Data Privacy Day 2021: Aftermath - Part 2
Data privacy has drastically changed in the past year. Massive regulation fines were served and privacy culture rapidly evolved during the COVID-19 pandemic. We asked cybersecurity and data privacy experts for their take on the state of data privacy and what we should expect in the year ahead in this expert insights series.
Mike Kiser, Senior Identity Strategist, SailPoint:
"In the past year, consumers and enterprises alike elevated data privacy to a critical requirement for their digital lives—rising as an indicator of health and a safeguard against the risk of exploitation. This ‘assessment of health’ currently plays a role on both the individual and societal levels:
On the individual level, users are shifting rapidly to systems and applications that ensure their privacy. Enterprises such as Apple are beginning to emulate nutrition labels with their online store applications, providing end-users the opportunity to make ‘healthy’ choices. If there was any question about individual’s desire for privacy, the recent shift from WhatsApp to other messaging platforms such as Signal and Telegram (as many as 1.3 million in a single day) demonstrates that how identity data is protected is a key feature for the public at large.
On the societal level, while nations such as the United States wait on the creation of national privacy regulation, the discussion around data privacy is currently being driven by the worldwide pandemic. Covid19 and the subsequent vaccination initiatives raise new questions about the intersection of societal health and individual privacy. Covid19 contact-tracing applications present challenges for privacy; a trade-off is being made that exchanges some individual data to protect the population at large. A similar choice exists as vaccination becomes more widespread: how do you prove that you’ve been vaccinated without revealing more identity data than necessary? Organizations such as the Vaccine Credential Initiative seek to answer these questions in a standardized way (but these solutions raise questions of fairness and access to technology, which were already issues that surfaced by the pandemic).
Data privacy, then, has expanded its impact over the last twelve months, rising to become a ‘vital sign’ for the health of both society and individuals."
Greg Martin, VP & GM of Security, Sumo Logic:
“Data Privacy Day highlights an important issue that affects everyone in the world as we become fully digitalized in all aspects of our life, from social media to online shopping and in business. Digital privacy abuse spans much deeper than what we hear about constantly in the news with social media and tech companies, it's now become a core responsibility of any traditional company doing any part of their business digitally, and that's a huge responsibility that requires change and investment. The good news is that there is a new role rapidly appearing in corporate America, the "Chief Digital Privacy Officer," which typically has direct responsibility to the board.”
Joseph Carson, chief security scientist and Advisory CISO at Thycotic:
“Data privacy will, and already is, evolving into a Data Rights Management issue.
Citizens’ privacy will continue to be under the spotlight in 2021. The end of privacy as we know it is closer than you may think. Privacy definitions are very different between nation states and cultures, however, one thing that is common is that privacy is becoming less and less of an option for most citizens. In public and online, almost everyone is being watched and monitored 24/7 with thousands of cameras using your expressions, fashion, walk, directions, interactions, and speech to determine what you need, what you might be thinking, who you are going to meet, who is nearby, and even algorithms that determine what your next action might be.
Regulations will continue to put pressure on companies to provide adequate cyber security measures and follow the principle of least privilege to protect the data they have been entitled to collect or process.
I believe the big question, when it comes to data privacy, is “How is citizens’ data being used, collected and processed?” Ultimately data privacy will evolve into Data Rights Management which means rather than giving up personal data for so called free use of internet services, citizens should and can get paid for allowing their personal data to be used for marketing purposes. It will become more about how the personal data will be used, and what monetization is resulting from the data. In the future everyone will become an influencer this difference is how much is it worth.”
Heather Paunet, Senior Vice President at Untangle:
“Data Privacy Day is a date well worth noting for businesses of all sizes. It is easy to let a whole year go by after performing an assessment of data access privileges and user access privileges. Having a ring on the calendar is a reminder that puts the importance of this assessment back top of mind once a year.
Software providers can use this day to review new features they are planning to deliver within the next six to twelve months and make sure that GDPR and similar requirements are included as part of the implementation.
Businesses can also review their own IT policies. IT departments should review who has access to different types of data and remove access from anyone that doesn’t have to have that access. In a year, employees’ roles within a company can change and their responsibilities and what they need access to may also change.
