What To Prioritize This Data Privacy Day

Data Privacy Day is a global effort — taking place annually on January 28th — that generates awareness about the importance of privacy, highlights easy ways to protect personal information and reminds organizations that privacy is good for business.

Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.

Individuals today feel an increasing lack of control over their personal data. In fact, according to a recent Pew Research Center study, 79% of U.S. adults report being concerned about the way their data is being used by companies.

Below, Security magazine compiled advice, tips and best practices for safeguarding data from many security executives.

Tim Wade, Technical Director, CTO Team at Vectra: “It is not by accident that social considerations of privacy have been at the center of the pursuit of justice, equity, and freedom as it relates to civil liberties and rights.  And as organic and digital existence converge, this continued frontier increasingly becomes anchored to how the data and digital footprints created by individuals are both respected and protected – by individuals themselves, and the awareness they bring to the importance of this matter, and by the organizations and institutions that come to steward what ultimately must still belong to its creator.

Too often, discussions of personal privacy tend to inject tension between the protections of an individual against the protections of society at large.  In reality, the erosion of personal protections for privacy are also erosions against the protections of society at large; undermining the protection, safety, and security of individual privacy degrades the cultural and social fabrics of trust, liberty, and fairness to the detriment of that society.  And as such, the erosion of the privacy of others around us is, in effect, erosion of our own wellbeing.

If there is a call to action on this topic, it is that we must be open eyed about the importance of data privacy – for ourselves, and for others – and that the choices we make will directly affect our lives and our livelihood, and the social fabrics we pass to the next generation.”

Rita Gurevich, Founder and CEO, SPHERE Technology Solutions: “In the enterprise world, there is an increased focus on protecting data from internal and external threats, especially across highly regulated corporations. Safeguarding sensitive data, including your employee and customer data, is not a “should do” concept anymore but a “must do” directive coming from the top. Whether it’s regulatory bodies or internal auditors enforcing the proper data privacy and data protection practices, the repercussions financially and from a reputation perspective, are reason enough for companies to focus their attention to implementing a Least Privileged Access model.

Proactive measures, such as ensuring only the appropriate personnel have access to only the data they need to perform their job functions, are a central theme. Cleaning up the mountains of inappropriate entitlements is step 1 and many organizations are recognizing that this foundational requirement is not as easy as it may superficially seem but a mandate that must be achieved. We predict that organizations will start to go back to the basics and fine tune their practices for basic inventory of all their data repositories with more in-depth analytics on the state of their access controls. Remediation and ongoing certification of entitlements will expand in coverage, automation will be critical, and the onus on the business to partake in these processes will be more of a business-as-usual expectation. This is actually a positive effect and forces not just IT and Security teams to accept this onus and will create a culture of Security First across all business units within an organization.”

Dirk Schrader, Global Vice President at New Net Technologies (NNT): “Users, consumers have far too often that notion of “I have nothing to hide” or “How much can they do with my data?” The inconvenient answer is “a lot” as there are many ways of using the gender, the age, the location (inferred from the IP address) can influence what kind of services are marketed, how often a user sees an ad just to name some less nefarious examples. This kind of profiling might seem harmless but overall it enables businesses to select which products, which services they offer and at what price levels. That is why the call to action for individuals “Own Your Privacy” deserves a lot of Kudos.

For businesses analyzing the data they collect about users and consumers, the calls for Protection and Transparency should ring loud in the ears of those at the top. If data is the verbatim ‘new oil’ for digitalized business models, should a business not be doing its utmost to protect that from being stolen, copied, encrypted for a ransom. And if it is transparent about those data processing processes in place (the how’s and why’s), it not only earns some trust, but it also enables itself to protect the different processes according to their criticality for the business. And they should not stop to dig deeper in that transparency – at least for their internal purposes – and collect information about the systems in use for that processing, the status of these, how vulnerable they are, how often unexpected changes happen to them. That will build the solid base needed to protect the business process, which will help to protect the data of consumers, which will increase the trust of those consumers in the company, and – finally – make it easier for them to share more details with a trusted organization.”

Mohit Tiwari, Co-Founder and CEO at Symmetry Systems: “You need not give up data privacy so that organizations can thrive off of personalized advertising or by hosting customer data in a Software-as-a-Service (SaaS) application. Road safety is a great example where protocols and training sets appropriate expectations among drivers, bikers, pedestrians, etc. Similarly, there is considerable research and new commercial tools for organizations to measure how customer data is used internally and safeguard it — and the recent exodus towards Signal shows that respecting customer privacy can actually be good for business.

Imposing reasonable fines is indeed a good way to make measuring and improving data risk a board-level priority. And this can only be good for both customers and enterprises that host their data.”

Joseph Carson, chief security scientist and Advisory CISO at Thycotic: “Data privacy will, and already is, evolving into a Data Rights Management issue. Citizens’ privacy will continue to be under the spotlight in 2021. The end of privacy as we know it is closer than you may think. Privacy definitions are very different between nation states and cultures, however, one thing that is common is that privacy is becoming less and less of an option for most citizens. In public and online, almost everyone is being watched and monitored 24/7 with thousands of cameras using your expressions, fashion, walk, directions, interactions, and speech to determine what you need, what you might be thinking, who you are going to meet, who is nearby, and even algorithms that determine what your next action might be.

Regulations will continue to put pressure on companies to provide adequate cyber security measures and follow the principle of least privilege to protect the data they have been entitled to collect or process.

I believe the big question, when it comes to data privacy, is “How is citizens’ data being used, collected and processed?” Ultimately data privacy will evolve into Data Rights Management which means rather than giving up personal data for so called free use of internet services, citizens should and can get paid for allowing their personal data to be used for marketing purposes. It will become more about how the personal data will be used, and what monetization is resulting from the data. In the future everyone will become an influencer; the difference is how much it is worth.”

Heather Paunet, Senior Vice President at Untangle: “Data Privacy Day is a date well worth noting for businesses of all sizes.  It is easy to let a whole year go by after performing an assessment of data access privileges and user access privileges. Having a ring on the calendar is a reminder that puts the importance of this assessment back top of mind once a year. Software providers can use this day to review new features they are planning to deliver within the next six to twelve months and make sure that GDPR and similar requirements are included as part of the implementation.

Businesses can also review their own IT policies. IT departments should review who has access to different types of data and remove access from anyone that doesn’t have to have that access. In a year, employees’ roles within a company can change and their responsibilities and what they need access to may also change. Data privacy is not only about stopping data from being stolen, but it’s also about trust of the information that we access and use in good faith. If someone’s personal information can be stolen and used such that that person’s identity could be misrepresented, that can cause widespread knock-on effects of misinformation. For example, the Twitter accounts of Barack Obama and Jeff Bezos were hacked in 2020. Someone with their Twitter accounts would have the ability to reach and influence millions of people who have trust in the things they tweet.”

Tom Pendergast, Chief Learning Officer, MediaPRO: “The essence of Data Privacy Day to me is the realization that data privacy is everyone’s responsibility. From the boardroom to the loading dock, everyone has a role to play. From a training and awareness perspective (where I come from), one of the best ways to do this is to provide education that employees can use both at work and at home. For the majority of employees, many of the attributes of the sensitive data they handle as part of their job should be recognizable when it comes to keeping their own information secure. When an organization goes about educating their employees on their own data privacy requirements, I’ve seen success using a “golden rule” approach. That is, telling employees to treat the data they handle as part of their job the same way they’d want their own data treated. This more personal approach makes privacy more “real” and less theoretical.  Most employees do not need to know the letter of the law. What’s often best is taking a principles-based approach to data privacy that they can use both at work and at home. Whether you plan to recognize Data Privacy Day on just Thursday, January 28, or extend it into the entire week, this occasion is the perfect opportunity to reinforce the importance of handling sensitive data with respect, no matter where it’s found.”

Isabelle Dumont, Vice President of Market Engagement at Cowbell Cyber: “The digital footprint of people and businesses has expanded exponentially over the past year because of the pandemic and remote work. We spend more time online, connecting through video conferences, shopping on e-commerce sites, or sharing stories in online communities. Data Privacy Day in 2021 is a great reminder and an opportunity for all to assess and fine-tune how they engage online so that both personal and professional information remain safe.”

Brendan O’Connor, CEO and Co-Founder at AppOmni: “The way organizations store data has shifted rapidly to the cloud. At the same time, SaaS vendors that house sensitive data have grown in scope and complexity. They have evolved into complex platforms that provide access not only to internal users, but also to external users, 3rd party apps, contractors, and managed service providers. In short, there are now many more access points to data housed in the cloud. Unfortunately, these relatively new access points are often unknown, or simply overlooked, by enterprise security teams. This has created a massive opportunity for attackers to exploit these applications, which is why we’ve seen so many successful hacks in recent weeks and months. To ensure data privacy for everyone, security teams need to take ownership of data governance in cloud applications.

“Specifically, organizations need to:

  • Have visibility to which 3rd party applications have access to their data, and actively manage that access on a continuous basis
  • Ensure that external users have the appropriate level of access to data. AppOmni has found that external users are over-provisioned and have access to sensitive data in over 95% of enterprises
  • Continuously review the permissions for internal users and ensure that they are not able to inadvertently expose sensitive data”

Howard Taylor, CISO, Radware: “The growth of the digital economy, accelerated by the pandemic, has forced the world to provide more and more personal information online. With the interruption of face to face communication, customers, businesses, and governments must adjust to effectively manage personal relationships in the digital world. In short, these three bodies must work in harmony to develop a balanced, practical approach, enabling the beneficial flow of personal information, while stemming problematic or illegal activities.  I like to think of it as Zen and the art of Data Privacy. Here are a few of my observations and recommendations on how to achieve this balance:

  • The Customer – Must understand the privacy rights as defined by its government. This includes procedures to make “data subject rights” requests and how to raise formal complaints. Next, customers must read and understand the privacy policies posted by the companies and services they share their information with. It may be hard, but be prepared to “walk away” if you are uncomfortable with their policies.
  • The Business – The marketing and sales teams have two major challenges, the drastic reduction in in-person sales and the ever-tightening laws and regulations limiting reaching out to prospective clients. Companies have to recognize the risk and avoid questionable ways to bypass these regulations. They must provide clear and accurate privacy statements suited to their customer base (eliminate the legalese). When they capture personal information, only the minimum should be stored securely. This includes the use of encryption, controlled access, and deletion when it is no longer necessary. Companies must also be careful that if this information is to be shared, it is only shared with the appropriate partners that maintain similar privacy policies.
  • The Government – Evaluate the costs and benefits of the current data privacy laws and regulations. Are they providing the intended level of data subject protection or are they ineffective? Governments and regulators must ensure that they facilitate desired Digital Interaction while maintaining the data privacy of their constituents.”

Adrian Moir, Technology Strategist and Principal Engineer, Quest Software: “With a change in working practices comes an opportunity to look closer at the impact of data privacy and privilege. With a distributed workforce, there are issues surrounding differing threat vectors and data usage that may compromise data privacy. While an organization can have a robust data protection and privacy policy, a substantial change in work practices can, overnight, impact that policy such that it’s no longer effective. Consider, now that you may have hundreds or thousands of workers at home sharing their network with devices that do not meet corporate standards: Where do they store corporate data so it’s kept from prying eyes? How do they transfer that data, share data with other home workers? What’s the exposure of ‘just use a cloud storage solution to share data’? Sharing data and data use become simpler to do, but that can lead to not only data breaches but breaches in privacy policies too. Who can access what data, who can use what data and how can be changed with just a few clicks. Human involvement has a lot to do with a level of data or privacy breach.

“As your home workers become more adept at using new services and techniques to share data, they increasingly become a target for bad actors. Now your threat vectors are distributed like your workforce, except your workforce are unlikely to have enterprise grade protection of their home infrastructure. It’s important to educate your workers and reinforce your data protection and privacy policies, and provide the solution deemed suitable to sustaining the new working culture, so workers don’t need to or will not fall outside of your desired policy. Make this an easy thing for your workers so that the uptake is swift but controllable.”

Andrea Amico, Founder and CEO of Privacy4Cars: “Cars today collect massive amounts of personal information through sensors in the vehicle, like GPS navigation, and by syncing our phones with handsfree and entertainment systems. This information can include records of your precise location data, contacts, photos, calls and text messages, as well as account passwords and garage security codes. Just as we must protect our privacy when using our phones or computers, we should also think of the information that may be collected, stored, or shared by our vehicles, whether it is a car we’ve owned for years or one we rented for the weekend, or only a few hours. Simply disconnecting from Bluetooth or the USB port is not sufficient to delete personal data, as records continue to be stored in the infotainment system until they are proactively wiped clean – a process that takes just minutes to complete but is often overlooked. So, think about the types of data you’d want to remove before giving anyone else access to your vehicle and make sure it gets deleted.”

Saket Modi, Co-Founder and CEO at Lucideus: “We are stepping into an era that is more digital-dependent than ever before. With PHI selling on the dark web for as little as a few hundred dollars, data is the new currency.  While to date, the ethical and moral responsibilities that come with its abundance have rested with governments and the corporate world, the end-user (consumer) has to start sharing the onus. From being prudent about what kind of information they are making publicly available, to knowing exactly which website, platform or service they are using has been breached – there is a lot the average person has to incorporate into their cyber-consciousness.

“Consumers need to take control of their digital footprint and privacy. They must know, objectively and in real-time, what they expose through their online identities, devices they own, applications & services they use, along with staying updated with the modern trends leveraged by cybercriminals to misuse data. To that end they can start safeguarding some of the most recurring pain points:

  • Take action over compromised credentials – While 72% of consumers frequently lose sleep over having their information stolen, 64% have never checked to see if they were affected by any major data breaches. Understanding the effects of a data breach is paramount to take the appropriate steps. From changing passwords and security questions to checking any other accounts where you might have used the same credentials.
  • Set up Two-factor authentication or Multi-factor authentication – Enabling MFA or 2FA where possible will add an extra layer of security to your accounts, no matter if you are logging in from a computer or a mobile device. It creates an extra barrier for those trying to break into your accounts.
  • Secure your mobile devices – Malicious actors can get to your devices through several ways, which is why we recommend closing the loop on the main characteristics of your device. Always keep the operating system up to date and be sure to use antivirus technology – it’s not just for your computer. When downloading applications only do so from the official stores (App Store/Google Play).  Never download something directly from the internet where hackers can embed malware in apps offered for free. Finally, enable the encryption option on your phone, which makes it difficult for cybercriminals to recover your data if you lose your phone.
  • Protect your social media identity – With 50% of people using public and open social media accounts, the need for increasing cyber-consciousness has never been more important. Consumers need to understand that where they are logging in from and which devices have access to their information impact their ability to keep their accounts safe. Enabling notifications for unrecognized login alerts can also help manage these risks better.”

Mike Kiser, Senior Identity Strategist, SailPoint: “In the past year, consumers and enterprises alike elevated data privacy to a critical requirement for their digital lives—rising as an indicator of health and a safeguard against the risk of exploitation. This ‘assessment of health’ currently plays a role on both the individual and societal levels:

  • On the individual level, users are shifting rapidly to systems and applications that ensure their privacy. Enterprises such as Apple are beginning to emulate nutrition labels with their online store applications, providing end-users the opportunity to make ‘healthy’ choices. If there was any question about individuals’ desire for privacy, the recent shift from WhatsApp to other messaging platforms such as Signal and Telegram (as many as 1.3 million in a single day) demonstrates that how identity data is protected is a key feature for the public at large.
  • On the societal level, while nations such as the United States wait on the creation of national privacy regulation, the discussion around data privacy is currently being driven by the worldwide pandemic. Covid19 and the subsequent vaccination initiatives raise new questions about the intersection of societal health and individual privacy. Covid19 contact-tracing applications present challenges for privacy; a trade-off is being made that exchanges some individual data to protect the population at large. A similar choice exists as vaccination becomes more widespread: how do you prove that you’ve been vaccinated without revealing more identity data than necessary? Organizations such as the Vaccine Credential Initiative seek to answer these questions in a standardized way (but these solutions raise questions of fairness and access to technology, which were already issues that were surfaced by the pandemic).

Data privacy, then, has expanded its impact over the last twelve months, rising to become a ‘vital sign’ for the health of both society and individuals.”

Andrew Sellers, Chief Technology Officer & Co-Founder, QOMPLX: “This year’s Data Privacy Day will allow us a collective moment to reflect on how COVID-19 has impacted the privacy landscape. Companies have quickly responded to a new working culture as they faced economic uncertainty, social movements, and natural disasters. For many of us, working from home and contact tracing have become part of our new normal during this pandemic.  In our haste to address urgent needs, we as a society haven’t fully rationalized what controls assure us that private data held by corporations remains protected even though IT departments have largely discarded legacy assumptions of where and how data is accessed now that so much of the workforce is suddenly remote.  Sensitive business can be done over teleconference from our homes, but many of these solutions have been proven to be susceptible to eavesdropping.  Similarly, contact tracing has certainly saved lives and reduced infectious disease transmission during the pandemic.  But we should also consider that creating this capability to work so transparently and automatically was only possible because those that make mobile devices and apps are so well practiced at geolocality analytics.  In the age of Surveillance Capitalism, as Shoshana Zuboff has termed our times, many uses of these technologies are not anonymized and are far less benevolent.  Consumers are becoming more aware of these issues and are beginning to hold companies accountable with their purchasing patterns by demanding products that include end-to-end encryption that users can manage.  As wonderful and enabling as new technology has the potential to be, Data Privacy Day is yet again a good reminder that we must also be aware of what is at stake as we collectively work toward a better future.”

Ian Pitt, CIO of LogMeIn: “It’s no surprise that data privacy concerns continue to be a hot topic in the age of remote work. As data breaches continue to increase and advanced technology is deployed, many consumers have expressed their concerns about how companies are using and protecting their data. Organizations need to implement data protection best practices to ensure their customers’ data is secure. This year’s Data Privacy Day serves as another reminder that organizations need to implement best practices not just today, but every day. Below are some data protection tips for organizations to take to ensure trust and credibility with their consumers.

  • Start with basic security hygiene. Having the best collaboration tools and security software won’t do any good if the security basics are not implemented. In fact, many “hacks” exploit known vulnerabilities for which patches are available. Make sure all software deployed is updated; regularly update firmware and anti-malware and ensure that all data backups are up to date. Tracking all applications being accessed should also be part of the cybersecurity program, as many threat actors target unattended apps.
  • Develop a security aware culture. It can often be the human element that is the weakest link in security, with employees failing to change default passwords or using the same credentials across multiple accounts. This is especially true when no emphasis has been made on security and privacy awareness. Keep your employees educated on what is confidential and sensitive data, and the steps they can take to protect both their own and their customer’s information. Creating a stronger “cyber smart” security culture takes time and lots of education, but is critical to data security in a work from anywhere environment.
  • Implement an access management tool. Using enterprise password management and single-sign-on technologies will not only help reduce potential unauthorized login risks, but also provide the IT team further visibility into who has access to specific resources. Moreover, organizations are able to integrate their domain, SaaS applications and even customer applications, ensuring every entry point is secured.
  • Limit information shared on public channels. It’s tempting to share passwords with colleagues through email or messaging platforms, but attackers can easily compromise the shared information. Instead, call the coworker that needs the login details rather than writing it down, or utilize a secure password-sharing application that requires additional verification of a user’s identity before granting access.
  • Utilize passwords and end-to-end encryption for all video meetings. Virtual meetings also provide an opportunity for attackers to listen in on private information. Always mandate passwords when setting up new meetings and share that information with participants separately from the meeting invite itself. Most major videoconferencing providers now also offer end-to-end encryption for meetings, and utilizing this feature adds another layer of security, making it more difficult for anyone outside the meeting to access the conversation.”

David T. Blonder, Data Protection Officer, BlackBerry: “The pandemic has forced many organizations to implement a long-term remote work strategy to meet the ongoing needs of their customers, partners and employees. To address the unprecedented challenges of a work-from-anywhere society, many organizations have looked to technological solutions to support their digital transformation efforts and enable a remote workforce. Along with this development, the global data protection landscape has undergone a seismic shift and continues to evolve. This can create significant regulatory risk if data protection best practices are not always top of mind within the C-Suite.

“As we celebrate Data Privacy Day this year, it’s important for organizations to understand that we all play a vital role in protecting privacy and personal data. To help protect personal data, organizations need to consider the following tips. First, organizations need to understand how broadly personal data can be defined; it’s nearly impossible to protect personal data without knowing how it is defined and this can vary. Second, organizations need to articulate and communicate to stakeholders a clearly defined legitimate business purpose for why they are collecting personal data. If organizations are collecting it, it is imperative for them to implement appropriate technical, organizational and security measures to adequately protect the information and keep it safe from unauthorized access. To have a connected future, organizations must secure, protect and respect the personal data of customers, partners and employees, not only to differentiate themselves, but to create a relationship of trust, confidence and loyalty.”

Stephen Manley, CTO, Druva: “Data Privacy Day is an annual reminder to review and refresh your privacy and data protection practices. As cyberthreats become more vicious and regulations more complex, organizations must evolve how they protect the personal data of their employees and customers. An effective data privacy policy will safeguard from GDPR and CCPA fines and build trust with customers who are wary of how organizations handle their data.

“On this Data Privacy Day, don’t just try to “get well” on your protection policy, but plan how to “stay healthy.” Over the next year, data will fuel your business growth, and protecting data privacy will help you build a company that your customers trust. To keep pace with the business, you must integrate data privacy and protection into your organization’s data management strategy because it takes only one wrong step to lose the customers’ trust. Data Privacy Day only comes once a year, but data protection matters every day. With an integrated approach to data protection and privacy, next year’s Data Privacy Day will be a reminder to celebrate your successes.”

Rick McElroy, Principal Cybersecurity Strategist, VMware Carbon Black: “As a privacy advocate, I commend governments like California for enacting the CCPA, now CPRA, as a means to strengthen data protection. Today, CISOs share responsibility for privacy enforcement, adding more pressure to the traditionally strained role. Moving forward, to allow security roles to learn more about privacy, organizations will either have to invest in automation and the proper tooling to bolster cybersecurity measures or appoint Chief Privacy Officers in a new role focused solely on data privacy. Overall, consumers will ultimately benefit from this shift, as it means their information is held to stringent protection standards and privacy is prioritized across the business.”

James Alliband, Security Strategist, VMware Carbon Black: “The merging of personal and professional life has created immense opportunity for nefarious cybercriminals. As a result, we’re seeing new phishing attacks where the adversary, understanding that individuals are constantly shifting between work and personal emails, target personal email aliases with malicious links asking for business credentials. It’s never been more important to take on a security-first mindset not just in business, but in personal life as well, for a stronger, more well-rounded security posture. Organizations can help make this possible by providing the necessary, regular training to empower employees, without feeling vulnerable. In the end, it’s all about providing people with the proper tools, assets and resources they need to do their jobs safely, and empowering them with the knowledge and responsibility to do so.”

Robert O’Connor, Chief Information Security Officer of Neocova: “Data Privacy Day does a great job emphasizing the protection of sensitive data, which is especially important for banks as the U.S. starts to adopt more regulations in line with the European Union’s General Data Protection Regulation (GDPR). This policy is an important element of the EU privacy and human rights law, and it’s crucial for our digital economy and for shaping its evolution in the coming years. Some states in the U.S. – like California, Colorado and New York – have modeled new laws after GDPR, and banks should expect to see more of this in the near future.

Banks can help customers own their privacy by encouraging them to keep all software on internet-connected devices current to reduce the risk of infection from ransomware and malware; by requiring a strong passphrase that is at least 16 characters long; by enabling 2-factor authentication or multi-factor authentication; and by requesting and displaying only information that is required for the current transaction.

In turn, banks can help safeguard customer data by making sure they know where it is stored and processed; by minimizing the use of customers’ private data and deleting it as soon as it is no longer needed; by encrypting data and restricting access to only those who need to know; by using software to mask the sensitive information for use in application development; and by implementing the National Institute of Standards and Technology (NIST) Privacy Framework.”

Nathan Coffey, Senior Vice President of Privacy & Compliance of Teleperformance: “Over the past year COVID-19 has massively accelerated the move to remote working: in Teleperformance we moved from 7,000 to 200,000 employees working from home across over 80 countries in just 90 days! This sort of transformation presents significant privacy challenges. Educating clients and employees on the risks. Identifying the appropriate information security controls to protect clients and their customers’ data against the risks of unauthorized access or misuse. Leveraging webcams and other collaboration tools to enable employees to continue to engage and feel part of the team in a remote space.

“Engaging with Information Security and developers as well as human resource experts at the earliest stage to find ways to build in privacy and security by design. Responding at speed to the changing demands, whilst of course, always ensuring that the privacy rights of all stakeholders are properly balanced and privacy regulations respected. To ensure privacy it is not enough to primarily focus on data protection, the trinity of Confidentiality, Integrity & Availability; as the capabilities of new technology increase, ensuring appropriate data use – transparent, lawful and ethical – is increasingly vital.”

Stephen Banda, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions: “Privacy regulations, such as GDPR and CCPA, have laid the groundwork for organizations to understand what data privacy is all about and how to protect it. They advise organizations to have the right policies, procedures, and technologies in place to protect the personal information of your employees and your customers. Some regulations call it ‘personal information’ others refer to it as ‘personal identifiable information’, and there are some differences. But at the end of the day, it’s all about protecting the data that could be used to identify an individual.

“With these regulations as a foundation, data privacy has taken center stage this past year as organizations find themselves supporting more remote employees due to the pandemic. Now at home, employees use their own smartphones and tablets to connect to work as they balance the demands of their work and home life. These very personal devices are loaded with apps that may know your location, when you sleep, when you work out, what you eat, what you drive, what pictures you take, and the websites you visit, just to name a few. So it goes without saying that privacy has to be top of mind when it comes to mobile devices.

“Mobile device providers and services are more aggressively addressing the data privacy issue as well. This past year, TikTok ignited the global conversation around what data apps collect and how that data is used. Since then, Apple has mandated that developers list the data their apps collect and has made it more transparent to the end user. Lookout has always put privacy first and we continue to do so. Balancing security and privacy is essential and can only be achieved by providing security without inspecting message content. With a large enough data set of devices, apps and threat telemetry, your security provider will know what ‘good’ looks like, so that they can spot and protect you against the ‘bad’ without infringing on your privacy.

“The onus is largely on organizations to comply with privacy regulations and conduct good business by respecting end-user privacy. But end-users can take some simple precautions, as outlined in our most recent privacy day blog, to protect their data and privacy.”

Adam Mayer, Senior Manager, Qlik:  “Real-time data is one of the most valuable resources for modern businesses; it enables organizations to make the right decisions in the business moment. However, businesses need a clear strategy on how they can democratize employees’ access to real-time data, while ensuring that the insights can be trusted and that access is appropriate to their role. A holistic approach to data governance is needed to ensure that organizations are able to harness real-time data insights without data privacy issues arising. Understanding the data lineage, managing user access through a data catalogue, as well as providing data literacy education so that people understand how to responsibly draw from and use different data sources, are key to ensuring that operating at the speed of business won’t contribute towards creating new compliance concerns.

“Data Privacy Day is also a timely reminder to take a look beyond the usual access controls, and think about how analytics could be used to support with compliance. Analytics programs can help IT teams visualize and manage who has access to what information and if that remains relevant to their role. For instance, this could be through bringing together disparate data sets on user access controls and HR lists of leavers, starters and changers to ensure that there are no anomalies where people retain access to information that is no longer appropriate to their role. This helps businesses introduce real intelligence into the management of data privacy to reduce the risk of human error and streamline processes for IT teams.”
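
The reconciliation of access-control data against HR leaver, starter and changer lists described in the quote above, sketched as an added example that is not part of the original article or any vendor's code. The CSV exports, employee IDs, resource names and the role policy are all constructed assumptions.

```python
"""Access review: reconcile an entitlement export against HR status data.
Every record, name and policy entry below is constructed for illustration."""
import csv
import io

# Constructed HR export: leavers, starters and changers appear via `status`.
HR_CSV = """employee_id,status,role
e100,active,teller
e101,leaver,analyst
e102,changer,marketing
"""

# Constructed entitlement export from an access-control system.
ACCESS_CSV = """employee_id,resource
e100,core-banking
e101,customer-pii
e102,customer-pii
e102,campaign-data
e103,customer-pii
"""

# Hypothetical policy: the resources each current role is allowed to hold.
ROLE_POLICY = {
    "teller": {"core-banking"},
    "analyst": {"customer-pii", "core-banking"},
    "marketing": {"campaign-data"},
}

def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def find_access_anomalies(hr_rows, access_rows, policy):
    """Return sorted (employee_id, resource, reason) for each grant to revoke or review."""
    hr = {row["employee_id"]: row for row in hr_rows}
    findings = []
    for grant in access_rows:
        person = hr.get(grant["employee_id"])
        if person is None:
            reason = "no HR record (orphaned account)"
        elif person["status"] == "leaver":
            reason = "leaver still holds access"
        elif grant["resource"] not in policy.get(person["role"], set()):
            # Typical for changers: access kept from a previous role.
            reason = f"not permitted for role {person['role']}"
        else:
            continue
        findings.append((grant["employee_id"], grant["resource"], reason))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_access_anomalies(load(HR_CSV), load(ACCESS_CSV), ROLE_POLICY):
        print(*finding, sep=" | ")
```
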

Michael Borromeo, Vice President of Data Protection, Stericycle, the provider of Shred-it information security solutions: “The COVID-19 pandemic has presented many challenges for companies when it comes to protecting sensitive and proprietary information, which is only made more difficult by the need to have a remote workforce. This Data Privacy Day, I strongly encourage organizations around the world to assess their information security and privacy policies, training and awareness efforts, and their incident and data breach response plans. Whether employees are working remotely, on-site, or in a hybrid model, it’s an opportune time to re-educate employees on their responsibilities for protecting information, including how to properly collect, use, share and dispose of it.”

 

Originally Posted to: Security Magazine