Data Privacy in the Crosshairs
2020 was a tumultuous year that saw a surge in Internet use as a result of the COVID-19 pandemic. This proved to be a windfall in some ways, i.e. acceleration of digital transformation. But it also exacerbated some existing problems, including data privacy (or the lack thereof). In honor of International Data Privacy Day, let us take stock of what we’ve accomplished in the name of data privacy, and where we may go next.
We’ve come a long way from the early 2010s, when the U.S. government was caught indiscriminately snooping on American citizens, with help from major telecommunication companies. Edward Snowden is still in exile for the role that he played in 2013 in exposing the huge data collection and analysis apparatus that was built in the name of national defense. The government tells us that it has stopped with those flagrant abuses of data privacy.
But how do Americans feel about it? According to Pew Research, they do not trust governments and companies to do the right thing with data. A 2019 survey found 81% of people feel they have very little or no control over data collected by companies, while 84% felt the same about government.
It’s important that people feel that they have control over their own data, according to the National Cyber Security Alliance, the Washington D.C.-based organization that has spearheaded the idea of making January 28 Data Privacy Day. They theme for this year’s celebration is “Own Your Privacy.”
Some folks are taking that “ownership” of data quite literally, in the sense that data is a currency that can be traded. For instance, a study conducted by Entrust found that a majority of consumers (64%) are willing to trade personal data in exchange for better personalization. What’s more, 83% of respondents said they’re at least “somewhat comfortable” with using or storing biometric data with apps and services.
Interestingly, youngers folks were more likely to share their personal data, such as their name, age, or location,, to get a more relevant, personalized, or convenient services. The survey found 69% of Gen Z and 70% of Millennials were willing to make these trades. However, only 60% of Gen X consumers, and 48% of Baby Boomer consumers said the same. Folks in the UK were also more trusting of the data collection of companies and governments than American cohorts, it found.
The willing erosion of personal privacy is a trend that won’t likely go away, according to Neil Correa, a cyber strategist at Micro Focus.
“Privacy controls will continue to erode, especially among young adults/teenagers,” Correa says. “Given that social interactions will be primarily online for the foreseeable future–social media accounts, online dating portals, location tagging, online banking etc.—[these interactions] will provide a wealth of information to build a digital profile of users for businesses and bad guys alike. Users will willingly give up their personal information for a seamless online experience as well as connect their accounts to ease authentication and account/password management.”
While consumers are willing to trade privacy for convenience, that doesn’t mean they’re not concerned about privacy. Nearly four out of five consumers who participated in Entrust’s study say they’re concerned about privacy, and nearly two-thirds say they’re more concerned now than they were a year ago.
Companies that don’t take the data privacy concerns of their customers seriously risk damaging their relationship with those customers, according to Or Lenchner, CEO of Luminati Networks. “Organizations of all sizes need to evaluate how they use data as the world becomes increasingly digital and ensure they take ownership for their own data protection and collection practices, otherwise they put themselves at great risk of losing the trust of their community and consumers,” he says.
Being proactive about data privacy, as opposed to being reactive, is another important element in gaining the trust of customers, according to Wim Stoop, a product director with Cloudera. A good way to put this into action, he says, is for businesses to recognize the sensitivity of data as soon as it hits their systems.
“Organizations need to close the gap when it comes to tracking, identifying, and classifying information, at scale, in real time,” Stoop says. “Doing this proactively, as the data enters the lifecycle, rather than retrospectively, is what will set them apart. After all, understanding what data is sensitive or not from the moment you have it, is key to making sure it is protected properly.”
Following local data privacy regulations is also important. In Europe, the General Data Protection Regulation (GDPR) spells out the steps that companies (and other types of data-using organizations) must take when handling individuals’ data. Many other countries around the world have created their own data laws based largely on GDPR.
In the United States, the toughest law, arguably, is in California, where the California Consumer Privacy Act (CCPA) went into force about seven months ago. However, in November 2020, California voters approved a new law, called the California Privacy Rights Act (CPRA), which in some ways is more closely aligned with GDPR. The CPRA goes into effect on January 1, 2023.
