The recent news about a proposed bill to create a central data privacy enforcing body shines another spotlight on the high-risk, high-stakes shifting ground that many businesses operate their engines of growth on – consumer data collection, analysis, and retention. The news will no doubt be a hot topic at the forthcoming RSA show where the theme of “Human Element” couldn’t be more relevant to this proposed bill – almost everything businesses collect today is about the human being and our mind-boggling data relationship, and many of the biggest data risks come from humans, human data handling, and human failures.
So, what about this new proposed bill? Despite years of debate and data security regulations enacted by the US States over a very long 16 years from 2002, we still see massive compromises from willful attackers, human error, and nation-state exploits. Now, privacy concerns stretch the need for security controls and appropriate operational processes even further to avoid the risk of identity data bleeding from “traditionally secure” operations, data stores and applications. Even the best-intentioned organizations are at risk of privacy incidents like the recent WAWA case. In that scenario, investigators recently revealed the double-edged nature of data privacy risks with breached consumer analytic data reported to be available on the dark web – well beyond the narrow-scope payment data originally suspected and covered by traditional data security regulations like PCI DSS. But to a modern retailer, personal and behavior data collection is critical and essential to compete – a critical ingredient to the future success of a business and the consumer relationship. It’s the very data that can drive innovation and optimize consumer experience but also brings privacy breach risks to a boiling point if modern data security controls are not in place for contemporary and constantly evolving threats.
So perhaps it is time for the equivalent of the European GDPR’s Data Protection Authority (DPA) approach for the US as a call to action to embrace a comprehensive privacy-by-design method to data protection, security, and privacy. The EU DPAs have shown their very effective teeth in the last 12 months, issuing fines exceeding $100M, with even bigger ones pending for the airline and hospitality industry breaches that are three times that early total – in just the UK. That’s enough for enforcers to re-invest in more action and change business behavior, and we will no doubt see increasing actions into 2020 and beyond. But is more enforcement really the answer to stem the tide of data compromise putting consumer privacy at risk?
Fines aren’t the only concern to the enterprise when the impossible becomes possible and mass consumer data finds its way to the dark streets of the criminal exchanges for a quick illicit buck at the expense of innocent victims. Business integrity, reputation, litigation, disruption, and reparation costs are all familiar unwanted and unplanned budget grabbers and massively burdensome. It’s no surprise then to find CISOs' stress levels are at an all-time high given what is expected of them with limited resources, and so something has to change to help empower them to defend their data assets and find budget to innovate at the same pace as attackers. Can any business really afford not to? The shadows of the $2Bn Equifax breach are long, with effects still deeply resonating across the political and regulatory landscape. That breach, the trigger for States enacting tougher privacy laws, is a CISO’s worst nightmare – and all too possible without new security and risk reduction strategies.
As a government response to data collection concerns and continued breaches, contemporary US data privacy regulations, starting with California’s ground-breaking CCPA, have pushed from an enterprise-as-owner-of-data approach to a consumer-rights-centric model. This in itself adds a huge list of new processes to the already stressed compliance budget. The right to deletion, the consumer right to data, children’s data handling, new data safeguards and de-identification, data minimization, and retention policy loom large on the compliance roadmap. With each state creating its own “CCPA” variation, the regulatory matrix for compliance gets more expensive to meet. A central enforcement body could, potentially, bring a cohesive approach to compliance that could ease its implementation, assuming laws remain strong and in line with threats – which is key. Avoiding State-by-State privacy compliance is desirable as well as potentially a way to fuel simpler privacy budget requests for CISOs. But that cannot come at the expense of dilution of intent, and ultimately the protection of the weary and oft-breached American consumer.
If regulations alone aren’t enough for today's stressed CISO, there are new even more complex risks to juggle. Enterprises are on their second-phase hybrid cloud journey, another seismic shift for compliance strategy: juggernaut-level digital transformation projects pushed by the pressure of business model innovation and competitive aggression are moving data into new risky territory. The dynamic, agile, hybrid cloud migration fueled by cutting-edge technologies like Kubernetes and serverless compute creates a very attractive platform for growth and change with great economics, but brings new risks. Gone are the days where data had a convenient boundary, a place where it lived, and clarity over controls. Today’s consumer-facing applications collect and push massive amounts of data into transient compute instances, they burst to the cloud, move it into machine-learning pipelines for instant results, and store it for on-going analysis like never before. The sheer quantity and exposure risk of private data is at the very heart of CISOs' stress, not to mention the concern in governments worldwide from exposure risk and potential for inappropriate use pushing regulatory envelopes even further.
So, what should be done? Are we ready for technologies like homomorphic encryption at the pace digital transformation demands? Long term, perhaps, but today, not yet, and its eventual use might be very limited. However, proven and effective data security and privacy methods exist right now that take data out of reach of compromise and reduce regulatory burden while enabling cloud-native initiatives and modern machine learning systems. Advances in contemporary data tokenization have made it possible to live in the “new normal” of privacy-aware processes – at scale, in the cloud, and with massively reduced risk – and CISO stress. It’s an effective weapon of choice for risk reduction, compliance, and enterprise defense.
While tough new privacy laws and corresponding enforcement bodies can bring the stick and carrot to business responsibility, no forward-thinking business today can endure the risk of data compromise, litigation, espionage, and reputation damage from human error or direct attack, especially those well into their modern hybrid journey. Business units riding the new crest of powerful yet emerging technologies to compete and grow put data into completely new risk states if it’s not thoroughly protected at its most fundamental level, the data itself, so that’s precisely where protection – and privacy – must stay too.
Come meet us at RSA!
Visit Booth 5671E at the RSA show to talk to privacy experts who’ve already taken the world’s leading companies through their privacy and cloud journey spanning the strict and pioneering German Data Privacy Laws (BDSG-new), PCI DSS, HIPAA, HITECH, GDPR, and now CCPA.