May 25th is the second anniversary of the General Data Protection Regulation (GDPR) and data around compliance with the regulation shows a significant disconnect between perception and reality.
Only 28% of firms comply with GDPR; however, before GDPR kicked off, 78% of companies felt they would be ready to fulfill its data requirements. While their confidence was high, when push comes to shove, complying with GDPR and GDPR-like laws – like CCPA and PDPA – is not as easy as initially thought.
Data privacy efforts
While crucial, facing this growing set of regulations is a massive, expensive undertaking. If a company is found out of compliance with GDPR, it faces a fine of up to 4% of annual global turnover. To put that percentage in perspective, the 28 major fines handed down since the GDPR took effect in May 2018 add up to $464 million – a hefty sum for sure.
Additionally, there is also a cost to comply – something nearly every company faces today if it conducts business on a global scale. For CCPA alone, the initial estimate for getting California businesses into compliance is around $55 billion, according to the State of California DoJ. That’s just to comply with one regulation.
Here’s the reality: compliance is incredibly expensive, but not quite as expensive as being caught being noncompliant. This double-edged sword is unfortunate, but it is the world we live in. So, how should companies navigate in today’s world to ensure the privacy rights of their customers and teams are protected without missing the mark on any one of these regulatory requirements?
Baby steps to compliance
A number of companies are approaching these various privacy regulations one-by-one. However, taking a separate approach for each one of these regulations is not only extremely laborious and taxing on a business, it’s unnecessary.
Try taking a step back and identifying the common denominator across all of the regulations. You’ll find that in the simplest form, it boils down to knowing what data you actually have and putting the right controls in place to ensure you can properly safeguard it. Implementing this common denominator approach can free up a lot of time, energy and resources dedicated to data privacy efforts across the board.
Consider walking through these steps when getting started. First, identify the sensitive data housed within systems, databases and file stores (e.g. Box, SharePoint). Next, identify who has access to what, so that you can ensure that only the people who should have access do. This is crucial to protecting customer information. Lastly, implement controls to keep employee access updated. Using policies to keep access consistent is important, but it’s crucial that they are updated and stay current with any organizational changes.
Staying ahead of the game
The only way to stay ahead of the numerous privacy regulations is to take a general approach to privacy. We’ve already seen extensions on existing regulations, like The California Privacy Rights and Enforcement Act of 2020. ‘CCPA 2.0’, as some people call it, would be an amendment to the CCPA. So, if this legislation takes effect, it would create a whole new set of privacy rights that align well with GDPR, putting greater safeguards around protecting sensitive personal information. It’s my opinion that, since the world has begun recognizing privacy rights are more invaluable than ever, we’ll continue to see amendments piggybacking on existing regulations across the globe.
While many of us have essentially thrown in the towel, knowing that our own personal data is already out there on the dark web, that doesn’t mean we can all sit back and let this continue to happen. Doing so would be to the detriment of our customers’ privacy, cost-prohibitive and ineffective.
So, what are the key takeaways? Make your data privacy efforts just as central as the rest of your security strategy. Ensure it is holistic and takes into account all the facts and overlaps in the various regulations we’re all required to comply with today. Only then do you stand a chance of protecting your customers’ and your employees’ data and avoiding becoming another news headline and a tally on the GDPR fine count.
British low-cost airline group EasyJet has revealed on Tuesday that it “has been the target of an attack from a highly sophisticated source” and that it has suffered a data breach.
The result? The email addresses and travel details of approximately 9 million customers, and the credit card details (including CVV numbers) of 2,208 customers, were accessed.
How did the attackers manage to breach EasyJet?
EasyJet’s official notice about the incident did not say when it happened, but the company told the BBC that it became aware of it in January and that the customers whose credit card details were stolen were notified in early April.
It also did not say how the attackers got in, only that they seem to have been after “company intellectual property.” Grabbing customer info might have been an afterthought or a secondary goal, then.
Richard Cassidy, senior director security strategy at Exabeam, says that by looking at recent breaches in the aviation industry, the tools, tactics and procedures (TTPs) being used are largely the same ones that have led to significant breaches in other industries.
“Attackers need credentials to access critical data – we can be certain of this – and often it is social engineering techniques that reveal those credentials. They then laterally move through systems and hosts to expand their reach and embed themselves within the infrastructure, providing multiple points of entry and exit. If an attacker can achieve this – as we are seeing here – it is then a case of packaging and exfiltrating critical data,” he added.
“Some airlines are doing it right – implementing state of the art behavioural analytics technologies that learn the normal behaviour of the network and immediately notify the security team when anomalies occur. Many, however, still need to understand that there is a better way to manage security, risk and compliance requirements and it most certainly is not ‘what we’ve always done’. In an industry that has defined ‘automation’ and ‘process efficiencies’, applying the same to Information Security would quite literally revolutionise their ability to detect, respond and mitigate against the largely traditional raft of attack TTPs we’ve seen targeted at aviation this past decade.”
Professor Alan Woodward of the University of Surrey noted that the stolen credit card information might have been the result of a Magecart attack:
— Alan Woodward (@ProfWoodward) May 19, 2020
It would not be the first time for an airline to be targeted by Magecart attackers – British Airways was hit in 2018.
Advice for affected customers
“There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO [the UK’s data protection watchdog], we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing,” said EasyJet Chief Executive Officer Johan Lundgren.
“We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications. We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.”
Unsolicited communications may take the form of fake invoices, refund offers, requests for additional data, and so on.
“Always check the sender name and email address match up and if you’re being asked to carry out an urgent action, verify the legitimacy of the request by contacting EasyJet directly using details on their website,” advised Tim Sadler, CEO, Tessian.
“Cybercriminals have not missed a trick to capitalize on the COVID-19 crisis, and we’ve seen a huge increase in the number of cyber attacks and scams during this time. The travel industry especially has been severely impacted by COVID-19, and there’s no telling how much more damaging this cyber breach will be to EasyJet’s future. Moving forward, organisations should prioritise security protocols, implement sophisticated protection software, and ensure all employees are aware of security best practices, and carrying them out at all times.”
The UK National Cyber Security Centre (NCSC) has advised affected customers to:
- Be vigilant against any unusual activity in their bank accounts or suspicious phone calls and emails asking them for further information
- Change their password on their EasyJet accounts (and other accounts that have the same password)
- Check whether their account has appeared in any other public data breaches
- Report any fraud attempts to the police, the NCSC, and their bank’s fraud department, depending on their nature.
It would be an understatement to say that 2020 is a monumental year for healthcare. The COVID-19 pandemic brought many aspects of care to the forefront – from technology and its ability to connect us, to the necessity for records to be quickly disseminated to patients and their providers, and patients’ rights to exercise informed control over their treatment.
In early March, as COVID-19 impacted areas of the U.S., new healthcare data rules were issued by the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS) to “give patients unprecedented safe, secure access to their health data” so that they can better manage their care.
Currently, many large healthcare organizations share patient information via health information exchanges (HIEs), which are strictly regulated by HIPAA and other similar laws. Under the new rules, patients can choose to have their health records shared with third-party applications that will use the approved API outside of HIPAA’s controls.
There are several federal agencies that will have influence over the development, implementation, and oversight of these applications. For example, if the application is considered a medical device (i.e., software-as-a-medical device), the FDA would oversee how these apps are developed.
Under the purview of HIPAA and new breeds of state privacy laws and regulations, these apps will need to be built with security and privacy in mind, governed with the right controls, and provide appropriate patient verification and authentication. This will fundamentally alter how health data is exchanged between insurers, patients and providers by broadening the scope, but could also open the door for large technology enterprises, many with questionable track records for consumer privacy, to enter the space.
The new rules are intended to empower patients to have greater control over their health data, access to their health information and share their information when and with whom they desire. Compiling health records from all healthcare providers into one application would provide a single source of truth to help patients see the full landscape of their treatments.
The changes to the ADT requirements will offer similar benefits for practitioners, as they would streamline information sharing between large healthcare systems, smaller practices, and specialists caring for the same patient. Combining the benefits of the API with the rapid event notification services, these apps could give providers the most current health information thanks to their real-time connectivity. This has the potential to give independent care teams a comprehensive, timely, and relevant platform to ensure the health and well-being of their patients.
For example, all providers could be notified if their patient tested positive for a virus. Or, in a medical emergency, they could receive a patient’s latest stats to provide lifesaving background information. It would also give organizations advance notice to prepare and triage patients during a significant health crisis.
An app developed to aggregate information collected from providers, payers, and the patient can notify anyone the patient wants informed.
With all the benefits and promises that this legislation provides, there are several considerations that must be weighed due to the inherent sensitivity of patient health information. Regulations such as HIPAA may not apply to third-party applications, which shifts the onus of privacy to the patients, and forces them to make informed decisions about trusting the organization that developed an application that offers these capabilities.
A patient would need to ask: “Do I trust that this app has the appropriate security and privacy safeguards?” It’ll be even more crucial that patients now read the fine print in those complicated and (seemingly) never-ending user agreements. These are where patients give permission for the app developer to store, share, sell, and use their most sensitive information.
Before granting permission, it will be increasingly important to understand how their data will be used and shared. Information is an extremely valuable asset. If the company behind the application is for-profit, then a patient should understand the motive of collecting and using their information.
For practitioners, there are still several unknowns around the mainstream execution and adoption of a third-party application system.
Healthcare organizations will eventually be required to utilize the API of these apps for secure data transfer which could be a burden for smaller practices, and there is industry interest in aggregating records into a single source to assist with diagnostics. However, how would corrections or changes be uniformly executed if the patient’s records are dispersed to multiple organizations or platforms? This could create confusion and misinformation without a clear authority to instate the modifications.
Additionally, the security of the app will be crucial to safeguard this information, along with the right controls and verification and authentication checks. A data breach from these types of applications could trigger catastrophic impacts, such as reputational damage if sensitive patient information is leaked, or fraud results from malicious access to financial information.
Today, a batch of highly detailed healthcare data on the Dark Web is priced between $100 and $500, according to RSA. Compare that to stolen bank account credentials, which range in price from $3 to $24, and you see why patient data is a target for cybercrime.
The convergence of healthcare and technology holds great potential to democratize patient information and enhance practitioners’ ability to provide comprehensive care.
But the complexity of this new legislation creates information privacy risks the industry has never seen before. There are still many unanswered questions about the realities of broad technology adoption, and updated legislation and Federal oversight to reflect the current technology environment are needed to help close the gaps.
These changes in information sharing and care are inevitable and needed, so providers should take it upon themselves to ensure they are informed and prepared to adapt in order to best treat their patients. If we start seeing these capabilities embedded in consumer apps, and done so in a responsible, collaborative manner, then the patient will be put first, and as the CMS says, “[given] access to their health information when they need it most and in a way they can best use it.”
A surprising 51 percent of technology professionals and leaders are highly confident that their cybersecurity teams are ready to detect and respond to rising cybersecurity attacks during COVID-19, according to ISACA. Additionally, 59 percent say their cybersecurity team has the necessary tools and resources at home to perform their job effectively.
This presents a problem, as 58 percent of respondents say threat actors are taking advantage of the pandemic to disrupt organizations, and 92 percent say cyberattacks on individuals are increasing.
Remote work increasing data protection and privacy risk
While 80 percent of organizations shared cyber risk best practices for working at home as shelter in place orders began, 87 percent of respondents still say the rapid transition to remote work has increased data protection and privacy risk.
“Organizations are rapidly and aggressively moving toward new ways of doing business during this time, which is a very positive thing, but it can also lead to making compromises that can leave them vulnerable to threats,” says ISACA CEO David Samuelson.
“A surge in the number of remote workers means there is a greater attack surface. Remote work is critically important right now, so security has to be at the forefront along with employee education.”
More than 3,700 IT audit, risk, governance and cybersecurity professionals from 123 countries were surveyed in mid-April to assess the impact of COVID-19 on their organizations and their own jobs.
Concerns about the wider impact
Most of these professionals believe their jobs are safe. Ten percent think a job loss is likely and 1 percent have been furloughed. However, while their own positions are stable, respondents are still extremely concerned about these wider impacts of the novel coronavirus:
- Economic impact on my national economy (49 percent)
- Health of family and friends (44 percent)
- Personal health (30 percent)
- Economic impact on my organization (24 percent)
The negative effects
While respondents report being highly satisfied with their organization’s internal communications, business continuity plans and executive leadership related to COVID-19, their organizations have not been able to avoid the negative effects, including:
- Decreased revenues/sales (46 percent)
- Reduced overall productivity (37 percent—more executives than practitioners think this is the case)
- Reduced budgets (32 percent)
- Supply chain problems (22 percent)
- Closed business operations (19 percent)
The majority of respondents expect normal business operations to resume by Q3 2020.
“It’s hard to predict what ‘normal’ will look like in the short term,” said ISACA CTO Simona Rollinson. “What we do know is that tech professionals, including the IT audit, risk, governance and security professionals in our community, are more necessary than ever to their enterprises, and they are well-positioned to adapt and even thrive, regardless of what changes may be in store.”
As many organizations are still discovering, compliance is complicated. Stringent regulations, like the GDPR and the CCPA, require multiple steps from numerous departments within an enterprise in order to achieve and maintain compliance. From understanding the regulations, implementing technologies that satisfy legal requirements, hiring qualified staff and training, to documentation updating and reporting – ongoing compliance can be costly and time intensive.
In fact, a report found that one-third of all enterprises (defined as businesses with 1000+ employees) spent more than $1 million on GDPR compliance alone.
As more states move to adopt GDPR-like regulations, such as California’s CCPA and Washington’s failed, but not forgotten Washington Privacy Act (WPA) legislation, organizations are having to look very closely at their data sets and make critical decisions to ensure compliance and data security.
But what can be done to minimize the scope of these stringent and wide-reaching regulations?
If an organization can identify all of its personal data and take it out of the data security and compliance equation completely – rendering it useless to hackers, insider threats, and regulation scope – it can eliminate a huge amount of risk and drastically reduce the cost of compliance.
Enter synthetic data
Organizations like financial institutions and hospitals handle large quantities of extremely sensitive credit/debit card and personally identifiable information (PII). As such, they must navigate a very stringent set of compliance protocols – they can fall under the GDPR, CCPA, PCI DSS and additional laws and regulations depending on their location and the location of their customers.
Synthetic data is helping highly regulated companies safely use customer data to increase efficiencies or reduce operational costs, without falling under the scope of stringent regulations.
Synthetic data makes this possible by removing identifiable characteristics of the institution, customer and transaction to create what is called a synthetic data set. Personally identifiable information is rendered unrecognizable by a one-way hash process that cannot be reversed. A cutting-edge data engine makes minor and random field changes to the original data, keeping the consumer identity and transaction associated with that consumer completely protected.
Once the data is synthesized, it’s impossible for a hacker or malicious insider to reverse-engineer the data. This makes the threat of a data breach a non-issue for even the largest enterprises. Importantly, this synthetic data set still keeps all the statistical value of the original data set, so that analysis and other data strategies may be safely conducted, such as AI algorithm feeding, target marketing and more.
What do the major data privacy regulations say about synthetic data?
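As an added illustration of the process described above (not code from the article or from any vendor’s product), the following Python sketch pseudonymizes the direct identifiers of a transaction record with a keyed hash and applies a small zero-mean random change to the amount field, then checks that no source identifier survives and that the column mean is retained; the sample records, the key and the noise model are constructed for this example.

```python
import hashlib
import hmac
import random
import statistics
from typing import Dict, List

Record = Dict[str, object]

# Constructed sample transactions for this example (not real customers or cards).
# Records 0 and 1 belong to the same customer so the example can show that the
# pseudonym stays consistent across that customer's transactions.
SAMPLE_TRANSACTIONS: List[Record] = [
    {"customer_id": "C1001", "name": "Alice Example", "card_pan": "4111111111111111",
     "merchant": "Grocer A", "amount": 42.50},
    {"customer_id": "C1001", "name": "Alice Example", "card_pan": "4111111111111111",
     "merchant": "Fuel B", "amount": 61.20},
    {"customer_id": "C1002", "name": "Bob Example", "card_pan": "5500000000000004",
     "merchant": "Grocer A", "amount": 18.75},
    {"customer_id": "C1003", "name": "Carol Example", "card_pan": "340000000000009",
     "merchant": "Cafe C", "amount": 7.40},
    {"customer_id": "C1004", "name": "Dan Example", "card_pan": "6011000000000004",
     "merchant": "Fuel B", "amount": 55.00},
]

# Fields that identify a person or card directly; these never leave in the clear.
DIRECT_IDENTIFIERS = ("customer_id", "name", "card_pan")


def pseudonymize(value: str, key: bytes) -> str:
    """One-way replacement for an identifier.

    A keyed hash (HMAC-SHA256) is used rather than a bare hash: the input space
    of a customer id or a 16-digit card number is small enough to enumerate, so
    an unkeyed digest could be matched back to a guessed input. With the key held
    only by the data owner, the output is useless for that lookup, while the same
    input still maps to the same pseudonym, so joins across records keep working.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "syn_" + digest[:16]


def perturb_amount(amount: float, rng: random.Random, rel_sd: float = 0.05) -> float:
    """Small random change to a numeric field.

    Zero-mean multiplicative noise (assumed here as the 'minor and random field
    change'): individual values no longer match the source, but the mean and
    spread of the column stay close to the original.
    """
    return round(amount * (1.0 + rng.gauss(0.0, rel_sd)), 2)


def synthesize(records: List[Record], key: bytes, seed: int = 0) -> List[Record]:
    """Build the synthetic data set: identifiers pseudonymized, amounts perturbed,
    categorical fields such as merchant kept for analysis."""
    rng = random.Random(seed)
    synthetic: List[Record] = []
    for rec in records:
        new: Record = {}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS:
                new[field] = pseudonymize(str(value), key)
            elif field == "amount":
                new[field] = perturb_amount(float(value), rng)
            else:
                new[field] = value
        synthetic.append(new)
    return synthetic


def leaks_identifiers(original: List[Record], synthetic: List[Record]) -> bool:
    """Release check: True if any direct identifier from the source survives verbatim."""
    source_values = {str(r[f]) for r in original for f in DIRECT_IDENTIFIERS}
    return any(str(r[f]) in source_values for r in synthetic for f in DIRECT_IDENTIFIERS)


def mean_amount(records: List[Record]) -> float:
    """Aggregate used to show that the statistical value is retained."""
    return statistics.mean(float(r["amount"]) for r in records)


if __name__ == "__main__":
    key = b"constructed-example-key-keep-secret"
    synth = synthesize(SAMPLE_TRANSACTIONS, key, seed=1)
    for row in synth:
        print(row)
    print("identifier leak:", leaks_identifiers(SAMPLE_TRANSACTIONS, synth))
    print("mean amount original/synthetic:",
          round(mean_amount(SAMPLE_TRANSACTIONS), 2), round(mean_amount(synth), 2))
```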
The CCPA does not expressly reference synthetic data, but it expressly excludes de-identified data from most of the CCPA’s requirements in cases where the requisite safeguards are in place. Synthesized data as defined is considered de-identified data. The CCPA also excludes from its coverage personal information subject to several federal privacy laws and comparable California state laws, including “personal information collected, processed, sold, or disclosed pursuant to Gramm-Leach-Bliley Act (GLBA) and the California Financial Information Privacy Act.”
Likewise, the GDPR does not expressly reference synthetic data, but it expressly says that it does not apply to anonymous information: according to UCL, “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.” Synthetic data is considered personal data which has been rendered anonymous and therefore falls outside the material scope of the GDPR.
Essentially, these important global regulatory mandates do not apply to collection, storage and use of synthesized data.
A big solution for big struggles
As businesses continue to grow in size and number of customers, the amount and frequency of data that flows in also increases dramatically. With these vast streams of data comes a struggle to collect, store and use customer data in a private and secure manner. This struggle is also becoming more publicly known, as headlines of data breaches or compliance violations flood news feeds seemingly every week.
To effectively and efficiently manage the influx of sensitive data while staying compliant and secure, companies can implement synthetic data in their environments with zero risks. Companies can use synthetic data to dig into customer action likelihood, analytics, customer segmentation for marketing, fraud detection trends, and more without jeopardizing compliance or data privacy.
And with data being the key to actualizing machine learning and artificial intelligence engines, companies can also utilize synthetic data to gain valuable insights into their algorithm data and design new products, reduce operational costs, and analyze new business endeavors while keeping customer privacy intact.
With the GDPR and the CCPA now in full effect and more industry and region-specific data regulations on the horizon, organizations of all sizes that want to reduce the burden of compliance will look to use synthetic data technology to manage their privacy and data security-related legal obligations.
Synthetic data helps organizations in highly regulated industries put customer data security and privacy first and keep their data operations frictionless and optimized while minimizing the scope of compliance. The more organizations that adopt synthetic data, the safer personal information transactions become, and the more organizations are free to conduct business without having to worry about regulation.
42% of companies experienced a data loss event that resulted in downtime last year, according to Acronis. That high number is likely caused by the fact that while nearly 90% are backing up the IT components they’re responsible for protecting, only 41% back up daily – leaving many businesses with gaps in the valuable data available for recovery.
The figures revealed illustrate the new reality that traditional strategies and solutions to data protection are no longer able to keep up with the modern IT needs of individuals and organizations.
The importance of implementing a cyber protection strategy
The annual survey, completed this year by nearly 3,000 people, gauges the protection habits of users around the globe. The findings revealed that while 91% of individuals back up data and devices, 68% still lose data as a result of accidental deletion, hardware or software failure, or an out-of-date backup.
Meanwhile, 85% of organizations aren’t backing up multiple times per day; only 15% report that they are. 26% back up daily, 28% back up weekly, 20% back up monthly, and 10% aren’t backing up at all, which can mean days, weeks, or months of data lost with no possibility of complete recovery.
Of those professional users who don’t back up, nearly 50% believe backups aren’t necessary – a belief the survey contradicts: 42% of organizations reported data loss resulting in downtime this year and 41% report losing productivity or money due to data inaccessibility.
Furthermore, only 17% of personal users and 20% of IT professionals follow best practices, employing hybrid backups on local media and in the cloud.
These findings stress the importance of implementing a cyber protection strategy that includes backing up your data multiple times a day and practicing the 3-2-1 backup rule: create three copies of your data (one primary copy and two backups), store your copies in at least two types of storage media, and store one of these copies remotely or in the cloud.
“Individuals and organizations keep suffering from data loss and cyberattacks. Everything around us is rapidly becoming dependent on digital, and it is time for everyone to take cyber protection seriously,” said Acronis Chief Cyber Officer, Gaidar Magdanurov.
“Cyber protection in the digital world becomes the fifth basic human need, especially during this unprecedented time when many people must work remotely and use less secure home networks.
“It is critical to proactively implement a cyber protection strategy that ensures the safety, accessibility, privacy, authenticity, and security of all data, applications, and systems – whether you’re a home user, an IT professional, or an IT service provider.”
Cyber protection changes the game
With increasing cyberattacks, traditional backup is no longer sufficient to protect data, applications, and systems; relying on backup alone for true business continuity is too dangerous. Cybercriminals target backup software with ransomware and try to modify backup files, which magnifies the need for authenticity verification when restoring workloads.
It makes sense, then, that the survey indicated a universally high level of concern about cyberthreats like ransomware. 88% of IT professionals reported concern over ransomware, 86% are concerned about cryptojacking, 87% are concerned about social engineering attacks like phishing, and 91% are concerned about data breaches.
Among personal users, awareness and concern regarding all four of these threat types were nearly as high. In fact, compared to the 2019 survey, their concern about cyberthreats rose by 33%.
The survey also revealed a lack of insight into data management, exposing a great need for cyber protection solutions with greater visibility and analytics. The surprising findings indicate that 30% of personal users and 12% of IT professionals wouldn’t know if their data was modified unexpectedly.
30% of personal users and 13% of IT professionals aren’t sure if their anti-malware solution stops zero-day threats. Additionally, 9% of organizations reported that they didn’t know if they experienced downtime as a result of data loss this year.
To ensure complete protection, secure backups must be part of an organization’s comprehensive cyber protection approach, which includes ransomware protection, disaster recovery, cybersecurity, and management tools.
Cyber protection recommendations
Whether you are concerned about personal files or your company’s business continuity, there are five simple recommendations to ensure fast, efficient, and secure protection of your workloads:
- Always create backups of important data. Keep multiple copies of the backup both locally (so it’s available for fast, frequent recoveries) and in the cloud (to guarantee you have everything if a fire, flood, or disaster hits your facilities).
- Ensure your operating systems and applications are current. Relying on outdated OSes or apps means they lack the bug fixes and security patches that help block cybercriminals from gaining access to your systems.
- Beware suspicious email, links, and attachments. Most virus and ransomware infections are the result of social engineering techniques that trick unsuspecting individuals into opening infected email attachments or clicking on links to websites that host malware.
- Install anti-virus, anti-malware, and anti-ransomware software while enabling automatic updates so your system is protected against malware, with the best software also able to protect against zero-day threats.
- Consider deploying an integrated cyber protection solution that combines backup, anti-ransomware, anti-virus, vulnerability assessment and patch management in a single solution. An integrated solution increases ease of use, efficiency and reliability of protection.
With half of Americans lacking confidence in companies and government when it comes to protecting personal information, it’s no surprise three-quarters (74%) are more alarmed than ever about their privacy, according to research from NortonLifeLock.
More than 10,000 adults online were surveyed in Australia, France, Germany, India, Italy, Japan, Netherlands, New Zealand, the United Kingdom and the United States about their attitudes and behaviors when it comes to cyber safety.
The individual consumer outranks government as most responsible
Americans are split on who should be held most responsible for ensuring personal information and data privacy are protected. Just over a third believe companies are most responsible (36%), followed closely by the individuals providing their information (34%), with slightly fewer holding the government most responsible (29%).
Half of Americans don’t give companies (49%) and government (51%) credit for doing enough when it comes to data privacy and protection. Notably, compared to the other countries surveyed, Americans are most likely to put the burden on individuals—in fact, it’s the only country where the individual consumer outranks government as most responsible.
“Americans are outliers compared to other countries surveyed in that they are willing to accept a lot of the responsibility in protecting their own data and personal information,” says Paige Hanson, chief of cyber safety education, NortonLifeLock.
“This could be the year Americans truly embrace their privacy independence, particularly with the help of new regulations like the California Consumer Privacy Act giving them control over how their data is used.”
Americans have lived up to their sense of self-responsibility, with 87% taking steps to protect their online activities and personal information—whether that’s limiting what they share on social media (38%), avoiding public Wi-Fi (33%) or using identity theft protection services (20%).
Americans are also 15% more likely to say they are proactively looking for better ways to protect their privacy compared to the global average (75% vs. 65%).
Protecting personal information: Additional findings
Three-quarters of U.S. consumers (74%) report being more alarmed than ever about their privacy: The top of consumers’ list of concerns include their personal information being exposed in a data breach and compromised by cybercriminals (52%) and their sensitive personal information being sold to third parties and used in decision-making processes without their consent (43%).
One in six Americans are concerned that their personal information will be used to inappropriately influence how they vote: While much lower on the list of top concerns, it’s worth noting in a presidential election year that 16% of Americans are concerned that their personal information will be used to inappropriately influence how they vote in an election, a concern that is shared equally among Republicans (18%) and Democrats (16%).
Americans who identified as Republicans and Democrats agree on the government’s role in data privacy: Despite the current tensions and political divide, data privacy and protection is one area where Republicans and Democrats are in sync—Republicans (47%) and Democrats (50%) are equally likely to feel that the U.S. government is not doing enough and that the U.S. is behind most other countries when it comes to data privacy laws, with Democrats at 55% and Republicans at 54%.
Despite the potential for abuse or misuse, most Americans support the use of facial recognition: 68% of Americans believe facial recognition will likely be abused or misused in the next year, and 47% believe it will do more harm than good—with the biggest concern being that cyber criminals could access and/or manipulate their facial recognition data and steal their identity (39%).
Nevertheless, after learning the advantages and disadvantages, the majority of Americans still support the use of facial recognition among law enforcement (67%), schools (65%), and to a lesser extent, retailers (54%).
58% of C-level executives at small and medium businesses (SMBs) said their biggest data storage challenge is security vulnerability, according to Infrascale.
The research, conducted in March 2020, is based on a survey of more than 500 C-level executives. CEOs represented 87% of the group. Almost all of the remainder was split between CIOs and CTOs.
“Our research indicates that 21% of SMBs do not have data protection solutions in place,” said Russell P. Reeder, CEO of Infrascale. “That’s a problem, because every modern company depends on data and operational uptime for its very survival. And this has never been more important than during the unprecedented times we are currently facing.”
Data protection means different things to different people
Certain aspects of data protection are more important than others depending upon an individual’s unique experiences and position. But data protection clearly delivers significant value from many vantage points.
When asked what data protection means to them, 61% of the survey group named data security and encryption. The same share said data backup. Nearly as many (59%) defined data protection as data recovery, while 54% cited anti-malware services.
Forty-six percent said data protection addresses email protection. Data archiving and the ability to become operational quickly after a disaster each captured 45% of the survey group’s vote.
Meanwhile, 44% of the group said data protection means ransomware protection/mitigation. The same share named physical device protection for endpoints such as laptops and mobile phones. And 32% said that for them data protection involves processes that prevent user error.
“Data protection can come into play in a wide array of important ways – including data security and encryption, data recovery, email protection and data archiving. It also provides the ability to recover quickly from a disaster, protection from and mitigation of ransomware, and physical device protection. Plus, it can prevent user error,” said Reeder.
“All of the above are valuable for businesses. These benefits contribute to the success of many businesses today, and implementing data protection to these ends will better position organizations for the future.”
Opinions about data protection vary by industry as well
The research suggests there is significant variation in what top executives from different sectors consider the most important aspects of data protection.
In the legal sector, 89% of executives said data protection provides data security and encryption. Seventy-one percent of the top leaders in the healthcare sector agreed. Data security and encryption was the top answer among retail/ecommerce and telecommunications leaders as well, although with lower shares – 67% and 52%, respectively.
Top executives in education see data backup and data recovery as the most important aspects of data protection. Sixty-one percent of this group said they hold this belief. For 57% of the top leaders in accounting, banking or finance, data backup is the key concern in data protection.
Cyberattacks are SMB leaders’ top overall data protection concern
The overall survey group said cyberattacks are the biggest data protection issue their companies are facing. Nearly half (49%) of the group voiced their concern about hacking.
Micro disasters such as corrupted hard drives and malware infections were the second most commonly indicated concern, garnering a 46% share from the group. System crashes (41%), data leaks (39%), ransomware attacks (38%), and human errors (38%) were next on the list.
There was some variation in sector response here as well. Top leaders in education (64%), telecommunications (63%) and healthcare (54%) said that micro disasters are their biggest data protection issues.
But more than half of the survey respondents in both the retail (54%) and financial sectors (53%) said cyberattacks such as ransomware are their leading data protection challenges.
“Cyberattacks like ransomware are a major challenge for businesses today,” said Reeder. “But organizations can put defensive measures in place to lower their susceptibility to attack.”
Most SMBs have data protection in place, but those that don’t remain unprotected
Views about data protection definitions – and what is most important to the protection of SMB data – may vary. But most SMBs clearly believe it is important to have a data protection and/or backup and disaster recovery solution in place, as 79% of the survey group said they already do.
However, while the majority has taken steps to protect data, the remainder – which represents a significant share at 21% – clearly has not. And 13% of SMB C-level executives said they do not have any data protection strategy in place. That leaves these businesses vulnerable.
“Each organization is different,” said Reeder. “But one thing all businesses have in common is a desire to eradicate downtime and data loss. Organizations can and should protect their data, and their businesses as a whole, by enabling comprehensive data protection with modern backup and disaster recovery solutions and strategies.”
The developments in the area of cybersecurity are alarming. As the number of smart devices in private households increases, so do the opportunities for cybercriminals to attack, according to TÜV Rheinland.
Key cybersecurity trends for 2020
Uncontrolled access to personal data undermines confidence in the digital society. The logistics industry and private vehicles are increasingly being targeted by hackers. Experts view these key cybersecurity trends as critical to understand in 2020.
“From our point of view, it is particularly serious that cybercrime is increasingly affecting our personal security and the stability of society as a whole,” explains Petr Láhner, Business Executive Vice President for the business stream Industry Service & Cybersecurity at TÜV Rheinland.
“One of the reasons for this is that digital systems are finding their way into more and more areas of our daily lives. Digitalization offers many advantages – but it is important that these systems and thus the people are safe from attacks.”
Uncontrolled access to personal data could destabilize the digital society
In 2017, Frenchwoman Judith Duportail asked a dating app company to send her any personal information they had about her. In response, she received an 800-page document containing her Facebook likes and dislikes, the age of the men she had expressed interest in, and every single online conversation she had had with all 870 matching contacts since 2013.
The fact that Judith Duportail received so much personal data after several years of using a single app underscores the fact that data protection is now very challenging. In addition, this example shows how little transparency there is about securing and processing data that can be used to gain an accurate picture of an individual’s interests and behavior.
Smart consumer devices are spreading faster than they can be secured
Smart speakers, fitness trackers, smart watches, thermostats, energy meters, smart home security cameras, smart locks and lights are the best-known examples of the seemingly unstoppable democratization of the “Internet of many Things”.
Smart devices are no longer just toys or technological innovations. The number and performance of individual “smart” devices is increasing every year, as these types of devices are quickly becoming an integral part of everyday life.
It is easy to see a future in which the economy and society will become dependent on them, making them a very attractive target for cybercriminals. Until now, the challenge for cybersecurity has been to protect one billion servers and PCs. With the proliferation of smart devices, the attack surface could quickly increase hundreds or thousands of times.
Owning a medical device increases the risk of an internet health crisis
Over the past ten years, personal medical devices such as insulin pumps, heart and glucose monitors, defibrillators and pacemakers have been connected to the internet as part of the “Internet of Medical Things” (IoMT).
At the same time, researchers have identified a growing number of software vulnerabilities and demonstrated the feasibility of attacks on these products. This can lead to targeted attacks on both individuals and entire product classes.
In some cases, the health information generated by the devices can also be intercepted. So far, the healthcare industry has struggled to respond to the problem – especially when the official life of the equipment has expired.
As with so many IoT devices of this generation, networking was more important than the need for cybersecurity. The complex task of maintaining and repairing equipment is badly organized, inadequate or completely absent.
New targets for cyber attacks: Vehicles and transport infrastructure
Through the development of software and hardware platforms, vehicles and transport infrastructure are increasingly connected. These applications offer drivers more flexibility and functionality, potentially more road safety, and seem inevitable given the development of self-driving vehicles.
The disadvantage is the increasing number of vulnerabilities that attackers could exploit – some with direct security implications. Broad cyberattacks targeting transport could affect not only the safety of individual road users, but could also lead to widespread disruption of traffic and urban safety.
Supply chains under attack
With the goal of greater efficiency and lower costs, smart supply chains leverage IoT automation, robotics and big data management – both within a company and with its suppliers.
Smart supply chains increasingly represent virtual warehousing, where the warehouse is no longer just a physical building, but any place where a product or its components can be located at any time. Nevertheless, there is a growing realization that this business model considerably increases the financial risks, even with only relatively minor disruptions.
Smart supply chains are dynamic and efficient, but they are also prone to disruptions in processes. Cyberattacks can manipulate information about deposits, so that components would not be where they are supposed to be.
Threats to shipping are now reality
In 2017, goods with an estimated weight of around 10.7 billion tons were transported by sea. Despite current geopolitical and trade tensions, trade is generally expected to continue to grow.
There is ample evidence that states are experimenting with direct attacks on ship navigation systems. At the same time, attacks on the computer networks of ships used to extort ransom have been reported. Port logistics offers a second, overlapping area of vulnerability.
Many aspects of shipping, such as ship navigation, port logistics and ship computer networks, can be vulnerable to attack. Attacks can originate from states and activist groups. This makes monitoring and understanding a key factor in modern maritime cybersecurity.
Vulnerabilities in real-time operating systems could herald the end of the patch age
It is estimated that by 2025 there will be over 75 billion networked devices on the Internet of Things, each using its own software package. This, in turn, contains many outsourced and potentially vulnerable components. In 2019, Armis Labs discovered eleven serious vulnerabilities (called “Urgent/11”) in the real-time operating system (RTOS) Wind River VxWorks.
Six of these flaws exposed an estimated 200 million IoT devices to the risk of remote code execution (RCE) attacks. This level of weakness is a major challenge as it is often deeply hidden in a large number of products.
Organizations may not even notice that these vulnerabilities exist. In view of this, the procedure of always installing the latest security updates will no longer be effective.
Customer demands for increased data protection and privacy, the ongoing threat of data breaches and misuse by both unauthorized and authorized users, and preparation for the GDPR and similar laws around the globe spurred many organizations to make considerable privacy investments – which are now delivering strong returns, Cisco reveals.
The study is based on results from a double-blind survey of over 2,800 security professionals in organizations of various sizes across 13 countries.
Privacy ROI: Organizations experiencing positive returns
Organizations, on average, receive benefits 2.7 times their investment, and more than 40 percent are seeing benefits that are at least twice that of their privacy spend. Privacy ROI is real; it’s time for organizations to realize the benefits.
Operational and competitive advantages
Up from 40 percent last year, over 70 percent of organizations now say they receive significant business benefits from privacy efforts beyond compliance, including better agility, increased competitive advantage and improved attractiveness to investors, and greater customer trust.
Higher accountability translates to increased benefits
Companies with higher accountability scores (as assessed using the Centre for Information Policy Leadership’s Accountability Wheel, a framework for managing and assessing organizational maturity) experience lower breach costs, shorter sales delays, and higher financial returns.
82% of organizations see privacy certifications as a buying factor
Privacy certifications such as the ISO 27701, EU/Swiss-US Privacy Shield, and APEC Cross Border Privacy Rules system are becoming an important buying factor when selecting a third-party vendor. India and Brazil topped the list with 95 percent of respondents agreeing external certifications are now an important factor.
As markets continue to evolve, organizations should consider prioritizing their privacy investments on:
- Improving transparency about processing activities – be up front and clear about what you are doing with data and why
- Obtaining external privacy certifications – ISO, Shield, CBPRs and BCRs have all become important factors in the buying process by streamlining vendor due diligence
- Going beyond the legal bare minimum – privacy is a business imperative and most organizations are seeing very positive returns on their spend
- Building strong organizational governance and accountability to be able to demonstrate to internal and external stakeholders your privacy program maturity.
As state houses and Congress rush to consider new consumer privacy legislation in 2020, Americans expect more control over their personal information online, and are concerned with how businesses use the data collected about them, DataGrail research reveals.
In a OnePoll online survey of 2,000 people aged 18 and above, 4 out of 5 Americans agreed there should be a law to protect their personal data, and 83 percent of people expect to have control over how their data is used at a business.
The request for more control over their personal data comes after many Americans experienced, first-hand, existing protections not working – 62 percent of people continue to receive emails from a company after unsubscribing.
In addition, more than 82 percent of people have concerns about businesses monitoring or collecting data from their phone’s microphone, laptop webcams, home devices (such as Google Home, Alexa, etc.), or mobile devices (phone, laptop, etc.) with location tracking.
Consumers do not feel safe from privacy infringements
Further, the research shows consumers do not feel safe from privacy infringements wherever they may be: 85% of those polled said they were concerned that businesses could be monetizing their laptops’ location.
In response to Americans’ demands, state regulators are listening. Several states have developed their own regulations, including California, Nevada and Maine, with Washington, New York and several other states following suit.
The California Consumer Privacy Act (CCPA) that went into effect Jan. 1, 2020, is one of the most consumer-forward, comprehensive and prominent data privacy laws. However, only 24 percent of Americans are familiar with it or have heard of it.
“As people put more of themselves online, they expect to have more control and transparency over their personal information,” said Daniel Barber, CEO of DataGrail.
“The good news is that businesses are responding. Brands are already making big moves to show their dedication to privacy, and it’s paying off. Those that proactively update preferences and consent will end up with a more loyal customer-base.
“However, we still have a lot of education to do. It’s clear people want the regulations. Our research shows that 50% of people would exercise at least one right under the CCPA.”
Control personal data: Data security over affordability
If all Americans were given the rights included in the CCPA:
- 65% of people would like to know and have access to what information businesses are collecting about them.
- 62% of people would like the right to opt-out and tell a business not to share or sell personal information.
- 58% of people would like the right to protections against businesses that do not uphold the value of their privacy.
- 49% of people would like the right to delete their personal data held by the business.
People are also more than willing to take their wallets elsewhere, even if it means breaking with their shopping preferences, if they discover their private data is not protected or is being sold. The survey found that 77% would not shop at their favorite retailer if they found it did not keep their personal data safe.
Additionally, consumers said they would be willing to pay more for better privacy protections: 73% of people polled said they would pay more to online services companies (retailers, ecommerce, and social media) to ensure they didn’t sell their data, show them ads, or use their data for marketing or sales purposes.
Seventy-nine percent of companies store sensitive data in the public cloud, according to a McAfee survey.
Anonymized cloud event data showing percentage of files in the cloud with sensitive data
While these companies approve an average of 41 cloud services each, up 33 percent from last year, thousands of other services are used ad-hoc without vetting. In addition, 52 percent of companies use cloud services that have had user data stolen in a breach.
By leaving significant gaps in the visibility of their data, organizations leave themselves open to loss of sensitive data and to regulatory non-compliance.
Cloud services have replaced many business-critical applications formerly run as on-premises software, leading to a migration of sensitive data to the cloud. Use of personal devices when accessing cloud services, the movement of data between cloud services, and the sprawl of high-risk cloud services drive new areas of risk for companies using the cloud.
For organizations to secure their data they need a thorough understanding of where their data is and how it is shared – especially with the rapid adoption of cloud services.
As part of this report, McAfee surveyed 1,000 enterprise organizations in 11 countries and investigated anonymized events from 30 million enterprise cloud users to gain a holistic view of modern data dispersion.
Shadow IT continues to expand enterprise risk
According to the study, 26 percent of files in the cloud contain sensitive data, an increase of 23 percent year-over-year. Ninety-one percent of cloud services do not encrypt data at rest, meaning data isn’t protected if the cloud provider is breached.
Personal devices are black holes
Seventy-nine percent of companies allow access to enterprise-approved cloud services from personal devices. One in four companies have had their sensitive data downloaded from the cloud to an unmanaged, personal device, where they can’t see or control what happens to the data.
Accessing cloud services: Intercloud travel and risk
Collaboration facilitates the transfer of data within and between cloud services, creating a new challenge for data protection. Forty-nine percent of files that enter a cloud service are eventually shared.
One in 10 files that contain sensitive data and are shared in the cloud use a publicly accessible link to the file, an increase of 111 percent year-over-year.
Anonymized cloud event data showing percentage of files shared in the cloud with sensitive data using a public access link
A new era of data protection is on the horizon
Ninety-three percent of CISOs understand it’s their responsibility to secure data in the cloud. However, 30 percent of companies lack the staff with skills to secure their Software-as-a-Service applications, up 33 percent from last year. Both technology and training are outpaced by the rapid expansion of cloud.
“Security that is data-centric, creating a spectrum of controls from the device, through the web, into the cloud, and within the cloud provides the opportunity to break the paradigm of yesterday’s network-centric protection that is not sufficient for today’s cloud-first needs.”
Patients and consumers deserve better access to personalized, actionable health care information to empower them to make better, more informed decisions – but it should not drive up health care costs or compromise the privacy of their personal health data, according to a poll of patients and consumers from Morning Consult and America’s Health Insurance Plans (AHIP).
Personal privacy outweighs increased transparency
A strong majority (62%) of patients want their data and privacy protected more than ever, even if it means forgoing easier health data access. Further, 3 in 4 adults would not support a new federal regulation that makes it easier to find the cost of medical procedures if it also raises insurance premiums.
Other major takeaways from the poll include:
- The vast majority (82%) of adults want their health care information delivered in a way that is more concise and simpler to understand.
- An overwhelming majority (90%) reported they want technology companies held to the same high standard and scrutiny as health insurance providers when it comes to protecting their information.
- A strong majority (66%) of adults said that they would consider making an appointment with a different specialist if they knew they would receive the same quality of care, but at a lower cost.
“These findings from patients and consumers are significant,” said Matt Eyles, AHIP President and CEO. “When it comes to transparency in health care, patients overwhelmingly want two things – for the information to be clear, concise, and customized, and for their privacy to be protected. Any new rules must ensure we protect patient privacy, reduce health care costs, and get personalized information into the hands of patients.”
Health insurance tools
Today, health insurance providers already offer tools and services that ensure the people they serve have personalized, actionable information to help them make the best health decisions for them and their family. These tools include:
- Cost estimator tools
- Prescription drug cost tools
- Online provider directories
- Telehealth services
The 10 top trends that will drive the most significant technological upheavals this year have been identified by Access Partnership.
“Shifts in tech policy will disrupt life for everyone. While some governments try to leverage the benefits of 5G, artificial intelligence, and IoT, others find reasons simply to confront Big Tech ranging from protectionism to climate urgency.
“Techlash trends highlighted in our report lay bare the risks of regulatory overreach: stymied innovation and economic growth for some and an unfair advantage for others,” said Greg Francis, Managing Director at Access Partnership.
Report highlights: Top policy trends for 2020
- AI regulation taking shape in the EU and the U.S.
- EU-based Digital Services Act (DSA) as the newest power grab since the GDPR
- New wave of tech protectionism in Europe
- China as a supply chain liability; other Asian nations filling in
- Spectrum sharing likely to become more mainstream with 5G
- 5G security to take an important position with shift to control functions
- U.S. privacy laws taking bipartisan note from California’s CCPA
- Data sharing regs to heat up, as balance with innovation becomes more critical
- IoTs, SIMs and eSIMs: who’s responsible for setting regulation?
- Rise of ‘green’ technology policy: another balancing act with industry emissions vs. the industry’s potential ability to solve climate change
Francis continued: “In just one year, we’ve seen dramatic changes in the regulatory and policy landscape for technology companies, originating in Europe but deeply affecting U.S. and other major global players.
“The report notes that while divisive impeachment proceedings in America create a blockage in new legislation pipelines, there is surprising bipartisan agreement on tech policy — Republicans are moving to protect companies from growth-killing regulation, and Democrats are seeking to pre-empt state-level measures.
“We expect to see new regulatory models emerging in the U.S. and other nations in reaction to the EU’s push for digital sovereignty.”
The California Consumer Privacy Act became effective on the first day of 2020 and will affect millions of consumers and tens of thousands of companies.
The advent of the CCPA and other similar regulations marks a sea change in how companies need to manage data and consumer privacy. As with many other regulations, organizations may view CCPA as a compliance burden. Forward-thinking companies, though, may view the law as an opportunity to increase customer personalization.
The CCPA is considered to be the most comprehensive of any state privacy law. In 2018, the General Data Protection Regulation (GDPR), the biggest remake of data privacy rules affecting European citizens in more than 20 years, required similar actions.
Effectively, the CCPA gives regulatory power to the individual because consumers can opt out of having their data sold and have the right to be forgotten. To achieve compliance, companies need to adjust, and switch from a one-size-fits-all mindset on data management to a highly agile, personal approach for consumer data.
This means that companies need data policies that sit with and follow the data so that a consumer can opt to share one piece of data about themselves with company A, but not company B, and another piece of data about themselves for some purposes, but not others.
The data about the data
Being able to do that sounds like a daunting prospect, and it is: legacy technologies and ways of handling data can’t do it. But next generation database technologies allow companies of all sizes to get specific with data.
In effect, the CCPA and the GDPR require companies to have a 360-degree view of their data. Achieving that means breaking data out of silos and integrating it in a central hub where it can be governed according to consistent policies and accessed appropriately.
This governance and management of data depends on being able to also manage metadata. Metadata is the data about the data. When that metadata sits with the data – versus a separate and disconnected repository of data rules – companies get to the granular level that new regulations require.
For example, if data includes an email address, companies need metadata spelling out what consent has been given for its use. If consent is given for it to be used for billing but not for marketing, the data hub makes it available only for billing and not for marketing.
It’s difficult to ensure trust and accountability in data when data is sourced from different silos and applied to many different use cases. However, when governance policies regarding such things as restricted access to personal information are embedded in a central data hub, they can be applied to any use case, ensuring that the data is always fit for purpose. This allows for more standardized, automated and auditable application of data governance policies, without having to educate everyone in your organization every time a policy changes.
Companies can pursue these changes incrementally, as well. Metadata can be attached to data even if the data stays in a silo. A bank, for instance, can consolidate a metadata index around customer data for a loan, and the policies regarding privacy will stay with the data in that case, too.
Metadata also enables companies to know where data came from, when it arrived, if, how and when it was changed, and who changed it. This provides the context necessary for an accurate view.
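The billing-but-not-marketing case above, as an added Python example that is not part of the original article or of any vendor's product: a small in-memory data hub (hypothetical class and method names) in which each stored value carries its own set of consented purposes and a provenance history. A read for a purpose the subject has not consented to is refused and recorded in the audit log, an opt-out strips that purpose from every attribute the subject has, and a deletion request removes the data while leaving an audit trace. Subject ids such as cust-42, the purpose names and the sample values are constructed.

```python
"""Added example: consent and provenance metadata travel with each stored value.
Hypothetical code, not a real product API; all identifiers and values are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


class ConsentError(PermissionError):
    """The value exists, but the subject has not consented to this purpose."""


@dataclass
class Provenance:
    """One entry in the change history that rides along with a stored value."""
    when: str
    actor: str
    action: str
    detail: str = ""


@dataclass
class Attribute:
    """A stored value together with the metadata that governs it."""
    value: str
    purposes: set[str]                                   # purposes the subject consented to
    history: list[Provenance] = field(default_factory=list)


class DataHub:
    """Central hub: every read is checked against the value's own consent metadata and audited."""

    def __init__(self) -> None:
        self._store: dict[str, dict[str, Attribute]] = {}  # subject_id -> field name -> Attribute
        self.audit: list[dict] = []                         # every access decision, allowed or denied

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def ingest(self, subject_id: str, name: str, value: str, purposes: set[str],
               source: str, actor: str) -> None:
        attr = Attribute(value, set(purposes))
        attr.history.append(Provenance(self._now(), actor, "ingest", f"source={source}"))
        self._store.setdefault(subject_id, {})[name] = attr

    def access(self, subject_id: str, name: str, purpose: str, actor: str) -> str:
        # The decision is logged whether or not it is allowed, so denials are visible to auditors.
        attr = self._store.get(subject_id, {}).get(name)
        allowed = attr is not None and purpose in attr.purposes
        self.audit.append({"when": self._now(), "actor": actor, "subject": subject_id,
                           "field": name, "purpose": purpose, "allowed": allowed})
        if attr is None:
            raise KeyError(f"{subject_id}/{name} is not held by the hub")
        if not allowed:
            raise ConsentError(f"{subject_id}/{name}: no consent for purpose {purpose!r}")
        return attr.value

    def update(self, subject_id: str, name: str, new_value: str, actor: str) -> None:
        attr = self._store[subject_id][name]
        attr.history.append(Provenance(self._now(), actor, "update", f"{attr.value} -> {new_value}"))
        attr.value = new_value

    def withdraw_consent(self, subject_id: str, purpose: str, actor: str) -> int:
        """Opt-out of one purpose across every attribute the subject has; returns how many changed."""
        changed = 0
        for attr in self._store.get(subject_id, {}).values():
            if purpose in attr.purposes:
                attr.purposes.discard(purpose)
                attr.history.append(Provenance(self._now(), actor, "withdraw_consent", purpose))
                changed += 1
        return changed

    def erase(self, subject_id: str, actor: str) -> list[str]:
        """Deletion request: drop the subject's data but keep a record that the erasure happened."""
        removed = sorted(self._store.pop(subject_id, {}))
        self.audit.append({"when": self._now(), "actor": actor, "subject": subject_id,
                           "field": ",".join(removed), "purpose": "erase", "allowed": True})
        return removed

    def lineage(self, subject_id: str, name: str) -> list[tuple[str, str, str]]:
        """Who did what to this value, in order."""
        return [(p.action, p.actor, p.detail) for p in self._store[subject_id][name].history]


def demo() -> dict:
    """Walk through the billing-but-not-marketing case with constructed sample data."""
    hub = DataHub()
    hub.ingest("cust-42", "email", "alice@example.com", {"billing"},
               source="signup-form", actor="crm-import")
    billing_value = hub.access("cust-42", "email", "billing", actor="invoicing")
    try:
        hub.access("cust-42", "email", "marketing", actor="campaign-tool")
        marketing = "released"
    except ConsentError:
        marketing = "denied"
    hub.update("cust-42", "email", "alice@example.org", actor="support-desk")
    hub.withdraw_consent("cust-42", "billing", actor="privacy-portal")
    try:
        hub.access("cust-42", "email", "billing", actor="invoicing")
        billing_after = "released"
    except ConsentError:
        billing_after = "denied"
    return {"billing_value": billing_value, "marketing": marketing,
            "billing_after_optout": billing_after,
            "lineage": [action for action, _, _ in hub.lineage("cust-42", "email")],
            "erased": hub.erase("cust-42", actor="privacy-portal"),
            "denied_reads": sum(1 for entry in hub.audit if not entry["allowed"])}
```

Calling demo() shows the policy following the data rather than living in a separate rulebook: the same email value is released to invoicing and refused to the campaign tool, the refusal and the later opt-out are both visible in the audit log and the value's history, and after erasure only the audit trace remains. Attaching the metadata per attribute is what lets this work incrementally, as the text notes, even when the underlying record still lives in a silo.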
Lean into data regulations
Because use cases, regulations and policies change frequently, modern data management systems provide the flexibility to support changing regulations and business needs. But whether companies change incrementally or with a new data structure, they’ll sell themselves short if they only get into compliance with CCPA and GDPR.
Rather than view data as a regulatory compliance liability, leading enterprises succeeding at addressing regulatory compliance look at data as an asset and regulations as compelling events to better leverage those assets. Indeed, when companies know their customers’ preferences so well that they can abide by detailed privacy preferences, they know their customers very well.
That knowledge will enable them to tailor offers, extend targeted services and provide suggestions to the consumer like never before. Also, that company will be well positioned to confidently share data to further enable personalization of the customer experience.
Companies that achieve a better customer experience – more personalized and more enduring relationships based on transparency and trust – will experience a big upside. Eight in ten consumers say they’re more likely to do business with a company if it offers personalized experiences, and nine in ten people find personalization appealing, indicates research from Epsilon.
Forward leaning posture
In the old days, TV networks blasted everyone with the same commercials. Now, commercials are targeted toward preferences that consumers signal by where they shop, what they buy, when they go online, what they watch, what they listen to, and many more data points collected behind the scenes.
For the most part, companies have had a free ride collecting and using that consumer data. Now, that free ride is ending. The GDPR alone is estimated to impact 740 million consumers. According to the Internet Association, a trade association for Internet companies that is pushing for more consistent federal regulation, 29 US states have now passed laws related to data privacy, and there’s no doubt more will come.
Companies that shift from a defensive crouch regarding regulatory requirements and adopt a forward leaning posture will create a platform that’s respectful of consumer data and wishes – and mindful of how consumers shop and the services they seek. This will be a winning formula for both consumer and company.
Organizations are starting to take a much more considered approach to data protection as high-profile regulatory action for data mishandlings has raised both the stakes and interest in data privacy operations.
Since the EU General Data Protection Regulation (GDPR) came into force in May 2018, data protection has risen to the top of the news agenda. Simultaneously, the GDPR has raised the profile and highlighted the importance of the Data Protection Officer (DPO) internationally as, under this legislation, certain entities are under legal obligation to appoint a DPO.
Noncompliance with the GDPR carries hefty fines and is generally associated with a wave of negativity when public trust is compromised. Moreover, there is a growing global awareness that data protection matters, and people expect organizations to handle their personal data with care. It is for this reason that legislators around the world are actively seeking new ways to protect the security and privacy of personal data.
Organizations should strive for ethical handling of personal data
The global movement for an ethical handling of personal information is multidimensional. Investor activism and customer scrutiny – over the way their data is collected, processed and used – is putting the pressure on organizations to act ethically and on legislators to enact laws that effectively deal with rapid technological changes. Issues related to corporate governance and accountability are at the center of this movement.
Every day at HewardMills we speak with more and more organizations recognizing the value of in-depth knowledge and the need for total autonomy in this area. Businesses understand that their reputation is closely aligned with the processes around privacy and data protection in place. As a result, clearer lines are being drawn around departmental responsibilities to better operationalize data protection regulations.
Similar to other data specialist skill sets, demand for qualified and experienced DPOs is rising. This is a result of the role being both legally required for certain entities and organizations realizing the value of fostering a data protection culture.
The DPO role is a cornerstone
The DPO can be internal or external, but they must be allowed to function independently. They are the link between the organization, the supervisory authorities and the data subjects. Thus, it is important that the DPO strike a careful balance to meet their own obligations toward all parties involved.
DPOs play a pivotal role in an organization’s data management health and are required to report directly to the highest level of management. Some tasks that fall under the DPO role include advising on issues around data protection impact assessments (DPIAs), training, overseeing the accuracy of data mapping and responding to data subject access requests (DSARs). These things are all mandated under the GDPR.
Even the best intentions fall flat without the right execution
Organizations may have good intentions to achieve best practices and meet their legal obligations, but the data protection process does not stop there. Practical knowledge on how to operationalize legal obligations is the key to success. For example, if an organization is not adequately prepared to respond to DSARs, it may miss the one-month GDPR deadline or respond in an incomplete manner.
Since the GDPR came into effect, supervisory authorities have actively sought greater transparency. This means that there is a particular focus on accurate privacy notices, data protection impact assessments and legitimate interest assessments. Given the global trend toward accountability, it is safe to argue that investing in data protection and privacy will win the trust of individuals, be they customers or employees. Organizations that foster a culture of integrity are at a competitive advantage in a world where privacy and data protection matter. For those that do not, the financial, legal and public opinion risks can be significant.
Getting ahead of the risks
Being responsive to GDPR data subject requests helps to build trust with individuals and demonstrates a serious dedication to data protection obligations. The DPO is the contact point for data subjects who are exercising their rights. As such, DPOs must be easily accessible, be it by telephone, mail or other avenues. Lack of resources is not an excuse for neglecting legal obligations and denying data subjects their rights. A consultant or outsourced DPO role can provide a cost-effective way to fill this gap.
DPOs help organizations to prioritize risks. While they themselves must address the highest-risk activities first, they must also educate on how DPIA conclusions are reached. This allows controllers to know which activities should be prioritized and, ultimately, ensures data controllers are informed about the perceived risks relating to different processing activities. For instance, the DPO could flag data protection audits, the need for enhanced security measures, or gaps in staff training and resource allocations.
The insurance policy of an autonomous partner
To maintain the level of autonomy needed to act as an independent body, job security has been built into the DPO appointment. The DPO can be disciplined or even terminated for legitimate reasons. However, they cannot be dismissed or penalized by the controller or processor as a result of carrying out their duties. In other words, the organization cannot direct the DPO or instruct them to reach a certain desired conclusion. The DPO must also be given the resources required to achieve this level of independence and carry out their duties. Typically, these resources are budget, equipment and staff.
One of the benefits of using an external DPO is that conflicts of interest are less likely. Organizations should strive to give the DPO the necessary autonomy to successfully act as a bridge between data subjects, the organization and the supervisory authorities. The DPO should not be assigned tasks that would put them in a position of “marking their own homework”. Used correctly, the DPO is a partner that helps navigate the organization toward an ethical handling of personal data.
Faced with meeting strict obligations under GDPR, organizations controlling and processing personal data must empower and embrace their DPOs and work closely with them. Organizations should view DPOs as a type of insurance policy for data risk and not think of them as the regulators’ undercover watchmen.
Work around data seems to never end. Between collection, sharing and use, the burden falls onto the shoulders of the CISO, and the breadth of that burden seems to increase year-on-year. The question that must be asked is: can we expect the CISO to prosper when the essence of data itself seems to be out of control?
Complex issues can be broken down into simpler parts to help resolve them. This may be true in the case of data security. The state of data can be reduced to the question of who owns it: data ownership equates to data control.
This approach then leads to more nuanced layers of consideration:
- When does data ownership change hands?
- How does data ownership impact security choices?
- What aspects of data governance and regulatory compliance are affected?
In turn, further layers of the data onion will peel away to reveal more questions, such as, who owns the responsibility in complying with data regulations? And where does the responsibility for data security actually lie? If a customer uploads an image to your site – who owns that image? And, who is responsible for keeping it safe?
These questions open a moral dilemma around data security responsibility – and nuanced questions can lead to fuzzy answers. Any fuzziness in ownership can be used to offset responsibility. If a CISO is swamped with work, it is a natural next step to ‘pass the buck’. Understanding the finer aspects and nature of data can give us a more detailed analysis to work from.
Where does the data buck stop?
The data ownership vs. data processing dichotomy is a great place to understand where the data buck stops. It can help to use the GDPR principles around data. Article 4 of the GDPR provides the definitions of data processing and control to allocate responsibility; whilst the two are intrinsically linked and there may be some overlap, you can say:
Data controller: Article 5 of the GDPR sets out that the data controller must act in a manner of “lawfulness, fairness and transparency”. The data subject rights, such as data consent and access rights, are under the controller’s remit. Controllers should also protect the accuracy and confidentiality of personal data. In doing so, the controller will need to ensure the data processor is up to the job.
Data processor: This is an entity that processes the data on behalf of the controller. For example, if a user withdraws consent, the controller will handle this request, but the processor would be responsible for removing the data from their servers. It is important to note that a data processor carries a strong security responsibility; however, cloud providers that are not exposed to the data won’t be labeled processors under GDPR.
The CISO may similarly have to set up their own “internal GDPR” equivalent to delegate ownership and help share data responsibility. The data onion, as you can see, has many layers.
How data ownership contracts can help
The CISO is not an island, and vendors are part of the data lifecycle. The data onion has touchpoints across technology, legal, and social. The legal argument can be headed off using Data Ownership Contracts with your vendors. Cloud vendors, for example, may offer these types of contracts. The contracts typically have clauses that cover data privacy and security. These contracts handle various aspects of data protection, which should include:
1. Technological measures used to protect data.
2. Data breach notification procedures.
3. Compliance with any data protection regulations, such as GDPR and industry specific ones.
4. Third-party liabilities (this is the extended vendor ecosystem which adds yet another layer to the data lifecycle).
5. Data breach indemnity support.
The bottom line here is that there are many cogs in the ‘data lifecycle wheel’ and contracts can only go so far. However, we must be able to address the underlying issue of data ownership and movement to ensure all parts of this data lifecycle wheel are well lubricated.
The work of the CISO is never done but data governance can help
Cloud computing, the regulatory landscape, and changing customer expectations have changed data security choices and needs. The CISO has to fit all of these moving parts together and keep everyone happy.
Gartner has predicted that through 2025, 99% of cloud security failures will be the customer’s fault. They recommend that CIOs can combat this by implementing and enforcing policies on cloud ownership, responsibility, and risk acceptance. In addition, 60% of enterprises with proper Cloud Governance will see one-third fewer security incidents.
Layers of cloud complexity for the CISO
Whilst cloud computing is important, the way it is being handled creates further complexity. By adopting the SaaS offerings of IT infrastructure giants like VMware and IBM, organizations effectively initiate vendor lock-in as they migrate to that cloud infrastructure and embrace the multi-cloud ethos.
The result is that the CISO must incorporate ‘cloud-thinking’ into a model of security that embraces the cloud, SaaS, vendor ecosystems, compliance requirements, and customer needs. The data onion has many layers, but a comprehensive security approach that applies encryption across the whole spectrum of data at rest, in transit, and in use can take care of the vagaries of data ownership, preventing a ‘pass the buck’ culture.
We’re all actors in the data protection play
Protecting data that is at rest, in transit, and in use covers the spectrum of our ‘theatre of data’. A broad-brush approach to security covers the bases of the entire cast in the data protection play. This approach can give us the technological tools to protect data no matter who owns it, where it resides, or where it ends up. The ownership of data in a world where cloud and SaaS are ubiquitous is complicated with many stakeholders.
The CISO can turn this on its head by using encryption across the data lifecycle: no matter where the data goes, where it is stored or how it is used, if encryption is part of the whole journey of the data, ownership becomes moot.
With the advent of laws like the EU’s GDPR and California’s CCPA, which are sure to be portents of things to come (i.e., more and better data privacy legislation), companies with a global presence are starting to think about whether they should implement different user data privacy protection regimes for each region or whether it would be easier to globally comply with the strictest of the existing laws.
Microsoft, for example, chose the latter course of action. In May 2018, the company announced that it will extend the rights that are at the heart of GDPR to all of their consumer customers worldwide. More recently, it decided to honor California’s digital privacy law all through the U.S.
For companies like Microsoft, who offer services to enterprise clients, the decision is a no-brainer: they are getting a leg-up on competitors as organizations look for solutions that have compliance to the most progressive data privacy laws baked in by default.
Data collection balancing act: Privacy and trust
More and more companies are using privacy as a selling point by offering products that are privacy-friendly, says Cassandra Moons, Data Privacy Officer at TomTom, the Dutch multinational company developing location and navigation technology for both the consumer and business market.
Apple has, for example, made every effort to stand out from the competition in all arenas by incorporating privacy-preserving features from the get-go in many of their products.
Take Apple Maps, for example: in summer 2018, the company detailed its efforts to rebuild and improve the web mapping service and explained how, even though it collects navigation data from iPhone users, it manages not to intrude on users’ privacy.
Apple Maps also still uses data collected by third parties like TomTom but, as Moons notes, anonymizing location data is the foundation of their relationship with their customers.
“It’s crucial that we retain our customers’ trust. For example, we need them to know that we only use their data to deliver meaningful improvements, not to sell them ads or direct them past a sponsor restaurant. That’s why we anonymize all data by disconnecting the link with the customer and their GPS traces,” she told Help Net Security.
“TomTom internally performs Privacy Impact Assessments (PIA), a framework for deciding what data we truly need to gather and how to prioritize user privacy (privacy-by-design). The PIA also governs our data-sharing relationships with third parties, ensuring we’re not just compliant with GDPR but that we’re being truly transparent with (and protective of) our users by vetting third-parties.”
What’s the right amount of data collection?
The “right” amount of data depends on the sensitivity of the data, the volume and what you want to use the data for.
“GDPR recognizes the principle of data minimization, which means one should only collect personal data ‘adequate, relevant and limited to what is necessary in relation to the purposes for which the personal data are processed’. In the end, though, it’s on the individuals who had their data collected to determine the ‘right’ amount. If a company is able to explain to individuals why its data collection is in line with this principle, it’s fair to assume you have collected the ‘right’ amount of data,” she pointed out.
But the issue of privacy should never be addressed in the Terms and Conditions, she feels, because no one ever reads those.
“Privacy should always be a standalone communication. It should be completely clear what a user is signing up to. A user should be well-informed about which data is being collected, should have control over which data can be used and be aware of the purposes for which a company uses their data,” she opined.
True ethical data management can be a business practice for a company that relies on user data in order to run and improve their products, she says. “When a company has embedded ethical values such as preventing user discrimination and putting the user first when it comes to privacy, ethics and big data collection will align and move together in the same direction.”
How will the collection of data for driver apps evolve?
As apps move from phones to cars and power the connected driving experience, driving apps will rely much more on the community to keep them updated, she says.
“To be successful, driving apps need to be trustworthy and reliable, they must protect user data, and they should be completely transparent about how this information is being used. Moving the traditional data gathering and use model from mobile apps to driving apps simply won’t work,” she added.
“In order to maintain reliability, app developers need to work with the community to be sensitive about their legitimate concerns, and show that they are using their data securely and wisely to bring services that add real value to drivers everywhere. The collection of data always needs to comply with relevant privacy laws, including appropriate user control standards, no matter the type and volume of personal data.”
Organizations aren’t moving quickly enough on cybersecurity threats linked to the drive toward using personal mobile devices in the workplace, warns a QUT privacy researcher.
QUT’s Dr Kenan Degirmenci
BYOD security challenges everywhere
Dr Kenan Degirmenci from QUT’s Science and Engineering Faculty’s School of Information Systems said workers worldwide expected to take their work with them whenever and wherever. But he warned Bring Your Own Device (BYOD) had opened up a can of worms for employers and employees alike.
“The breakneck speed of digital transformation brought with it opportunities as well as threats,” he said.
“Organizations don’t appear to be keeping up with the pace of change, deliberately putting the brakes on digital transformation because it comes with security challenges.”
Dr Degirmenci said, nonetheless, that by 2021 the BYOD and enterprise mobility market, which incorporates segments such as software, security, data management and network security, is estimated to grow to $73 billion globally.
Data breaches including stealing of personal information are also on the rise for all kinds of businesses and workplaces.
Often employees use their personal devices, but many don’t know if their employer has a policy in place to protect their data and usage.
“Some organizations wary of malware or theft of data can track employees’ locations during work and non-work hours, wipe data, as well as access private emails and photos,” Dr Degirmenci said.
The research involved a case study of two multinational companies and a survey of almost 550 employees from the United States, Germany and South Korea about BYOD to work.
Taking on BYOD risks
Dr Degirmenci said the multinational companies from the survey used mobile device management (MDM) to monitor, manage and secure devices of employees.
“American employees placed greater emphasis on BYOD risks compared to Germany and South Korea,” he said.
Australia ranked similarly to the United States in terms of its “individualist-type culture” and, while workers wanted increased flexibility, there were drawbacks to using their own devices. New technologies and digital capabilities are also omnipresent across the education sector, with schools enacting BYOD.
“We’ve recommended BYOD security management be improved, particularly for countries like America and Australia.”
In the light of the General Data Protection Regulation (GDPR), the challenge of proper application of pseudonymisation to personal data is gradually becoming a highly debated topic in many different communities, ranging from research and academia to justice and law enforcement and to compliance management in several organizations across Europe.
Pseudonymisation and personal data challenges
The ENISA “Pseudonymisation techniques and best practices” report discusses, among other things, the parameters that may influence the choice of pseudonymisation techniques in practice, such as data protection, utility, scalability and recovery.
It also builds on specific use cases for the pseudonymisation of certain types of identifiers (IP address, email addresses, complex data sets).
There is no easy solution
One of the main outcomes of the report is that there is no single easy solution to pseudonymisation that works for all approaches in all possible scenarios.
On the contrary, it requires a high level of competence in order to apply a robust pseudonymisation process, possibly reducing the threat of discrimination or re-identification attacks, while maintaining the degree of utility necessary for the processing of pseudonymised data.
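To make the trade-offs between data protection, utility, scalability and recovery concrete, here is an added example (not code from the ENISA report or this article) that pseudonymises e-mail addresses and IP addresses with a keyed HMAC, one key per purpose, keeps the recovery table with the controller, and runs a defender's enumeration check showing why an unkeyed hash of a small identifier space is not adequate protection. The HMAC-SHA256 choice, the table-based recovery, the keys and all identifiers are constructed assumptions for the demonstration.

```python
"""Added example (not from the ENISA report or the article): keyed
pseudonymisation of IP addresses and e-mail addresses, with the
controller-held recovery table and a check of how an unkeyed hash fares
against simple enumeration of a small identifier space.
All keys and identifiers below are constructed sample values."""
import hashlib
import hmac
import ipaddress
from typing import Callable, Dict, Iterable, Optional, Tuple


def normalise(identifier: str, kind: str) -> str:
    """Canonicalise before pseudonymising so that equivalent spellings of
    one identifier (upper-case mailbox, expanded IPv6) map to one pseudonym."""
    if kind == "ip":
        return ipaddress.ip_address(identifier.strip()).compressed
    if kind == "email":
        return identifier.strip().lower()
    raise ValueError(f"unknown identifier kind: {kind}")


def unkeyed_hash(identifier: str, kind: str) -> str:
    """Plain SHA-256: deterministic, but anyone can recompute it."""
    return hashlib.sha256(normalise(identifier, kind).encode()).hexdigest()


class Pseudonymiser:
    """HMAC-based pseudonymisation (a 'message authentication code' scheme in
    ENISA's terminology). One secret key per purpose keeps the pseudonyms of
    different use cases unlinkable (scalability); the mapping table stays with
    the controller and is the only route back to the identifier (recovery)."""

    def __init__(self, purpose: str, key: bytes, length: int = 16):
        self.purpose = purpose
        self._key = key
        self._length = length              # truncation in bytes; 16 -> 32 hex chars
        self._table: Dict[str, str] = {}   # pseudonym -> original, controller only

    def pseudonymise(self, identifier: str, kind: str) -> str:
        canon = normalise(identifier, kind)
        # Purpose and kind are bound into the MAC input so one key never
        # produces colliding pseudonyms across identifier types or uses.
        msg = f"{self.purpose}\x00{kind}\x00{canon}".encode()
        pseudo = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[: 2 * self._length]
        self._table[pseudo] = canon
        return pseudo

    def recover(self, pseudonym: str) -> Optional[str]:
        """Recovery: only the party holding the table (the controller) can do this."""
        return self._table.get(pseudonym)


def enumeration_check(target: str, candidates: Iterable[str], kind: str,
                      scheme: Callable[[str, str], str]) -> Optional[str]:
    """Defender's check: can a pseudonym be matched by recomputing the scheme
    over a candidate list? Returns the matching identifier or None. An unkeyed
    hash over a small space (here one IPv4 /24) fails this check."""
    for cand in candidates:
        if scheme(cand, kind) == target:
            return cand
    return None


def demo() -> Tuple[bool, bool, bool, bool]:
    billing = Pseudonymiser("billing", b"constructed-key-for-billing-only")
    analytics = Pseudonymiser("analytics", b"constructed-key-for-analytics")

    p1 = billing.pseudonymise("Alice.Smith@Example.org", "email")
    p2 = billing.pseudonymise("alice.smith@example.org", "email")
    consistent = p1 == p2                      # utility: linkable within one purpose
    unlinkable = p1 != analytics.pseudonymise("alice.smith@example.org", "email")
    recovered = billing.recover(p1) == "alice.smith@example.org"

    # The unkeyed hash of an IP in a small constructed range is matched by
    # enumeration; the keyed pseudonym of the same IP is not (no key available).
    subnet = [str(ip) for ip in ipaddress.ip_network("10.7.3.0/24")]
    weak = enumeration_check(unkeyed_hash("10.7.3.42", "ip"), subnet, "ip", unkeyed_hash)
    strong = enumeration_check(billing.pseudonymise("10.7.3.42", "ip"), subnet, "ip", unkeyed_hash)
    return consistent, unlinkable, recovered, (weak == "10.7.3.42" and strong is None)


if __name__ == "__main__":
    print(demo())   # (True, True, True, True)
```

Keeping the purpose-specific keys and the recovery table outside the pseudonymised dataset is what gives the scheme its protection; storing either alongside the data collapses it back to a reversible identifier.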
58% of surveyed businesses worldwide failed to address requests made from individuals seeking to obtain a copy of their personal data as required by GDPR within the one-month time limit set out in the regulation, reveals updated research from Talend.
GDPR compliance rate: 2018 and now
In September 2018, Talend released the results of its first GDPR research benchmark, which was aimed to assess the ability of organizations to achieve right to access and portability compliance with the European regulation. At that time, 70% of the companies surveyed reported they had failed to provide an individual’s data within one month.
One year later, Talend surveyed a new population of companies, as well as the companies which reported a failure to comply in the first benchmark, in order to map improvement. Although the overall percentage of companies who reported compliance increased to 42%, the rate remains low 18 months after the regulation came into force.
“These new results show clearly that Data Subject Access Rights is still the Achilles’ heel of most organizations,” said Jean-Michel Franco, Senior Director of Data Governance Products at Talend. “To fully comply with GDPR it is necessary to understand where the data is, how it is processed and by whom, as well as ensure that the data is trusted.”
Organizations are struggling to meet requests
The research revealed that only 29% of the public sector organizations surveyed could provide the data within the one-month limit. With an increasing use of data and new technologies – facial recognition, artificial intelligence – by the public sector to improve the citizen experience, the need for more integrated data governance is a must-have for 2020 and beyond.
The same observation applies to companies in the media and telecommunications industries. Only 32% of these organizations reported that they could provide the correct data on time.
Many firms barely reach an average success rate
Compared to last year, retail companies improved their success rate with 46% of such companies reporting they provided correct responses within the one-month limit. A greater proportion of companies in this industry started to take a customer-centric approach to both improve the experience and internal processes.
The same situation occurs with organizations in finance as well as in the travel, transport, and hospitality industries. In addition, the latter are considered the best performers, as companies in that industry represent 38% of all the organizations who provided data in less than 16 days.
The lack of automation remains a barrier to success
One take-away from this new benchmark is the lack of automation in processing requests. One of the main reasons companies failed to comply was the lack of a consolidated view of data and clear internal ownership over pieces of data. In the financial services industry, for example, clients may have multiple contracts with a company that may not be located in one place making it difficult to retrieve all necessary information.
Processing the requests thus remains very manual and often involves the business users, e.g. the insurance representatives in the case of an insurance company. In addition, processing Subject Right Requests can be very costly; according to a recent Gartner survey, companies “spend, on average, more than $1,400 to answer a single SRR.”
ID proof and requesting process should be improved
The research also highlights the lack of an ID check during the data request process of the individual requesting data. Overall, only 20% of the organizations surveyed asked for proof of identification. Moreover, of the companies surveyed that reported asking for proof of identification, very few use an online and secure way of sharing ID documents. Instead, most of the time, copies of identification were provided by email. The requesting process also remains cumbersome with reported difficulties including finding the right email address to send the request, and follow up emails because the data is incomplete or because the files can’t be opened.