Data Privacy Day, an international "holiday" that occurs each year on January 28, was created to raise awareness and promote privacy and data protection best practices. The National Cyber Security Alliance (NCSA) assumed leadership of Data Privacy Day from the Privacy Projects back in August of 2011. A nonprofit, public-private partnership dedicated to promoting a safer, more secure and more trusted Internet, NCSA is advised by a distinguished advisory committee of privacy professionals.

Data Privacy Day's educational initiative originally focused on raising awareness among businesses as well as users about the importance of protecting the privacy of their personal information online, particularly in the context of social networking. In addition to its educational initiative, Data Privacy Day promotes events and activities that stimulate the development of technology tools that promote individual control over personally identifiable information; encourage compliance with privacy laws and regulations; and create dialogues among stakeholders interested in advancing data protection and privacy.

With this in mind, VMblog has compiled some detailed perspectives, as well as some tips for better protection of sensitive corporate data, from a few industry experts on this Data Privacy Day 2020.
Rui Lopes, Engineering and Technical Support Director at Panda Security, a provider of IT security solutions:

"Whether it's for legitimate business purposes or for the next global cyber threat, data has never been more widely collected, or valuable, sparking the need for a seismic shift in how businesses and individuals protect their information. As Data Privacy Day 2020 approaches, it's important for companies large and small to review their data-privacy policies to ensure that these valuable assets are secure. Businesses should use this day to ensure that they have visibility and control over how users and applications access data across each device on their network. Additionally, they should also review their own data-collecting policies for clients as well as employees to confirm proper security protocols are in place, and that they are in compliance with any applicable regulatory guidelines."
Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management:

"The requirement for maintaining data privacy has increased as privacy regulations have been adopted by many more jurisdictions since they were first introduced. Fines for breaching data privacy regulations have multiplied, and penalties can be more severe than fines. Increased public awareness and media interest have led to potential commercial and reputational consequences for non-compliance. The risk of private data being compromised has increased as systems are increasingly accessible via connected devices and vulnerable to cyber-attacks.

With all of the focus on breaches and the loss of personal data, it is understandable that the main attention for organizations today seems to have shifted to data privacy - after all, we are seeing a growth in legislative requirements to protect personal information along with the associated fines and sanctions for non-compliance.

Most governments have created regulations that impose conditions on the protection and use of personally identifiable information (PII), with penalties for organizations who fail to sufficiently protect it. As a result, data privacy and the protection of PII, afforded protection under the General Data Protection Regulation (GDPR) in the European Union (EU), the California Consumer Privacy Act (CCPA) and the New York Privacy Act, appear to be here to stay.

What is clear is that privacy is becoming more of an issue in the United States and there is a very real need for a Federal law to avoid States introducing their own variations and interpretations on privacy, which adds a further compliance burden to already overstretched businesses looking to understand and comply with their obligations across the various regions in which they are transacting business. The good news is that the formal enactment of the CCPA is going to add momentum to endeavors within the United States to formalize a sweeping federal law on data privacy."
Joseph Carson, chief security scientist at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions:

"It can be argued that the end of privacy as we know it is closer than you may think.

In essence, privacy allows citizens to be free, and when you take away or constrain privacy, you take away citizens' freedom.

The reality today is that almost everyone is being tracked and monitored 24/7, with thousands of cameras recording your expressions, fashion, interactions and speech to determine what you need, what you might be thinking and who you are meeting. Algorithms can even determine what your next action might be.

Privacy should be universal. However, we tend to have different definitions of privacy in the digital world as opposed to the physical world. EU GDPR has been a ground-breaking change that set new regulations around digital privacy, empowering citizens with clear-cut rights around consent and transparency of their personal information online. It was a step in the right direction and has drawn a line in the sand as to what's acceptable and what's not acceptable in terms of data privacy, collection and processing.

Some governments are looking to abolish privacy from their citizens altogether - citing terrorism as the reason. Ironically, these same governments have also stated the need for end-to-end encryption to protect against new risks, with Huawei's involvement with 5G being a prime example. Encryption is a citizen's right to have digital privacy just as we do in the physical world.

