Experts Share How Data Privacy Has Evolved, What We're Missing, and What's to Come

This post is part of our 2023 Data Privacy Week series. Data privacy is essential for maintaining trust in institutions that collect and use personal information. Without strong data privacy protections in place, individuals may not feel comfortable sharing their information, which can harm innovation and progress. Data Privacy Week raises awareness about the importance of data privacy and the protection of personal information. During this week, individuals, organizations, and governments come together to promote education and best practices for protecting personal data. We heard from data privacy experts from across the industry on how data privacy has evolved, what we're missing, and what could be on the horizon.

Eve Maler, CTO, ForgeRock

This Data Privacy Week, it’s critical to pay close attention to the increased use of artificial intelligence (AI) in the age of social media. Consumer-accessible AI is increasingly making its way into popular social media sharing applications. For instance, enhancing self portraits with AI to then share with followers on social media is the latest trend in photo editing applications. However, in doing so, consumers are handing over biometrically-significant data – a dozen or more photos of your face – to an unknown third party. The service’s privacy policy, security protections, AI model particularities, and trustworthiness gain new importance in light of the need to share so much data.

Biometrics have special requirements when it comes to keeping personal data safe and secure. Service providers need to make ethical management of biometric data a guiding principle. Pay special attention to meaningful user consent and to oversight of data management. Performing facial recognition also exposes the service to a wealth of derivable personal data, such as age, gender, ethnicity, and health. Decentralized device-based storage of biometric data is always safest.

Julian Zottl, Chief Technology Officer - Cyber Protection Solutions, Raytheon Intelligence & Space

There have been many breaches of consumer and personal information in recent years from hackers and ransomware cybercriminals attacking government, businesses and organizations looking for whatever data they can find to make money, protest, or prove themselves. What can the average person do?

• Be a knowledgeable consumer. Know when you opt into things that you are trusting your information to that business or organization. Always ask if you would want that information made public.

• Only provide the minimum information necessary.

• Create long unique passwords for each account. At least 12 characters preferably 20. Use passphrases instead of passwords to make it easier to remember.

• Use a password manager to create strong passwords and store them for you. Understand this can be breached as well.

• Turn on multi-factor authentication. Use an authentication app, and not text messages which can be more vulnerable, on your phone.

• Keep your phone, computer, tablets, browsers, etc. up to date with the latest software updates.

• Be a savvy user and be mindful of phishing attempts in every form of communication you have.

• Be wary of any devices that you bring in to your home and what information they might be sharing.
  

Alfredo Hickman, Head of Information Security, Obsidian Security

This year’s Data Privacy Week themes are about coming together on both an organizational and individual level to ethically leverage, store, and secure sensitive data. For organizations, this means acting transparently and in good faith when managing customer data, and respecting the vulnerable nature of the information if accessed by a malicious actor. It’s also important for companies to comply with regulatory oversight as most of the traction in improving data security, privacy, and ethics comes from regulation rather than market forces.

Individuals can do their part by providing the least amount of information required to engage with a business or service while taking the time to learn what is actually done with that information. Many don’t realize that their data is often shared with third-parties outside the direct control of the organization. In the future, I’m hopeful that states like California—who are adopting more stringent privacy regulations than others—will compel the federal government to follow their lead to avoid the growing Balkanized data privacy landscape we’re seeing in the US today. In the meantime, however, individuals must remain vigilant in understanding their data privacy rights and reading the fine print when choosing the organizations with which they are willing to share their story.

Mark Ailsworth, VP of Partnerships, Opaque Systems

This Data Privacy Week it is important to remember that privacy is more than just a set of rules AdTech must abide by -- It has become a critical part of AdTech's commitment to consumer safety, and is now woven into corporate mission statements, as it should be. But more must be done to regulate and mitigate data mishandling and malfeasance. Via the GDPR, Europe has maintained a strong approach to such regulatory needs, but the US market has a very long way to go. For example, just look at the massive fines that Meta faces for violating consumer control standards. Their approach to "contractual assumption" with users is not an issue in the US, but it soon will be. The emerging industry privacy laws at a state level will consume US-based privacy experts for the near term, affecting not only companies based in those states, but those advertising to consumers in those states.

Looking into the next year, the biggest advancement the industry will see is the merging of "confidential computing" principles with existing data governance regulation. There will be an array of PETs, or privacy-enhancing technologies, that come onto the scene and get evaluated by the industry. Some will be integrated into operating systems and browsers, but most will be enabled via ad hoc solutions like data clean rooms. For more on that see the IAB's PETs plan (https://iabtechlab.com/pets/). Given that a (mostly) free and open internet is (mostly) supported by ad revenue, ensuring that earning ad revenue is not overly complicated by privacy standards is vital to practically any company with a website. Organizations like the IAB are working on this, and the downstream effects on consumer data should be that personalization capabilities evolve while those engaged in nefarious practices will dissolve.

