We are now entering the era of personal data rights: the tide is shifting towards individuals seeking to control their data rather than the companies that collect it. People across the globe are fed up with having their personal data misused, sold, or stored indefinitely, with little ability to take action to control their own data. Increasingly, vendors are sharing personal data, sometimes with partners who have lower ethical or practical standards for data privacy. Worse is the constant news of data breaches: people often learn from the headlines that the company they entrusted their sensitive information to has inadvertently exposed it to hackers or to the dark web, where it can be exploited.
Some governments have heeded the increasing concerns of their citizens and taken action. Prominent among them is the European Union’s General Data Protection Regulation (GDPR), which protects individuals in the EU by regulating any organization doing business with EU customers. This regulation, now nearly a year old, has caused companies to up their cyber security game and address these issues head on, but it’s not the only regulation they have to navigate. Other countries have enacted their own laws, such as Brazil’s General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais, or LGPD), which goes into effect in 2020. As of March 2018, every U.S. state has passed a breach notification law, and the California Consumer Policy Act (CCPA) became law last June as the first such law to specifically address the topic of data privacy.
A common definition of a data breach has emerged in the context of these regulations – a security incident in which sensitive data is stolen or taken without the knowledge or authorization of the organization holding the data. But these regulations stipulate that if the data has been properly protected and encrypted, the unauthorized access or acquisition of that data does not need to be reported as a data breach. This gives compliant organizations the ability to correct any vulnerabilities without public scrutiny, because even though the data may have been compromised, it would have been unusable and of no value to the hacker.
These data protection regulations vary, but a common set of requirements is emerging, leading to best practices for companies hoping to maintain security and avoid running afoul of the regulations. Most regulations require encrypting data where it is stored and, in addition, providing controls over who can access it. Strong policies limit access to those who are specifically authorized, which means these policies can block attacks by Advanced Persistent Threats (APTs) that have already penetrated an organization’s data systems. Reporting of unauthorized access attempts is also required – so that the organization can quickly trigger incident response and remediation.
Companies need to adopt these best practices. The EU has already levied fines for data privacy violations, and it’s risky to wait to see how aggressive they, or other governing bodies, are going to be in enforcing the new regulations.
As a vendor of security products, SecurityFirst has a good vantage point on this transformation and can see both sides. On the individual side, no one wants to see their data exposed, and most want to see companies held responsible for the privacy of that data. On the company side, for organizations offering services at massive scale, the security threat landscape continues to evolve, new regulations keep appearing, and companies are challenged to provide meaningful protection while running their businesses.
As a private citizen, I’m encouraged that tech startups and other companies will have to take the privacy of my data seriously. As a security vendor partnering with these companies, I feel their pain. As society evolves and the notion of how to treat data privacy evolves, it’s time for companies to step up and make sure they are taking all necessary actions.