The general focus of DPD is to inform consumers about the need to maintain the privacy of their data and to assist them in this quest. For corporations, their focus on privacy entails the need for companies to not only uphold privacy practices but also data security practices.
Let’s investigate what privacy means to both consumers and corporations a bit further below.
Privacy for Consumers and Organizations
Have you ever used a random story generator? Along with related poetry, lyric and song generators, they are lots of fun and can provide tons of laughter.
What isn't fun is when companies protect their data the same way. The ideas and inputs might be good, but when an organization's policies and practices are assembled piecemeal across regulatory compliance, engineering, DevOps, marketing and customer service, instead of being aligned with the different privacy and security requirements each of those areas carries, nobody ends up with a 360-degree view of where user data resides and how it is protected. The end product is something that works for the moment but can result in monetary fines and lost customer trust down the road.
Data privacy for individuals is closely linked to personal security practices: enable 2FA, set a PIN or passcode so a stolen device stays locked, don't share passwords, and follow a few other basics. However, recent events (recent being, say, the last five years) have demonstrated that individual privacy is most often violated en masse when companies holding customer data are breached, and when those organizations have to admit (more often than is comfortable) that at least one of the same foundational protections was lacking on their side. Examples include no 2FA on administrative accounts, an unprotected internet-facing database, over-broad privileges and poor key and certificate management.
What makes protecting user data and privacy so tough?
There’s some ambiguity surrounding concepts such as data collection, data storage, what defines personal data and what the economic value of certain data is. The number and complexity of regulations is determined by what industry an organization is in, where business is performed and how much and what types of data are collected. The regulatory landscape is ever-changing (e.g., the rise of CMMC and potential NYPA changes).
Why is privacy such a big deal?
This question can be phrased another way: How much does it cost when privacy regulations and policies are violated? Here are some examples:
- In 2019, a tech giant was fined €50 million ($56.6 million) by a European data protection authority for multiple GDPR violations; the fine was upheld on appeal in 2020.
- In 2019, another tech giant was fined $5 billion for violating consumers' privacy rights.
I'm leaving out the company names on purpose because the point of this post isn't to name-and-shame. It’s to point to the need for companies to do all that's possible to protect their customers' data.
Then there’s the fall of Privacy Shield. What invalidated it? The framework had good intentions and the practices involved were sound, but in July 2020 the Court of Justice of the European Union ruled that it did not give EU citizens protection essentially equivalent to what they have under EU law: US surveillance law could override the framework's commitments, and EU citizens had no effective means of redress. Such a ruling shows that data privacy is taken seriously enough in the EU to be treated as a fundamental right, not merely a compliance checkbox.
How can corporations achieve privacy protection?
We can get ahead of the curve by defining those terms (data collection, data storage, what counts as personal data) in black and white within our own companies and protecting the data to the best of our ability. We can also take the strictest privacy and security regulations in our industry, even if they do not yet apply to us, and work toward them.
With that said, at least one person in each organization needs to play the role of Information Security and Privacy Leader. This is a title I just now made up, but whatever the title might be (CISO, CTO, CIO, ISO, etc.), someone needs to have a pivotal role in managing and delegating the various security and privacy needs. The role is pivotal because that person will need to be able to integrate with all of the other roles in the company (no pressure here, of course) and be able to provide both Strategic and Tactical leadership.
Some ideas for both of these areas of focus are as follows:
- Develop a roadmap of the upcoming security goals (e.g., Zero Trust, CCPA and PIPEDA compliance).
- Share this roadmap with involved parties.
- Participate in key corporate meetings (e.g., Engineering planning, Product development).
- Make a corporate security awareness training plan.
- Make a continuing education plan for those who interact with the data. (I see this question more and more on security questionnaires.)
- Develop/Update your GRC program.
- Define each term used (data collection, private data, entry points, etc.).
- Enable 2FA for all employees.
- Register your domain with haveibeenpwned.com.
- Remain on the lookout for regulatory changes.
- Write policies that align with regulations. (Everyone needs policies!)
- Don't mistake obfuscation (encoding, scrambling, hiding fields) for protection; it is reversible without any secret. Use encryption to protect the confidentiality of personal data at rest and in transit, and understand what anonymization and pseudonymization do and do not buy you: pseudonymized data (like encrypted data) is still personal data under GDPR because whoever holds the key can re-identify it, while only properly anonymized data falls outside the regulation's scope.
- Check those permissions: who and what can read, write and share the data, on file shares, databases, cloud storage buckets and SaaS integrations alike.
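The distinction between obfuscation, an unkeyed hash and a keyed pseudonym is easy to state and easy to get wrong in practice, so here is an added example (not code from the original article or from the author's organization) that makes it concrete. It uses only the Python standard library. The email address, the secret key and the attacker's guess list are all constructed for the demonstration; in a real deployment the key lives in a secrets manager, separate from the data it pseudonymizes.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample input: a customer identifier we want to keep in an
# analytics table without revealing who the person is.
EMAIL = "alice@example.com"

# Constructed attacker guess list. In reality this is every address the
# attacker can scrape, buy or derive from a previous breach.
GUESSES = ["bob@example.com", "alice@example.com", "carol@example.com"]


def obfuscate(value: str) -> str:
    """Base64 'obfuscation': no secret is involved, so anyone can undo it."""
    return base64.b64encode(value.encode()).decode()


def deobfuscate(token: str) -> str:
    """The inverse needs nothing but the token itself."""
    return base64.b64decode(token).decode()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256. Looks one-way, but email addresses are guessable,
    so the token can be matched by recomputing the hash over candidates."""
    return hashlib.sha256(value.encode()).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Deterministic, so records for the same
    person stay linkable, but recomputing it requires the secret key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def reidentify_by_guessing(token: str, guesses, fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: apply fn() to each guess and compare to the token."""
    for guess in guesses:
        if hmac.compare_digest(fn(guess), token):
            return guess
    return None


def demo() -> dict:
    """Run each technique against the same guessing attack and report
    which ones reveal the original email."""
    key = secrets.token_bytes(32)        # the controller's secret, held separately
    wrong_key = secrets.token_bytes(32)  # what an attacker without the key has

    return {
        # Obfuscation is undone directly, no guessing needed.
        "obfuscated_reversed": deobfuscate(obfuscate(EMAIL)),
        # Unkeyed hash: guessing works because the input space is small.
        "unkeyed_hash_reversed": reidentify_by_guessing(
            unkeyed_hash(EMAIL), GUESSES, unkeyed_hash),
        # Keyed pseudonym without the key: guessing fails.
        "pseudonym_without_key": reidentify_by_guessing(
            pseudonymize(EMAIL, key), GUESSES, lambda v: pseudonymize(v, wrong_key)),
        # Keyed pseudonym with the key: the key holder can re-identify,
        # which is exactly why pseudonymized data is still personal data.
        "pseudonym_with_key": reidentify_by_guessing(
            pseudonymize(EMAIL, key), GUESSES, lambda v: pseudonymize(v, key)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last result is the one that matters for the compliance argument: the pseudonym only protects the data from parties who lack the key, and the organization itself still holds it, so the record remains in scope of GDPR. When the value has to be recovered later (for example, to honor a deletion or access request), use authenticated encryption such as AES-GCM from a vetted library rather than any of the three functions above; an HMAC is deliberately not reversible even with the key.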
Securing data is a formidable task, and the proliferation of technology, the speed of data transfer and the increase in the number of regulations don't help one bit. But understanding the "why?" of protection will provide organizations with the impetus they need to search for and develop the necessary tools, technology and talent for the task.
About the Author: Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company’s BCP/DR TTX, and is a HIPAA Security Officer. Over the course of his 20-year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP and CompTIA’s Security+ certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.