Privacy, security and trust must come as a package; they are all related and needed in order to build a cyber resilient society. If you sacrifice privacy you are also sacrificing security, and it ultimately ends in a lack of trust.

We hear the term 'data is the new oil'; however, I disagree with this. Humans are the new oil - we are the 'product' and data is the commodity which is transacted to create value, so it stands to reason that technology companies are data hungry and want as much of this information as possible."
Heather Paunet, Vice President of Product Management at Untangle, a San Jose, Calif.-based provider of comprehensive network security for SMBs:

"Data privacy has become a hot topic over the last few years, especially with the abundance of large-scale data breaches. It is important that organizations of all sizes take data privacy seriously and proactively ensure personally identifiable information (PII) is protected. Protecting data in the event of a breach is crucial to maintain the trust and respect of the public. Businesses can take some simple steps to protect the data they are collecting. Storing the private data on a network or server that is separate from the public, or even separate from the main corporate network, can provide an extra layer of protection. Encrypting the data, especially PII, is another standard practice to comply with a variety of regulations like PCI and HIPAA in the United States and GDPR in Europe. With GDPR and CCPA in full effect, data privacy and transparency are now more relevant than ever. Businesses must realize that the GDPR rules are not a hindrance, but a chance to show consumers that they can trust them and that they are taking a proactive approach to data privacy.

On a consumer level, protecting your data is becoming more and more difficult as apps and websites demand the information. However, consumers can be proactive and choose what they share. For example, don't fill out social profiles completely (address, high school/college and birth date are all considered PII). Breaches on social media sites, such as Facebook, are a prime example of sharing too much information through a 'fun, free quiz'; those participants' information was sold to advertisers without their knowledge. Sharing your social security number is never a good idea. The only businesses that need that information are your work, bank and possibly your healthcare provider; anyone else asking is just phishing for more of your PII."
Ali Golshan, CTO and co-founder at StackRox, a Mountain View, Calif.-based leader in security for containers and Kubernetes:

"Considering the volume and range of data being collected from services and users, targeting and reaching the user has become a very personal experience. We can clearly see the negative impacts of this in politics and the American culture as a whole.

Analytic infrastructures allow for powerful insights into data, but they create compliance and security risks for companies because data is often dumped into data lakes without proper labeling, auditing, or policy enforcement. We are seeing companies such as Apple building trust with customers by providing visibility and transparency into how that data is used.

Due to development timelines, developers often have to delay building granular privacy permissions into their applications. Such permissions enable individual customers to define how their data can be used, or the right to be forgotten - both of these parameters are cornerstones of GDPR compliance.

One key feature for data privacy is ensuring up-to-date controls and configurations around access. To ensure data is protected from unauthorized access, systems need controls such as identity and authentication of users. Limits to access must also extend to developers of platforms as well.

All services working with personal and private data should apply crypto best practices for data in motion and data at rest or stored. Beyond encryption, the best way to secure data is to not collect it, so apply principles of minimal data collection or apply additional layers of obfuscation. One method of obfuscation is differential privacy, which allows providers to offer customized services for users while maintaining privacy for individual users."
Shahrokh Shahidzadeh, CEO at Acceptto, a Portland, Oregon-based provider of Continuous Behavioral Authentication:

"Today, everyone must assume that each and every one of their credentials has already been stolen. This includes those credentials that haven't even been created yet.

Due to the frequency of data breaches, we all must operate under the assumption that it's only a matter of time before we become aware of the fact that our credentials and personal information are compromised. Protecting our citizens' identity and privacy requires new regulatory measures and the collaboration of private and public sectors, including all (large or small) companies that today are taking overt advantage of harvested consumer data that is readily available for corporate welfare but not well protected.

