15 views on why the message of Data Privacy Day is more important than ever
Today, January 28, 2020, marks International Data Privacy Day, a day meant to focus attention on best practices around protecting the privacy and security of customer data.
The importance of this observance grows with each passing year, as do the threats – both external and internal – to data privacy and security.
Consider the following data points gathered by Bitglass’ research team. The researchers have studied hundreds of thousands of companies worldwide, and the statistics below show where the surveyed companies fall short and why organizations must rethink their current security strategies:
- The top three breaches of financial institutions in 2019 compromised over 106 million individuals' records, demonstrating that many financial organizations are not taking the proper steps to secure customer data in the modern cloud environment.
- 86% of enterprises have deployed cloud-based tools, but only 34% have implemented single sign-on (SSO), one of the most basic and critically important cloud security tools - an indication that companies are not leveraging appropriate tools to keep consumer data safe.
- 52% of the Fortune 500 do not have any language on their websites about how they protect the data of customers and partners (beyond a legally required privacy notice).
- 75% of companies leverage multi-cloud solutions, but only 20% have visibility over cross-app anomalous behavior. With more organizations storing sensitive information in the cloud, adopting proper cloud security measures is critical to protecting data.
Information Management (a sister publication of Health Data Management) spoke with several leading IT and information security experts for their thoughts on the importance of Data Privacy Day. Here’s what they had to say.
Growing data, growing threats
“Data privacy is one of the hottest conversation topics spanning all industries and regions - for good reason. With exponential amounts of enterprise data only increasing, ensuring data privacy involves layered, complex challenges for any business. From a cloud hosting perspective, meeting evolving compliance and privacy regulations, such as the new CCPA law, is one of those layers. One of the most important steps organizations can take to guarantee they are on the right path towards compliance is to rely on hosting providers that have teams experienced with GDPR and CCPA regulations. These providers can guide the process needed to guarantee data is managed within current and upcoming privacy regulations, allowing organizations to focus on maximizing data usage and the experience for their customers.”
- Lex Boost, chief executive officer, Leaseweb USA
The new decade brings new attention and new regulations
“Data Privacy Day serves as a reminder to the technology industry that protecting your data is of utmost importance. This has been increasingly true with the recent implementation of the California Consumer Privacy Act (CCPA), which is shining a light on the rising regulation of data protection and privacy. With more organizations moving their workloads to edge computing and hyperconverged environments, businesses are looking to protect and recover these workloads, in addition to complying with data privacy regulations like CCPA. With this in mind, it is essential that these platforms include a variety of backup and disaster recovery features such as snapshots, replication, ransomware protection, failover and failback, so that organizations can help safeguard their digital assets today and in the future.”
- Alan Conboy, office of the chief technology officer, Scale Computing
Most organizations now suffer cyberattacks every year
“Last year, a survey showed that between 2017-2019, 83% of organizations were hit with a cyberattack. Cyberattacks have gone from targeting large enterprises to SMEs and individuals, and with the new decade comes new ways cybercriminals are going to try and get ahold of your data. In fact, it is predicted in the 2019 Official Annual Cybercrime Report that by 2021 a cyberattack will happen once every 11 seconds - so the first Data Privacy Day of the decade is a perfect time to revisit how you’re protecting your company’s and customers’ data.”
- Trevor Bidle, vice president of information security & compliance officer, US Signal
Data privacy and security safeguards should be built into all products
“Data Privacy is the present and the future. We are starting to hear from colleagues and our customers that data privacy should be built into everything we do as service providers. Our clients understand that we have the keys to their network and will need to have controls in place to protect their data while at rest, during processing, and when in motion. Our colleagues demand we take the confidentiality of their personal data as a serious matter. They don't want to see their employer ignore the responsibility associated with their privacy; this is no longer a 'nice to have' but should be incorporated into everything we do.
“Service providers need to fully immerse themselves into the threat landscape and the best practices associated with securing data. Without cybersecurity, there can't be privacy. This deep dive includes the governance aspect of data protection as well as the technical and physical controls necessary for the confidentiality, integrity and availability of data.
“Consumers and businesses need to start asking the tough questions of their vendors. They need to understand the supply chain for the services they outsource and what those companies are doing to provide best in class cybersecurity protections. And if those vendors don't have a good answer or don't believe they are at risk, then it may be time to find a new provider.”
- Jay Ryerse, chief technology officer, security products, for Continuum, a ConnectWise company
Not all data can be protected, putting the focus on critical data
“Society is moving toward greater openness and broadly sharing information, including data that just a few years or decades ago was considered most sensitive. Sharing takes place via a wide variety of professional and social networks and public media. Governments are under social pressure to open more information as well.
“This combination of: 1) the growing volume of information, 2) the complexity and ineffectiveness of protection technologies, and 3) growing openness will lead to the realization that: A) it is impossible to protect it all, and B) there is no need to protect it all.
