To stay connected with patients, healthcare providers are turning to telehealth services. In fact, 34.5 million telehealth services were delivered from March through June, according to the Centers for Medicare and Medicaid Services. The shift to remote healthcare has also impacted the rollout of new regulations that would give patients secure and free access to their health data.
The shift to online services shines a light on a major cybersecurity issue within all industries (but especially healthcare where people have zero control over their data): consent.
Hand over data control
Data transparency allows people to know what personal data has been collected, what data an organization wants to collect and how it will be used. Data control provides the end-user with choice and authority over what is collected and even where it is shared. Together the two lead to a competitive edge, as 85% of consumers say they will take their business elsewhere if they do not trust how a company is handling their data.
Regulations such as the GDPR and the CCPA have been enacted to hold companies accountable unlike ever before – providing greater protection, transparency and control to consumers over their personal data.
The U.S. Department of Health and Human Services’ (HHS) regulation, which is set to go into effect in early 2021, would provide interoperability, allowing patients to access, share and manage their healthcare data as they do their financial data. Healthcare organizations must provide people with control over their data and where it goes, which in turn strengthens trust.
How to earn patients’ trust
Organizations must improve their ability to earn patients’ confidence and trust by putting comprehensive identity and access management (IAM) systems in place. Such systems need to offer the ability to manage privacy settings, account for data download and deletion, and enable data sharing with not just third-party apps but also other people, such as additional care providers and family members.
The right digital identity solution should let the organization orchestrate user identity journeys, such as registration and authentication, in a way that lets it configure security and user-experience choices together.
It should also enable the healthcare organization to protect patients’ personal data while offering end-users a unified means of controlling their data consents and permissions. Below are the four key steps companies should take to earn trust when users hand over data control:
- Identify where digital transformation opportunities and user trust risks intersect. Since users are becoming more skeptical, organizations must analyze “trust gaps” while they are discovering clever new ways to leverage personal data.
- Consider personal data as a joint asset. It’s easy for a company to say consumers own their own personal data, but business leaders have incentives to leverage that data for the value it brings to their business. This changes the equation. All the stakeholders within an organization need to come together and view data as a joint asset in which all parties, including end-users, have a stake.
- Lean into consent. Given the realities of regulations, a business often has a choice to offer consent to end-users rather than just collecting and using data. Seek to offer the option – it provides benefits when building trust with skeptical consumers, as well as when proving your right to use that data.
- Take advantage of consumer identity and access management (CIAM) for building trust. Identity management platforms automate and provide visibility into the entire customer journey across many different applications and channels. They also allow end-users to retain the controls to manage their own profiles, passwords, privacy settings and personal data.
Providing data transparency and data control to the end-user enhances the relationship between business and consumer. Organizations can achieve this trust with consumers in a comprehensive fashion by applying consumer identity and access management that scales across all of their applications. To see these benefits before regulations like the HHS regulations go into effect, organizations need to act now.
Increasingly demanded by consumers, data privacy laws can create onerous burdens on even the most well-meaning businesses. California presents plenty of evidence to back up this statement, as more than half of organizations that do business in California still aren’t compliant with the California Consumer Privacy Act (CCPA), which went into effect earlier this year.
As companies struggle with their existing compliance requirements, many fear that a new privacy ballot initiative – the California Privacy Rights Act (CPRA) – could complicate matters further. While it’s true that if passed this November, the CPRA would fundamentally change the way businesses in California handle both customer and employee data, companies shouldn’t panic. In fact, this law presents an opportunity for organizations to change their relationship with employee data to their benefit.
CPRA, the Californian GDPR?
Set to appear on the November 2020 ballot, the CPRA, also known as CCPA 2.0 or Prop 24 (its name on the ballot), builds on what is already the most comprehensive data protection law in the US. In essence, the CPRA will bring data protection in California nearer to the current European legal standard, the General Data Protection Regulation (GDPR).
In the process of “getting closer to GDPR,” the CCPA would gain substantial new components. Besides enhancing consumer rights, the CPRA also creates new provisions for employee data as it relates to their employers, as well as data that businesses collect from B2B business partners.
Although controversial, the CPRA is likely to pass. August polling shows that more than 80% of voters support the measure. However, many businesses do not. This is because, at first glance, the CPRA appears to create all kinds of legal complexities in how employers can and cannot collect information from workers.
Fearful of having to meet the same demanding requirements as their European counterparts, many organizations recoil at the prospect of the CPRA becoming law. That fear is unfounded: in reality, if the CPRA passes, it might not be as scary as some businesses think.
CPRA and employment data
The CPRA is actually a lot more lenient than the GDPR in how it polices the relationship between employers and employees’ data. Unlike its EU equivalent, the proposed Californian law already contains many exceptions acknowledging that worker-employer relations are not like consumer-vendor relations.
Moreover, the CPRA extends the CCPA exemption for employers, set to end on January 1, 2021. This means that if the CPRA passes into law, employers would be released from both their existing and potential new employee data protection obligations for two more years, until January 1, 2023. This exemption would apply to most provisions under the CPRA, including the personal information collected from individuals acting as job applicants, staff members, employees, contractors, officers, directors, and owners.
However, employers would still need to provide notice of data collection and maintain safeguards for personal information. It’s highly likely that during this two-year window, additional reforms would be passed that might further ease employer-employee data privacy requirements.
Nonetheless, employers should act now
While the CPRA won’t change much overnight, impacted organizations shouldn’t wait to take action, but should take this time to consider what employee data they collect, why they do so, and how they store this information.
This is especially pertinent now that businesses are collecting more data than ever on their employees. With companies like the workplace monitoring company Prodoscore reporting that interest from prospective customers rose by 600% since the pandemic began, we are seeing rapid growth in companies looking to monitor how, where, and when their employees work.
This trend emphasizes the fact that the information flow between companies and their employees is mostly one-sided (i.e., from the worker to the employer). Currently, businesses have no legal requirement to be transparent about this information exchange. That will change for California-based companies if the CPRA comes into effect and they will have no choice but to disclose the type of data they’re collecting about their staff.
The only sustainable solution for impacted businesses is to be transparent about their data collection with employees and work towards creating a “culture of privacy” within their organization.
Creating a culture of privacy
Rather than viewing employee data privacy as some perfunctory obligation where the bare minimum is done for the sake of appeasing regulators, companies need to start thinking about worker privacy as a benefit. Presented as part of a benefits package, comprehensive privacy protection is a perk that companies can offer prospective and existing employees.
Privacy benefits can include access to privacy protection services that extend beyond the workplace. Packaged alongside privacy awareness training and education, these can form “privacy plus” benefits offered to employees alongside standard perks like health or retirement plans. Doing so builds a culture of privacy that helps companies ensure regulatory compliance, while also making it easier to attract qualified talent and retain workers.
It’s also worth bearing in mind that creating a culture of privacy doesn’t necessarily mean that companies have to stop monitoring employee activity. In fact, employees are less worried about being watched than they are about the possibility of their employers misusing their data. Their fears are well-founded. Although over 60% of businesses today use workforce data, only 3 in 10 business leaders are confident that this data is treated responsibly.
For this reason, companies that want to keep employee trust and avoid bad PR need to prioritize transparency. This could mean drawing up a “bill of rights” that lets employees know what data is being collected and how it will be used.
Research into employee satisfaction backs up the value of transparency. Studies show that while only 30% of workers are comfortable with their employer monitoring their email, the number of employees open to the use of workforce data goes up to 50% when the employer explains the reasons for doing so. This number further jumps to 92% if employees believe that data collection will improve their performance or well-being or come with other personal benefits, like fairer pay.
On the other hand, most employees would leave an organization if its leaders did not use workplace data responsibly. Moreover, 55% of candidates would not even apply for a job with such an organization in the first place.
With many exceptions for workplace data management already built-in and more likely to come down the line, most employers should be able to easily navigate the stipulations CPRA entails.
That being said, if it becomes law this November, employers shouldn’t misuse the two-year window they have to prepare for new compliance requirements. Rather than seeing this time as breathing space before a regulatory crackdown, organizations should instead use it to be proactive in their approach to how they manage their employees’ data. As well as just ensuring they comply with the law, businesses should look at how they can turn employee privacy into an asset.
As data privacy stays at the forefront of employees’ minds, businesses that can show they have a genuine privacy culture will be able to gain an edge when it comes to attracting and retaining talent and, ultimately, coming out on top.
Californians regularly opt out of companies selling their personal information: “Do not sell” is the most commonly exercised CCPA right, accounting for nearly 50% of requests and outnumbering access and deletion requests, DataGrail’s Mid-Year CCPA Trends Report shows.
Consumer rights under CCPA
The California Consumer Privacy Act gives California residents the right to:
- Know what personal data businesses have about them
- Know what businesses do with that information (to whom they sell it or disclose it)
- Access their personal data
- Refuse the sale of their personal data
- Request that a business deletes their personal data
Do-not-sell requests are almost 50% of all DSRs
When the CCPA went into effect in January 2020, DataGrail saw people exercise their rights immediately, with a surge of data subject requests (DSRs) across its platform that month.
Since the initial surge, DSRs have stabilized around 13 DSRs per million records every month, which is a substantial rate and confirms that organizations need an established privacy program.
Consumers are accessing their data (21%), deleting their data (31%) and requesting that businesses do not sell their personal information (48%).
Gartner data shows that manually processing a single DSR costs on average $1,406. At this rate, organizations can expect to spend almost $240,000 per million records to fulfill DSRs – if they are done manually.
Additionally, organizations could be on the hook for more DSRs once fines begin appearing, which will likely be in October if CCPA enforcement follows the same timeline as the GDPR.
According to the research, B2C companies should prepare to process approximately 170 total DSRs per one million consumer records each year.
DataGrail has also found that three of every ten DSRs will go unverified, confirming the need for a robust and scalable verification method to prevent fraud (i.e., detect fraudulent requests being made to steal personal data).
Access requests (DSARs) make up 70% of the unverified requests, validating the concern that nefarious characters could be submitting access requests to gain access to another person’s personal information.
Calendars for security and compliance audits are largely unchanged despite COVID-19, yet the pandemic is straining teams as they work remotely, according to Shujinko.
Moreover, CISOs are tasked with preparing for more than three audits on average in the next 6-12 months, but struggle with inadequate tools, limited budgets and personnel, and inefficient manual processes.
Furthermore, the results show that migration to the cloud is dramatically increasing the scope and complexity of audit preparation, rendering old methods and approaches obsolete.
“This survey clearly shows that CISOs at major companies are caught between a rock and a hard place when it comes to security and compliance audits over the second half of 2020 and want automated tools to help dig them out. Unfortunately, they’re simply not able to find them,” said Scott Schwan, Shujinko CEO.
“Teams are cobbling together scripts, shared spreadsheets, ticketing systems and a hodgepodge of other applications to try to manage, resulting in inefficiency, lengthy preparation and limited visibility. More than two-thirds of CISOs are looking for something better.”
CISOs preparing for more than three audits
Despite changes in the economic climate due to COVID-19, CISOs are still tasked with preparing for more than three upcoming compliance audits across multiple security frameworks (e.g., PCI, SOC 2, NIST-CSF, ISO 27001, etc.).
Most common audits are for HITRUST, HIPAA and PCI DSS
51% of CISOs surveyed indicated they are preparing for a HITRUST audit in the next six to twelve months, 45% are preparing for HIPAA, 43% for PCI DSS, 41% for CCPA and 36% for an internal audit. In addition, 77% of companies preparing for SOC-2 audits were software companies.
CISOs are worried about doing more with less
COVID-19 has amplified CISOs’ concerns about doing more with less (both people and budget) with both teams and auditors working remotely. Worries over conflicting priorities, draining available resources and ensuring that evidence is complete round out their top five CISO concerns.
CISOs desperately want more automation
72% of security executives say they want to improve the automation of their audit preparation process, and automation was cited as the number one element most CISOs would change if they could. Team communication and collaboration rounded out the top three most desired improvements.
Two-thirds of CISOs dislike their current tool set
The survey found that CISOs are currently using a mix of home-grown scripts, spreadsheets, ticketing systems, shared documents, SharePoint and e-mail to prepare for audits. No CISOs reported having a security audit preparation tool that they are completely satisfied with.
CISOs have poor visibility into the audit process
No CISOs rated visibility into key audit preparation steps a complete success and only one rated it a 4 out of 5 – suggesting poor executive line-of-sight into hitting audit deadlines.
Audit processes don’t fit a cloud development model
Only 1 percent of CISOs said that their audit preparation process completely aligns with the speed and agility that is needed for rapid cloud application development and frequent iteration.
Although consumers remain concerned about sharing personal data with companies, the results of a Privitar survey highlight an opportunity for businesses to take a leadership role and build brand loyalty by protecting their customers.
The report found that more than three-quarters of respondents are concerned or very concerned about protecting their personal data, with 42 percent of consumers saying they wouldn’t share sensitive data (e.g. name, address, email address, phone number, location information, health information, banking information, social security number) with a business for any reason.
As consumers grow increasingly apprehensive when it comes to their data, business success will depend on an organization’s ability to prioritize and successfully execute on privacy initiatives.
Disconnect between consumer sentiment and actions surrounding data protection
When it comes to the management of their data, many consumers aren’t fully aware of how brands are securing their personal information. According to the survey, 43 percent of consumers don’t know if they’ve worked with a business that has been impacted by a data breach.
When it comes to privacy notices, 28 percent admit to not reading them at all and 42 percent admit to only skimming the text. These findings point to a growing sentiment that data privacy should be the responsibility of the business – not the customer. With this, businesses have a tremendous opportunity to make data privacy a differentiator and a way to build long-term loyalty.
Pandemic creating more data sharing opportunities, yet consumers remain wary
Despite the growing advancements on the data protection front, 51 percent of consumers surveyed said they are still not comfortable sharing their personal information. One-third of respondents said they are most concerned about it being stolen in a breach, with another 26 percent worried about it being shared with a third party.
In the midst of the growing pandemic, COVID-19 tracking, tracing, containment and research depends on citizens opting in to share their personal data. However, the research shows that consumers are not interested in sharing their information.
When specifically asked about sharing healthcare data, only 27 percent would share health data for healthcare advancements and research. Another 21 percent of consumers surveyed would share health data for contact tracing purposes.
As data becomes more valuable to combat the pandemic, companies must provide consumers with more background and reasoning as to why they’re collecting data – and how they plan to protect it.
Upcoming U.S. elections driving consumer awareness of data privacy
As the debate grows louder across the nation, 73 percent of consumers think that there should be more government oversight at the federal and/or state/local levels. While legislation can take years to pass, it’s important for businesses to overhaul their technology and processes now to quickly address consumers’ concerns and keep business running.
Businesses must drive data privacy action
Companies rely on brand loyalty to keep their operations up and running. While they often cite affordable prices and personalization as the means of keeping business moving, many overlook the importance of instilling a more personal sense of trust within their customer base.
When working with a business, 40 percent of consumers think the brand’s trustworthiness is most important when it comes to brand loyalty and 31 percent say it’s the brand’s commitment to protecting their data.
Roughly even with the 30 percent of consumers who believe customer service matters most, these results show that data protection is just as critical to keeping customers coming back.
However, broken trust and failure to protect that data have severe consequences, with 24 percent saying they have either stopped doing business or done less business with a company after it was breached.
As markets grow increasingly competitive in a fluctuating economy, it’s critical for businesses to keep customer loyalty high – and as such, be more open and transparent with how they’re using personal data.
“The global COVID-19 pandemic has underscored the importance of the trust relationship companies and governments need to build with consumers in an increasingly digital world,” said Jason du Preez, CEO, Privitar.
“The results of the survey affirm the growing need for brands to focus on building and maintaining this trust, starting first and foremost with protecting customer data. As more businesses utilize the cloud to enable data driven insights, a firm commitment to data privacy will help to ensure long-term loyalty, consumer satisfaction and shareholder value.”
The volume of business data worldwide is growing at an astounding pace, with some estimates showing the figure doubling every year. Over time, every company generates and accumulates a massive trove of data, files and content – some inconsequential and some highly sensitive and confidential in nature.
Throughout the data lifecycle there are a variety of risks and considerations to manage. The more data you create, the more you must find a way to track, store and protect against theft, leaks, noncompliance and more.
Faced with massive data growth, most organizations can no longer rely on manual processes for managing these risks. Many have instead adopted a vast web of tracking, endpoint detection, encryption, access control and data policy tools to maintain security, privacy and compliance. But deploying and managing so many disparate solutions creates a tremendous amount of complexity and friction for IT and security teams as well as end users. The problem with this approach is that it comes up short in terms of the level of integration and intelligence needed to manage enterprise files and content at scale.
Let’s explore several of the most common data lifecycle challenges and risks businesses are facing today and how to overcome them:
Maintaining security – As companies continue to build up an ocean of sensitive files and content, the risk of data breaches grows exponentially. Smart data governance means applying security across the points at which the risk is greatest. In just about every case, this includes both ensuring the integrity of company data and content, as well as any user with access to it. Every layer of enterprise file sharing, collaboration and storage must be protected by controls such as automated user behavior monitoring to deter insider threats and compromised accounts, multi-factor authentication, secure storage in certified data centers, and end-to-end encryption, as well as signature-based and zero-day malware detection.
Classification and compliance – Gone are the days when organizations could require users to label, categorize or tag company files and content, or task IT to manage and manually enforce data policies. Not only is manual data classification and management impractical, it’s far too risky. You might house millions of files that are accessible by thousands of users – there’s simply too much, spread out too broadly. Moreover, regulations like GDPR, CCPA and HIPAA add further complexity to the mix, with intricate (and sometimes conflicting) requirements. The definition of PII (personally identifiable information) under GDPR alone encompasses potentially hundreds of pieces of information, and one mistake could result in hefty financial penalties.
Incorrect categorization can lead to a variety of issues including data theft and regulatory penalties. Fortunately, machines can do in seconds, and often with better accuracy, what it might take years for a human to do. AI and ML technologies are helping companies quickly scan files across data repositories to identify sensitive information such as credit card numbers, addresses, dates of birth, social security numbers, and health-related data, and to apply classifications automatically. They can also track files across popular data sources such as OneDrive, Windows File Server, SharePoint, Amazon S3, Google Cloud, G Suite, Box, Microsoft Azure Blob, and generic CIFS/SMB repositories to better visualize and control your data.
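One way to implement the automatic classification described above, as an added example that is not code from the original article or any vendor product: a scanner that validates candidate card numbers with the Luhn check and Social Security numbers against the SSA's issuance rules before labelling a document, so that look-alike order numbers and ticket IDs do not trigger false positives. The label names, patterns and sample documents are assumptions of this example.

```python
"""Added example: a minimal sensitive-data classifier of the kind the
paragraph above describes.  It scans text for payment card numbers (PANs),
US Social Security numbers and dates of birth, applies validity checks to
cut false positives, and assigns a classification label.  The label names,
patterns and sample documents are this example's own assumptions."""
import re

# Assumed label scheme; precedence decides the document label when several kinds hit.
LABEL_FOR = {"PAN": "Confidential/PCI", "SSN": "Confidential/PII", "DOB": "Internal/PII"}
PRECEDENCE = ["PAN", "SSN", "DOB"]

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# NNN-NN-NNNN, not inside a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# A labelled date of birth in ISO (YYYY-MM-DD) or US (MM/DD/YYYY) form.
DOB_RE = re.compile(
    r"\b(?:DOB|date of birth)[:\s]+(\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})\b", re.I
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: rejects most order numbers and IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged without re-exposing the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list:
    """Return validated findings as (kind, masked_value) tuples."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("SSN", mask("".join(m.groups()))))
    for m in DOB_RE.finditer(text):
        findings.append(("DOB", m.group(1)))
    return findings


def classify(text: str) -> dict:
    """Assign the document the label of its most sensitive validated finding."""
    findings = scan_text(text)
    kinds = {kind for kind, _ in findings}
    label = next((LABEL_FOR[k] for k in PRECEDENCE if k in kinds), "Public")
    return {"label": label, "findings": findings}


# Constructed sample documents (test card number and a published SSA example; no real data).
CLAIM_FORM = (
    "Patient: J. Doe  DOB: 1984-03-12  SSN: 078-05-1120\n"
    "Card on file: 4111 1111 1111 1111\n"
)
INVOICE = "Order 1234 5678 9012 3456 shipped; ref 000-12-3456 is an internal ticket, not an SSN.\n"

if __name__ == "__main__":
    for name, doc in (("claim form", CLAIM_FORM), ("invoice", INVOICE)):
        print(name, "->", classify(doc))
```

The invoice is labelled Public because its 16-digit order number fails the Luhn check and its ticket reference uses an SSN area number that is never issued; in a production scanner the same validity gates are what keep the reviewer's queue manageable.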
Retention – As data storage costs have plummeted over the past 10 years, many organizations have fallen into the trap of simply “keeping everything” because it’s (deceptively) cheap to do so. This approach carries many security and regulatory risks, as well as potential costs. Our research shows that exposure of just a single terabyte of data could cost you $129,324; now think about how many terabytes of data your organization stores today. The longer you retain sensitive files, the greater the opportunity for them to be compromised or stolen.
Certain types of data must be stored for a specific period of time in order to adhere to various customer contracts and regulatory criteria. For example, HIPAA regulations require organizations to retain documentation for six years from the date of its creation. GDPR is less specific, stating that data shall be kept for no longer than is necessary for the purposes for which it is being processed.
Keeping data any longer than absolutely necessary is not only risky, but those “affordable” costs can add up quickly. AI-enabled governance can track these set retention periods and minimize risk by automatically securing or eliminating any old or redundant files no longer required (or allowed). With streamlined data retention processes, you can decrease storage costs, reduce security and noncompliance exposure and optimize data processing performance.
Ongoing monitoring and management – Strong governance gets easier with good data hygiene practices over the long term, but with so many files to manage across a variety of different repositories and storage platforms, it can be challenging to track risks and suspicious activities at all times. Defining dedicated policies for what data types can be stored in which locations, which users can access it, and all parties with which it can be shared will help you focus your attention on further minimizing risk. AI can multiply these efforts by eliminating manual monitoring processes, providing better visibility into how data is being used and alerts when sensitive content might have been shared externally or with unapproved users. This makes it far easier to identify and respond to threats and risky behavior, enabling you to take immediate action on compromised accounts, move or delete sensitive content that is being shared too broadly or stored in unauthorized locations, etc.
The key to data lifecycle management
The sheer volume of data, files and content businesses are now generating and managing creates massive amounts of complexity and risk. You have to know what assets exist, where they’re stored, which specific users have access to them, when they’re being shared, what files can be deleted, which need to be stored in accordance with regulatory requirements, and so on. Falling short in any one of these areas can lead to major operational, financial and reputational consequences.
Fortunately, recent advances in AI and ML are enabling companies to streamline data governance to find and secure sensitive data at its source, sense and respond to potentially malicious behaviors, maintain compliance and adapt to changing regulatory criteria, and more. As manual processes and piecemeal point solutions fall short, AI-enabled data governance will continue to dramatically reduce complexity both for users and administrators, and deliver a level of visibility and control that business needs in today’s data-centric world.
Enforcement of the California Consumer Privacy Act (CCPA), which begins on July 1, 2020, is going to put additional pressure on already overstretched IT resources and budgets, Netwrix reveals.
Increase in DSARs
According to the survey, 32% of financial organizations have already seen an increase in data subject access requests (DSARs) since the CCPA came into force on January 1, 2020.
73% of respondents stated that manual processing of these requests puts significant or moderate pressure on their IT teams. Every fourth organization (27%) noted that rising interest in execution of privacy rights has increased their expenses.
Gartner warns that fulfilling a single request takes most organizations two or more weeks and costs an average of $1,400 if done manually. This means that many financial organizations, which are already facing tough times, will need to allocate additional workforce and budget to ensure compliance with the CCPA.
- 33% of financial organizations discovered sensitive or regulated customer data outside of designated secure locations.
- 40% of respondents admitted their IT teams granted direct access to sensitive data based solely on a user’s request in the past 12 months.
- 75% of financial organizations that classify data can detect data misuse in minutes, while those who don’t usually need days (43%) or months (29%).
- 70% of incidents of unauthorized data sharing within this vertical led to data compromise.
- 44% of CISOs and CIOs don’t have or don’t know whether they have KPIs for IT security and risk.
“While organizations are unlikely to be flooded with data subject access requests on July 2, they do need to be prepared to process requests accurately and promptly. One missed deadline or incompletely fulfilled request could result in a thorough audit from the authorities and sizable fines.
TrustArc announced the results of its survey on how organizations are protecting and leveraging data, their most valuable asset. The survey polled more than 1,500 respondents from around the world at all levels of the organization.
“The TrustArc survey highlights just how difficult it can be to comply with even a single new regulation, such as CCPA, let alone the entire list of existing laws. The results also show how the COVID-19 pandemic and its attendant technologies, such as video conferencing, have exacerbated an already difficult privacy challenge and forced respondents to rethink their approaches.”
CCPA compliance readiness mostly lacking, prior GDPR preparedness a boost
29% of respondents say they have just started planning for CCPA.
- More than 20% of respondents report they are either somewhat unlikely to be, very unlikely to be, or don’t know if they will be fully compliant with CCPA on July 1.
- Just 14% of respondents are done with CCPA compliance. Nine percent have not started with CCPA compliance, and 15% have a plan but have not started implementation.
- Of respondents who reported as being slightly or very knowledgeable about CCPA and GDPR regulations, 82% are leveraging at least some of the work they did for GDPR in implementing CCPA requirements.
Privacy professionals still use inefficient technologies for compliance programs
Though 90% of respondents agree or strongly agree that they are “mindful of privacy as a business,” many privacy professionals are left building privacy programs without automation.
- 19% of respondents report they are most deficient in automating privacy processes.
- Just 17% of all respondents have implemented privacy management software, which matches the 17% who are still using spreadsheets and word processors.
- In addition, 19% are using open source/free software and 9% are doing nothing.
- Even in the U.S., which boasts the highest rate of privacy management software adoption, just 22% of respondents use privacy management software as their primary compliance software.
Respondents understand the importance of data privacy and continue to invest in ongoing privacy programs. However, many are still attempting to implement these programs using manual processes and technologies that do not offer automation.
Moving forward, the companies that can leverage automation to simplify data privacy can protect their most valuable asset—data—and use it to drive business growth.
New technologies present additional challenges to compliance
With the move to all-remote workforces, companies are increasingly turning to technologies, such as video conferencing and collaboration tools. These tools present new avenues for data creation that privacy professionals must consider in their company-wide plans.
- Twenty-two percent of respondents said personal device security during the pandemic has added a great deal of risk to their businesses. “Personal device security” received the highest proportion of “a great deal of risk” responses, compared to the other four response options.
- A majority of respondents said that third-party data, supply chain, personal-device security, unintentional data sharing, and required or voluntary data sharing for public health purposes all added at least a moderate amount of risk to their businesses.
- Seventy percent of respondents say video conferencing tools have required a moderate or great change to their privacy approach, and 65% of respondents say collaboration tools have required a moderate or great change to privacy approaches.
Despite financial impact of pandemic, privacy compliance remains a high priority
Though many respondents expect a significant decrease in their company’s revenues as a result of the COVID-19 pandemic, they are still prioritizing privacy-related investments.
- Forty-four percent of companies expect a decrease or steep decrease in overall company revenues for the balance of 2020 as a result of COVID-19.
- Just 15% of respondents report they plan to spend less or a great deal less on privacy efforts in 2020 as a result of the pandemic.
- 42% of respondents plan to spend $500,000 or more in 2020 on CCPA efforts alone.
Boards of directors actively involved in privacy management
The mandate for increased privacy investments is coming from the very top of organizations.
- Eighty-three percent of respondents indicate their board of directors regularly reviews privacy approaches.
- An impressive 86% of respondents say that everyone from the board of directors to the front-line staff knows their role in protecting privacy.
- Four out of five respondents view privacy as a key differentiator for their company.
Organizations that plan on manually processing CCPA data subject requests (DSRs) or data subject access requests will spend between $140k – $275k per million consumer records they have in their systems, according to DataGrail.
The CCPA went into effect on January 1, 2020, giving consumers the right to know the data collected about them, to delete data about them, and to ensure their data is not sold to third parties. The report analyzed the number of requests in Q1 2020 to understand how CCPA will impact organizations in the long run.
The early learnings from the first few months of CCPA should help businesses plan and predict the future of privacy regulation.
- Privacy headlines (and COVID-related emails) in March & April likely drove an increase of CCPA privacy requests.
- B2C companies should prepare to process approximately 100 to 194 requests per million consumer records each year.
- Processing CCPA privacy requests will likely cost B2C companies $140,000 to $275,000 per one million consumer records, if done manually.
- Deletion requests were the most popular requests (40%) in Q1 2020, followed by Do Not Sell (DNS) requests (33%) and access requests (27%).
- Do Not Sell (DNS) requests will likely become the most dominant privacy request after analyzing early trending data.
CCPA privacy requests expected to stabilize
Looking forward to the remainder of 2020, the number of CCPA privacy requests is expected to stabilize around the February and March numbers (8 requests per million consumer records).
In July and August we may see a surge once again as CCPA enforcement begins on July 1, 2020.
DNS requests expected to dominate
DNS requests will likely dominate, with deletion requests not far behind, which means companies should prepare for the complex task of reaching out to their network of processors and sub-processors to successfully perform a hard delete. New regulations cause a lot of uncertainty and anxiety, especially when they involve a lot of complexity and associated fines.
There is a misalignment between data privacy regulation spending and business outcomes, according to Tanium research. Specifically, as businesses spend tens of millions on compliance, over 90 percent have fundamental IT weaknesses that leave them vulnerable and potentially non-compliant.
The global study of 750 IT decision makers revealed that organizations have spent on average $70.3 million each to comply with the GDPR, the CCPA, and other data privacy regulations over the past year.
Most businesses have hired new talent (81 percent), invested in workforce training (85 percent) and introduced new software or services (82 percent) to ensure continued compliance.
In addition, 87 percent of organizations have set aside or increased their cyber liability insurance by an average of $185 million each, to deal with the potential consequences of a data breach.
However, despite this increased investment, businesses still feel unprepared to deal with the evolving regulatory landscape, with over a third (37 percent) claiming that a lack of visibility and control of endpoints is the biggest barrier to maintaining compliance with regulations such as GDPR.
Increased spending not solving visibility challenges
This lack of visibility into how organizations see and manage endpoints such as laptops, servers, virtual machines, containers and cloud infrastructure causes major challenges. In fact, the study revealed major visibility gaps in the IT environment of most organizations prior to the pandemic.
Ninety-four percent of IT decision makers have discovered unknown endpoints within their IT environment, and 71 percent of CIOs said they find new endpoints on a weekly basis.
Mass home working and employee use of personal devices is likely to exacerbate these problems, expanding the corporate attack surface. When compliance relies on understanding what tools you use, what endpoints you have and what data you hold across the entire organization, these visibility gaps are dangerous.
Chris Hodson, CISO at Tanium said, “While it’s encouraging to see global businesses investing to stay on the right side of data privacy regulations, our research suggests that their good work could be undermined by inattention to basic IT principles.
“Many organizations seem to have fallen into the trap of thinking that spending a considerable amount of money on GDPR and CCPA is enough to ensure compliance. Yet without true visibility and control of their IT assets, they’re leaving a backdoor open to malicious actors.”
What is causing visibility gaps?
The majority (91 percent) of respondents acknowledged fundamental weak points within their organizations that are preventing a comprehensive view of their IT estate.
These visibility gaps are being caused by a lack of unity between IT, operations and security teams (39 percent), a lack of resources to effectively manage their IT estate (31 percent), legacy systems which don’t give them accurate information (31 percent), shadow IT (29 percent) and too many tools used across their business (29 percent).
The research found that firms have implemented an average of 43 separate security and operations tools to manage their IT environments. Tool sprawl like this further limits the effectiveness of siloed and distributed teams, adding unnecessary complexity.
Tech leaders are concerned about the consequences
In the study, IT leaders cited concerns that limited visibility of endpoints could leave their company more vulnerable to cyberattacks (53 percent), damage the brand reputation (39 percent), make risk assessments harder (33 percent), impact customer churn (31 percent) and lead to non-compliance fines (23 percent).
Respondents also revealed a false sense of confidence when it came to compliance readiness. Ninety percent of IT decision makers said they were confident of being able to report all required breach information to regulators within 72 hours. But with nearly half (48 percent) reporting they have challenges in getting visibility into devices on their network, this confidence appears to be misplaced — a single missed endpoint could be a compliance violation waiting to happen.
Chris Hodson, CISO at Tanium concluded: “GDPR and CCPA represent the beginning of a complex new era of rigorous data privacy regulations. Although some regulators have postponed large fines due to the current pandemic, it doesn’t defer the requirement for companies to ensure personal information is stored and processed using the strictest safeguards.
“Technology leaders need to focus on the fundamentals of unified endpoint management and security to drive rapid incident response and improved decision making. The first step must be gaining real-time visibility of these endpoints, which is a crucial prerequisite to improved IT hygiene, effective risk management, and regulatory compliance. With most teams working from home these days and many having to use their own devices, this has never been more important.”
92% of companies are concerned about new consumer rights under the California Consumer Privacy Act (CCPA), with 51% believing this is the hardest part of CCPA compliance and 64% planning to spend more than $100K on compliance in 2020, according to Truyo.
Despite changing IT priorities and tightening of spend due to COVID-19 measures, 56% of data privacy professionals are expecting there will be an increase in rights requests as a result of COVID-19.
The research found that consumers are actively exercising their rights under CCPA, with 51% of companies receiving more than 10 requests a week and 20% receiving more than 100 requests a week. The research surveyed 221 data privacy decision makers at companies with more than 1000 employees between 3/31/20 and 4/13/20.
“With changed behavior due to the COVID control measures, Americans are increasingly online and on Zoom, sharing more data than ever before. What was already a compliance headache for privacy professionals is now only likely to increase with the additional requirements for employee data and a spotlight on companies to protect consumer privacy ahead of enforcement starting in July,” said Dan Clarke, President of Truyo.
What have companies done to address CCPA?
Companies are taking the new legal requirements seriously with 59% investing in new tools to address CCPA privacy rights. Product features and automation capabilities were the top requirements for executives when choosing a third-party provider with a focus on long term scalability through automation while managers were more focused on costs.
The research also revealed a chasm in understanding between IT and Legal departments on what’s involved in managing data, with 55% of legal professionals saying their solution was fully automated compared with only 13% of IT professionals.
Privacy rights requests: What next?
With the exemption for employee rights under the CCPA due to end on December 31, 2020, 92% of privacy professionals said they planned to extend privacy rights to employees with 62% planning to offer these to all employees not just those in California. Only 15% say they intend to wait until this is a legal requirement under the CCPA.
74% are tracking progress in the introduction of new state privacy legislation outside of California. For 64% additional state legislation is the biggest driver to introduce a third-party tool to support compliance.
As many organizations are still discovering, compliance is complicated. Stringent regulations, like the GDPR and the CCPA, require multiple steps from numerous departments within an enterprise in order to achieve and maintain compliance. From understanding the regulations, implementing technologies that satisfy legal requirements, hiring qualified staff and training, to documentation updating and reporting – ongoing compliance can be costly and time intensive.
In fact, a report found that one-third of all enterprises (defined as businesses with 1000+ employees) spent more than $1 million on GDPR compliance alone.
As more states move to adopt GDPR-like regulations, such as California’s CCPA and Washington’s failed, but not forgotten Washington Privacy Act (WPA) legislation, organizations are having to look very closely at their data sets and make critical decisions to ensure compliance and data security.
But what can be done to minimize the scope of these stringent and wide-reaching regulations?
If an organization can identify all of its personal data and take it out of the data security and compliance equation completely – rendering it useless to hackers, insider threats, and regulation scope – it can eliminate a huge amount of risk and drastically reduce the cost of compliance.
Enter synthetic data
Organizations like financial institutions and hospitals handle large quantities of extremely sensitive credit/debit card and personally identifiable information (PII). As such, they must navigate a very stringent set of compliance protocols – they can fall under the GDPR, CCPA, PCI DSS and additional laws and regulations depending on their location and the location of their customers.
Synthetic data is helping highly regulated companies safely use customer data to increase efficiencies or reduce operational costs, without falling under the scope of stringent regulations.
Synthetic data makes this possible by removing identifiable characteristics of the institution, customer and transaction to create what is called a synthetic data set. Personally identifiable information is rendered unrecognizable by a one-way hash process that cannot be reversed. A cutting-edge data engine makes minor and random field changes to the original data, keeping the consumer identity and transaction associated with that consumer completely protected.
Once the data is synthesized, it’s impossible for a hacker or malicious insider to reverse-engineer the data. This makes the threat of a data breach a non-issue for even the largest enterprises. Importantly, this synthetic data set still keeps all the statistical value of the original data set, so that analysis and other data strategies may be safely conducted, such as AI algorithm feeding, target marketing and more.
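The two steps described above (one-way tokens for identifying fields, small random changes to the remaining values) as an added example in Python; this is not the page's or any vendor's engine. The record layout, field names, secret key and perturbation bound are constructed for illustration, and a keyed HMAC is used in place of a bare hash because low-entropy identifiers such as card numbers can otherwise be matched by enumeration.

```python
"""Build a synthetic data set from constructed customer transaction records.

Added example: identifying fields are replaced by keyed one-way tokens,
numeric fields get a small random change, and helper checks confirm that no
raw PII survives and that the mean of the numeric field is preserved.
"""
import hashlib
import hmac
import random
import statistics

# Constructed sample records standing in for a bank's transaction table.
ORIGINAL_RECORDS = [
    {"customer_id": "C1001", "email": "ana@example.com",
     "card": "4111111111111111", "amount": 120.50, "merchant_cat": "grocery"},
    {"customer_id": "C1002", "email": "ben@example.com",
     "card": "5500000000000004", "amount": 45.00, "merchant_cat": "fuel"},
    {"customer_id": "C1001", "email": "ana@example.com",
     "card": "4111111111111111", "amount": 310.25, "merchant_cat": "travel"},
    {"customer_id": "C1003", "email": "cy@example.com",
     "card": "340000000000009", "amount": 18.75, "merchant_cat": "grocery"},
]

PII_FIELDS = ("customer_id", "email", "card")
# Assumed secret; in practice it would live in a key store, separate from the data.
SECRET_KEY = b"constructed-demo-key"


def pseudonymize(value: str, key: bytes = SECRET_KEY) -> str:
    """Return a one-way, keyed token for a PII value.

    HMAC-SHA256 rather than plain SHA-256: card numbers and customer IDs have
    a small input space, so an unkeyed hash could be matched by trying
    candidates. The token is stable (same input -> same token), so records of
    one customer can still be grouped without revealing who the customer is.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def perturb(value: float, rng: random.Random, max_rel: float = 0.05) -> float:
    """Apply a small random relative change (+/- max_rel) to a numeric value."""
    return round(value * (1 + rng.uniform(-max_rel, max_rel)), 2)


def synthesize(records, key: bytes = SECRET_KEY, seed=None):
    """Produce the synthetic data set: tokens for PII, perturbed numerics."""
    rng = random.Random(seed)
    synthetic = []
    for rec in records:
        new = {}
        for name, value in rec.items():
            if name in PII_FIELDS:
                new[name + "_token"] = pseudonymize(str(value), key)
            elif isinstance(value, (int, float)) and not isinstance(value, bool):
                new[name] = perturb(value, rng)
            else:
                new[name] = value  # categorical fields are kept as-is
        synthetic.append(new)
    return synthetic


def contains_raw_pii(synthetic, original) -> bool:
    """Scan the synthetic set for any original PII value that leaked through."""
    raw_values = {str(r[f]) for r in original for f in PII_FIELDS}
    return any(str(v) in raw_values for rec in synthetic for v in rec.values())


def mean_preserved(original, synthetic, field="amount", tol=0.05) -> bool:
    """True if the field's mean moved by no more than tol (relative)."""
    orig_mean = statistics.mean(r[field] for r in original)
    syn_mean = statistics.mean(r[field] for r in synthetic)
    return abs(syn_mean - orig_mean) <= tol * abs(orig_mean)


if __name__ == "__main__":
    result = synthesize(ORIGINAL_RECORDS, seed=7)
    for row in result:
        print(row)
    print("raw PII present:", contains_raw_pii(result, ORIGINAL_RECORDS))
    print("mean preserved:", mean_preserved(ORIGINAL_RECORDS, result))
```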
What do the major data privacy regulations say about synthetic data?
The CCPA does not expressly reference synthetic data, but it expressly excludes de-identified data from most of the CCPA’s requirements in cases where the requisite safeguards are in place. Synthesized data as defined is considered de-identified data. The CCPA also excludes from its coverage personal information subject to several federal privacy laws and comparable California state laws, including “personal information collected, processed, sold, or disclosed pursuant to Gramm-Leach-Bliley Act (GLBA) and the California Financial Information Privacy Act.”
Likewise, the GDPR does not expressly reference synthetic data, but it expressly says that it does not apply to anonymous information: according to UCL, “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.” Synthetic data is considered personal data which has been rendered anonymous and therefore falls outside the material scope of the GDPR.
Essentially, these important global regulatory mandates do not apply to collection, storage and use of synthesized data.
A big solution for big struggles
As businesses continue to grow in size and number of customers, the amount and frequency of data that flows in also increases dramatically. With these vast streams of data comes a struggle to collect, store and use customer data in a private and secure manner. This struggle is also becoming more publicly known, as headlines of data breaches or compliance violations flood news feeds seemingly every week.
To effectively and efficiently manage the influx of sensitive data while staying compliant and secure, companies can implement synthetic data in their environments with zero risks. Companies can use synthetic data to dig into customer action likelihood, analytics, customer segmentation for marketing, fraud detection trends, and more without jeopardizing compliance or data privacy.
And with data being the key to actualizing machine learning and artificial intelligence engines, companies can also utilize synthetic data to gain valuable insights into their algorithm data and design new products, reduce operational costs, and analyze new business endeavors while keeping customer privacy intact.
With the GDPR and the CCPA now in full effect and more industry and region-specific data regulations on the horizon, organizations of all sizes that want to reduce the burden of compliance will look to use synthetic data technology to manage their privacy and data security-related legal obligations.
Synthetic data helps organizations in highly regulated industries put customer data security and privacy first and keep their data operations frictionless and optimized while minimizing the scope of compliance. The more organizations that adopt synthetic data, the safer personal information transactions become, and the more organizations are free to conduct business without having to worry about regulation.
With half of Americans lacking confidence in companies and government when it comes to protecting personal information, it’s no surprise three-quarters (74%) are more alarmed than ever about their privacy, according to research from NortonLifeLock.
More than 10,000 adults online were surveyed in Australia, France, Germany, India, Italy, Japan, Netherlands, New Zealand, the United Kingdom and the United States about their attitudes and behaviors when it comes to cyber safety.
The individual consumer outranks government as most responsible
Americans are split on who should be held most responsible for ensuring personal information and data privacy are protected. Just over a third believe companies are most responsible (36%), followed closely by the individuals providing their information (34%), with slightly fewer holding the government most responsible (29%).
Half of Americans don’t give companies (49%) and government (51%) credit for doing enough when it comes to data privacy and protection. Notably, compared to the other countries surveyed, Americans are most likely to put the burden on individuals—in fact, it’s the only country where the individual consumer outranks government as most responsible.
“Americans are outliers compared to other countries surveyed in that they are willing to accept a lot of the responsibility in protecting their own data and personal information,” says Paige Hanson, chief of cyber safety education, NortonLifeLock.
“This could be the year Americans truly embrace their privacy independence, particularly with the help of new regulations like the California Consumer Privacy Act giving them control over how their data is used.”
Americans have lived up to their sense of self responsibility with 87% taking steps to protect their online activities and personal information—whether that’s limiting what they share on social media (38%), avoiding public Wi-Fi (33%) or using identity theft protection services (20%).
Americans are also 15% more likely to say they are proactively looking for better ways to protect their privacy compared to the global average (75% vs. 65%).
Protecting personal information: Additional findings
Three-quarters of U.S. consumers (74%) report being more alarmed than ever about their privacy: The top of consumers’ list of concerns include their personal information being exposed in a data breach and compromised by cybercriminals (52%) and their sensitive personal information being sold to third parties and used in decision-making processes without their consent (43%).
One in six Americans are concerned that their personal information will be used to inappropriately influence how they vote: While much lower on the list of top concerns, it’s worth noting in a presidential election year that 16% of Americans are concerned that their personal information will be used to inappropriately influence how they vote in an election, a concern that is shared equally among Republicans (18%) and Democrats (16%).
Americans who identified as Republicans and Democrats agree on the government’s role in data privacy: Despite the current tensions and political divide, data privacy and protection is one area where Republicans and Democrats are in sync—Republicans (47%) and Democrats (50%) are equally likely to feel that the U.S. government is not doing enough and that the U.S. is behind most other countries when it comes to data privacy laws, with Democrats at 55% and Republicans at 54%.
Despite the potential for abuse or misuse, most Americans support the use of facial recognition: 68% of Americans believe facial recognition will likely be abused or misused in the next year, and 47% believe it will do more harm than good—with the biggest concern being that cyber criminals could access and/or manipulate their facial recognition data and steal their identity (39%).
Nevertheless, after learning the advantages and disadvantages, the majority of Americans still support the use of facial recognition among law enforcement (67%), schools (65%), and to a lesser extent, retailers (54%).
Encryption provides the best defense against any fines that might be levied for violations or data breaches under CCPA, according to ESG and Fortanix.
What can you do?
The report also revealed that CCPA applies data breach sanctions only if companies fail to protect personal data with encryption or redaction. If personal information is protected with appropriate data security measures, it cannot be used by unauthorized parties, so consumers are left unharmed.
Encrypted data that is stolen remains unintelligible, protecting the identity and personal information of its owner and mitigating risk for the business.
“Encryption is a security strategy that will protect sensitive data such as the personal information covered by CCPA,” wrote Christophe Bertrand, ESG senior analyst.
“It protects an organization from scenarios like a devastating breach where hackers gain access to systems containing personal data. It is important to implement encryption throughout the data lifecycle, including while data is at rest in a storage layer, while it is in transit over networks, and while it is in use by applications in the memory of the operating system.”
“Also, consider that personal customer data should be encrypted whether it exists in public cloud storage, in software-as-a-service (SaaS) applications such as CRM, or throughout your supply chain, in addition to your internal data center systems,” Bertrand continued in the report.
“Organizations need to implement advanced data classification, data anonymization, data masking, encryption, security, and access controls in order to set themselves up for successful compliance. ESG believes that many organizations are only ready on the surface – with marketing opt-in/out processes, for example.”
Protecting customer data privacy a strategic imperative for businesses
The CCPA is landmark consumer privacy legislation. Often compared to GDPR, CCPA protects consumers from mismanagement of their personal data and gives them control over what data is collected, processed, shared, or sold by companies doing business in California. This act is the strongest privacy legislation enacted in any state, giving more power to consumers with regards to their private data.
With many experts predicting that other states will pass similar legislation in the coming years, companies across the US that take proactive steps today to better protect consumer data will be best equipped for future regulations.
“With the increase in regulatory penalties and devastating data breaches we have seen, protecting the privacy of customer data is a strategic imperative for business,” said Ambuj Kumar, CEO of Fortanix.
“The most reliable and efficient method of both protecting customer data and avoiding regulatory penalties is to encrypt all customer data throughout its lifecycle while at rest, in motion, and while in use by applications.”
One-third of financial services organizations lack a clear plan or the resources to address privacy risks related to customer data in the next 12 months, according to a report by Accenture.
The report is based on a survey of 100 privacy executives in the banking, insurance and capital markets sectors in North America and Europe. It focuses on how companies should rethink how they use, store and protect customer data as recently implemented regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), give consumers explicit privacy rights.
An increased need for a clear privacy strategy
According to the report, seven in 10 respondents (70%) see privacy as a key risk for their firms, increasing the need for a clear privacy strategy. Noting that nearly three-quarters (72%) of respondents’ companies use consent to tailor customer-facing products and services, the report suggests that financial services firms incorporate privacy into the overall customer journey by giving customers more control over their data and deleting personal information upon request.
“Given the renewed regulatory focus and threat of significant financial fines, it’s not surprising that financial services firms are making privacy a top priority,” said Ben Shorten, a managing director in Accenture’s Strategy & Consulting group.
“But these institutions should think beyond the compliance risks and consider the broader opportunity to elevate the customer experience around privacy. Consumers are willing to share information if there’s value in it for them, whether personalized offers, better services or more competitive pricing. Firms that understand how customers perceive and value data privacy have a clear opportunity to differentiate themselves.”
Building consumer trust
When asked which privacy risks will require the most effort to remediate over the next year, respondents most often cited privacy risk monitoring (51%), the accuracy and maintenance of records processing/information asset registers (44%), and records management and data retention/deletion (41%).
These risks are heightened by the “right to erasure” requests under GDPR and CCPA, which empower consumers to ask companies to delete their personal data upon request, making proper records management critical. One way that firms can achieve this, according to the report, is by using automated tools to aid with data discovery.
The report notes that while three-fourths (76%) of respondents plan to increase their privacy investments over the next year, companies without a clear privacy strategy could fail to reap the expected value from these investments — while those that create clear strategies and infuse a culture of privacy awareness across their organizations will differentiate themselves and build consumer trust.
In addition, as firms increasingly focus on demonstrating ethical and responsible use of data in their artificial intelligence and machine-learning algorithms, a new class of privacy risks related to data ethics could emerge.
This presents another opportunity for firms to build consumer trust by providing greater transparency around automated decisioning models and introducing ethical guide rails for the use of personal data.
62 percent of employees are unsure if their organization has to comply with the recently-enacted CCPA, which gives California residents enhanced consumer data privacy rights, according to a survey of more than 1,000 employees conducted by Osterman Research.
Results reveal a similar lack of awareness regarding the GDPR, in effect since 2018.
Employee cybersecurity and privacy engagement
The findings reveal progress in cybersecurity awareness. However, many respondents continue to hold false impressions about malware, phishing, and cloud file-sharing, putting their personal and employers’ data at risk.
“The benefits and rewards of digital technology are many, but so are the risks. As states race to address cybersecurity and data privacy risks with new compliance measures, businesses are under more pressure than ever to educate their employees, or prepare to face increasingly negative outcomes,” MediaPRO Chief Strategist Lisa Plaggemier said.
“To adequately protect consumer data, companies must quickly transform employees from bystanders into security advocates, and that begins with awareness programs that engage employees and reinforce behaviors that align with security and compliance goals.”
The survey assessed employee engagement with and understanding of good cybersecurity and privacy practices (or lack thereof) across multiple risk areas. Overall results show more than 50 percent of respondents fall within the “vulnerable” side of the spectrum regarding their reported practices and attitudes.
“The survey revealed a number of key issues that decision makers should address right away,” said Michael Osterman, Principal Analyst of Osterman Research. “Among them is the need for more and better security awareness training, and improving employees’ perception of their role as a key line of defense for both security and privacy compliance.”
Confidence and security awareness remain lacking
Awareness of seemingly basic cybersecurity threats and best practices remains insufficient among many employees, putting them and their organizations at risk. More than a quarter admitted struggling to identify a phishing email, while just 17 percent felt “very confident” they could identify a social engineering attack.
Only 27 percent of employees can identify at least two warning signs that malware has infected their computing platform, and two in five employees are unable to describe to senior management the negative impacts posed by cybersecurity risks.
Misinformation and misconceptions abound
Cybersecurity awareness requires the ability to correctly distinguish cybersecurity fact from fiction, yet many employees have distorted ideas. For instance, one in seven employees believe that – much like the flu passes among people – malware can spread among devices in close physical proximity.
A full 39 percent of employees mistakenly believe that simply leaving their computer unlocked can also result in a malware infection.
Privacy regulations remain challenging
Many employees require a better understanding of the privacy regulations and guidelines impacting their organizations, and the requisite steps to protect data.
A majority of employees (more than 60 percent) don’t know if their organization needs to comply with most privacy rules and data protection guidelines such as the CCPA, PCI DSS, and GDPR.
In fact, nearly three in five employees (58 percent) don’t believe that storing sensitive data in an unsecured location could pose a potential policy violation, and even more (69 percent) say the same of storing it on their desktop / laptop computers or mobile devices.
Social media and file-sharing security awareness is high
The majority of employees (more than 50 percent) understand that oversharing on social media is a bad idea, as it can give cybercriminals the information and opportunity to craft more targeted attacks.
More than half of employees understand using personal webmail for work purposes poses a risk to their organization, and 90 percent recognize the risk associated with using personally managed file-sharing or similar cloud solutions for work purposes.
Employees possess password savvy
The majority of employees are mindful of password best practices, using a unique password for every device and application (52 percent). When working from home, 61 percent of employees agree it’s important to change their router’s default password before accessing corporate data or email.
Urgency of updates is understood
Software updates serve an important role in protecting devices from viruses and malware, and ensuring security holes are quickly patched before cyber thieves can exploit them.
The vast majority of employees (84 percent) understand that regularly installing software upgrades helps protect against cybersecurity threats and prevent security breaches.
“Safely navigating the digital world remains confusing for many. Add to that an ever-changing roster of seemingly byzantine rules and regulations and the effort can seem almost insurmountable,” said Tom Pendergast, Chief Learning Officer at MediaPRO.
“This survey shows we still have a long way to go toward resolving employee clarity and consistency on cybersecurity and data privacy obligations and best practices; however, we’re encouraged that many of our respondents appear to be on the right track in putting their cybersecurity knowledge into action day-to-day.”
The information security landscape seems to evolve at a faster clip each year. The deluge of ever-changing threats, attack techniques and new breaches making headlines can be challenging to track and assess. That’s why each year the WatchGuard Threat Lab takes a step back to assess the world of cyber security and develop a series of predictions for what emerging trends will have the biggest impact.
Following the worldwide controversy over hacking that influenced the 2016 presidential election and the many widely publicized privacy and security incidents that have taken place since, we believe the government information security sphere is the stage upon which we’ll see two major security developments play out in 2020.
The first is that bad actors will target voter registration systems with the intent to generate voting havoc and trigger voter fraud alerts. The second is that we’ll see multiple states enact privacy regulations inspired by GDPR and the CCPA. Let’s take a look at how these two issues will unfold in 2020 and what you need to know to be prepared.
Impending voter registration systems hacks
Security researchers have proven many times over that voting machines are hackable, but most of them don’t expect threat actors to expend the vast amount of time and resources needed to successfully hack the 2020 presidential election voting results directly. Instead, these online adversaries will use subtler tactics in the coming months to tamper with the voting process at the state and local level.
The culprits behind previous election-related attacks are state-sponsored actors that are happy to execute highly effective, politically motivated misinformation campaigns across social media platforms, but appear to draw the line at actually altering the voting results themselves. In 2020, they’ll seek to build on the success they achieved in 2016. We believe they will target US voter registration systems to make it more difficult for legitimate voters to cast their ballot and attempt to cause widespread mistrust in the validity of vote counts. Indirectly influencing the election by creating confusion, fear, uncertainty and doubt will be their MO.
What can we do about it? For state and local government departments managing voter registration systems it will be important to perform security audits and find and fix potential vulnerabilities before the bad guys have a chance to exploit them.
While there’s not a tremendous amount the average voter can do to ward off election hacking attempts by state-sponsored cyber criminals, there are some basic things you should keep in mind to make sure your voice is heard on election day. First, double-check the status of your voter registration at least a week before the election. Monitor the news for any updates about voter registration database hacks leading up to the election and be sure to contact your local state voter authority if you’re concerned. Lastly, bring a printed confirmation of your completed voter registration and multiple forms of ID on election day (just in case).
An upsurge in state-level privacy legislation
The European Union made a global splash when it implemented the GDPR. Designed to provide better privacy for its citizens’ data (regardless of the location of the organizations with access to it), the historic law was initially met with cynicism and uncertainty (and even panic in some cases) due to its stringent criteria and heavy penalties for noncompliance.
That said, since its inception, the level of privacy the law provides for individuals has been well-received. People welcome the comfort of knowing that organizations are finally being incentivized to protect their privacy and held accountable for mishandling their data. It goes a long way to inspire confidence in the public when organizations like Google and Marriott are fined millions of euros for GDPR violations.
Massive organizations like Facebook continue to neglect their obligation to safeguard user data, and America’s appetite for privacy seems to be growing with each passing data breach and scandal involving the sale of user data. That’s why in 2020 you should expect to see 10 or more states enact privacy laws similar to GDPR.
In fact, California has already passed its own CCPA and will begin rolling out fines for violations by mid-year. Given that most states passed mandatory data breach disclosure laws in the mid-2000s and lawmakers still haven’t been able to pass a federal version to date, it’s unlikely that the movement to enact a federal privacy law will gain enough steam to pass in the near term. That said, the rising public outcry for data privacy makes it highly likely that individual states will take it upon themselves to follow in California’s footsteps and pass privacy acts of their own.
This momentum will grow in 2020, so it will be critical for businesses across the country to carefully study the CCPA requirements and prepare to make adjustments. Other states will use the CCPA as a reference point for developing similar regulations of their own. If you’re concerned with your own personal data privacy, contact your local representatives to push for state-level legislation and federal action as well.
The road ahead
The changing conditions within the government information security landscape impact every American business and individual in one way or another. We simply can’t afford to be ignorant or apathetic when it comes to matters of public privacy and security.
Whether it be state-sponsored attempts to interfere with the next election, emerging security and privacy regulations, or some other development, we should all strive to become more informed about and engaged in these issues.
Sometimes a disaster strikes: ransomware encrypts critical files, adversaries steal sensitive data, a business application is compromised with a backdoor… This is the stuff that CISOs’ nightmares are made of. As devastating as such incidents can be, for the short time after they occur, the enterprise usually empowers the CISO to implement security measures that he or she didn’t get funding for earlier.
Of course, waiting for disastrous events is a reckless and unproductive way to fund cybersecurity purchases. How can you make a proactive business case for justifying expenses that advance your security program? I have a few suggestions based on my prior consulting experience and my recent work as a CISO at a cybersecurity firm.
Security practitioners used to point to the need for defense-in-depth when explaining why the organization should fund yet another cybersecurity measure. Unfortunately, this principle alone doesn’t clarify how many layers are sufficient. Without business-relevant details and the right context, the people reviewing your request won’t understand its necessity and significance to the organization.
The request itself: What details to include?
You might know why the organization needs a given security measure, but how do you relay its significance to others? At the very least, your funding request should cover:
- Risk: How does the measure mitigate or otherwise address a meaningful risk? Explain the relationship between this risk and the organization’s business objectives. Clarify what might happen if you don’t address the risk and how likely this is to happen.
- Cost: How much will the security measure cost? Include upfront and ongoing expenses. Account for the fees you’ll pay to third parties (software as well as infrastructure) and internal costs related to people’s time. Discuss the costs of alternative ways of addressing the risk.
- Context: What role does your request play as part of the organization’s other initiatives and priorities? Also, discuss how other companies similar to yours handle such risks. Describe the way in which the risk fits into the current threat landscape that’s relevant to your organization.
The details above are essential, but they are not sufficient. The decision makers also need to understand that this is not merely a one-off request, but that it’s a part of a reasonable plan to strengthen the company’s security programs. This is where modern frameworks can help.
Your security program: A method to the madness
If you’re just starting a cybersecurity program, a good way to pick minimum security measures is CIS Critical Controls. This list and the accompanying guide provide practical consensus-based recommendations. If any of these controls are missing from your company, you can point to CIS Critical Controls to justify your request to fund the corresponding initiative. If you’re at a young tech company, consider as another reference the Security4Startups Controls Checklist, which was created by a group of experienced security professionals.
When requesting funding for security projects in organizations that require more sophistication than the lists above offer, take a close look at the NIST Cybersecurity Framework (CSF). It provides a comprehensive listing of security measures that enterprises should implement and has gained traction among government and commercial organizations in the US and world-wide.
Another reference to consider when deciding what security measures your enterprise needs is the Cyber Defense Matrix, created by Sounil Yu. It offers a convenient way to understand the role that your various security tools play and helps identify portfolio gaps. The matrix uses CSF categories to classify cybersecurity controls and reminds you to understand their capabilities with respect to your devices, applications, networks, data, and users. It’s handy for identifying areas that might have too many or too few security measures.
Additional justifications: Legal and privacy considerations
If you need additional ammunition to justify must-have cybersecurity measures, your company’s attorneys might help. Get their guidance regarding picking the baseline controls you must have to exercise due care and avoid negligence. Work with them to understand the relevant laws and regulations. Don’t forget to consider privacy obligations, such as CCPA and GDPR. Ask whether CIS Critical Controls or another framework provides a reasonable starting point.
Speaking of CCPA and GDPR… When explaining how your funding request is a part of a larger plan that benefits the organization, look at the NIST Privacy Framework. This methodology (and others like it) is especially relevant to organizations formalizing their privacy program. Though the scope of a privacy program goes beyond cybersecurity, there is a substantial overlap between the two worlds. You can strengthen the case for your security measure if it addresses cybersecurity as well as privacy risks.
The various frameworks above help you to explain how your security measure – and the associated funding request – fits into your broader plans for securing the organization. Discussing your request as part of the overarching plan explains how this request contributes toward the evolution of your cybersecurity program. It also prepares the organization for the subsequent requests that you will need to submit later.
As state houses and Congress rush to consider new consumer privacy legislation in 2020, Americans expect more control over their personal information online and are concerned with how businesses use the data collected about them, DataGrail research reveals.
In a OnePoll online survey of 2,000 people aged 18 and above, 4 out of 5 Americans agreed there should be a law to protect their personal data, and 83 percent of people expect to have control over how their data is used at a business.
The request for more control over their personal data comes after many Americans experienced, first-hand, existing protections not working – 62 percent of people continue to receive emails from a company after unsubscribing.
In addition, more than 82 percent of people have concerns about businesses monitoring or collecting data from their phone’s microphone, laptop webcams, home devices (such as Google Home, Alexa, etc.), or mobile devices (phone, laptop, etc.) with location tracking.
Consumers do not feel safe from privacy infringements
Further, the research shows consumers do not feel safe from privacy infringements wherever they may be: 85% of those polled said they were concerned that businesses could be monetizing their laptops’ location.
In response to Americans’ demands, state regulators are listening. Several states have developed their own regulations, including California, Nevada and Maine, with Washington, New York and several other states following suit.
The California Consumer Privacy Act (CCPA), which went into effect Jan. 1, 2020, is one of the most consumer-forward, comprehensive and prominent data privacy laws. However, only 24 percent of Americans are familiar with it or have heard of it.
“As people put more of themselves online, they expect to have more control and transparency over their personal information,” said Daniel Barber, CEO of DataGrail.
“The good news is that businesses are responding. Brands are already making big moves to show their dedication to privacy, and it’s paying off. Those that proactively update preferences and consent will end up with a more loyal customer-base.
“However, we still have a lot of education to do. It’s clear people want the regulations. Our research shows that 50% of people would exercise at least one right under the CCPA.”
Control personal data: Data security over affordability
If all Americans were given the rights included in the CCPA:
- 65% of people would like to know and have access to what information businesses are collecting about them.
- 62% of people would like the right to opt-out and tell a business not to share or sell personal information.
- 58% of people would like the right to protections against businesses that do not uphold the value of their privacy.
- 49% of people would like the right to delete their personal data held by the business.
People are also more than willing to take their wallets elsewhere, abandoning their shopping preferences, if they discovered their private data was not protected or was being sold. The survey found that 77% would not shop at their favorite retailer if they found it did not keep their personal data safe.
Additionally, consumers said they would be willing to pay more for better privacy protections: 73% of people polled said they would pay more to online services companies (retailers, ecommerce, and social media) to ensure they didn’t sell their data, show them ads, or use their data for marketing or sales purposes.
The 10 top trends that will drive the most significant technological upheavals this year have been identified by Access Partnership.
“Shifts in tech policy will disrupt life for everyone. While some governments try to leverage the benefits of 5G, artificial intelligence, and IoT, others find reasons simply to confront Big Tech ranging from protectionism to climate urgency.
“Techlash trends highlighted in our report lay bare the risks of regulatory overreach: stymied innovation and economic growth for some and an unfair advantage for others,” said Greg Francis, Managing Director at Access Partnership.
Report highlights: Top policy trends for 2020
- AI regulation taking shape in the EU and the U.S.
- EU-based Digital Services Act (DSA) as the newest power grab since the GDPR
- New wave of tech protectionism in Europe
- China as a supply chain liability; other Asian nations filling in
- Spectrum sharing likely to become more mainstream with 5G
- 5G security to take an important position with shift to control functions
- U.S. privacy laws taking bipartisan note from California’s CCPA
- Data sharing regs to heat up, as balance with innovation becomes more critical
- IoTs, SIMs and eSIMs: who’s responsible for setting regulation?
- Rise of ‘green’ technology policy: another balancing act with industry emissions vs. the industry’s potential ability to solve climate change
Francis continued: “In just one year, we’ve seen dramatic changes in the regulatory and policy landscape for technology companies, originating in Europe but deeply affecting U.S. and other major global players.
“The report notes that while divisive impeachment proceedings in America create a blockage in new legislation pipelines, there is surprising bipartisan agreement on tech policy — Republicans are moving to protect companies from growth-killing regulation, and Democrats are seeking to pre-empt state-level measures.
“We expect to see new regulatory models emerging in the U.S. and other nations in reaction to the EU’s push for digital sovereignty.”
Our data-driven society has a tricky balancing act to perform: building innovative products and services that use personal data while still protecting people’s privacy. To help organizations keep this balance, the National Institute of Standards and Technology (NIST) is offering a new tool for managing privacy risk.
Version 1.0 of the NIST Privacy Framework
The agency has just released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. Developed from a draft version in collaboration with a range of stakeholders, the framework provides a useful set of privacy protection strategies for organizations that wish to improve their approach to using and protecting personal data.
The publication also provides clarification about privacy risk management concepts and the relationship between the Privacy Framework and NIST’s Cybersecurity Framework.
“Privacy is more important than ever in today’s digital age,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan.
“The strong support the Privacy Framework’s development has already received demonstrates the critical need for tools to help organizations build products and services providing real value, while protecting people’s privacy.”
Personal data includes information about specific individuals, such as their addresses or Social Security numbers, that a company might gather and use in the normal course of business. Because this data can be used to identify the people who provide it, an organization must frequently take action to ensure it is not misused in a way that could embarrass, endanger or compromise the customers.
Helping organizations manage privacy risk
The NIST Privacy Framework is not a law or regulation, but rather a voluntary tool that can help organizations manage privacy risk arising from their products and services, as well as demonstrate compliance with laws that may affect them, such as the California Consumer Privacy Act and the European Union’s General Data Protection Regulation. It helps organizations identify the privacy outcomes they want to achieve and then prioritize the actions needed to do so.
“If you want to consider how to increase customer trust through more privacy-protective products or services, the framework can help you do that. But we designed it to be agnostic to any law, so it can assist you no matter what your goals are.”
Privacy application still evolving
Privacy as a basic right in the USA has roots in the U.S. Constitution, but its application in the digital age is still evolving, in part because technology itself is changing at a rapidly accelerating pace.
New uses for data pop up regularly, especially in the context of the internet of things and artificial intelligence, which together promise to gather and analyze patterns in the real world that previously have gone unrecognized. With these opportunities come new risks.
“A class of personal data that we consider to be of low value today may have a whole new use in a couple of years,” Lefkovitz said, “or you might have two classes of data that are not sensitive on their own, but if you put them together they suddenly may become sensitive as a unit. That’s why you need a framework for privacy risk management, not just a checklist of tasks: You need an approach that allows you to continually reevaluate and adjust to new risks.”
The Privacy Framework 1.0 has an overarching structure modeled on that of the widely used NIST Cybersecurity Framework, and the two frameworks are designed to be complementary and also updated over time.
Merely adopting a good security posture is not enough
Privacy and security are related but distinct concepts, Lefkovitz said, and merely adopting a good security posture does not necessarily mean that an organization is addressing all its privacy needs.
As with its draft version, the Privacy Framework centers on three sections: the Core, which offers a set of privacy protection activities; the Profiles, which help determine which of the activities in the Core an organization should pursue to reach its goals most effectively; and the Implementation Tiers, which help optimize the resources dedicated to managing privacy risk.
The NIST authors plan to continue building on their work to benefit the framework’s users. Digital privacy risk management is a comparatively new concept, and Lefkovitz said they received many requests for clarification about the nature of privacy risk, as well as for additional supporting resources.
“People continue to yearn for more guidance on how to do privacy risk management,” she said. “We have released a companion roadmap for the framework to point the way toward more research to address current privacy challenges, and we are building a repository of guidance resources to support implementation of the framework. We hope the community of users will contribute to it to advance privacy for the good of all.”