Another tool that organizations can use to help guide their data privacy activities is the new NIST Privacy Framework that was approved in 2020, says Robert Meyers, a channel solutions architect at One Identity.
“When building privacy programs it’s imperative to utilize the new tools, like the NIST Framework to build a privacy program, and build strong cybersecurity programs around privileged accounts, control data access, and implementing least privilege management tools,” Myers says. “With the NIST Framework privacy programs, privacy professionals and people who are interested in privacy now have a checklist. This is something we’ve never had at this level before, which makes the future look clear for the first time since privacy programs began.”
Data security and data privacy are two separate topics, but they overlap in important ways. For instance, without good security practices, an organization will raise the risk of breaching the privacy of its customers’ data, which is bad. Encryption is one widely used technique for securing data as it moves across the network. But good security—and hence avoiding bad privacy outcomes—demands that data be protected at rest, too.
That means protecting data as it sits in databases and applications, says Tim Mackey, the principal security strategist at the Synopsys Cyber Research Center (CyRC). “[T]he weakest point in the data lifecycle isn’t the network, but the application and any employees with access to the data,” Mackey says. “Solving for this requires that data be encrypted at all points where the data owner isn’t accessing it. End to end encryption is a security technique which ensures that user data is always encrypted, even when stored by a service provider.”
Another weak link emerged in the data supply chain in 2020: home-based workers. According to Adrian Moir, a technology strategist and principal engineer at Quest Software, the rise of work-from-home work was a boon for cybercriminals, and it’s going to take a lot of effort to shut the spigot off.
“Consider, now that you may have hundreds or thousands of workers at home sharing their network with devices that do not meet corporate standards: Where do they store corporate data so it’s kept from prying eyes? How do they transfer that data, share data with other home workers? What’s the exposure of ‘just use a cloud storage solution to share data’?” Moir says. “As your home workers become more adept at using new services and techniques to share data, they increasingly become a target for bad actors. Now your threat vectors are distributed like your workforce, except your workforce are unlikely to have enterprise grade protection of their home infrastructure.”
Unfortunately, there’s no easy solution for this data privacy/security challenge. It demands rigorous adherence to corporate data protection and privacy policies. Coming up with a way that meshes good security and privacy hygiene without impeding the flow of work from home is not easy, but it’s critical to avoiding lapses that bad guys can exploit.
“It’s important to educate your workers and reinforce your data protection and privacy policies, and provide the solution deemed suitable to sustaining the new working culture, so workers don’t need to or will not fall outside of your desired policy,” Moir says. “Make this an easy thing for your workers so that the uptake is swift but controllable.”
The COVID-19 pandemic had another big lesson to teach us in regards to privacy and security. Namely, would we sacrifice some of our personal freedoms (i.e. our data privacy) in exchange for greater security (from COVID-19)? In many Asian countries that place a higher priority on the well-being of the group over the individual, that question was easy to answer, and the use of contact tracing apps was mandatory. But in Western societies, where a higher priority is placed on the rights of the individual than the group, the debate rages on.
“We are fortunate to live in a world where technology can make us safer in extreme situations such as a pandemic, but it also comes at the cost of privacy,” says Gyan Prakash, head of information security at Altimetrik. “Today, data privacy laws have largely not changed (like GDPR, CCPA), but I do believe that many new laws will be introduced in the near future to ensure maximum protection of consumer data. We will also likely see stricter policies against using such data for any commercial purposes other than medical research and wellness.”
At the end of today, there will still be a lot more work to ensure that consumers’ data rights are being adhered to, and to discourage companies and governments from believing they can recklessly exploit people’s personal data for power or profit.
“Data Privacy Day’s main objective is to be a yearly call-to-action; one that spurs discussion, reevaluation and awareness about how people can keep themselves and their data safe, and to show organizations that accountability, transparency, and a commitment to fair and legitimate data collection practices will ultimately lead to enhanced public trust and better brand reputation,” says Kelvin Coleman, the executive director of the NCSA.