“On Data Privacy Day, governments, organizations and individuals should take a moment to reflect and realize that protection of all information is unrealistic, and the battle for it has been lost (actually, the victory has never been possible). They should explore their ability to protect somewhere around 25% of the information they own/handle. For that, they have to select the subset of the most valuable information that is worth protection and that is feasible to protect. They should be gradually, over the years, placing the remaining 75% of the information in the fully/partially open access realm.”
- Joseph Feiman, chief strategy officer, WhiteHat Security
Cyber threats come in all varieties. So should defenses
“IT security threats come in all different shapes and sizes, and just as quickly as we put up barriers to protect against them, cybercriminals find new ways to break through. Nowadays, simply relying on the traditional ways of backing up data is no longer sufficient and will lead to an increasing number of successful attacks.
“Organizations need to ensure all of their data and their customers’ data is protected to avoid any disruption to business operations or customer experience. Though many will prioritize investment in threat detection software, it is only half the battle. Cyberattacks will always get through eventually, and businesses must consider what to do when one does. A second line of defense is the smartest security decision – having a comprehensive range of security features, from encryption through to backup, archiving to recovery, can be what stands between a cybercriminal and your data.”
- Surya Varanasi, chief technology officer at StorCentric, parent company of Nexsan
The cloud adds openness, but vulnerability, to the picture
“This year’s Data Privacy Day is historic as it will be the first time it is recognized with the California Consumer Privacy Act (CCPA) enacted. Yet, companies still have a long road ahead to reach compliance, as most still have imperfect security strategies and cannot ensure the integrity of consumer data, especially in cloud environments. In fact, 86% of enterprises have deployed cloud-based tools but just 34% of those have implemented single sign-on (SSO), a basic yet critical cloud security tool. Additionally, 75% of organizations leverage multi-cloud solutions, but only 20% have visibility over cross-app anomalous behavior.
“Organizations continue to adopt cloud for its flexibility and cost-savings, and as a result, data is being accessed by a greater number of devices and stored more often in cloud apps than ever before. Unfortunately, the gap between the implementation of cloud tools and appropriate cloud security controls is a strong indication that most enterprises are at a high risk of suffering a data breach. This Data Privacy Day, organizations must realize that traditional, on-premises methods for securing data are not effective in the cloud, and they need to rethink their approach to cloud security.”
- Anurag Kahol, chief technology officer and co-founder, Bitglass
Customer involvement needs to be part of the defense strategy
“Consumers are sharing more information than ever before, but many are not aware of how their information is being used or exploited. Regulations like GDPR and CCPA demand that companies gather consent from individuals, empowering consumers to take control over their data. However, more consumers are becoming more sensitive about their personal data and will not be slow to take action if they have the slightest inclination that they are being taken advantage of.
“In order for enterprises and organizations to broaden their options for PII usage and build trust with skeptical consumers, they must "opt in" to consent as a business choice wherever possible, giving more transparency and authority to users. Given that failing to comply with privacy regulations can lead to significant economic consequences and worse, organizations need to apply comprehensive privacy and consent management solutions that scale across all of their applications and channels. By employing comprehensive identity management and robust consent management systems, organizations can ensure that there are not only mechanisms that act as their first line of defense for protecting consumer data, but also strengthen the bonds of digital trust for all service users.”
- Eve Maler, interim chief technology officer, ForgeRock
The role of automation in maintaining ever-ready defenses
“Data Privacy Day is all about raising awareness of how organizations put the vast amount of sensitive data they store at risk and encouraging everyone to take action to better protect this data. One major risk to data privacy is excessive access, which simply means that there are individuals, either internally or externally, who have unnecessary access to information on the mainframe. The more people with access to information, the more likely your data will be compromised. These issues can crop up inadvertently and go undetected for years, so organizations need to include excessive access checking in ongoing security processes.
“To mitigate this risk, excessive access checking should be included in an organization's security policy and done periodically to maintain a proper security posture. However, this is an arduous process that can uncover hundreds of thousands of findings, which the organization then must address. The good news is, automation can speed up excessive access checking and help organizations drill down to the user level, to get a detailed report of who has access to what.
“Another tip for organizations to improve data privacy practices is to accurately inventory, classify, and define data ownership. For organizations beginning the data discovery and classification journey, visibility into the movement and usage of your firm’s most sensitive data can help uplift security programs significantly. When you know what you have, where it is, and who has access to it, you can develop the right policies around ownership and also target your strongest security controls such as encryption of that data.”
- Ray Overby, chief technology officer and co-founder, Key Resources
All data is created equal, but some is more equal than others
“Data is a new currency that individuals and organizations are mining and monetizing around the world. Some of the biggest technology companies in the world such as Facebook, Google, and Amazon use data they collect on their platforms for targeted advertisements, which is a main driver for their monopolistic profits. While many admire these companies as American pioneers, they should also realize that we are entrusting them with our personal data, which is a large responsibility.
