By Dan Seyer, CMO, Edgile
January 28 is Data Privacy Day, reminding us that privacy rules are in place not just for security and compliance reasons, but also to make your customers comfortable with sharing personally identifiable information (PII) with your company. As digital togetherness accelerates, the importance of managing privacy grows, and it needs to be grounded in consumer-centric principles.
The Wall Street Journal recently quoted a privacy expert who predicted that in addition to the myriad of pre-existing privacy mandates, as many as 25 U.S. states will likely create additional consumer privacy legislation in 2021. Even more new privacy rules are likely to spring up on the international stage. Will you be ready to comply with these new regulations?
Updating your enterprise approach
One of the top priorities for organizations is to stay updated with these new privacy laws—to fully understand them—and then take the right risk-measured actions. This could include creating or updating technical safeguards and processes or simply updating privacy policies and standards.
A privacy policy is not about goals and objectives, but rather it must state firm commitments that your enterprise is making to your clients, partners, shareholders and regulators. Stakeholders across your company, including C-level, Legal, Compliance and sometimes even the board, along with business unit chiefs, need to be consulted and sign off on their portion of the privacy promises. If someone is going to push back or, far worse, say they will deliver specific protections but then fall short, you need to solve that before you publish your commitments publicly.
There are a couple of legal reasons for this. First, the U.S. Federal Trade Commission (FTC) has a history of suing enterprises when their privacy policy substantially differs from actions. Second, that same deviation from promise to reality could easily prompt civil litigation from litigious customers.
Prioritizing data access
Another key privacy consideration is data access. How many of your employees or contractors really need access to sensitive employee purchase activity files? For analytical trends, would a tokenized version—scrubbed of real customer names—suffice? Depending on the usage, tokenized data may be ideal, but sometimes truncation or masking may make more sense. Either way, we predict a substantial increase of tokenization in the near-term to address complexities emerging from the rapid digital transformation underway.
Consider this risk example: A data analyst in a business department needs to crunch customer data. The analyst decides to log in, unencrypt what is needed and then download it into an Excel spreadsheet for more analysis at home over the weekend. That spreadsheet is then used on the analyst’s home computer. That computer is subsequently backed up by a consumer-grade backup service. That backup service is then breached and suddenly you have to explain to regulators how 20-GBytes of sensitive customer PII is now being sold on the dark web.
Integrating privacy with compliance and cybersecurity
Privacy is critical, but it must be permanently intermingled with cybersecurity and compliance. Following procedural privacy rules does little good if the security protecting your files is weak.
“Privacy rules are designed to protect both the enterprise as well as the enterprise’s customers. Customers need to be comfortable with your processes, to trust that your systems and people will protect them,” said David Deckter, Edgile Partner. “Compliance rules are the minimum but sometimes it’s appropriate to deliver a higher level of privacy. Do you really need to save that data? Data not saved can never be stolen. A well-executed privacy program can simultaneously boost compliance and security objectives.”
Data protection in the cloud often depends on the cloud provider. What are their disaster recovery and backup procedures? What protections are in place? An enterprise will be held liable if their data escapes, regardless of how it escaped. When privacy is working closely with cybersecurity and compliance, the enterprise is far more likely to be secure.
Securing mobile apps
Mobile apps add yet another layer of privacy strategy complexity. Although it’s true that many apps let the customer decide their level of information sharing, that decision doesn’t absolve the enterprise’s CISO of the obligation to protect any data that is shared. But do you necessarily control access to that data? That’s where mobile apps can get tricky and it’s an issue that must be thought out and enforced at the earliest stages of your internal app development, with privacy and cryptography minded professionals at the design table.
As regulators push for more opt-in privacy initiatives, some key tech players are changing their approach. For example, the next beta version of Apple’s iPhone and iPad operating systems will force app developers to ask permission to access the phone’s unique identifier—the device’s digital ID. Apple said it will roll out the updated OS in “early spring.” This opt-in change will have a variety of impacts on enterprise IT, such as having less access if consumers choose not to opt-in. Marketing and online sales operations that have grown to depend on that data will have to change their information gathering tactics. This change—the lack of access to a phones’ unique identifier—is particularly troubling to social media platforms and is starting an identity access war among tech giants.
Privacy in a pandemic
COVID-19 has raised a number of privacy considerations. Forrester Research reports that tracking, contact tracing and other tools needed to fight the virus spread are forcing a lot of highly sensitive information to be collected, with few rules to control how that information will be used beyond the COVID-19 efforts – potentially leading to liability blind spots for organizations.
“Privacy is back in the spotlight as countries implement massive vaccination programs and employers keep developing return-to-work strategies,” said Enza Iannopollo, a Forrester senior analyst covering security and risk. “From the creation of a vaccination certificate or passport, the race to build apps for people to demonstrate COVID-19 negative test results has started, sparking concerns of identity checks and other potential privacy abuses. As employers figure out if and how to leverage knowledge about their employees’ vaccination, they must be cognizant of what we learned so far about pandemic management and employee privacy.”
How should privacy frameworks play into these strategic privacy decisions? That has to be calculated based on your enterprise’s situation, especially in terms of which verticals you are in (or plan to be in soon), geographies and your need for long-term data. Identifying this framework foundation is one of the first things Edgile teams work out when starting a client security engagement. Edgile recognizes that privacy programs tightly integrated with cybersecurity programs are becoming business table stakes – as consumer trust becomes even more critical than compliance with a mandate.
Your privacy strategy—alongside your cybersecurity and compliance strategies—can become a powerful win for your business and a strategic differentiator. But it requires a lot of groundwork. Done properly, the benefits can impact your bottom line while simultaneously improving your organizations operational resiliency.