The recent news about a proposed bill to create a central data privacy enforcement body shines another spotlight on the high-risk, high-stakes, shifting ground on which many businesses run their engines of growth: consumer data collection, analysis, and retention. The news will no doubt be a hot topic at the forthcoming RSA show, where the theme of “Human Element” could not be more relevant to this proposed bill. Almost everything businesses collect today is about the human being and our mind-boggling data relationship, and many of the biggest data risks come from humans, human data handling, and human failures.
So, what about this new proposed bill? Despite years of debate, and despite data security regulations enacted by US states over the 16 years since 2002, we still see massive compromises from willful attackers, human error, and nation-state exploits. Now, privacy concerns stretch the need for security controls and appropriate operational processes even further, to avoid the risk of identity data bleeding from “traditionally secure” operations, data stores, and applications. Even the best-intentioned organizations are at risk of privacy incidents like the recent Wawa case. In that scenario, investigators recently revealed the double-edged nature of data privacy risk: breached consumer analytic data was reported to be available on the dark web, well beyond the narrowly scoped payment data that was originally suspected and that falls under traditional data security regulations like PCI DSS. But to a modern retailer, personal and behavioral data collection is critical and essential to compete: a key ingredient in the future success of the business and the consumer relationship. It is the very data that can drive innovation and optimize the consumer experience, but it also brings privacy breach risk to a boiling point if modern data security controls are not in place for contemporary and constantly evolving threats.
So perhaps it is time for a US equivalent of the European GDPR’s Data Protection Authority (DPA) approach, as a call to action to embrace a comprehensive privacy-by-design method for data protection, security, and privacy. The EU DPAs have shown their very effective teeth in the last 12 months, issuing fines exceeding $100M, with even bigger ones pending for the airline and hospitality industry breaches that are three times that early total, in the UK alone. That is enough for enforcers to re-invest in more action and change business behavior, and we will no doubt see increasing actions into 2020 and beyond. But is more enforcement really the answer to stem the tide of data compromise putting consumer privacy at risk?
As a government response to data collection concerns and continued breaches, contemporary US data privacy regulations, starting with California’s ground-breaking CCPA, have pushed from an enterprise-as-owner-of-data approach to a consumer-rights-centric model. This in itself adds a huge list of new processes to the already stressed compliance budget. The right to deletion, the consumer right to data, children’s data handling, new data safeguards and de-identification, data minimization, and retention policy loom large on the compliance roadmap. With each state creating its own “CCPA” variation, the regulatory matrix for compliance gets more expensive to meet. A central enforcement body could, potentially, bring a cohesive approach to compliance that eases its implementation, assuming laws remain strong and in line with threats, which is key. Avoiding state-by-state privacy compliance is desirable, and potentially a way to fuel simpler privacy budget requests for CISOs. But that cannot come at the expense of diluting the intent of the laws and, ultimately, the protection of the weary and oft-breached American consumer.
So, what should be done? Are we ready for technologies like homomorphic encryption at the pace digital transformation demands? Long term, perhaps, but not yet today, and its eventual use might be very limited. However, proven and effective data security and privacy methods exist right now that take data out of reach of compromise and reduce regulatory burden, while enabling cloud-native initiatives and modern machine learning systems. Advances in contemporary data tokenization have made it possible to live in the “new normal” of privacy-aware processes: at scale, in the cloud, and with massively reduced risk, and with massively reduced CISO stress. It is an effective weapon of choice for risk reduction, compliance, and enterprise defense.
While tough new privacy laws and corresponding enforcement bodies can bring the stick and the carrot to business responsibility, no forward-thinking business today can endure the risk of data compromise, litigation, espionage, and reputation damage from human error or direct attack, especially those well into their modern hybrid journey. Business units riding the new crest of powerful yet emerging technologies to compete and grow put data into completely new risk states if it is not thoroughly protected at its most fundamental level: the data itself. That is precisely where protection, and privacy, must stay too.
Visit Booth 5671E at the RSA show to talk to privacy experts who’ve already taken the world’s leading companies through their privacy and cloud journey spanning the strict and pioneering German Data Privacy Laws (BDSG-new), PCI DSS, HIPAA, HITECH, GDPR, and now CCPA.