Virtualization Technology News and Information
Data Privacy Day 2020: Views and Tips from Top Industry Experts


Data Privacy Day, an international "holiday" that occurs each year on January 28, was created to raise awareness and promote privacy and data protection best practices. The National Cyber Security Alliance (NCSA) assumed leadership of Data Privacy Day from the Privacy Projects back in August of 2011. A nonprofit, public-private partnership dedicated to promoting a safer, more secure and more trusted Internet, NCSA is advised by a distinguished advisory committee of privacy professionals.

Data Privacy Day's educational initiative originally focused on raising awareness among businesses as well as users about the importance of protecting the privacy of their personal information online, particularly in the context of social networking. In addition to its educational initiative, Data Privacy Day promotes events and activities that stimulate the development of technology tools that promote individual control over personally identifiable information; encourage compliance with privacy laws and regulations; and create dialogues among stakeholders interested in advancing data protection and privacy.

With this in mind, VMblog has compiled some detailed perspectives, as well as some tips for better protection of sensitive corporate data, from a few industry experts on this Data Privacy Day 2020.

Rui Lopes, Engineering and Technical Support Director at Panda Security, a provider of IT security solutions:

"Whether it's for legitimate business purposes or for the next global cyber threat, data has never been more widely collected, or more valuable, sparking the need for a seismic shift in how businesses and individuals protect their information. As Data Privacy Day 2020 approaches, it's important for companies large and small to review their data-privacy policies to ensure that these valuable assets are secure. Businesses should use this day to ensure that they have visibility and control over how users and applications access data across each device on their network. Additionally, they should also review their own data-collecting policies for clients as well as employees to confirm proper security protocols are in place, and that they are in compliance with any applicable regulatory guidelines."

Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management:

"The requirement for maintaining data privacy has increased as privacy regulations have been adopted by many more jurisdictions since they were first introduced. Fines for breaching data privacy regulations have multiplied, and penalties can be more severe than fines. Increased public awareness and media interest have led to potential commercial and reputational consequences for non-compliance. The risk of private data being compromised has increased as systems are increasingly accessible via connected devices and vulnerable to cyber-attacks.

With all of the focus on breaches and the loss of personal data, it is understandable that the main attention for organizations today seems to have shifted to data privacy - after all, we are seeing a growth in legislative requirements to protect personal information along with the associated fines and sanctions for non-compliance.

Most governments have created regulations that impose conditions on the protection and use of personally identifiable information (PII), with penalties for organizations who fail to sufficiently protect it. As a result, data privacy and the protection of PII, afforded protection under the General Data Protection Regulation (GDPR) in the European Union (EU), the California Consumer Privacy Act (CCPA) and the New York Privacy Act, appear to be here to stay.

What is clear is that privacy is becoming more of an issue in the United States and there is a very real need for a Federal law to avoid States introducing their own variations and interpretations on privacy which adds a further compliance burden to already overstretched businesses looking to understand and comply with their obligations across the various regions in which they are transacting business. The good news is that the formal enactment of the CCPA is going to add momentum to endeavors within the United States to formalize a sweeping federal law on data privacy."

Joseph Carson, chief security scientist at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions:

"It can be argued that the end of privacy as we know it is closer than you may think.

In essence, privacy allows citizens to be free, and when you take away or constrain privacy, you take away citizens' freedom.

The reality today is that almost everyone is being tracked and monitored 24/7 with thousands of cameras recording your expressions, fashion, interactions and speech to determine what you need, what you might be thinking and who you are meeting. Algorithms can even determine what your next action might be.

Privacy should be universal. However, we tend to have different definitions of privacy in the digital world as opposed to physical world. EU GDPR has been a ground-breaking change that set new regulations around digital privacy, empowering citizens with clear cut rights around consent and transparency of their personal information online. It was a step in the right direction and has drawn a line in the sand into what's acceptable and what's not acceptable in terms of data privacy, collection and processing.

Some governments are looking to abolish privacy from their citizens altogether, citing terrorism as the reason. Ironically, these same governments have also stated the need for end-to-end encryption to protect against new risks, with Huawei's involvement with 5G being a prime example. Encryption is a citizen's right to have digital privacy just as we do in the physical world.

Privacy, security and trust must come as a package; they are all related and needed in order to build a cyber resilient society. If you sacrifice privacy you are also sacrificing security, and it ultimately ends in a lack of trust.

We hear the term 'data is the new oil'; however, I disagree with this. Humans are the new oil. We are the 'product' and data is the commodity which is transacted to create value, so it stands to reason that technology companies are data hungry and want as much of this information as possible."

Heather Paunet, Vice President of Product Management at Untangle, a San Jose, Calif.-based provider of comprehensive network security for SMBs:

"Data privacy has become a hot topic over the last few years, especially with the abundance of large-scale data breaches. It is important that organizations of all sizes take data privacy seriously and proactively ensure personally identifiable information (PII) is protected. Protecting data in the event of a breach is crucial to maintain the trust and respect of the public. Businesses can take some simple steps to protect the data they are collecting. Storing the private data on a network or server that is separate from the public, or even separate from the main corporate network, can provide an extra layer of protection. Encrypting the data, especially PII, is another standard practice to comply with a variety of regulations like PCI and HIPAA in the United States and GDPR in Europe. With GDPR and CCPA in full effect, data privacy and transparency is now more relevant than ever. Businesses must realize that the GDPR rules are not a hindrance, but a chance to show consumers that they can trust them and that they are taking a proactive approach to data privacy.

On a consumer level, protecting your data is becoming more and more difficult as apps and websites demand the information. However, consumers can be proactive and choose what they share. For example, don't fill out social profiles completely (address, high school/college, birth date are all considered PII). Breaches on social media sites, such as Facebook, are a prime example of sharing too much information through a "fun, free quiz"; those participants' information was sold to advertisers without their knowledge. Sharing your social security number is never a good idea. The only businesses that need that information are your work, bank and possibly your healthcare provider; anyone else asking is just phishing for more of your PII."

Ali Golshan, CTO and co-founder at StackRox, a Mountain View, Calif.-based leader in security for containers and Kubernetes:

"Considering the volume and range of data being collected from services and users, targeting and reaching the user has become a very personal experience. We can clearly see the negative impacts of this in politics and the American culture as a whole.

Analytic infrastructures allow for powerful insights into data, but they create compliance and security risks for companies because data is often dumped into data lakes without proper labeling, auditing, or policy enforcement. We are seeing companies such as Apple building trust with customers by providing visibility and transparency into how that data is used.

Due to development timelines, developers often have to delay building granular privacy permissions into their applications. Such permissions enable individual customers to define how their data can be used, or the right to be forgotten - both of these parameters are cornerstones of GDPR compliance.

One key feature for data privacy is ensuring up-to-date controls and configurations around access. To ensure data is protected from unauthorized access, systems need controls such as identity and authentication of users. Limits to access must also extend to developers of platforms as well.

All services working with personal and private data should apply crypto best practices for data in motion and data at rest or stored. Beyond encryption, the best way to secure data is to not collect it, so apply principles of minimal data collection or apply additional layers of obfuscation. One method of obfuscation is differential privacy, which allows providers to offer customized services for users while maintaining privacy for individual users."
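Golshan names differential privacy as one form of obfuscation without showing how it works. The block below is an added example, not code from the page or from StackRox: it answers a counting query over a constructed opt-in table with the Laplace mechanism (noise scaled to the query's sensitivity divided by epsilon) and charges each release against a privacy budget so that repeated queries cannot quietly erode the guarantee. The record layout, the `PrivacyBudget` class and all function names are assumptions made for this illustration.

```python
import random
from math import log


class BudgetExhausted(Exception):
    """Raised when a query would exceed the remaining privacy budget."""


class PrivacyBudget:
    """Tracks cumulative epsilon spent across queries (basic sequential composition)."""

    def __init__(self, total_epsilon):
        self.total = total_epsilon
        self.spent = 0.0

    @property
    def remaining(self):
        return self.total - self.spent

    def spend(self, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total + 1e-12:
            raise BudgetExhausted(f"need {epsilon}, only {self.remaining} left")
        self.spent += epsilon


def seeded_rng(seed):
    """Deterministic generator for reproducible demonstrations and tests."""
    return random.Random(seed)


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse-CDF transform of a uniform draw."""
    u = rng.random() - 0.5  # uniform on [-0.5, 0.5)
    sign = -1.0 if u < 0 else 1.0
    return -scale * sign * log(max(1.0 - 2.0 * abs(u), 1e-300))


def laplace_mechanism(true_value, sensitivity, epsilon, rng):
    """Release true_value plus Laplace(sensitivity / epsilon) noise: epsilon-DP."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return true_value + laplace_noise(sensitivity / epsilon, rng)


def count_query(records, predicate):
    """Exact (non-private) count of records matching the predicate."""
    return sum(1 for r in records if predicate(r))


def private_count(records, predicate, epsilon, budget, rng):
    """Answer a counting query under DP, charging the budget before release."""
    budget.spend(epsilon)
    # Adding or removing one person's record changes a count by at most 1,
    # so the sensitivity of any counting query is 1.
    return laplace_mechanism(count_query(records, predicate), 1, epsilon, rng)


# Constructed sample records (not real users): (user_id, opted_in_to_marketing).
RECORDS = [(uid, uid % 3 == 0) for uid in range(100)]  # exactly 34 opt-ins


if __name__ == "__main__":
    budget = PrivacyBudget(total_epsilon=1.0)
    rng = seeded_rng(2020)
    print("true count:", count_query(RECORDS, lambda r: r[1]))
    print("released  :", private_count(RECORDS, lambda r: r[1], 0.5, budget, rng))
    print("remaining budget:", budget.remaining)
```

The released value is accurate in aggregate (averaging many releases converges on the true count) while any single release reveals little about whether one individual is in the table; the budget object is what stops an analyst from averaging away the noise by re-asking the same question.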

Shahrokh Shahidzadeh, CEO at Acceptto, a Portland, Oregon-based provider of Continuous Behavioral Authentication:

"Today, everyone must assume that each and every one of their credentials has already been stolen. This includes those credentials that haven't even been created yet.

Due to the frequency of data breaches, we all must operate under the assumption that it's only a matter of time that we become aware of the fact that our credentials and personal information are compromised. Protecting our citizens' identity and privacy requires new regulatory measures and the collaboration of private and public sectors including all (large or small) companies that today are taking overt advantage of harvested consumer data that is readily available for corporate welfare but not well protected.

I believe that 2020 will be the year of new solutions that employ a combination of multi-modal and contextual controls that continuously and accurately protect user identity and privacy with the assumption that all your online credentials are already compromised."

Cindy Provin, senior vice president of Entrust Datacard and general manager of nCipher Security, and Peter Galvin, CSO at nCipher Security:

"The California Privacy Act gives new teeth to Data Privacy Day," said Cindy Provin, senior vice president Entrust Datacard and general manager of nCipher Security. "We as an industry need to do more than just live up to the mere letter of the law. Based on our research, 79% of Americans care how a company uses their private information. That means consumers want reassurances that their private data is not at risk. It is the industry's responsibility to build that trust by putting a comprehensive security strategy in place that leverages encryption and key management best practices. Then it's up to industry to educate consumers about how and why a company should earn their trust."

"We're hooked on data," said Peter Galvin, CMO, digital security at nCipher Security. "While 61% of Americans are not okay with companies sharing their private data, we also know that Americans love the benefits of data sharing such as on-target product recommendations. The key is ensuring the right balance between fulfillment and security. As we observe Data Privacy Day, we as an industry need to strengthen trust with consumers that their data security is ironclad."

Steve Grewal, Chief Technology Officer, Federal at Cohesity:

"The California Consumer Privacy Act is an important step towards greater digital privacy. The law is modeled after the UK's General Data Protection Regulation (GDPR) that requires companies to share how personal data is collected and used, and gives consumers the option to have their data deleted. We believe it will have a positive impact on customers' privacy, and how enterprises store and share consumer data across their business.

However, CCPA differs from GDPR in that it doesn't apply to backup copies of data. Therefore, enterprises need to be aware of potential compliance violations when using backups to restore primary systems, as the backup data may contain personal data that requires extra scrutiny to assure CCPA compliance.

Given you never know when backups need to be utilized, it's imperative for organizations to deploy software that can locate personal data across all data sets -- including backup copies -- to ensure organizations minimize their compliance risks at all times."
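Grewal's point is that personal data deleted from a primary system can survive in backup copies and exports, so discovery has to cover every data set. The block below is an added example, not code from the page or from Cohesity: it runs format-based PII detectors over a constructed set of data sets (a primary table, a dated backup snapshot and an analytics export), reports candidate PII per data set, and lists where a given subject's identifier still resides after it was removed from the primary. The data set names, record format and function names are assumptions, and the matched values are constructed placeholders, not real people.

```python
import re

# Format-based detectors for common PII. A match is a candidate to review,
# not confirmed PII: the patterns check shape, not validity.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "us_ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "us_phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}-)\d{3}-\d{4}(?!\d)"),
}

# Constructed data sets (not real records). Alice (id=2) has been deleted from
# the primary database after a consumer request, but the backup taken before
# the deletion and an analytics export still carry her data.
DATASETS = {
    "primary_db": [
        "id=1 name=Bob email=bob@example.com phone=(503) 555-0100",
        "id=3 name=Carol email=carol@example.net",
    ],
    "backup_2020-01-15": [
        "id=1 name=Bob email=bob@example.com phone=(503) 555-0100",
        "id=2 name=Alice email=alice@example.org ssn=123-45-6789",
        "id=3 name=Carol email=carol@example.net",
    ],
    "analytics_export": [
        "event=login user=alice@example.org ts=2020-01-20T10:00:00Z",
    ],
}


def scan_record(text):
    """Return {pii_type: [matches]} for one free-text or key=value record."""
    found = {}
    for kind, pattern in PII_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[kind] = hits
    return found


def find_pii(datasets):
    """Count PII candidates per type in every data set, backups included."""
    report = {}
    for name, records in datasets.items():
        counts = {}
        for record in records:
            for kind, hits in scan_record(record).items():
                counts[kind] = counts.get(kind, 0) + len(hits)
        report[name] = counts
    return report


def residual_copies(datasets, identifier):
    """Data sets that still hold a subject identifier, e.g. after a deletion request."""
    return sorted(
        name for name, records in datasets.items()
        if any(identifier in record for record in records)
    )


if __name__ == "__main__":
    for name, counts in find_pii(DATASETS).items():
        print(f"{name}: {counts}")
    print("alice@example.org still present in:",
          residual_copies(DATASETS, "alice@example.org"))
```

In practice the detectors would be paired with field-level metadata and validity checks to cut false positives, but even this shape-only scan shows why a deletion workflow that touches only the primary store leaves a compliance gap: restoring `backup_2020-01-15` would silently bring the deleted subject back.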

Darrell Long, Vice President of Product Management, One Identity:

"We see companies across all industries struggle with the implementation of proactive data privacy practices and policies. GDPR, the recently introduced California Consumer Privacy Act (CCPA) and other regulations in the works are designed to punish those organizations that are handling personal data with negligence. These regulations require organizations to demonstrate the implementation of proper data protection practices. The reality is that privacy begins with identity management. Though the concept is simple, companies that fail to implement practices such as identity governance & administration and privileged access management are considered negligent and thus exposed to higher fines and stronger punishments.

We currently see many companies playing catch-up with new regulations, working to implement the right security tools and practices after a breach. Hopefully, Data Privacy Day becomes a good initiative to remind companies to think ahead and maintain a proactive stance on privacy before a cyber incident occurs."

Nigel Tozer, Solution Marketing Director EMEA at Commvault:

"Data Protection Day, or as it’s become known internationally, Data Privacy Day, arrives this January in a new decade, where the world is waking up to the threats our digital world places on our personal privacy. If any proof was needed, at exactly the same time as the new decade dawned, so did the California Consumer Privacy Act (CCPA). Many consider CCPA to be a ‘lite’ version of Europe’s privacy regulation, GDPR, but this really isn’t the case. While the scope of who CCPA applies to is narrower, the two are incredibly alike in many respects, and as enforcement is handled by courts and not regulators, as in Europe, expect it to hit the headlines much sooner. CCPA is also likely to push the rest of the US closer toward a federal privacy law, along with other states that are taking similar action independently.

So what can you do as a citizen and as a business this Data Privacy Day to make a difference? As individuals, laws that protect your privacy will vary by location, but there’s a lot you can do yourself to protect your personal data. Firstly, search online to see what privacy settings you can change on your phone that will help; your phone is the #1 way your data gets monetized. Delete unused apps (they can leach personal data) and take a look at privacy-centric search engines and browsers. And remember, free services and social media platforms are generally funded by selling your data.

As a business, again it depends on your location. If you’re international and find yourself covered by CCPA, GDPR and more, go for compliance with a ‘super-set’ of the regulations and be aware, some countries will have specifics you will need to take account of. For this reason, you really do need legal help with experience in this area. Trying to comply with privacy laws is the very definition of a people, process and technology problem; there is no black-box answer or quick fix solution. Finally, I always recommend that data be considered as much a liability as it is a resource, so profile/map out your data and understand it. Until you do this, you don’t know what your liability is or how you can start to fix it."

Published Tuesday, January 28, 2020 6:30 AM by David Marshall