Data Privacy Day is not just a day anymore. For the first time, it’s Data Privacy Week — a week-long effort to empower individuals and enterprises worldwide to respect privacy, safeguard data, enable trust, and just as important, raise awareness and promote privacy and data protection best practices.
This year, the National Cyber Security Alliance (NCSA) promotes and encourages enterprises to respect privacy. According to the Pew Research Center, 79% of U.S. adults report being concerned about how companies are using their data — as such, respecting consumers’ privacy is a crucial strategy for inspiring trust and enhancing reputation and growth in your business by being open and honest about what data is collected, used and shared with third parties.
In addition, the NCSA is encouraging enterprises to take the following steps to achieve and maintain privacy:
- Conduct an assessment: Conducting a review of data collection practices is a critical step to understanding which privacy laws and regulations apply to your enterprise. Just as critical is maintaining oversight of partners and vendors as to how they collect and use consumers’ personal information.
- Adopt a privacy framework: Researching and adopting a privacy framework can help you manage risk and create a culture of privacy in your organization by building privacy into your business. Get started by checking out the following frameworks: NIST Privacy Framework, AICPA Privacy Management Framework, ISO/IEC 27701 – International Standard for Privacy Information Management.
- Educate employees: Organizations can create a culture of privacy by educating employees about the role they play in protecting assets and information.
To create dialogues among stakeholders, raise awareness and encourage compliance with privacy laws, Security compiled detailed perspectives, as well as some tips for better protection of sensitive corporate data, from the following security industry experts:
Erkang Zheng, Founder and CEO, JupiterOne:
The industry is grappling with a fragmentary approach to privacy, which has significant security implications. From a security standpoint, it’s a massive challenge because there is no single global privacy standard to build upon, which leaves room for errors.
Security is often a game of details, so as the privacy landscape becomes increasingly complex, it introduces more things that can go wrong. In addition, a patchwork approach makes operations difficult as security professionals must understand and implement the disparate privacy and compliance regulations from around the world and jerry-rig them together for business continuity.
Ideally, an international consortium would address these diverse privacy rules worldwide. New privacy rules create complexity, and not just from a compliance standpoint. They also create operational complexities for security teams.
We need to see greater simplification on the process side, driven by the unification of regulations. So many things sound great on paper, but how practical is it to implement security across so many different regulatory frameworks? At the very least, national rules will need to come together for organizations to implement a cohesive privacy framework for each country. By not reaching some consensus about privacy, we introduce greater risks for everyone to stand up with adequate security protections.
Corey O’Connor, Director of Products, DoControl:
Data privacy has been top of mind for both individuals and organizations alike. Global, national and local regulations require companies of all sizes and types to have the appropriate cyber security measures in place to prevent PII from making its way into the public domain. From a business perspective, the negative implications for non-compliance with some of these regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), are significant. At the individual or consumer level, people are more frustrated than ever with losing control over how their own PII is handled, manipulated and processed by businesses.
Software as a service (SaaS) applications are a critical data source for business today. These productivity and collaboration tools are what drive the business forward. PII files and data are enveloped in many of the SaaS applications the business utilizes. Whether it’s data within SFDC or files exchanged over Slack, many of the tools and technologies being leveraged by organizations today are not granular enough to prevent data leakage or data exfiltration. There’s a need to go deeper down the stack and introduce granular data access controls across the SaaS application data layer.
Industry regulations evolve. Cyberattackers’ techniques improve and evolve as well. Organizations need to have the right people, process, and technology in place to stay one step ahead and establish a strong data privacy program that effectively mitigates the risk of non-compliance and a data breach.
Archie Agarwal, Founder and CEO, ThreatModeler:
A major part of data privacy is safeguarding the data. And when it comes to safeguarding data, we feel organizations should operate from a very simple paradigm: identify all the threats and then mitigate them.
Safeguarding data means different things to different organizations. But for those involved in developing software systems, we feel strongly that the best way to identify all the threats and mitigate them is by incorporating threat modeling right into their development lifecycle. It’s the most effective way to identify threats prior to deployment, which is obviously preferable.
Heather Paunet, Senior Vice President, Untangle:
In today’s connected era, people disclose personal data during dozens of daily interactions, from online shopping, healthcare portals, social media, wearable devices to streaming services. This data is used to create profile-specific experiences across a multitude of devices and mediums, resulting in personalized, effective marketing campaigns.