Theresa Lanowitz, Head of Cybersecurity Evangelism, AT&T Business

Edge computing is all about data – collecting, using, and enriching. In 2023, we should expect more emphasis and focus placed on this data including its collection, management, use, and governance. This means that from a security perspective, we can expect to see solutions that focus on the data lifecycle to help ensure data governance policies are automated and enforced. As more edge applications are deployed, the sheer amount of data will multiply at a rapid scale. Data, at the heart of the edge app, needs to be protected, intact/trusted, and usable.

All of an organization's edges and edge use cases by design will connect across an increasingly distributed network architecture. Gone are the days in which enterprise network architecture included two distinct places in the network: the campus and the data center. Today's enterprise has an expanded geographic footprint, along with an increasingly global dispersion of applications, workloads, and employees. This reality requires a reexamination of network architectures and how network architectures align with current business dynamics, which includes planning for extraordinary volume, velocity, and variety of data, while determining what a data life cycle means for the organization. By placing IT resources on the edge, closer to where data is generated and consumed, organizations can more effectively drive business, technology, and operational outcomes. In response, it is critical to make sure that this data lifecycle is managed with the proper data governance policies.

Jason Keogh, Field CTO, 1E

Data Privacy Week should be a time for organizations to focus on striking a balance between driving a positive digital employee experience - or DEX - without compromising security. Not only do draconian security controls lead to bad DEX, but they also lead to users trying to find workarounds to security challenges – which can create a myriad of security and privacy implications for personal and organizational data. Users may try to circumvent security controls by creating or storing company data on personal devices or personal clouds, or accessing company apps or data from unprotected personal devices because they think their work device is restrictive. To address these challenges, organizations should implement real-time controls and exception handling in order to implement a successful DEX strategy without impacting data privacy and security.

Poojan Kumar, Co-founder and CEO, Clumio

In the last three months alone, there have been at least a dozen high-profile data breaches and ransomware attacks impacting school districts, higher educational institutions, and education technology companies (e.g., Chegg, McGraw Hill, and Illuminate). For a sector that is supposed to be a custodian of sensitive information for millions of students— including financial, demographic, health, and transcript data—its overall security practices have been woeful. Unfortunately, given the rampant use of unencrypted cloud databases, publicly accessible unstructured data buckets, and unsecure backups, these breaches are hardly shocking. Despite requiring adherence to the Children's Online Privacy Protection Act (COPPA) and the Family Educational Rights and Privacy Act (FERPA), many companies and institutions in the educational sector still continue to be lax about student data protection. Data Privacy Week is a time to refocus our attention on where security is needed most and what essential changes need to be made in 2023 and beyond. Any identifiable information needs to be encrypted, access controlled, and backed in immutable air gapped cloud vaults. This ensures that even if a data breach occurs, the information remains secure and cannot be accessed or tampered with, and there’s always a safe copy to recover from. Educational institutions and edtech companies must take these basic data security steps to protect the privacy of our students.

Following Data Privacy Week, Clumio will be hosting a virtual event on Protecting Student Data in 2023, where we will deep-dive into data security practices for educational institutions and edtech companies storing student information in the cloud.

Chad Peterson, Managing Director, NetSPI

Several privacy regulations (GDPR, HIPAA, FERPA, CPRA) are in place to protect data from being exposed to unintended recipients, however the increasingly sophisticated threat landscape means the focus in 2023 and beyond must be on on how to ensure that an environment remains in a state of security. The proliferation of social engineering attacks such as vishing and deepfakes makes employees and consumers particularly vulnerable to hackers, making the need for security education more and more important. By conducting regular penetration testing, an organization can check that they have successfully remedied known issues and identify any new concerns due to new equipment, configuration changes, or even missed patches on software or hardware.

Almog Apirion, CEO and Co-Founder of Cyolo

Data Privacy Day aims to increase awareness over the need to protect employee and customer data while adhering to regulatory laws such as GDPR or CCPA. Even if newer regulations are highlighting today's major need for data protection, this is not something new - in fact, the first legally binding international privacy and data protection treaty, Convention 108, was signed well before today’s regulations in 1981. Because of our greater reliance on digital technology to govern most of both individual and organization facets, it is important to reconsider what, when and where as well as with whom it is shared with others. Data Privacy Day is a component of the worldwide "STOP. THINK. CONNECT." campaign for online privacy, security and safety.

Strong data privacy is more critical than ever — particularly in response to the recent growth of cyberattacks and the expansion of data perimeters due to hybrid work. One way of mitigating today's vulnerabilities is to provide rigorous identity-based access control. To safeguard themselves, enterprises' collaboration and communications tools require a robust zero-trust framework to protect all forms of user data. Identity-based access control enables businesses to strengthen their security posture while also gaining visibility and control over their most critical systems. The reality is that hackers today don’t break in, they log in. Enterprises can get complete control and visibility of their entire IT infrastructure while mitigating against advanced threats by implementing a modern zero-trust solution and adopting stringent authentication requirements. As more risks emerge, organizations will be more prepared than ever to counter threats and safeguard data and business-critical infrastructure.

###