Data Privacy Day stands as a crucial reminder in an era rife with cyber threats, highlighting the importance of safeguarding personal information in the digital world. It emphasizes the need for robust data protection strategies amidst escalating cyber attacks, serving as an educational platform to raise awareness about privacy rights and practices. In the face of growing online vulnerabilities, Data Privacy Day is a call to action for proactive measures in protecting our digital identities and assets. Security and privacy experts from around the industry share how organizations can bolster their data practices to protect their customers and end users in 2024.
Viktoria Ruubel, Managing Director of Digital Identity, Veriff
“As consumers and employees, we have all seen or experienced biometric technology in action. Fingerprints or “selfies” have replaced passwords, granting access to our smartphones and other devices. In business settings, face scans can enable entry into controlled access areas or even the office. However, while these tools have made identity verification easier and reduced some of the friction of identification and authentication, there’s growing concern around biometric data and privacy – biometric data is unique to each individual and permanent, making it one of the most personal forms of identification available.
As concerns mount and amid an escalation of regulatory action, users need greater transparency around collecting and using biometric data. Careful considerations are required to properly reflect the use of biometric data in public-facing policy and the approach to gathering and employing data around user consent and data security.
Data Privacy Week is a time to facilitate open dialogue around these risks and how to address them to strike a better balance between protecting users' privacy and demystifying their experience with technologies like biometrics. Organizations must be ready to balance user experience with effective security controls to ensure the highest levels of data privacy in all transactions.”
Theresa Lanowitz, Head of Evangelism at AT&T Cybersecurity
“Edge computing is the next generation of computing and is all about data. A characteristic of edge computing says that the applications, workloads, and hosting are closer to where data is being generated and consumed. And, edge computing is about a near-real-time and digital-first experience based upon the collection of, processing of, and use of that data.
This data needs to be free of corruption to assist with decisions being made or suggested to the user, which means the data needs to be protected, trusted, and usable. In response, strong data lifecycle governance and management will be a continued requirement for edge computing use cases.
Such data security is something a security operations center (SOC) will begin to manage as part of its management of edge computing, while working to understand diverse and intentional endpoints, complete mapping of the attack surface, and ways to manage the fast-paced addition or subtraction of endpoints.”
Carla Roncato, Vice President of Identity, WatchGuard Technologies
“Advances in artificial intelligence (AI) and machine learning (ML) technologies are top of mind this Data Privacy Day, both for the potential benefits and troubling dangers these tools could unleash. Considering the widespread proliferation of AI tools in just this past year, it’s critical that we in the information security community seize this opportunity to raise awareness and deepen understanding of the emerging risk of AI for our data. As AI becomes a more integral – and infringing – presence in our everyday lives, it will have real implications for our data rights. Remember, if a service you use is "free," it’s likely that you and your data are the product. This also applies to AI tools, so act accordingly. Many early AI services and tools, including ChatGPT, employ a usage model that’s similar to social media services like Facebook and TikTok. While you don’t pay money to use those platforms, you are compensating them through the sharing of your private data, which these companies leverage and monetize through ad targeting. Similarly, a free AI service can collect data from your devices and store your prompts, then use that data to train its own model. While this may not seem malicious, it’s precisely why it’s so crucial to analyze the privacy implications of processing scraped data to train generative AI algorithms. Say one of these companies gets breached; threat actors could obtain access to your data, and – just like that – have the power to weaponize it against you.
Of course, AI has potential upsides. In fact, many AI tools are quite powerful and can be used securely with proper precautions. The risks your business faces depend on your specific organization’s missions, needs and the data you use. In security, everything starts with policy, meaning that ultimately you must craft an AI policy that’s tailored to your organization’s unique use case. Once you have your policy nailed down, the next step is to communicate it, as well as the risks associated with AI tools, to your workforce. But it’s important to continue to revise or amend this policy as needed to ensure compliance amid changing regulations – and be sure to reiterate it with your workforce regularly.”
Sophie Stalla-Bourdillon, Senior Privacy Counsel & Legal Engineer, Immuta
“Privacy is now a top concern for individuals, while organizations still struggle to implement effective data protection safeguards when engaging in data analytics and AI practices. We’ve seen US states such as California passing their own privacy laws and drafting detailed regulations on cybersecurity audits, risk assessments, and automated decision making. Privacy by design in practice is a must-do to be able to effectively respond to the demands of augmented privacy regulatory frameworks. At the global level, it's becoming obvious that attempting to redirect data movements from one location to another to try to avoid data protection obligations is not a viable strategy for a variety of reasons. By reviving core, but often denigrated, data protection principles, such as purpose limitation and data minimization, with the recent take-off of purpose-based access control, new paradigms such as zero trust architecture and data mesh will help data teams to enhance transparency and accountability when building data architectures and organizational processes and to produce quality insights.”
Erik Gaston, CIO, Tanium
In an age when individuals produce almost 2MB of data every second, it is critical for companies to have proven, proactive and preventative security strategies in place to protect employee and customer data. It is also important to understand what data is coming in and out of the network and where it is being stored at all times.
Data breaches (both accidental and intentional), data mining, surveillance, and the potential misuse of personal data by corporations or governments all have the potential to expose personal information to unauthorized parties. To mitigate the risk, a few recommendations to achieve a proactive, preventative strategy – over one that solely relies on reactive data protection – include:
Actively managing passwords, authentication, social media and installed software / settings on personal devices
Choosing strong and unique passwords for all online accounts and updating them often
Having multi-factor authentication as an extra layer of security
Avoiding sharing ANY personal information online, especially on social media sites
Keeping software up to date
Understanding privacy settings on various devices and platforms and exercising your rights to control the collection and use of your data
Justin Daniels, Faculty at IANS Research
“Despite an increasing number of privacy laws around the world, many people still have little understanding of how much information is collected about them every hour of every day. In the United States, Congress has yet to pass meaningful privacy legislation at the federal level, resulting in a patchwork of privacy laws that vary from state to state. This lack of clear federal data privacy guidelines makes it painfully difficult for individuals to make informed decisions about how and when to share their personal data and what level of data protection to expect from the companies collecting it.
Adding to the confusion, people are increasingly likely to encounter misinformation and opinions presented as fact. Spreading misinformation is easy and nearly instantaneous in today’s digital environment, reinforcing personal bias despite the availability of trustworthy evidence. Rapid advancements in AI have aggravated the problem by making it easy to create deep fake voices and videos quickly and cheaply. Determining what is real and who to trust with your personal information has never been more difficult — or more important.
As we mark another Data Privacy Day, one goal should be for individuals to become more cautious about sharing their data for a discounted price or minor perk. As they become more data-privacy conscious, brands that protect and manage customer data responsibly will build trust with customers online, offline, and around the world.”
Patrick Harding, Chief Product Architect, Ping Identity
“Privacy is really about choice, trust, and giving customers autonomy over how their data is managed. A disheartening 10% of consumers have full trust in organizations that manage their identity data – and it shouldn’t be that way. It’s up to organizations to ensure customers understand how data is collected and are given a clear opt-in or opt-out option to feel secure and respected. This transparency and accountability go a long way in instilling brand loyalty, long-term trust, and a positive customer experience.
Ultimately, customers just want to know their data is being protected and not exploited. The majority (61%) of global consumers report that having privacy laws enacted to protect consumer data and knowing that the website vendor is complying with those regulations makes them feel more secure when sharing their information online.
Data Privacy Week serves as a great opportunity to underline the value of decentralized identity management, which improves data security and privacy, and empowers individuals with control of their data while reducing resource and compliance burdens for enterprises."
Doug Kersten, CISO, Appfire
“In today’s fast-paced, digital world, effectively sharing data between organizations is critical to business success, but there's a catch: You need to ensure that data adheres to privacy and compliance regulations. By complying with regulations such as GDPR and CCPA, organizations assure their users and other stakeholders that their privacy and data are adequately protected. This is critical to maintaining a high level of trust and transparency with customers, partners, and employees. But, remaining compliant has become increasingly complex for many enterprises especially since data privacy regulations have introduced more stringent requirements and regulations are constantly changing. Security reviews and audits are also becoming a necessity for enterprise SaaS companies to remain industry-compliant as the threat landscape evolves. AI has also had a significant impact on data privacy with regulators still working on what that impact means, so companies will need to make sure they are flexible, fast, and holistic in their response.”
Kevin Breen, Director of Cyber Threat Research at Immersive Labs
"As sensitive data is increasingly pushed to the cloud and stored in global data centers, data sovereignty and data security remain key issues facing CISOs and security teams this year. With the top cause for cloud data breaches being human error, it’s more important than ever to ensure that both security and DevSecOps teams continue to keep pace with the evolving threat landscape and continuously measure organizations' cyber capabilities and fill the skills gaps to better address such threats. This goes beyond knowing the tools and techniques threat actors are employing; it’s equally critical to know how to deploy and secure customer and personal data. This applies to both the architects behind data security and employees themselves.
First, as third-party SaaS and PaaS platforms that hold organizations' data come under pressure to ensure information is properly stored and controlled, it’s vital for architects and security professionals to work closer together to ensure a secure environment is designed from the outset. Security is paramount as ransomware continues to be a large data privacy factor as organizations are plagued with double extortion attempts. Just this past year, Caesars Entertainment paid $15 million to ransomware gangs specifically to avoid customer data being published online.
Second, in 2023, Haveibeenpwned identified around 40 websites that suffered significant data breaches resulting in tens of millions of data records and PII being made available to threat actors around the globe. This should sound alarms for organizations to not only keep their own data secure, but also be aware of how staff and users are impacted by data breaches on other sites. Poor password hygiene is a common contributing factor in cyber incidents where credential stuffing and phishing attacks can expose corporate data as well as personal users."
Pukar Hamal, CEO and founder, SecurityPal
“The landscape of data privacy is evolving rapidly, especially as AI technologies have magnified the value of data. Instances like the New York Times vs. OpenAI case underscore this transformation, illustrating how even news articles can be pivotal for training sophisticated AI models. Today, enterprises must prioritize not only protecting their data from malicious threats but also maintaining its integrity to preserve enterprise value. This requires a nuanced approach to data management, focusing on robust safeguards and a comprehensive understanding of data's evolving role.
Enterprises will develop more sophisticated methods to deploy AI, focusing on maintaining maximum control over their data and the technologies used. The growing abundance of AI solutions and the rapid democratization of this technology are shifting the market in favor of enterprises, offering them a range of choices to meet their specific privacy and operational needs. When selecting the solution and provider, enterprises should critically assess the provider's commitment to data security and their capability to sustain this commitment.
Data privacy is not a “set and forget” initiative. A proactive approach and constant re-evaluation of data protection strategies are necessary to keep organizations’ and individuals’ data private and secure – not just during Data Privacy Week, but year-round.”
Andrea Malagodi, CIO, Sonar
"Data privacy today is turning into an old challenge with “new clothes” thanks to the AI-provided solutions now available to employees (the upload of data to websites). The reality is, mostly due to lack of education, that "Convenience beats Security" — malicious actors would typically rely on this to provide conversion websites (JSON to CSV as an example) and use these sites to collect data for possible attacks. The new AI sites also ask you to upload or grant access to content, which may even be worse, but not in that they service malicious intents. Any data that is shared is unlikely to have any privacy guarantees attached to it, and data shared is likely to be part of new training, as the AI services have an ever-increasing hunger for data.
Companies should develop a clear policy around Generative AI, educate employees, and ensure that the data classified at the highest tier stays safe from any sharing to AI services to help secure the data. Companies should also contract with providers that can create privacy protections around shared data. Gen AI is here to stay, so facing it fully and developing your strategy is key to the successful protection of your assets."
Larry Whiteside, Jr., CISO at RegScale
“Privacy is an evolving aspect of our digital landscape, and its significance has been shaped by a pivotal driver: consumers actively expressing the importance of their data, particularly in the aftermath of numerous breaches compromising consumer information. Additionally, companies have been avidly engaging in data collection to gain valuable insights into the consumers they serve. Consequently, organizations are now under greater pressure than ever to handle data responsibly, which is particularly daunting for those managing large volumes of data. However, by adhering to a few fundamental principles, organizations can effectively navigate the demands of privacy regulations.
Principle #1 – Understand Your Data: To comprehend the privacy implications for your organization, it is imperative to be aware of the data at your disposal. This requires a thorough investigation to identify the type of data, its location, users, and access. Although seemingly simple, this task can be complex, emphasizing the critical importance of Principle #2.
Principle #2 – Establish Ownership: Ownership is key for the execution of any program or process. To ensure accountability, assemble a team of stakeholders with board-level visibility to establish policies and standards governing the organization's use, collection, and maintenance of data.
Principle #3 – Implement Sensible Controls: At a high level, three control categories—physical, technical, and administrative—need consideration. These controls serve as the linchpin for determining how to handle Privacy Data effectively and align with Privacy Regulatory mandates.
Principle #4 – Minimize Unnecessary Data: Organizations often collect data for specific purposes without establishing processes for its proper disposal once it becomes obsolete. Failure to address this exposes companies to unwarranted risks. Following Principle #1 allows organizations to identify data that should be disposed of to mitigate potential risks.
Principle #5 – Continuous Improvement: Many organizations halt their efforts after completing these fundamental exercises, which can be detrimental. A "rinse and repeat" approach can ensure that privacy measures remain effective, adapting to evolving circumstances. Ceasing at this point risks rendering previous efforts obsolete, as the context of data evolves over time."
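The inventory step behind Principle #1 and the disposal step behind Principle #4 are easier to reason about with a concrete pass over data. The following is an added example, not code from the article or from RegScale: it scans constructed sample records for a few common PII categories, records where each record lives and which team owns it, and flags records that have not been used within a retention window as disposal candidates. The regex patterns, the 365-day retention window, the record locations and the sample records are all assumptions made for illustration.

```python
"""
Added example (not part of the original article or RegScale's code): a small
data-inventory pass in the spirit of Principle #1 (understand your data) and
Principle #4 (minimize unnecessary data). Patterns, retention window and
sample records are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Detection patterns (assumed for illustration; tune them for your own data).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of PII categories detected in a blob of text."""
    found = set()
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if name == "card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue  # digit run that is not a plausible card number
            found.add(name)
    return found


@dataclass
class Record:
    location: str   # system or path where the record lives (Principle #1)
    owner: str      # accountable team (Principle #2)
    last_used: date
    content: str


@dataclass
class Finding:
    location: str
    owner: str
    categories: set
    disposal_candidate: bool


def inventory(records, today: date, retention_days: int = 365):
    """Keep only records that hold PII; flag those unused past the retention window."""
    cutoff = today - timedelta(days=retention_days)
    findings = []
    for r in records:
        categories = classify(r.content)
        if not categories:
            continue
        findings.append(Finding(r.location, r.owner, categories, r.last_used < cutoff))
    return findings


def summarize(findings):
    """Per location: how many PII records, how many are stale, which categories."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f.location, {"records": 0, "stale": 0, "categories": set()})
        entry["records"] += 1
        entry["stale"] += int(f.disposal_candidate)
        entry["categories"] |= f.categories
    return summary


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    Record("crm/db", "sales", date(2023, 11, 2), "Contact alice@example.com, phone (555) 123-4567"),
    Record("s3://exports/2019", "marketing", date(2019, 6, 1), "Card on file 4111 1111 1111 1111 for bob@example.org"),
    Record("wiki/onboarding", "it", date(2023, 12, 20), "Welcome to the team! Ticket queue is at port 8080."),
    Record("s3://exports/2019", "marketing", date(2019, 6, 1), "Lead: carol@example.net"),
]

TODAY = date(2024, 1, 28)  # reference date for the retention check

if __name__ == "__main__":
    for location, info in summarize(inventory(SAMPLE_RECORDS, TODAY)).items():
        print(f"{location}: {info['records']} PII records, {info['stale']} past retention, "
              f"categories={sorted(info['categories'])}")
```

Run as-is, the inventory reports that the 2019 export bucket holds two PII records, both past retention, while the CRM record is current. That location-and-owner view is what the disposal decision in Principle #4 needs; the Luhn check shows why a pure regex inventory needs a validation step, since a digit run that is not a valid card number is dropped rather than reported.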
Jeff Reich, Executive Director at the Identity Defined Security Alliance (IDSA)
“More and more of us wake up every day realizing that the amount of control that we have over our digital identities is less than we believed yesterday. Not only do each of us need to take more effective control over our identities, but we also find that the custodians of our data, whom we trust, need to do more as well. While legislators and leaders take steps to address this issue, most are far enough removed from the actual goings-on that they don’t know how to create the appropriate laws. The time it takes to enact legislation means we are months, if not years, behind where we need to be.
The European Union’s General Data Protection Regulation (GDPR) was an excellent first step towards achieving this goal. Some US states have adopted their customized version of that. Federal laws are a patchwork, focused on specific verticals such as banking or healthcare. Adding this to the picture across the rest of the globe, and you can see the magnitude of the problem.
We have an underlying problem of poor security across many platforms and applications, leading to untrustworthy privacy provisions. This issue is compounded by the patchwork of privacy laws that drives many organizations to focus on compliance with whatever they feel applies to them. They may believe that compliance leads to security when, in fact, good security leads to compliance.
Adding AI into the equation means that we don’t know what needs to be done, by whom, and if that is even the identity that I think I am working with. Multi-Factor Authentication (MFA) is adding trust and friction at the same time. As a global society, we need to evolve to more seamless solutions that can add trust to identity management and confidence in what we do.”
John Allison, Director of Public Sector, CheckMarx
“Data Privacy Day occurs every year on January 28th, and is an international event to raise awareness regarding data privacy. Companies that store your data have legal, and I’d argue moral and ethical obligations to protect your data. These companies collect your data for a reason, to make money. This means that they will process your data with their software to meet their business objectives.
Underlying any company’s ability to protect your data is their, and their vendor’s, application security programs. If they buy a firewall which has a poor application security program that resulted in exploitable bugs in their firewall, it isn’t much of a firewall. The same for the company's own application. If their application contains multiple exploitable vulnerabilities, or if their infrastructure is insecurely configured, the likelihood of your data being compromised increases. At this point I think everyone understands that there is no such thing as perfect security, but everyone should expect a minimal level of protection. This includes that those stewards of your data understand their legal, moral, and ethical obligations and have responded with an effective application security program. If they can’t at least do that, maybe, just maybe, they shouldn’t be storing anyone’s data.”
Carl D’Halluin, CTO, Datadobi
“On January 28, we celebrate Data Privacy Day. Initiated in the United States and Canada in 2008 by the National Cyber Security Alliance, its aim is to raise awareness and promote privacy and data protection best practices.
I would say the number one data privacy best practice is pretty simple: make sure you can get the right data to the right place at the right time. Wherever the data is in its lifecycle, it should be protected and only accessible as needed. Of course, this tends to be easier said than done. But, there is perhaps nothing more critical and imperative than implementing the right strategies and technologies to do so. After all, while data is an organization's most valuable asset (in addition to its people), it also represents its greatest potential risk.
Balancing these two aspects is key. In other words, effective data management enables you to optimize your business intelligence, make faster and smarter decisions, and gain a competitive edge, as well as better meet business requirements such as internal governance and legal mandates, external regulations, and financial obligations and goals.”
Don Boxley, CEO and Co-Founder, DH2i
“Data privacy isn't just important for businesses - it is a matter of corporate survival. A company can make just one small mistake, neglect one small security check-box, and the consequences can be catastrophic. One small mistake could lead to a data breach that causes legal and regulatory fines, as well as irreparable damage to the company's reputation -- a nightmare from which recovery is near-impossible.
A software-defined perimeter (SDP) solution could be the answer! Many SDP solutions are engineered to provide secure network connectivity across on-prem, cloud, and hybrid environments. SDP enables its users to transform their traditional network-based perimeter security with a more sophisticated one that creates micro-perimeters around data. SDP enables secure connections between data centers and across private and public cloud platforms without needing a VPN or direct connect, thereby significantly reducing security vulnerabilities even further. In addition, for those focused on data protection and privacy, SDP enables the ability to create secure tunnels for specific applications, as opposed to entire network access. Ideally, such a solution would be streamlined and straightforward to manage, equipped with an intuitive interface that eases the configuration, and ongoing management of secure connections. This combination -- increased security, ease-of-use, and adaptability - makes SDP the ideal choice for protecting data and ensuring data privacy."
Steve Santamaria, CEO, Folio Photonics
“On Data Privacy Day, we are reminded of the business-critical importance of safeguarding sensitive information – both professional and personal – at a time when data breaches and cyber threats have become all too common. For data protection professionals, this should not be viewed as a gentle nudge but rather a polite - yet strong shove toward reviewing and fortifying the technology and policies that serve as the underpinnings of your data protection strategy.
How can anyone not admire those responsible for their organization’s data protection? As we in the business know – it's no walk in the park! The good news is of course, that smarter and more powerful technology solutions continuously enter the marketplace, ready to take their place in the data protection professional's arsenal. Active archives built on an optical storage foundation can offer an ideal data protection solution for several compelling reasons. Firstly, they provide a high level of security as data stored on optical discs is read-only, rendering it resistant to cyber threats like ransomware. Optical storage is also highly durable -- able to withstand physical damage from factors like magnetic fields, moisture, and temperature fluctuations, ensuring the safety of critical data. What’s more, optical storage media boasts a long lifespan, making it ideal for data archival and compliance requirements while also being cost-effective in the long term. And last but certainly not least, it can be easily air-gapped - adding a virtually impenetrable defense against a cyber-attack.
Retrieving data from optical storage is quick and reliable due to fast read speeds, making archived data readily accessible. And if that isn't enough -- it is environmentally friendly, consuming less energy and having a lower carbon footprint compared to alternative storage options.”
Kris Lahiri, co-founder and CSO of Egnyte
"As we head into 2024, organizations and individuals are beginning to navigate an increasingly complex data privacy landscape, with companies storing more personally identifiable information (PII) while adhering to modern data privacy regulations enacted nationwide and globally, with 71% of countries today having some legislation currently in place.
More customers are considering how companies will use and store their data before agreeing to do business with them, especially with the recent advancements companies are making with AI, so on Data Privacy Day, it is vital to review your data privacy policies and how to serve your customer base best.
As AI technology becomes more commonplace, users will try to leverage these tools with their company data, much like during the "shadow IT" era. While heavily regulated companies may create explicit blocks on these tools, a more prudent approach is to review how these technologies protect the data privacy of the data that they use. Consider adding a company-wide AI policy to complement your data privacy policy.
In the U.S., 12 state consumer privacy laws are active today, with more plans to be enacted by the end of the year. This momentum around privacy regulations is going strong, so take the time to review new data privacy regulations and how they apply to your business. Don't wait for a formal compliance request to get your privacy practices in order – stay one step ahead.
Stay proactive by updating your data privacy policies and mapping your company data. Understand where your structured and unstructured data lives, how it is used, and who has access to it. By having a complete picture of the data that your organization stores, you can also see the potential risks that may arise so that you can bolster your cybersecurity defenses."
Lakshmikant Gundavarapu, Chief Innovation Officer, Tredence
“In an era dominated by big data, businesses are increasingly harnessing the power of AI models such as ChatGPT to revolutionize efficiency and elevate customer service standards. However, this surge in AI adoption comes hand in hand with substantial data privacy concerns, particularly prevalent in data-intensive sectors like banking and consumer goods. The pivotal challenge lies in effectively leveraging these advanced AI tools without compromising the confidentiality of sensitive information or violating stringent privacy regulations.
Enterprises must embrace robust data privacy strategies to navigate this complex landscape successfully. This involves meticulous data classification to identify and safeguard sensitive information, minimizing the data input into AI models and implementing advanced techniques like data masking and encryption. Equally essential are stringent access controls and secure data-sharing practices to thwart unauthorized access attempts.
A standout solution in this intricate ecosystem is synthetic data. By crafting data that mirrors authentic patterns yet contains no sensitive information, businesses can confidently train and test AI models without risking privacy breaches. This innovative approach presents a dual advantage: It not only fortifies privacy safeguards but also preserves the utility of data for diverse AI applications.
In essence, businesses must strike a delicate balance—capitalizing on the vast potential of AI while safeguarding data privacy. The incorporation of synthetic data emerges as a prudent step in this direction. In our digitally-driven world, responsible AI usage is not just a strategic choice but a technical necessity. It forms the bedrock for upholding customer trust and maintaining industry reputation in an increasingly interconnected and privacy-conscious landscape.”
Marcus Scharra, CEO of Senhasegura
"As we enter 2024, it's clear that modern privacy regulations are on track to encompass most consumer data, reshaping how organizations manage and protect this valuable asset.
It is crucial to note that data privacy is not merely a compliance checkbox but also a strategic asset. However, few organizations are working in this direction. According to Gartner, by the end of 2024, modern privacy regulations will cover the majority of consumer data. However, less than 10% of organizations are expected to leverage privacy as a competitive advantage effectively.
Forward-thinking companies recognize that robust privacy programs can set them apart from competitors, developing trust with customers, partners, investors, and regulators while enabling more effective and responsible data usage. As the regulatory landscape continues to evolve, with regulations like GDPR, CCPA, and LGPD, non-compliance is no longer an option. Embracing proactive and comprehensive data privacy measures is now integral to business strategy in the digital age, offering a path toward success and resilience in an era of increased data security concerns."