A Data Privacy Day Call to Arms: The Shared Responsibility to Protect Customer Data

This blog was originally published by JupiterOne here.

Written by Melissa Pereira, JupiterOne.

Today, millions of people worldwide are becoming aware of how their personal data is collected, shared, and monetized in our modern digital economy. Studies show that Americans are becoming increasingly concerned about personal data privacy, with 75% choosing to limit their online activity over privacy fears. Many consumers feel powerless when it comes to businesses protecting personal data. They are concerned about security breaches and the malicious actors that put private information at risk.

A Game of Knowns is Never Enough

Security is a game of details. As the privacy landscape becomes increasingly complex, it introduces new vulnerabilities and new opportunities for things to go wrong. When organizations are forced to use a patchwork approach to security, it makes protecting those operations difficult. In today's disjointed regulatory environment, security professionals must understand and piece together a jigsaw puzzle of privacy mandates from around the world—PSD2, GDPR, CCPA, and more.

Because there is no universal privacy standard to build upon, the security industry is forced to grapple with this fragmented approach to privacy, which has significant implications, leaving far too much room for errors. Amid growing regulatory fervor, each new privacy rule creates additional complexities, not just from a compliance standpoint but also from an operational one. There has to be a better way.

Needed: A Coordinated Global Effort

Ideally, an international consortium would address these diverse privacy rules worldwide and create an agreed-upon, universal standard. It is crucial for technologists to collaborate with legislators to develop rigorous, standardized global privacy frameworks.

“People who understand…technology need to be part of public-policy discussions,” writes cryptographer and privacy expert Bruce Schneier, in 'Public-Interest Technology Resources'. “We need public interest technologists.”

There are constant reminders of vulnerabilities inherent in our current security landscape. Over the past year, supply chain disruptions, never-ending ransomware attacks, security resource shortages, and protracted workforce gaps, the growing complexities of security and compliance operations negatively impact data security. These complex problems significantly impact privacy and are likely only solved by richer collaboration around standardized best practices, policy, and legislation.

The result has been a harrowing series of large-scale cyberattacks, including the massive SolarWinds hack and the Log4j vulnerability that has shown up in 44% of corporate networks worldwide. In 2021, we saw an increase in ransomware attacks and the largest ransoms ever paid out in history. This risk increased over previous years, and it has cascaded beyond just impacting companies to affect the lives of ordinary consumers whose personal data is taken hostage by threat actors.

More than half of all companies were struggling amid the ongoing cybersecurity skills gap, according to a research report by ESG and ISSA. Of the impacted companies, 62% said it led to increased workloads for already overburdened staff; 38% cited unfilled open job requisitions, and an equal number reported increased burnout and attrition rates.

The 281.5 million personal data files stolen through more than 1,200 major data breaches in just the first quarters of 2021 are testament enough to the challenges faced by every organization in protecting data. Better collaboration on privacy is in the best interest of everyone.

Privacy by Design and Default

The privacy and security landscapes demand that organizations change their approach to privacy engineering and “shift left” privacy to the earliest possible stage of the software development lifecycle. This concept is core to the GDPR, with the European Commission urging “Companies…to implement technical and organisational measures, at the earliest stages of the design” process of their products and features. Treating privacy as an afterthought negatively impacts both cost and security risk, making it imperative for businesses to adopt new approaches to privacy-first engineering.

A key concept for organizations to adopt in custom development is “meaningful consent,” or the idea of fully-informed consumer consent to data processing. The Office of the Privacy Commissioner of Canada writes that checklist approaches to consent are discouraged. Templates rarely include the right amount of nuance or detail for customers to truly understand how their data is collected and processed, especially when organizations have a diverse customer population. Organizations need to create better feedback loops between customers and development teams for opt-in processes tailored to their own customers’ perspective.

Data Security, Simplified by Universal Standards

As a growing number of companies are discovering, creating a strong, dynamic approach to security and privacy posture requires a lot of visibility and context. Visibility and context can be achieved with cyber asset attack surface management (CAASM), cloud security, endpoint security, and application security to protect against breaches and ensure customer data privacy.

To strengthen privacy protections even further, organizations need more significant simplification on the process side, driven by the unification of today's disparate and sometimes counterproductive privacy regulations. By not reaching some consensus about privacy, we introduce more significant risks. It is everyone’s responsibility to collaborate in public interest conversations, and shift privacy left in the engineering lifecycle. Only by following essential security practices backed by universal privacy standards will organizations be in better shape to honor the essence of Data Privacy Day on every single day of the year.