Data privacy is not only about stopping data from being stolen, but it’s also about trust of the information that we access and use in good faith. If someone’s personal information can be stolen and used such that that person’s identity could be misrepresented, that can cause widespread knock on effects of misinformation. For example, the Twitter accounts of Barack Obama, and Jeff Bezos were hacked in 2020. Someone with their Twitter accounts would have the ability to reach and influence millions of people who have trust in the things they tweet.”
Rajesh Ganesan, Vice President of ManageEngine:
“Too often employees assume that privacy is the responsibility of a small handful of people, such as the IT department, and therefore are quick to blame them when a violation occurs. Data privacy is the responsibility of everyone and that each individual has both a privilege and duty to protect any data they are privy to.”
This year, Rajesh is urging people to take more responsibility to safeguard data by taking a “Personal Privacy Pledge” – a pledge he has coined in the hopes to create more individual accountability and get people to be more aware of their online behaviors. With this pledge, he also encourages company leaders to hold individual employees accountable for not doing their due diligence when it comes to securing data, and enforce measures such as mandated privacy checks and revoked access if employees violate security measures – both of which are deployed within ManageEngine and have helped to strengthen the companies’ overall security posture. In the pledge, Rajesh also urges business leaders to re-evaluate their companies “privileged access” accounts, noting just because someone has a C-Suite title, does not mean they should have full access permissions.
“Data has never been more ubiquitous. As it becomes more geographically dispersed and accessed across remote environments – it’s, unfortunately, never been more at risk. As the value of corporate and personal data continues to rise, and the lines continue to blur in storing and using this data across work and personal devices, different data can be pieced together and lead to large vulnerabilities. Whether a small business or a Fortune 500 enterprise, this moment in data privacy calls for improved digital hygiene, achieved through strong, unique passwords, two factor authentication, and hardening networking ports."
“Nobody likes surprises, and a data privacy matter is the least desirable surprise for an organization to face. To avoid any surprises, organizations should look to a few key techniques to ensure top-down data protection.
It starts with well-implemented identification techniques that help in understanding what data an organization has under management. Additional stages such as security protections, detecting and analyzing data for normal access, usage and integrity, will ensure the data meets its expected lifecycle. Should anything go awry with that data or how it is consumed, stored etc., organizations will be ready to respond and recovery from any incident that may occur – be it an external threat actor or an internal data mishap.
That said, the hard work happens on the front end with identification. Organizations can’t recover what they don’t know they had (or how it was used). This remains one of the biggest privacy challenges today, with the ever-increasing influx of data and a strong push for ubiquitous access from remote environments. My advice is to invest more on the front side of this framework to pave the way for more options in the later stages. The NIST cybersecurity framework should be a helpful asset for any organization.
As data privacy becomes more important than ever, these tips can help organizations to avoid those common pitfalls, and avoid any surprises in their data protection efforts.”
Jason Hodgert, Product Marketing Manager, Spirion:
“I think 2021 is when we will see the tipping point in a shift that has been building for a while. Individuals are more aware than ever of the transactional nature of their personal information. They are growing more and more conscious of how valuable their data is to the organizations that possess it.
The conversations people were having ten years ago centered around the collection and possession of data. This is evidenced by the focus of the regulations at the time that brought in things like cookie disclosure and opt-in – versus opt-out – checkboxes. While individuals have become more or less resigned to the fact that organizations will obtain pieces of their personal data in exchange for “free” services, they are becoming more acutely attuned to what is done with that data, including with whom it is shared and why.
Real transparency will no longer be optional in 2021. As people better understand the transactional aspects of their data, more and more will choose to do business with organizations that treat it properly and are open about how they do so.”
Scott M. Giordano, Esq., V.P. and Sr. Counsel, Privacy and Compliance, Spirion:
“A data inventory (a/k/a an Article 30 Record of processing activities or RoPA) is fundamental component of any privacy or data protection program. It is a living database of all personal data under an organization’s control or care and answers such questions as “Who has access to our personal information?” and “Wow is our personal information protected?” Every organization should endeavor to create an inventory, even if not legally required, because it enables privacy managers the ability to understand the state of their data processing activities and identify emerging risks. A properly maintained inventory is also invaluable in advancing compliance with a variety of data protection laws.”