However, the information users give in exchange for a personalized experience can be very attractive to hackers, yet there is a growing concern about how companies are using information. As a result, many people want to trust that the companies they give their information to will keep it safe, but it also means consumers must take some privacy matters into their own hands to keep their data safe.
As more high-profile data breaches and cyberattacks come to light, customers are looking to businesses to strike a balance between data protection and collection.
To ensure compliance with current and new regulations, businesses need to understand the data they’re taking in and who has access. Laws such as the Colorado Privacy Act (CPA), with similar versions in CCPA and CDPA, include a requirement to conduct a data protection assessment. This is an important first step that any business collecting consumer data should take. Businesses will need to understand what is being collected and how to protect customer data while continuing employee education about data ownership and protection.
In addition, businesses need an effective strategy to communicate how customer information is collected, used and when it may be sold or disclosed for business-related purposes. Transparency in data collection is a foundational pillar for businesses looking to maintain a trusting relationship with their customers.
Mohit Tiwari, Co-Founder and CEO, Symmetry Systems:
You do not need to give up data privacy so that organizations can thrive off of personalized advertising or by hosting customer data in a software-as-a-service (SaaS) application. Road safety is a great example where protocols and training set appropriate expectations among drivers, bikers, pedestrians, etc. Similarly, there is considerable research and new commercial tools for organizations to measure how customer data is used internally and safeguard it — and the recent exodus towards Signal shows that respecting customer privacy can actually be good for business.
Imposing reasonable fines is indeed a good way to make measuring and improving data risk a board-level priority. And this can only be good for both customers and enterprises that host their data.
Dan Frank, US Privacy leader, Deloitte Risk & Financial Advisory:
As CCPA-like privacy laws replicate domestically and GDPR-like privacy regulations replicate globally, many organizations are wondering how they can withstand the operational impacts. As increased amounts of individual rights requests, preference and consent changes, as well as privacy-by-design requests associated with business and technology innovation come in, there’s a lot to manage in data privacy today and in the future. Emerging technology and various third-party operational support services (e.g., co-sourcing, out-sourcing) will play a critical role in helping organizations keep up with constantly increasing data privacy demands. Emerging privacy technology will help automate historically manual privacy processes, making them less labor-intensive and time-consuming. Operational support services for more transactional privacy responsibilities will help alleviate the workload of internal resources, freeing them up to focus their time on more strategic organizational privacy needs.
Vikram Kunchala, Cyber Cloud leader, Deloitte Risk & Financial Advisory:
When organizations adopt a cloud-first strategy, it is critical that they understand the data they have, how it is used, who is using it, when it is in motion, and where it is located. In fact, after a pandemic-driven race to the cloud, leading organizations are now focusing on privacy-by-design to build and hone cloud security for data privacy and protection that addresses relevant current customer privacy, regulatory and data residency requirements. Once data privacy is addressed in cloud strategies, organizations can also discern what data can securely and permissibly be leveraged to drive business insight and agility, as well as to engender customer trust.
Naresh Persaud, managing director in Cyber Identity Services, Deloitte Risk & Financial Advisory:
One approach to data privacy cannot work for every organization, individual or geography, as expectations around privacy differ vastly. Despite the fact that many individuals share considerable amounts of personal data online, organizations are expected to provide strong data privacy and protection within increasingly more tailored digital experiences for customers. Trying to innovate without ensuring necessary privacy regulatory compliance, data privacy and protection guardrails are in place risks considerable brand loyalty damage and regulatory scrutiny.
Ricardo Amper, CEO and Founder, Incode:
There are many misconceptions about how facial recognition technology is currently used. However, despite the reported privacy mishaps and concerns, consumers have a true inclination to embrace this technology. Trust is essential and is often missing when consumers aren’t at the forefront of the conversation around privacy. The individual must be put first, which means getting their consent. The more individuals feel that they can trust the technology, the more open they will be to using it in additional capacities.
Troy Saunders, Chief Information Security Officer, CentralSquare Technologies:
As organizations collect and manage more data than ever before, data privacy regulations are becoming more critical to ensure citizens’ personally identifiable information is protected. It’s important to remember that access to data should not come at the expense of sacrificing data privacy and security.
