Planning a Trip to the Metaverse?  Sounds Cool, but You’ll Need More than a Passport to Keep Data Secure Along the Journey.


It’s not surprising that there’s major buzz about educating through the metaverse! Learning about the human body by venturing into a realistic model of a brain to poke around and see what happens used to only be achievable via a fictional magic school bus, and now it’s at our fingertips as a tangible alternative to reading facts from a textbook. Not only is this uniquely interactive new form of education fascinating in its formulation for piquing students’ interest, but it appeals to the business side of educational institutions as well. Enrollment in higher education has been down due to the pandemic, and this adventurous learning method – a cutting-edge and creative step beyond the typical web-based classroom – may be a way to attract people who don’t want to do brick and mortar but would be open to online learning.  

 

With new frontiers to explore, however, there are also new privacy risks. These can absolutely be mitigated, but it is necessary to keep them in mind as you set forth on this journey. Here are some top tips from Kuma’s Senior Director of Privacy, Theo Wills, for school administrators thinking about making the metaverse a part of their educational resources:

 

  • Plan ahead. 

Just as you wouldn’t travel without enough money saved up and free time worked into your schedule, don’t start your metaverse journey without a solid and comprehensive privacy and security program in place. The challenges ahead will only be amplified, and your risks will go through the roof if your organization hasn’t already embedded a data-aware culture. When was the last time you assessed your program against an industry-recognized framework such as NIST or AICPA? What’s the status of your mitigation plan? Are you deploying role-based training? How many years has your workforce been taking the same annual training?

 

  • Research your destination and plan your itinerary. 

Where are you going and how are you getting there? What is the use case for your initiative? How will it support your core mission? Can you confidently document how and what data will be collected, used, stored, and disposed of? How are you informing individuals about this data collection and use? Will data be used to make decisions or inferences about individuals? If so, has that decision-making been vetted against potential equity and bias issues?

 

  • Know what’s in your luggage. 

Understand the data involved. What type of personal data will you be collecting? Multiple processes may be involved that require various sensitive data collections, for example, identity authentication data points, biometrics related to facial recognition, movement, behavior and reaction patterns, and the inferences made based on that data. Based on your understanding of the data, you can then begin to assess compliance with statutory and regulatory privacy requirements.

 

  • Screen your travel companions. 

How well do you know your travel companions?  Build strong data protection clauses into vendor contracts. Explicitly identify the data owner and data rights. Document where data will be stored, who will have access and how long the data will be retained.  State required security and privacy controls and your methods for continuous monitoring.  Include reporting and mitigation requirements in cases of suspected or actual unauthorized access.  

 

  • Get the travel insurance. 

What if your travel plans don’t go as expected?  Develop, document, and test your incident response plan.  Conduct training to ensure everyone knows their role if the worst case happens.  Review your cyber insurance.  Are there gray areas where you need to confirm coverage?  Finally, in case you decide the journey didn’t deserve the five-star rating, develop an exit strategy now.  Contractually bind vendors to return data in a specific format or to provide written certification of data destruction. 

 

Whether it is the metaverse, your day-to-day practices, or your overarching strategy, Kuma is standing by to help you navigate your data protection journey. Our credentialed and experienced team can craft strategies and execute plans customized for your environment and budget. Contact us for a complimentary consultation today.
