Data Regs and Facebook Fines: Dragging Us Toward Better Security
“Be like Facebook.” That was the rallying cry in the early days of the big data boom, when companies were striving to monetize as much data as possible, and Facebook was the poster child of a new breed of company. But in light of the record $5 billion fine the FTC imposed on Facebook for data privacy violations last month and additional GDPR fines expected, perhaps the social media giant isn’t such a positive role model after all.
So far, EU regulators have gone relatively easy on companies when it comes to complying with the General Data Protection Regulation (GDPR), which unified the data privacy and security laws for all nations in the European Union and went into effect in May 2018. But it’s looking like the grace period is coming to an end, and Facebook could be held up as an example of what not to do.
According to the Wall Street Journal, regulators within the European Union are wrapping up their investigations of Facebook’s alleged violations of various provisions of GDPR, which requires companies to properly secure data; to gain consent from consumers before using their data; to notify consumers when their data is lost or breached; to promptly reply to requests for data usage; and to delete consumers’ data at their request, among other things. The paper says European Union regulators could announce their proposed fines by the end of September.
Facebook isn’t the only company in the EU’s crosshairs. Marriott International was fined $123 million and British Airways was fined $230 million for 2018 data breaches that ran afoul of GDPR. The Greek subsidiary of PwC has also been sanctioned for violations of GDPR. But if EU regulators want to make a big splash by holding a big American tech firm to account for careless handling of data, Facebook makes a perfect target (but don’t think you’re in the clear yet, Google).
We’re at the very beginning of a cultural shift away from big data’s Wild West heyday and toward a period of businesses showing more respect for security, privacy, and governance, says Amandeep Khurana, co-founder and CEO of Okera.
“Facebook just happens to be right at the forefront of it and happens to be the one that’s getting a lot of attention, because their primary business model is based on using your and my data to create value for themselves,” Khurana says. “Broadly we’re seeing this move away from a completely open ecosystem and an open way of doing things to, Let’s be responsible, let’s be in control, because regulations are coming. Let’s comply with those.”
GDPR is just the tip of the iceberg when it comes to emerging regulations. Dozens of countries are forming their own data regulations modeled after the GDPR. And then there is the California Consumer Privacy Act (CCPA), which is set to go into effect in January 2020.
There’s no longer a debate over who owns the data. It’s the property of consumers, says Sovan Bin, CEO of Odaseva, which develops software to help Salesforce customers comply with emerging data regulations.
“The property of the data does not belong to the company that buys it. The ownership of the data belongs to the person, and this is not a right you can remove,” Bin says. “Today I think there is no debate about it. Every company is going in that direction. And every country is going in that direction too. Japan, Australia, Canada, Brazil – every big country in the world is modernizing their data privacy regulations. I definitely think this is a trend that’s not going to stop.”
Okera is one of a handful of software vendors helping to enable what Khurana calls “data-centric security,” which is when security and privacy policies are defined by the content of the data, not by which system it’s stored in.
For example, say a company is storing a Social Security number, which is a sensitive piece of personally identifiable information (PII). One of the company’s databases allows that Social Security number to be anonymized to reduce the security risk of housing it, but its big data file system does not.
“There’s an inconsistency and a disconnect,” Khurana says. “Your policy, your privacy constructs need to be data centric, because they’re a function of the data and not a function of the platform that you’re using to manage them.”
Big data platforms like Hadoop and AWS S3 can be secure, but they’re not secure out of the box. Both platforms have been implicated in data breaches that, if they impacted EU residents and occurred after May 25, 2018, would subject the data processors to sanctions under GDPR. With possible fines equaling up to 4% of the company’s annual revenue, there is a sizable incentive to comply with GDPR.
“If you look at Facebook, for example, Facebook has data lakes. They have lots of HDFS deployments. But HDFS by itself doesn’t give you any ability to protect data,” Khurana says. “If HDFS cannot do what you need it to do, you need to find a way to do it.”
Khurana, who previously worked at Cloudera, says Cloudera and AWS have largely tackled security for their own platforms, with Cloudera’s on-prem solutions so far outpacing AWS’s efforts with Lake Formation. Those security protections work fine when customers stay on the platforms, but they fall apart as soon as customers go off the platform.
As data volumes grow, organizations are storing data in more on-prem and cloud systems. The number of data silos is increasing, not decreasing. Okera and other practitioners of data-centric security recognize that platform-centric approaches to security, privacy, and governance will result in more cracks in companies’ regulatory walls.
“Cloudera’s offering will not help you protect data in a data warehouse or S3. They are not incentivized to do that,” he says. “In that world you need somebody who does not have any underlying incentive in which technology you use.”
Succeeding with Okera’s data-centric approach requires some discipline on the part of the company and its users. First of all, all requests for data must be made through Okera. If you bypass Okera and give a data scientist direct access to a data storage or processing engine – a common occurrence in big data’s Wild West heyday – then you lose control over what she does.
As we gain greater understanding of what we can do, we’re also learning the lessons of what we can but shouldn’t do, Khurana says. That education is painful, perhaps, but getting everybody in the organization to understand it will yield better results down the road.
“Protecting our customers’ data is not something that one person at the company should be thinking about,” he says. “Sure I can build a better machine learning model. I can drive more personalized experiences. But does that come at the cost of customers’ losing confidence in the brand? If that’s the case, maybe I should not do it.”
Smokey Bear reminds campers this time of year who is responsible for preventing fires. If Odaseva’s Bin had his way, AWS and other clouds would come with a reminder that only you can apply best practices around security, privacy, and governance in the cloud.
“It’s true that the cloud vendors will manage the data center, but the data governance will remain the customer’s responsibility,” Bin says. “No matter if you are using SaaS or on prem, you are always responsible for data as a customer.”
Bin was an architect in Salesforce’s Paris office when his interaction with the IT leaders at Schneider Electric gave him inspiration for Odaseva. Buoyed by seed funding from Salesforce and others, Bin set out to help eliminate the pain associated with complying with emerging regulations like GDPR.
Odaseva worked with a team of lawyers for two years to understand data regulations and map them into security policies that can be enforced through the Salesforce CRM system and downstream systems (the company plans to support other CRM and ERP systems in the future). As new data regulations come on line or existing ones change, Odaseva updates its enforcement systems, eliminating maintenance costs going forward for its customers.
For example, if one of Toyota’s customers clicks the button to request data under GDPR, Odaseva’s technology will work in the background to collect and package the required data from the impacted systems. By tracking changes to laws and data models, the software automates much of the manual work that would otherwise have to be done to comply with data laws.
“For the first time in history, technology is growing slower than regulation,” Bin tells Datanami. “Odaseva is there to change that. We bring back speed in technology to go faster than compliance. And any time there’s a change, our customers iterate from those changes since we’re updating our policy in the data compliance.”