February 21, 2019
Cybersecurity in the Age of Data Privacy: 3 Keys to Success
The EU Global Data Protection Regulation (GDPR) has effectively ushered in an era of user-controlled data. Companies across the globe climbed mountains of preparation in advance of the compliance deadline, scrambling furiously to update data protection practices and transform how they store and manage personal information.
Faced with a rule that is at once complex and short on specifics, and with fines of up to four percent of annual gross revenue for non-compliance, companies such as Facebook looked for ways around it. It didn’t work. On the first day of GDPR enforcement—May 25, 2018—Facebook and Google were sued for a total of $8.8 billion by a privacy advocate who accused them of coercing users into sharing data by forcing them to check a box consenting to privacy policies before they could access services. This gave users an all-or-nothing choice, which the lawsuits claim violates the GDPR’s provisions around particularized consent.
Data protection authorities (DPAs) in EU member states have made it clear that they intend to enforce every aspect of the GDPR with “effective, proportionate, and dissuasive” penalties, and fines have already been levied under the regulation’s provisions. In January, French data regulator CNIL fined Google 50 million euros for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
The Erosion of Consumer Trust
Making matters worse, the severity of data breach incidents is escalating. During the first half of 2018, “mega breaches” involving one million compromised records or more exposed the records of more than 100 million people. A total of six social media breaches, including the Cambridge Analytica-Facebook incident, accounted for over 56 percent of total records compromised.
944 data breaches led to 3.3 billion data records being compromised worldwide in the first half of 2018, a 72% increase over the first half of 2017. That’s over 18 million records exposed every day, or 214 records every second, including credit card and/or financial data or personally identifiable information. –Gemalto First Half 2018 Breach Level Index Report
As questions and concerns about the way consumer data is being handled have deepened, the ability to protect it has become top of mind. The pressure on organizations to ensure stronger privacy for personal data is intensifying as individual states follow the EU’s lead in an effort to enact comprehensive data protection laws that mirror some of the protections in GDPR.
California Consumer Privacy Act
California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) in June of 2018, giving residents significantly more insight into and control over how their data is collected, used and handled. Its broad requirements are new to the U.S., and from an IT planning and management perspective the January 2020 compliance deadline is right around the corner.
CCPA allows consumers to know what information companies are collecting about them, why it is being collected, and who they are sharing it with. It also enables them to tell technology companies such as Google and Facebook to delete their data, not to share it, or not to sell it. Californians can also opt out of an organization’s terms of service, without losing access to its offerings. And companies that experience data breaches will be held accountable for failing to protect personal data; consumers can sue them for up to $750 for each violation, and the California attorney general can sue for $7,500 for each intentional violation of privacy.
The CCPA impacts every organization that collects personal information on California residents. Although it incorporates certain requirements that overlap with the GDPR’s individual rights requirements, it is not modeled after the GDPR. While GDPR compliance might make your efforts easier, it does not equal compliance with the CCPA.
In addition to the CCPA, 11 other U.S. data protection laws designed to give consumers greater control over their data have been passed in the last year. Some simply expand data breach notification rules, while others—like those passed in Colorado and Vermont—require companies to make substantial changes to the way they process data.
If you are unsure which of these regulations apply to your organization, you may need to engage the services of privacy consultants, and/or experienced privacy and technology-focused lawyers.
Addressing the Challenges
While these regulations represent efforts to ensure that the right steps are being taken to protect personal data, they present significant challenges to companies across the globe. For many businesses, achieving compliance will require them to revamp their data governance and protection capabilities.
Only half of US businesses affected by the CCPA expect to be compliant by the 2020 deadline, according to a PwC survey of more than 300 executives at US companies with revenues of $500 million or more.
How can organizations that are impacted by these regulations implement the necessary changes for compliance?
Three Keys to Success
Whether it’s the CCPA, GDPR or other data protection and privacy regulations, efforts should be focused on discovering and identifying regulated data, and then managing and protecting it. While there is no “one-size-fits-all” approach, the majority of requirements in these regulations can be met through the development and/or maturation of programs many large enterprises have already begun to implement: data-centric security, incident response, and third-party risk management.
1. Data-Centric Security
It is no longer enough to focus IT security efforts on networks and endpoints. As IT environments continue to change, organizations need to keep pace and advance their security by focusing on the data itself through a data-centric security program. The development of a robust data-centric security program is invaluable not only to the GDPR and CCPA requirements, but to all data protection and data privacy efforts.
A comprehensive data-centric security strategy includes the following components:
- Data discovery
- Data classification
- Data tagging & watermarking
- Data governance
- Data loss prevention
- Data visibility
- Encryption strategies
- Enhanced gateway controls
- Identity and access management (IAM)
- Cloud access
- Continuous education
Several aspects of data-centric security are particularly important to compliance readiness for regulations such as GDPR and the CCPA, including data discovery, data classification, IAM, data governance and encryption.
Many organizations don’t even know where their sensitive information is, which makes it extremely difficult to comply with requirements such as the GDPR “right to be forgotten”. You need to identify the regulated data you store and process, its location, its path from point A to point B, which systems it is being processed by, etc. Data discovery tools provide visibility into the location, volume, context and risk associated with sensitive, unstructured data across the enterprise — both on-premises and in the cloud.
Data classification policies and tools facilitate the separation of valuable information that may be targeted from less valuable information. Information is divided into predefined groups that share a common risk, and the corresponding security controls required to secure each group type are detailed. Data classification tools can be used to improve the treatment and handling of sensitive, regulated data, and promote a culture of security that helps to enforce data governance policies and prevent inadvertent disclosure. Classification metadata can be ingested by data loss prevention (DLP), encryption and other security solutions to determine which information is sensitive, and how it should be protected.
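As an added illustration of the discovery and classification steps above (this is example code, not code from the original article or any vendor tool), the following Python scan walks a set of constructed records, discovers regulated elements, assigns each record to a predefined risk group, and emits the classification metadata a DLP or encryption tool would consume. The group names, control labels, detection patterns and sample rows are all assumptions made for this example.

```python
import re
from collections import Counter

# Predefined groups that share a common risk, and the controls each group needs.
# Group names and control labels are assumptions made for this example.
CLASSES = {
    "financial": ("high", ["encrypt-at-rest", "dlp-block", "least-privilege-role"]),
    "personal": ("high", ["encrypt-at-rest", "dlp-block", "erasure-workflow"]),
    "internal": ("medium", ["access-logging"]),
    "public": ("low", []),
}
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")            # 16 digits, optional separators
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects card-shaped numbers (ticket ids, serials) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(record: dict) -> dict:
    """Discover regulated elements in one record and return metadata a DLP or encryption
    tool could consume. Precedence: financial > personal > declared label > public."""
    text = " ".join(str(v) for v in record.values())
    found = ["payment-card" for m in CARD_RE.finditer(text) if luhn_ok(re.sub(r"\D", "", m.group()))]
    found += [name for name, rx in (("email", EMAIL_RE), ("ssn", SSN_RE)) if rx.search(text)]
    if "payment-card" in found:
        group = "financial"
    elif found:
        group = "personal"
    else:
        group = record.get("label") if record.get("label") in CLASSES else "public"
    risk, controls = CLASSES[group]
    return {"group": group, "risk": risk, "controls": controls, "elements": found}

def inventory(records: list) -> dict:
    """Count records per group: the starting point for a regulated-data inventory."""
    return dict(Counter(classify(r)["group"] for r in records))

# Constructed sample rows (not real data), as a discovery scan might pull from a datastore.
SAMPLE = [
    {"id": 1, "note": "Refund to card 4111 1111 1111 1111"},
    {"id": 2, "note": "Contact jane.doe@example.com about the order"},
    {"id": 3, "note": "Ticket 1234 5678 9012 3456 is a serial, not a card"},
    {"id": 4, "note": "Q3 roadmap draft", "label": "internal"},
]
```

Running `inventory(SAMPLE)` gives one record in each group; the third row is card-shaped but fails the Luhn check, so it is not mislabelled as financial data.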
Identity and Access Management (IAM)
Organizations with a strong IAM strategy in place are better able to provide secure access to resources across a globally connected web of users—including employees, partners and customers—who are accessing IT environments wherever, whenever, and however they choose. Supportive IAM technologies such as risk-based multi-factor authentication (MFA), identity governance and administration (IGA), privileged access management (PAM), user and entity behavior analytics (UEBA) and the System for Cross-domain Identity Management (SCIM) can help you proactively manage the identities and entitlements of people, services and devices, and more effectively protect personal data. From a business point of view, the ability to manage customer identities is important not only for compliance, but also to help improve your organization’s insight into its customers.
Ensuring the confidentiality, integrity, and availability of information and information systems is the predominant focus of effective cybersecurity. Organizational practices should be driven towards defining and implementing policies, processes, and standards for the effective use and management of data (structured/unstructured) and information systems. Utilizing governance, risk management and compliance (GRC) tools can help you automate governance processes, and optimize the business value of data. Effective data governance enables organizations to address data privacy and data protection requirements no matter where the data is collected, resides or is consumed.
End-to-end encryption maximizes data protection regardless of whether the data is in a public or private cloud, on a device, or in transit. It can be invaluable in the effort to combat advanced threats, protect against IoT-enabled breaches, and maintain regulatory compliance. Enterprise key management solutions are an important accompaniment to encryption tools, helping to securely generate, store and monitor keys, and streamline ongoing administration. In the case of the GDPR, an organization that experiences a personal data breach but had encrypted the affected data will be able to demonstrate that the breach is unlikely to affect the rights and freedoms of the data subjects; breaches of encrypted data, therefore, may not require data subject notification.
2. Incident Response
All 50 U.S. states, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have enacted breach notification laws. The GDPR, the New York State Cybersecurity Requirements for Financial Services Companies and the South Carolina Insurance Data Security Act all contain strict 72-hour notification mandates, which require dramatic changes to the plans of organizations not accustomed to responding to security incidents within strict timelines.
77% of surveyed IT professionals said their organizations do not have a formal cybersecurity IR plan. 26% have only an ad-hoc or informal process, and 27% do not apply their IR plan consistently across the enterprise. —Ponemon Institute Third Annual Study on the Cyber Resilient Organization
How can you gauge your organization’s IR capabilities?
Consider the following questions:
- Do you have an incident response program in place?
- Are employees aware of what constitutes an incident to begin with, and how to report and manage an incident?
- Does the executive team know their role and what is expected of them?
- Have you optimized the tools you’re using today to protect against and detect incidents?
- Has your program been updated and tested to support today’s cyber threats and compliance with breach notification requirements?
- Do you have the tools and relationships in place to accelerate your response to a serious security incident for containment and public management?
- Does your plan include considerations for retaining forensic and public relations firms that align directly with your cybersecurity insurance policy?
Professional services such as security program assessments can help organizations focus on their ability to detect and respond to security incidents, formally document the workflow required to triage and manage the incidents impacting the environment, and improve the processes that support current incident concerns. Compromise assessments help to determine if there has already been an incident or an incident is currently in progress. Additionally, interactive tabletop exercises and breach simulations—in conjunction with forensic and incident response “emergency services” partnerships—can also be of great value.
A comprehensive incident response plan will enable your organization to respond aggressively to an attack, maintain compliance, minimize damage and align defenses to mitigate future intrusions.
3. Third-Party Risk
Third parties can present your greatest area of risk exposure—both for data security, and for regulatory compliance. It is therefore important to extend your focus beyond the organization’s figurative four walls, and consider the impact of your “extended enterprise”. The ramifications of compliance requirements broaden significantly when you think about all of the third parties that are essential to your daily operations.
Carefully monitor the security practices of partners and vendors—engaging in third-party due diligence and periodic assessments—to ensure that cybersecurity requirements have been met throughout your supply chain.
Under the GDPR, third parties may be considered regulated “data processors”, and are thereby subject to the regulation. For example, if you are a retailer that collects customer information, which you then share with a third-party call center, then under GDPR you are the data controller, and the call center is the data processor; you both need to maintain compliance.
Elements of a Third-Party Risk Program
Developing and implementing a third-party risk/compliance program is essential not only to your compliance efforts, but to your overall security posture.
Third-party security tools can enhance your efforts by providing automated vendor risk assessment and continuous vendor threat monitoring. Additionally, security scoring tools can help to assess both third-party security and your own by using predictive analytics and security risk assessment tools to issue either FICO-like scores or grades ranging from A to F, to help predict the organization’s likelihood of a breach.
People, Process & Technology
In order to successfully address data protection and privacy regulations and maintain a competitive advantage, the critical components of all enterprise initiatives should be well-considered: people, process and technology.
Professional security assessments are a best practice that is required by regulations such as GDPR. These services can help your organization determine an actionable roadmap for achieving compliance, and maturing your overall data protection capabilities.
The Benefits of Being Prepared
For many organizations, building and operating a cutting edge data protection program hasn’t been a top priority. Growing consumer concerns, and requirements such as the GDPR and CCPA have ushered in a new era of accountability, in which every regulated organization that collects, stores and uses sensitive customer data needs to raise the bar to meet new standards. As arduous as this may seem, there are benefits. Organizations that mature their data protection capabilities with robust data-centric security, incident response and third-party risk programs can enhance their brand reputation, and are likely to be more resilient going forward. Taking extra care in how you collect, store, and use personal data will help you stay prepared as the regulatory landscape continues to evolve, win consumer trust, and reduce the likelihood and impact of data breaches on your business.