Data Privacy Day: Putting Good (and Bad) Practices in the Spotlight
Thanks to the rapid digitization of work and play, Americans are more sensitive to businesses’ data practices than ever before. With today’s arrival of Data Privacy Day, businesses around the world are sharing thoughts on how they can get ahead of the privacy curve, and stay there.
Keeping up with the vast scale of data generation is extremely difficult, according to Barry Cook, the privacy and group data protection officer for VFS Global, a provider of visa and consular services. When you consider how much value this data has, for both legitimate and illegitimate uses, it becomes extremely hard to curtail its use and spread.
“Over 2.5 quintillion bytes of storable information is developed every 24 hours and the pace, and value, of this will only increase with the rise of automation and digitalised technologies,” Cook says. “Although we may not appreciate it, personal information has become a prime commodity in our global economy. It provides a snapshot of our day-to-day lives, and can be used by organisations for targeted advertising and for determining the future behaviours of consumers.”
There are multiple threats to the privacy of Americans, including unscrupulous business practices, hackers, data breaches, and just an overall lack of awareness of how much data they’re sharing. The arrival of the California Consumer Privacy Act (CCPA) at the beginning of the month is a significant indicator of the degree to which people want to protect their privacy.
But just complying with CCPA (which some companies are gaming) isn’t good enough, says Cindy Provin, senior vice president at Entrust Datacard and general manager of nCipher Security. “Based on our research, 79% of Americans care how a company uses their private information,” she says. “That means consumers want reassurances that their private data is not at risk.” Good encryption is a big part of the answer, she says.
Security plays a role in privacy. But nothing can replace good governance, according to Jitesh Ghai, a senior vice president and general manager with Informatica. “Businesses are failing to appreciate that data governance is the bedrock for data privacy,” he says. Because in reality, he continues, “data governance enables greater data democratization while supporting data privacy.”
Many consider CCPA to be a ‘lite’ version of Europe’s privacy regulation, GDPR, says Nigel Tozer, a solution director at Commvault. But that may be selling the Californian law short, he says.
“While the scope of who CCPA applies to is narrower, the two are incredibly alike in many respects, and as enforcement is handled by courts and not regulators, as in Europe, expect it to hit the headlines much sooner,” he says. “CCPA is also likely to push the rest of the US closer toward a federal privacy law, along with other states that are taking similar action independently.”
Will CCPA spur the creation of a national data privacy law? That’s the big question, of course. And according to a survey of 2,000 American consumers by DataGrail, 82% of respondents think there should be a national privacy law. What’s more, the survey found that two-thirds of Americans are “creeped out” by webcams and cover the webcam on their laptop. It also found that 49% of people have had their personal data involved in a large corporate data breach.
Due to the rapid evolution of technology, data privacy has become a human right, according to Manu Fontaine, the CEO of Hushmesh, and formerly the head of safety, security, and privacy products at AOL.
“Data privacy is a human right essential to self-determination and freedom of choice,” Fontaine says. “Unfortunately, pervasive profiling, identity theft and data breaches continue to strip people of agency over their digital lives. Privacy can only be achieved with personal data security.” Eliminating passwords and instead using private keys for authentication and encryption is the answer, Fontaine says.
Go back 10 years, and the cloud was widely considered too insecure. The big public cloud and software as a service (SaaS) providers responded and tightened up their security, and now cloud services are often considered more secure than on-prem equivalents. However, with so many SaaS and cloud offerings proliferating, some businesses may be getting ahead of their skis when it comes to security, McAfee says.
According to new research sponsored by the security software company, 52% of companies use cloud services that have had user data stolen in a breach. What’s more, 25% of companies have had their sensitive data downloaded from the cloud to an unmanaged personal device, McAfee says. The average company has more than 35,000 data loss incidents per month, but few have implemented solutions to prevent data loss.
“The force of the cloud is unstoppable, and the dispersion of data creates new opportunities for both growth and risk,” said Rajiv Gupta, McAfee’s senior vice president for cloud security. The solution is to create “data-centric” security tools, rather than network-centric tools, that can control the sharing of data from the Web and the cloud all the way down to individual devices, Gupta says.
But don’t overlook the risk of data loss posed by emails, according to Tessian. The email security startup has conducted research that found the average large enterprise sends about 7,000 misdirected emails (i.e., emails that don’t reach their intended recipient) per year. “These numbers are particularly troubling given the serious consequences of sensitive corporate data falling into the wrong hands and the hefty fines that come with GDPR violations,” the company says.
Regulations like GDPR and CCPA will help consumers get a handle on how much sensitive data they’re really sharing throughout the day, and get a leg up on companies that would previously have exploited their unintended sharing, says Eve Maler, the interim CTO at ForgeRock, which develops digital identity management solutions.
“Consumers are sharing more information than ever before, but many are not aware of how their information is being used or exploited,” Maler says. “However, more consumers are becoming more sensitive about their personal data and will not be slow to take action if they have the slightest inclination that they are being taken advantage of.”
When it comes to data access, the word of the year may be “consent.” Anurag Kahol, CTO and co-founder of cloud security firm Bitglass, says businesses that aim to be data-driven should build data-gathering and data-sharing processes around that all-important concept.
“In order for enterprises and organizations to broaden their options for PII usage and build trust with skeptical consumers, they must ‘opt in’ to consent as a business choice wherever possible, giving more transparency and authority to users,” Kahol says. “Given that failing to comply with privacy regulations can lead to significant economic consequences and worse, organizations need to apply comprehensive privacy and consent management solutions that scale across all of their applications and channels.”
Thanks to GDPR and CCPA, the tide of customer sentiment is moving towards greater privacy and security, says Jack Mardack, a vice president at big data analytics firm Actian.
“With regulations like CCPA and GDPR we’re seeing a movement take shape, one that’s pushing brands to become more responsible custodians of their customer data,” Mardack says. “Additionally, these types of laws are also pushing consumers to care more about their personal information and rethink how their interactions on the Internet, and what they share about themselves, puts them at risk – and not just from a financial standpoint.”
Above all else, don’t stick your head in the sand when it comes to data privacy, says Stan Christiaens, CTO and co-founder of data intelligence provider Collibra.
“Looking at how businesses can improve, the answer is simple: don’t be lazy, pay attention and ask questions,” Christiaens says. “Claiming not to know and remaining ignorant of the main issues behind privacy and compliance is no longer an excuse. Taking the road of least resistance and doing just enough to comply is simply the wrong attitude towards doing business in the 2020s.”
We are way past the point that yet another checkbox on your website is sufficient, he continues. “Data is the lifeblood of any organization and if it is not protected and monitored correctly, it can cripple an organization,” Christiaens says. “Instead of thinking of CCPA as an extra annoying daily exercise you have to do to comply with a new fad diet, it should be thought of as a fundamental health concern to keep your vitals in check. And remember, boards will measure those vitals.”