Data Privacy Week reminds us of the value of data to empower governments to make informed decisions and collaborate across jurisdictions and state lines. Whether it be through GDPR, HIPAA, FERPA, PPRA, or state and local data privacy and protection legislation, public and private sector organizations must work together to balance privacy, security and trust to build smarter and safer communities for the future.
Craig Lurey, CTO and Co-Founder, Keeper Security:
People’s personal data has become a hot commodity. As a result, we have seen a record number of cyberattacks and data breaches in recent years as cybercriminals will stop at nothing to get their hands on people’s data. Personal data is used for advanced social engineering attacks, password stuffing attacks and ransomware attacks against companies and individuals.
Despite this, people and companies do not pay enough attention to the tools and software that access their personal and corporate data. Rigorous vetting of software installed by end-users on mobile and desktop devices is not taking place in many cases, which may inadvertently place user and corporate data at risk.
As we mark Data Protection Day, it is therefore critical to highlight the importance of using powerful and sophisticated tools that properly secure people’s data. Users should pay particular attention that the software has strict privacy policies and utilizes a zero-knowledge architecture, which ensures that the company developing the software cannot access or decrypt the user’s data stored within. This is key if consumers and business users want to make sure their personal and sensitive data is — and continues to be — well protected.
Joseph Carson, chief security scientist and Advisory CISO, ThycoticCentrify:
The notion of real ‘privacy’ is perhaps something that no longer truly exists. Internet-connected device usage has exploded in recent years, bringing huge changes to our society, but this has come with risks as we’re all tracked and monitored 24/7.
It means we need to consider not just data privacy, but the safeguards that govern how data is collected and processed. Thanks to stricter regulations, the public now has a greater say on how their data is used, but regulatory bodies need to continue to pressure companies and governments to maintain good cybersecurity practices, incorporating the principle of least privilege to protect collected data and provide users with transparent access to such data.
Our personal data is becoming more and more profitable, and many will begin to ask how citizens will be incentivized, or perhaps paid, for their data. What will the future hold for personal data ‘renting’?
Ryan Abraham, virtual CISO, Wisetail:
Data privacy is incredibly important in the HR industry. HR professionals are entrusted with employees’ sensitive data — from social security numbers to phone numbers to home addresses and more — so it’s vital that every company takes the proper steps to ensure that data is safe.
One important step here is to certify your organization as SOC 2 compliant. SOC 2 is based on five factors — security, availability, processing integrity, confidentiality, privacy — and the certification tells users that your organization maintains a high level of information security and handles their data responsibly. Additionally, SOC 2 compliance ensures that your organization has implemented security practices to defend itself from cyberattacks and breaches.
Another great way to honor Data Privacy Day this year is to start regular employee training on data privacy best practices, which can be easily created and assigned to your team through a learning experience platform (LXP). These training courses can educate employees on how to spot a phishing attack, create strong passwords, avoid suspicious and dangerous websites, and more. Your employees are your first line of defense against data privacy threats, so it’s essential that they are equipped to keep themselves and your business safe.
Software bots — little pieces of code that do repetitive tasks — exist in huge numbers in organizations around the world, in banking, government and all other major verticals. The idea behind them is they free up human staff to work on business-critical, cognitive and creative work, but also help improve efficiency, accuracy, agility and scalability. They are a major component of digital business.
The privacy problem arises when you start to think about what these bots need so they can do what they do. Much of the time, it’s access: If they gather together sensitive and personal medical data to help doctors make informed clinical predictions, they need access to it. If they need to process customer data stored on a public cloud server or a web portal, they need to get to it.
We’ve seen the problems that can arise when humans get compromised, and the same can happen to bots — and at scale. If bots are configured and coded badly, they can access more data than they need to, and the output might leak that data to places where it shouldn’t be.
Likewise, we hear about insider attacks and humans being compromised to get at sensitive data virtually daily. Machines have the same security issues; if they can access sensitive data and they aren’t being secured properly, that’s an open door for attackers — one that can put individuals’ privacy at risk. Attackers don’t target humans to get to data; they just target the data. If machines, especially those in charge of automated processes (think repeatable tasks like bank transfers, scraping web data and moving customer data files), are the best path to take to get to it, that’s the one they will choose.