know the difference between data protection and data security?

![](https://i.imgur.com/Fb8Dr37.png)

---

#### Types of Privacy

1. **Bodily Privacy** - 'pat downs', drug tests, body scanners.
   * Wearable devices that track health, or DNA analysis to locate long-lost relatives.
2. **Territorial Privacy** - video surveillance to limit home intrusion, police searches.
   * GPS tracks your location, while smart homes can track your energy consumption.
3. **Communication Privacy** - email monitoring, wiretapping, recording phone calls.
   * Mobile phones, emails and social networks generate a never-ending trail of communication.
4. **Information Privacy ("Data Protection")** - information identified to individuals such as public records, social media accounts, online tracking & employee files.
   * E-commerce stores use personal address and financial information to complete online payments. Health and education records are usually encrypted when being passed between data providers.

More often than not, the responsibility for knowing how to protect your data falls on you rather than on the storage providers administering it.
**As a friendly reminder, in Web3, everyone is responsible for how we read-write-OWN data.**

# If you attempt to store and *own* data in crypto, you must know how to protect it

![](https://i.imgur.com/Wtp0wRh.png)

In 2017, Equifax suffered a catastrophic cyber attack that exposed the sensitive information of nearly 150 million individuals, including their Social Security Numbers, dates of birth, and addresses. The company's handling of the breach was widely criticized and led to a deluge of class-action lawsuits. It was a disaster of epic proportions, akin to a raging inferno consuming a garbage receptacle.

![](https://i.imgur.com/Ymnvyb6.png)

In 2013 and 2014, Yahoo suffered two major data breaches that affected all of its 3 billion user accounts. The breaches exposed usernames, email addresses, dates of birth, and security questions and answers, among other information. The breaches had significant consequences for the company, including a decrease in user trust and a drop in its stock price. Yahoo worked to secure its systems and improve its data protection measures following the breaches, but the damage had already been done. The Yahoo data breaches are considered to be some of the largest and most significant in history.

![](https://i.imgur.com/3yNb2oE.png)

In 2018, Marriott International, a hotel chain, announced that it had suffered a data breach that exposed the personal information of up to 500 million guests. The breach, which had been ongoing for four years, exposed guests' names, addresses, phone numbers, passport numbers, and other sensitive information. The breach had significant consequences for the company, including financial penalties and a drop in its stock price.

# Processing Data

**Laws**, **policies**, and **expectations** are important for guiding individuals and organizations in handling data in a secure manner.
These guidelines help to ensure that personal and confidential information is protected, and that appropriate measures are taken to prevent unauthorized access, use, or disclosure.

One way that laws and policies can guide data security is by setting standards for how data should be collected, stored, and used. For example, laws such as the **[General Data Protection Regulation](https://gdpr-info.eu/)** (**GDPR**) in the European Union and the **[California Consumer Privacy Act](https://oag.ca.gov/privacy/ccpa)** (**CCPA**) in the United States establish specific requirements for how companies must handle personal data. These laws often require organizations to obtain consent from individuals before collecting their data, to provide clear and concise information about how the data will be used, and to take steps to protect the data from unauthorized access or disclosure.

In addition to laws and policies, organizations should also have their own **internal guidelines** and expectations for data security. These can include things like **security protocols**, *employee training programs, and policies for how data should be accessed and used*. By establishing clear expectations for data security, organizations can help ensure that their employees are aware of their responsibilities and are taking the necessary steps to protect sensitive information.

Overall, **laws**, **policies**, and **expectations** play a crucial role in guiding individuals and organizations in handling data in a secure and responsible manner. By following these guidelines, individuals and organizations can help to protect personal and confidential information, and prevent unauthorized access, use, or disclosure.

![](https://i.imgur.com/Hk9d0ws.png)

# What are the costs for getting data protection wrong?

1. Damage to your brand.
2. Loss of consumer confidence.
3. Major financial loss.

In the end, your competitors win and your operation suffers tremendously.
Read my other article on [Security Operations in Crypto](/BHCABcyOTTqWhpzij3VYIQ) to see what you can do to best protect individuals from being attack vectors in your company.

I advise that you write your own internal Security & Privacy policy to mitigate the risk of data breaches as soon as possible. If you're looking for a standard data protection policy to model your own on, one that relates to your business's needs, then look at cloud storage providers, data protection consulting firms, cybersecurity companies and data protection software services, and write a policy of your own.

`"CIA Triad"`

![CIA Triad](https://i.imgur.com/U3tNggw.png)

### Data protection is about determining the proper use of data.

Anyone who touches personal "protected" data must know how to handle it with care. Your brand, consumer base and entire financial backbone rely on making sure data is protected when running a crypto business.

---

# Personal Information

*"Any information relating to an identified or identifiable individual"*

[![The Age of Surveillance Capitalism](https://i.imgur.com/uSQN04x.png)](https://www.amazon.com/dp/B01N2QEZE2?ref=KC_GS_GB_US)

[**Surveillance capitalism**](https://en.wikipedia.org/wiki/Surveillance_capitalism) is a business model in which companies profit by collecting and analyzing personal data on a large scale, using it to target users with **personalized advertisements** that *manipulate their behavior*. This model has become prevalent with the growth of the internet and the widespread use of online services, which often collect data on users' activities and preferences in order to provide "customized experiences".

Cryptocurrency companies, like other companies that operate online, are beginning to collect and analyze **personal data** in order to provide **MaaS** to their users.
Module as a service (MaaS) is a design pattern in which a self-contained piece of code is designed to be run as a standalone service, separate from the main application, in order to improve modularity, reusability, scalability, and performance.

One way that personal data held by cryptocurrency companies is at risk is through archival data breaches, in which hackers or other unauthorized individuals gain access to personal data that has been collected and stored by the core engineers or a relevant third party. Another risk is that the company may use personal data in ways that are unexpected or undesirable to users. We want to avoid selling user data to third parties without the users' knowledge or consent. Additionally, the vast amounts of personal data that are collected and analyzed by cryptocurrency companies can be used to create detailed profiles of individuals and to predict and influence their behavior.

[![MetaMask Wallet Picture](https://i.imgur.com/52iDjCR.png)](https://reclaimthenet.org/metamask-starts-tracking-user-ips/)

[**MetaMask starts tracking users' IP addresses**](https://reclaimthenet.org/metamask-starts-tracking-user-ips/)

* [Pastejacking Smart Contracts: Replacing Wallet Addresses to Steal Data](https://forkbomb.io/blog/pastejacking-smart-contracts)

---

## "Sensitive information"

**Special Categories** of personal data include your *health, genetic, biometric, religious, political affiliation and intimate relations* information, such as sexual orientation or your past / present partnerships. Data is valuable because it can be used to change behavior, and with that value come stricter laws and regulations. If and when wallets are associated with fingerprint unlocks, this data would fall under "sensitive information." You will be subjected to the harshest punishments the law can offer if you willingly take advantage of sensitive information.

The ways we can protect personal data are by **Removing** it, **Masking** it or **Aggregating** it.
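To make those three protections concrete, together with the masking, aggregating and truncating concepts listed in the table of contents, here is an added Python example that is not code from the original article. The record layout, field names, the salt and the sample users are all assumptions constructed for the example.

```python
# Added example, not code from the original article: the page's three
# protections (remove / mask / aggregate) plus truncation on constructed
# records. Field names and the record layout are assumptions.
from collections import Counter
import hashlib

# Special-category fields the page calls "sensitive information": removed, not masked.
SPECIAL_CATEGORIES = {"health", "genetic", "biometric", "religion", "politics"}

def mask_email(email):
    """Masking: keep the first character and the domain, hide the rest."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        return "***"
    return local[0] + "*" * (len(local) - 1) + "@" + domain

def truncate_ip(ip):
    """Truncating: drop the last IPv4 octet so the value no longer identifies
    one device but still allows coarse, per-network analysis."""
    parts = ip.split(".")
    return ".".join(parts[:3] + ["0"]) if len(parts) == 4 else "0.0.0.0"

def pseudonymise_wallet(address, salt):
    """Masking a wallet: a salted hash lets internal records be joined
    without exposing the on-chain identity. Rotate the salt per purpose."""
    return hashlib.sha256((salt + address.lower()).encode()).hexdigest()[:16]

def sanitise(record, salt):
    """Removing + masking + truncating on one record (input left untouched)."""
    out = {k: v for k, v in record.items() if k not in SPECIAL_CATEGORIES}
    out["email"] = mask_email(out["email"])
    out["ip"] = truncate_ip(out["ip"])
    out["wallet"] = pseudonymise_wallet(out["wallet"], salt)
    return out

def aggregate_by_country(records, k=2):
    """Aggregating: counts per country, suppressing groups smaller than k
    so no single user can be singled out from the statistic."""
    counts = Counter(r["country"] for r in records)
    return {c: n for c, n in counts.items() if n >= k}

# Constructed sample records; these are not real users.
SAMPLE = [
    {"email": "alice@example.com", "ip": "203.0.113.45", "wallet": "0xABC123",
     "country": "US", "health": "asthma"},
    {"email": "bob@example.org", "ip": "198.51.100.7", "wallet": "0xDEF456",
     "country": "US", "religion": "none"},
    {"email": "carol@example.net", "ip": "192.0.2.99", "wallet": "0x789ABC",
     "country": "DE"},
]
```

Running `sanitise(SAMPLE[0], "rotate-this-salt")` drops the `health` field, masks the email to `a****@example.com`, truncates the IP to `203.0.113.0` and replaces the wallet with a 16-character pseudonym; `aggregate_by_country(SAMPLE)` returns only `{"US": 2}` because the single German user is suppressed.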
The best approach is a prepared one: know or create your company's definitions and sensitivity designations for handling personal data as soon as possible.

# Handling Personal Information

Processing information is when we pull (receive), enter, generate, send (push) or share data with others in our organization.

![](https://i.imgur.com/pfVWWXB.jpg)

## Data Lifecycle: (unordered)

1. **Collecting** - Submissions, forms, applications.
2. **Storing** - Internal reviews (HR, BD, PR, Executive...)
3. **Using** - Screening, analysis, organizational purposing
4. **Sharing** - Internal & external: sending of personal data
5. **Archiving** - Long-term storage
6. **Destroying** - Two-year destruction

### Data Protection Principles

1. **Transparency** - Notices (pop-ups) for how data will be collected and processed.
2. **Consent** - User agreement (signature)
3. **Data Minimisation** - Personal data limited to only what's needed (specific information)
4. **Purpose Limitation** - Without consent, personal data should not be shared for other purposes without the user knowing it.
5. **Security** - Ensuring a safe connection and file sharing, and notices of personal data information handling. (*Confidentiality and integrity*)
6. **Access** - The ability to view, challenge, edit, delete, or receive copies of *personal data.*

## Internal Policy

If your company does not have a "data protection policy", you may need to communicate the importance of having one before handling consumer data. In it, you should outline the guidelines for employee confidentiality, computer / network use and document retention. This can be highlighted or labeled on your team's website, which provides statements such as the organization's privacy notice for outside individuals. This can be applied to inform job applicants and general users / customers as well.
# Thank you

### [Dylan Kawalec](https://www.linkedin.com/in/dylankawalec/)

> Technology Evangelist Binance Smart Chain (United States, CA)

[<img style="padding: 10px 0px 10px 95px;" src="https://i.imgur.com/C31vGGg.png" width="50" height="50" hspace="100px"/>](https://github.com/DylanCkawalec) [<img style="padding: 20px 0px 20px 65px;" src="https://i.imgur.com/rRlVRwI.png" width="50" height="50" hspace="100px"/>](https://www.linkedin.com/in/dylankawalec/)

##### Binance Smart Chain | Data Privacy Protection analysis and review.

###### If you found this informative or insightful, please share this document with your team.