Data privacy has changed drastically in the past year. Massive regulatory fines were issued, and privacy culture evolved rapidly during the COVID-19 pandemic. For this expert insights series, we asked cybersecurity and data privacy experts for their take on the state of data privacy and what we should expect in the year ahead.
Mike Kiser, Senior Identity Strategist, SailPoint:
"In the past year, consumers and enterprises alike elevated data privacy to a critical requirement for their digital lives—rising as an indicator of health and a safeguard against the risk of exploitation. This ‘assessment of health’ currently plays a role on both the individual and societal levels:
On the individual level, users are shifting rapidly to systems and applications that ensure their privacy. Enterprises such as Apple are beginning to emulate nutrition labels with their online store applications, providing end-users the opportunity to make ‘healthy’ choices. If there was any question about individuals’ desire for privacy, the recent shift from WhatsApp to other messaging platforms such as Signal and Telegram (as many as 1.3 million in a single day) demonstrates that how identity data is protected is a key feature for the public at large.
On the societal level, while nations such as the United States wait on the creation of national privacy regulation, the discussion around data privacy is currently being driven by the worldwide pandemic. COVID-19 and the subsequent vaccination initiatives raise new questions about the intersection of societal health and individual privacy. COVID-19 contact-tracing applications present challenges for privacy; a trade-off is being made that exchanges some individual data to protect the population at large. A similar choice exists as vaccination becomes more widespread: how do you prove that you’ve been vaccinated without revealing more identity data than necessary? Organizations such as the Vaccine Credential Initiative seek to answer these questions in a standardized way (but these solutions raise questions of fairness and access to technology, which were already issues that were surfaced by the pandemic).
Data privacy, then, has expanded its impact over the last twelve months, rising to become a ‘vital sign’ for the health of both society and individuals."
Greg Martin, VP & GM of Security, Sumo Logic:
“Data Privacy Day highlights an important issue that affects everyone in the world as we become fully digitalized in all aspects of our life, from social media to online shopping and in business. Digital privacy abuse spans much deeper than what we hear about constantly in the news with social media and tech companies; it's now become a core responsibility of any traditional company doing any part of their business digitally, and that's a huge responsibility that requires change and investment. The good news is that there is a new role rapidly appearing in corporate America, the "Chief Digital Privacy Officer," which typically has direct responsibility to the board.”
Joseph Carson, chief security scientist and Advisory CISO at Thycotic:
“Data privacy will, and already is, evolving into a Data Rights Management issue.
Citizens’ privacy will continue to be under the spotlight in 2021. The end of privacy as we know it is closer than you may think. Privacy definitions are very different between nation states and cultures; however, one thing that is common is that privacy is becoming less and less of an option for most citizens. In public and online, almost everyone is being watched and monitored 24/7 with thousands of cameras using your expressions, fashion, walk, directions, interactions, and speech to determine what you need, what you might be thinking, who you are going to meet, who is nearby, and even algorithms that determine what your next action might be.
Regulations will continue to put pressure on companies to provide adequate cyber security measures and follow the principle of least privilege to protect the data they have been entitled to collect or process.
I believe the big question, when it comes to data privacy, is “How is citizens’ data being used, collected and processed?” Ultimately data privacy will evolve into Data Rights Management, which means rather than giving up personal data for so-called free use of internet services, citizens should and can get paid for allowing their personal data to be used for marketing purposes. It will become more about how the personal data will be used, and what monetization is resulting from the data. In the future everyone will become an influencer; the difference is how much it is worth.”
Heather Paunet, Senior Vice President at Untangle:
“Data Privacy Day is a date well worth noting for businesses of all sizes. It is easy to let a whole year go by after performing an assessment of data access privileges and user access privileges. Having a ring on the calendar is a reminder that puts the importance of this assessment back top of mind once a year.
Software providers can use this day to review new features they are planning to deliver within the next six to twelve months and make sure that GDPR and similar requirements are included as part of the implementation.
Businesses can also review their own IT policies. IT departments should review who has access to different types of data and remove access from anyone that doesn’t have to have that access. In a year, employees’ roles within a company can change and their responsibilities and what they need access to may also change.
Data privacy is not only about stopping data from being stolen, but it’s also about trust of the information that we access and use in good faith. If someone’s personal information can be stolen and used such that that person’s identity could be misrepresented, that can cause widespread knock-on effects of misinformation. For example, the Twitter accounts of Barack Obama and Jeff Bezos were hacked in 2020. Someone with their Twitter accounts would have the ability to reach and influence millions of people who have trust in the things they tweet.”
Rajesh Ganesan, Vice President of ManageEngine:
“Too often employees assume that privacy is the responsibility of a small handful of people, such as the IT department, and therefore are quick to blame them when a violation occurs. Data privacy is the responsibility of everyone, and each individual has both a privilege and duty to protect any data they are privy to.”
This year, Rajesh is urging people to take more responsibility to safeguard data by taking a “Personal Privacy Pledge” – a pledge he has coined in the hope of creating more individual accountability and getting people to be more aware of their online behaviors. With this pledge, he also encourages company leaders to hold individual employees accountable for not doing their due diligence when it comes to securing data, and to enforce measures such as mandated privacy checks and revoked access if employees violate security measures – both of which are deployed within ManageEngine and have helped to strengthen the company’s overall security posture. In the pledge, Rajesh also urges business leaders to re-evaluate their companies’ “privileged access” accounts, noting that just because someone has a C-Suite title does not mean they should have full access permissions.
Response from Dave Russell, VP of Enterprise Strategy, Veeam:
“Data has never been more ubiquitous. As it becomes more geographically dispersed and accessed across remote environments – it’s, unfortunately, never been more at risk. As the value of corporate and personal data continues to rise, and the lines continue to blur in storing and using this data across work and personal devices, different data can be pieced together and lead to large vulnerabilities. Whether a small business or a Fortune 500 enterprise, this moment in data privacy calls for improved digital hygiene, achieved through strong, unique passwords, two-factor authentication, and hardening networking ports.”
Response from Rick Vanover, Senior Directo