Jordan Ellington, Founder, SecureReview:
“You may think that computer security is about locking down devices or keeping passwords safe. But there’s another aspect of data privacy that is often overlooked: the PC endpoint. To be sure that data leaks can’t occur, companies need to consider the human factor in cybersecurity.
Right now, WFH due to COVID-19 opens up a big opportunity for data leaks, because hackers understand that home computers are not as secure as internal networks. Companies that allow employees to work on unsecured home computers take a major risk. Consider all of the confidential information that people working at home are handling. Without proper protection, the risk is real. There is a highly effective way to stop the flow of private data. What is needed is a virtual bubble around the home PC where only authorized users can access documents and data. Technologies like machine learning and biometrics ensure that data stays safe so that everyone’s privacy is protected.”
Brendan O’Connor, CEO and Co-Founder at AppOmni:
The way organizations store data has shifted rapidly to the cloud. At the same time, SaaS vendors that house sensitive data have grown in scope and complexity. They have evolved into complex platforms that provide access not only to internal users, but also to external users, 3rd party apps, contractors, and managed service providers. In short, there are now many more access points to data housed in the cloud. Unfortunately, these relatively new access points are often unknown, or simply overlooked, by enterprise security teams. This has created a massive opportunity for attackers to exploit these applications, which is why we’ve seen so many successful hacks in recent weeks and months. To ensure data privacy for everyone, security teams need to take ownership of data governance in cloud applications.
Specifically, organizations need to:
Have visibility to which 3rd party applications have access to their data, and actively manage that access on a continuous basis
Ensure that external users have the appropriate level of access to data. AppOmni has found that external users are over-provisioned and have access to sensitive data in over 95% of enterprises
Continuously review the permissions for internal users and ensure that they are not able to inadvertently expose sensitive data
Tom Pendergast, Chief Learning Officer, MediaPRO:
“The essence of Data Privacy Day to me is the realization that data privacy is everyone’s responsibility. From the boardroom to the loading dock, everyone has a role to play. From a training and awareness perspective (where I come from), one of the best ways to do this is to provide education that employees can use both at work and at home.
For the majority of employees, many of the attributes of the sensitive data they handle as part of their job should be recognizable when it comes to keeping their own information secure. When an organization goes about educating their employees on their own data privacy requirements, I’ve seen success using a “golden rule” approach. That is, telling employees to treat the data they handle as part of their job the same way they’d want their own data treated. This more personal approach makes privacy more “real” and less theoretical. Most employees do need to know the letter of the law. What’s often best is taking a principles-based approach to data privacy that they can use both at work and at home.
Whether you plan to recognize Data Privacy Day on just Thursday, January 28, or extend it into the entire week, this occasion is the perfect opportunity to reinforce the importance of handling sensitive data with respect, no matter where it’s found.”
Isabelle Dumont, Vice President of Market Engagement at Cowbell Cyber:
“The digital footprint of people and businesses has expanded exponentially over the past year because of the pandemic and remote work. We spend more time online, connecting through video conferences, shopping on e-commerce sites, or sharing stories in online communities. Data Privacy Day in 2021 is a great reminder and an opportunity for all to assess and fine-tune how they engage online so that both personal and professional information remain safe.”
Tim Wade, Technical Director, CTO Team at Vectra:
“It is not by accident that social considerations of privacy have been at the center of the pursuit of justice, equity, and freedom as it relates to civil liberties and rights. And as organic and digital existence converge, this continued frontier increasingly becomes anchored to how the data and digital footprints created by individuals are both respected and protected – by individuals themselves, and the awareness they bring to the importance of this matter, and by the organizations and institutions that come to steward what ultimately must still belong to its creator.