I believe that 2020 will be the year of new solutions that employ a combination of multi-modal and contextual controls that continuously and accurately protect user identity and privacy with the assumption that all your online credentials are already compromised."
Cindy Provin, senior vice president of Entrust Datacard and general manager, and Peter Galvin, CSO, at nCipher Security:
"The California Privacy Act gives new teeth to Data Privacy Day," said Cindy Provin, senior vice president Entrust Datacard and general manager of nCipher Security. "We as an industry need to do more than just live up to the mere letter of the law. Based on our research, 79% of Americans care how a company uses their private information. That means consumers want reassurances that their private data is not at risk. It is the industry's responsibility to build that trust by putting a comprehensive security strategy in place that leverages encryption and key management best practices. Then it's up to industry to educate consumers about how and why a company should earn their trust."
"We're hooked on data," said Peter Galvin, CMO, digital security at nCipher Security. "While 61% of Americans are not okay with companies sharing their private data, we also know that Americans love the benefits of data sharing such as on-target product recommendations. The key is ensuring the right balance between fulfillment and security. As we observe Data Privacy Day, we as an industry need to strengthen trust with consumers that their data security is ironclad."
Steve Grewal, Chief Technology Officer, Federal at Cohesity:
"The California Consumer Privacy Act is an important step towards greater digital privacy. The law is modeled after the UK's General Data Protection Regulation (GDPR) that requires companies to share how personal data is collected and used, and gives consumers the option to have their data deleted. We believe it will have a positive impact on customers' privacy, and how enterprises store and share consumer data across their business.
However, CCPA differs from GDPR in that it doesn't apply to backup copies of data. Therefore, enterprises need to be aware of potential compliance violations when using backups to restore primary systems -- as the backup data may contain personal data that requires extra scrutiny to assure CCPA compliance.
Given you never know when backups need to be utilized, it's imperative for organizations to deploy software that can locate personal data across all data sets -- including backup copies -- to ensure organizations minimize their compliance risks at all times."
Darrell Long, Vice President of Product Management, One Identity:
"We see companies across all industries struggle with the implementation of proactive data privacy practices and policies. GDPR, the recently introduced California Consumer Privacy Act (CCPA) and other regulations in the works are designed to punish those organizations that are handling personal data with negligence. These regulations require organizations to demonstrate the implementation of proper data protection practices. The reality is that privacy begins with identity management. Though the concept is simple, companies that fail to implement practices such as identity governance & administration and privileged access management are considered negligent and thus exposed to higher fines and stronger punishments.
We currently see many companies paying catch-up with new regulations, working to implement the right security tools and practices after a breach. Hopefully, Data Privacy Day becomes a good initiative to remind companies to think ahead and maintain a proactive stance on privacy before a cyber incident occurs."
Nigel Tozer, Solution Marketing Director EMEA at Commvault:

"Data Protection Day, or as it’s become known internationally, Data Privacy Day, arrives this January in a new decade, where the world is waking up to the threats our digital world places on our personal privacy. If any proof was needed, at exactly the same time as the new decade dawned, so did the California Consumer Privacy Act (CCPA). Many consider CCPA to be a ‘lite’ version of Europe’s privacy regulation, GDPR, but this really isn’t the case. While the scope of who CCPA applies to is narrower, the two are incredibly alike in many respects, and as enforcement is handled by courts and not regulators, as in Europe, expect it to hit the headlines much sooner. CCPA is also likely to push the rest of the US closer toward a federal privacy law, along with other states that are taking similar action independently.

So what can you do as a citizen and as a business this Data Privacy Day to make a difference? As individuals, laws that protect your privacy will vary by location, but there’s a lot you can do yourself to protect your personal data. Firstly, search online to see what privacy settings you can change on your phone that will help – your phone is the #1 way your data gets monetized. Delete unused apps (they can leak personal data) and take a look at privacy-centric search engines and browsers. And remember, free services and social media platforms are generally funded by selling your data.

As a business, again it depends on your location. If you’re international and find yourself covered by CCPA, GDPR and more, go for compliance with a ‘super-set’ of the regulations and be aware that some countries will have specifics you will need to take account of. For this reason, you really do need legal help with experience in this area. Trying to comply with privacy laws is the very definition of a people, process and technology problem – there is no black-box answer or quick-fix solution. Finally, I always recommend that data be considered as much a liability as it is a resource, so profile/map out your data and understand it. Until you do this, you don’t know what your liability is or how you can start to fix it."