“On Data Privacy Day, it’s important to remember that sensitive information needs safeguarding more than ever before. Some information that particularly needs to be protected by companies includes personal health data as this is very sensitive information that most people don’t want to be shared or used against them for future decisions they may want to make. Some startups are pioneering new ways to make sense and drive productivity through data analytics and mining such as App Annie and Tamr. We anticipate investments in this space will only continue to grow alongside the growth of global data.”
- Anis Uzzaman, chief executive officer and general partner, Pegasus Tech Ventures
Encryption adds a valuable layer to data security efforts
“In today’s sophisticated threat landscape, customers expect that the enterprises they’re doing business with are protecting their data and privacy, no matter where in the world they are located. These expectations are shifting how businesses must now operate, especially considering they also need to adhere to an ever-widening set of data privacy regulations, including GDPR. While meeting these compliance regulations is complex and challenging, they cannot be ignored. A key part of this will be for businesses to plan their infrastructure, and data handling and storing processes accordingly.
“Most enterprises managing customer data are likely leveraging at least one form of cloud – which becomes increasingly complicated when different service providers have their own processes for remaining compliant. Enterprises can’t count on their providers’ compliance alone – they must ensure their own forms of protection as well. In order to still reap the benefits of cloud, enterprises seeking to uphold the highest standard of data privacy will increasingly turn to encryption to protect their critical information. As such, securing encryption keys becomes a necessary layer of added security.”
- Patrick Lastennet, director of enterprise, Interxion
Data privacy and security best practices are a ‘must have’ strategy
“As we are mindful of Data Privacy Day this January, we are reminded even more of how companies and their clients or customers need to stay hyper aware of ensuring that their data is safe and protected. This rings especially true when it comes to digital transformation and data migration, as the complexity of these processes leaves important data vulnerable and open to the risk of getting lost or hacked. When companies make the move to new application systems, it is essential to ensure a smooth transition by implementing best practices such as conducting a thorough inventory to determine no personal data is being collected, adequately backing it up, and properly protecting it with appropriate security platforms.”
- Steele Arbeeny, chief technology officer, SNP Group
Organizations must walk the walk, not just talk the talk, when it comes to protecting data
“Privacy is now front of mind for consumers and businesses. The GDPR has handed down financial penalties over the last year; combine that with the regulation in the States that has already emerged (CCPA) and the six or seven different legislative initiatives for securing consumer data, and the public is beginning to expect enterprises to protect their data.
“For enterprises to meet these rising expectations and comply with new legal guidelines, they’ll need to prove that they are investing in privacy. Companies who want to capitalize on this moment should seek to collect as little data as possible to reduce regulatory overhead and communicate clearly how that data is being used. This can be particularly challenging if it’s used in proprietary machine learning, but algorithmic transparency demonstrates that an enterprise is conscientious when it comes to data privacy. Companies should seek to embed data privacy as one of their core technological values and communicate this value as part of their customer-facing messaging, as several organizations have already been doing. (Apple has several ads out, for example, and has invested in privacy-related advertising at venues such as CES.)”
- Mike Kiser, global evangelist, SailPoint
Vendors and third parties can be your weakest link in data protection
“Data breaches often occur as a result of risk introduced by a business’s expanding third-party vendor ecosystem. This vulnerability has proven to be extremely costly – especially for healthcare providers, as third-party risks alone cost the healthcare industry $23.7 billion a year. To combat these risks, organizations need to continuously work to prevent or mitigate the severity of a vendor-related breach. To do this, it’s crucial to assess the risk being introduced to your end users by third parties regularly, and to work closely with vendors to ensure they’re protecting your end users’ data as stringently as your organization is.”
- Ed Gaudet, chief executive officer and founder of Censinet
New regulations are causing many organizations to rethink data protection programs
“With regulations like CCPA and GDPR we’re seeing a movement take shape, one that’s pushing brands to become more responsible custodians of their customer data. Additionally, these types of laws are also pushing consumers to care more about their personal information and rethink how their interactions on the internet, and what they share about themselves, put them at risk – and not just from a financial standpoint. Regulations like the CCPA expand the rights of consumers – specifically, it gives them the right to transparency and the right to make more educated choices about the information they share and want shared.
“For example, even before CCPA, California had already instated a new law requiring organizations to disclose to consumers whenever they are engaging with a bot – or non-human agent. The growing number of companies using bots within their customer experience has implications for consumer data privacy compliance, as more companies are now storing and processing data from customer interactions in order to make these autonomous systems work. The need to protect privacy and anonymity, as well as comply with data deletion requests, will put new demands on AI-driven systems that make conversational bots work.”
- Jack Mardack, vice president at Actian