Too often, discussions of personal privacy tend to inject tension between the protections of an individual against the protections of society at large. In reality, the erosion of personal protections for privacy are also erosions against the protections of society at large; undermining the protection, safety, and security of individual privacy degrades the cultural and social fabrics of trust, liberty, and fairness to the detriment of that society. And as such, the erosion of the privacy of others around us is, in effect, erosion of our own wellbeing.
If there is a call to action on this topic, it is that we must be open eyed about the importance of data privacy – for ourselves, and for others – and that the choices we make will directly affect our lives and our livelihood, and the social fabrics we pass to the next generation.”
Rita Gurevich, Founder and CEO, SPHERE Technology Solutions:
“In the enterprise world, there is an increased focus on protecting data from internal and external threats, especially across highly regulated corporations. Safeguarding sensitive data, including your employee and customer data, is not a “should do” concept anymore but a “must do” directive coming from the top. Whether its regulatory bodies or internal auditors enforcing the proper data privacy and data protection practices, the repercussions financially and from a reputation perspective, are reason enough for companies to focus their attention to implementing a Least Privileged Access model.
Proactive measures, such as ensuring only the appropriate personnel have access to only the data they need to perform their job functions, is a central theme. Cleaning up the mountains of inappropriate entitlements is step 1 and many organizations are recognizing that this foundational requirement is not as easy as it may superficially seem but a mandate that must be achieved.
We predict that organizations will start to go back to the basics and fine tune their practices for basic inventory of all their data repositories with more in-depth analytics on the state of their access controls. Remediation and ongoing certification of entitlements will expand in coverage, automation will be critical, and the onus on the business to partake in these processes will be more of a business-as-usual expectation. This is actually a positive effect and forces not just IT and Security teams to accept this onus and will create a culture of Security First across all business units within an organization.”
Dirk Schrader, Global Vice President at New Net Technologies (NNT):
“Users, consumers have far too often that notion of “I have nothing to hide” or “How much can they do with my data?” The inconvenient answer is “a lot” as there are many ways of using the gender, the age, the location (inferred from the IP address) can influence what kind of services are marketed, how often a user sees an ad just to name some less nefarious examples. This kind of profiling might seem harmless but overall it enables businesses to select which products, which services they offer and a what price levels. That is why the call to action for individuals “Own You Privacy” deserves a lot of Kudos.
For businesses analyzing the data they collect about users and consumers, the calls for Protection and Transparency should ring loud in the ears of those at the top. If data is the verbatim ‘new oil’ for digitalized business models, should a business not be doing its utmost to protect that from being stolen, copied, encrypted for a ransom. And if it is transparent about those data processing processes in place (the how’s and why’s), it not only earns some trust, but it also enables itself to protect the different processes according to their criticality for the business. And they should not stop to dig deeper in that transparency – at least for their internal purposes – and collect information about the systems in use for that processing, the status of these, how vulnerable they are, how often unexpected changes happen to them. That will build the solid base needed to protect the business process, which will help to protect the data of consumers, which will increase the trust of those consumers in the company, and – finally – make it easier for them to share more details with a trusted organization.”
Mohit Tiwari, Co-Founder and CEO at Symmetry Systems:
"You need not give up data privacy so that organizations can thrive off of personalized advertising or by hosting customer data in a Software-as-a-Service (SaaS) application. Road safety is a great example where protocols and training sets appropriate expectations among drivers, bikers, pedestrians, etc. Similarly, there is considerable research and new commercial tools for organizations to measure how customer data is used internally and safeguard it -- and the recent exodus towards Signal shows that respecting customer privacy can actually be good for business.
Imposing reasonable fines is indeed a good way to make measuring and improving data risk a board-level priority. And this can only be good for both customers and enterprises that host their data."
David Levin, Head of Product, Satori:
"Companies who make their consumers privacy a top priority must embed the principles of responsible use of data across all aspects of their business. When doing so, companies have to balance data analysts' ability to execute their tasks with the default tendency to restrict data access on a need-to-know basis. In many cases, such restrictions are too complicated to map or implement, which creates an unmanageable data engineering reality. To overcome it, companies need to go through the exercise of abstracting the business principles behind access to data, which in turn will simplify data governance for data-driven companies."