Privacy is difficult to define, much less protect. In the business realm, data privacy is still regularly confused with data security and the titles of those charged with safeguarding it for customers vary widely. Meanwhile, many organizations continue to collect as much personal data as they can, just because they can.
It’s not a new story. But thanks to hard-nosed privacy legislation — primarily, Europe’s GDPR and California’s new CCPA — it’s one whose plotline has finally captured appropriate attention, according to Rita Heimes and Cathy Scerbo, who teamed-up for a 2019 CyberCrime Symposium session on cloud privacy. As general counsel and CIO of the International Association of Privacy Professionals (IAPP), respectively, they were well-qualified to outline legal and technical issues facing CPOs and CISOs as organizations take to the cloud and privacy takes center stage.
In emphasizing consumer data rights, GDPR greatly expanded the definition of personal data, and the CCPA borrows many of its principles. “Our laws are starting to embrace a much broader view of personal information, and that’s not something we’re used to in the US,” said Scerbo. “Organizations need to be ready to properly handle and safeguard that data.”
Failure to do so, said Heimes, will have major consequences. CPOs struggling to get funding to develop a comprehensive privacy protection strategy can highlight a score of surveys detailing the financial costs of breaches—and more specifically, those that compromised personal data.
Juniper Research, for example, estimates that the global cost of cybercrime-related breaches will exceed $5 trillion in 2024, and attributes much of the $2 trillion jump over 2019’s costs to heftier regulatory fines. In the U.S., according to an IBM report, the average total cost of breaches in 2019 was $8.19 million. Moreover, organizations operating in high data-protection regulatory environments incur long-tail costs, with expenditures continuing two or more years post-breach. Then there’s the 2018 British Airways breach, which saw attackers harvest the PII of some 500,000 customers — and the airline slapped with a $230 million fine by the ICO for GDPR infractions.
Beyond breaches, user data mishandling brings it own backlash, as Facebook learned in 2019 when the FTC fined it $5 billion for privacy violations.
Privacy by Design — and Default
For CISOs, the cloud can be a draw, as migration lets them offload at least some upgrading, patching, and similarly mundane security functions. For CPOs, there’s no such advantage, but they’ll be onboard as industry slowly makes its way toward a privacy-by-design (PbD) future. Already, GDPR requires organizational compliance with PbD’s seven foundational principles for new processes and systems.
Regardless of their place in the cloud universe, businesses starting to bake PbD principles into systems, services, and processes have an arduous journey ahead. However, said Scerbo, end-to-end privacy-by-design efforts will pay for themselves, and then some.
Embracing PbD requires risk mitigation, which means organizations must understand all their systems, data storage sources, and how data is mapped. It’s critical that they accurately map data assets — with particular attention on PII in all its forms — so they can apply appropriate security and privacy controls.
When considering CSPs, organizations will begin assessing how providers have built privacy into various offerings, and what that design allows them to do with their hosted data. For instance, will cloud systems allow them to give end customers ultimate control over their own data? “We're not there yet, but that’s coming,” said Scerbo.
Get in the Game — Now
While it’s too early to know how privacy complexities in multi-cloud environments will play out, Scerbo and Heimes provided attendees with some best practices, tips, and tools they can leverage now, while planning for future capabilities.
How do CPOs currently ensure their CSPs secure personal data in line with their organization’s requirements and regulatory dictates? According to a 2019 IAPP survey, 94% rely on contracts to enforce processor privacy compliance.
“Privacy leaders we surveyed said they write really good contracts, shifting risk through their documents,” said Heimes. Further, 88% said data protection/security warranties are their top consideration when assessing CSPs. If they require assurance through certification, most (44%) choose ISO/IEC 27001. However, since the IAPP released its findings, ISO/IEC published a more-targeted standard — 27701 — that provides guidelines for creating a privacy-centric info-security management system.
Other help is available from the privacy technology space, which is growing rapidly. New offerings help teams identify and understand the data assets they control, and provide the capabilities to manage them. IAPP’s 2019 Privacy Tech Vendor Report covers nearly 300 vendors and their product categories, from activity monitoring to enterprise privacy management platforms. That’s a big jump in market entrants since 2017, when the report listed about 50 vendors.
Scerbo also advised attendees to adopt the NIST’s soon-to-be-published Privacy Framework — a counterpart to its Cybersecurity Framework — and expects CSPs will do the same. “There are lots of synergies between the two frameworks and that’s intentional,” she said. The final draft framework recognizes the intersection of privacy and security — aka, the privacy breach — and security’s critical role in preventing that.
It Takes a Team
Indeed, security expertise is a critical asset to CPOs throughout the personal data lifecycle, which is why more enterprises are making PbD and related projects a team effort. Referencing the processor warranties CPOs depend on, Heimes said it’s difficult for them to truly know how CSPs handle personal data. That’s why they should partner with their security teams, starting with the vendor vetting stage.
“Infosec pros have survived situations where things have gone terribly wrong, so they know the questions to ask cloud providers,” Heimes added. They also survived early battles to convince CEOs and other decision-makers that they needed to care about security and invest accordingly, and can be allies for privacy leads facing similar challenges.
Those experiences can also serve as lessons on what the privacy profession can do differently. “I think engineers and data architects initially saw data security as a compliance checkbox, and not their concern,” said Scerbo. “If CPOs don’t get engineers, data architects, and business leaders in the same room to talk about privacy and include it in their requirements, they risk making it just another internal checkbox.”
In fact, privacy, like security, should be the job of every employee in the organization. The IAPP’s shifting membership reflects that shifting mindset. When it launched 20 years ago, said Heimes, members were almost exclusively CPOs, who were responsible for all privacy tasks. Today, its 52,000 members hold a range of positions.
“Privacy’s not just the job of the person in the lead role,” she said. Privacy functions are becoming the responsibility of employees in multiple business units across the enterprise — cybersecurity, IT ops, HR, and marketing, to name a few. It’s just one of the promising results of expanding definitions of personal information.
This is the sixth in our series of posts presenting key takeaways from our 2019 CyberCrime Symposium, held Oct. 17-18. The program — Cloud Security — featured an incredible line-up of speakers. If you couldn’t get a seat at the event or want a refresher on various sessions, don’t miss upcoming installments.