Securing the Digital World

Data is the New Currency - Own Your Data or Someone Else Will

Jan 22, 2019 | by Angel Grant, CISSP |

Monday, January 28th is National Data Privacy Day, a strong reminder of why it is critical to respect privacy, safeguard data and enable trust in our digital world. When reflecting upon last year's blog, it became clear that 2018 delivered a reality slap – opening our eyes that data really has become the new currency. Organizations and individuals alike started to see grave consequences for not adequately safeguarding their data. Much of this was amplified by the many high profile data privacy breach incidents and new data privacy regulations, like the EU's GDPR and the California Security Privacy Act, came into effect. These new regulations protect consumers and could potentially have a dramatic financial impact an organizations.

Much progress has been made and yet, much awareness, planning and consistent global regulatory data privacy guidance is still needed. Especially given we are rapidly expanding our digital footprints to the incredible tune of around 2.5 quintillion bytes of data created each day (yes – Quintillion!); 90% of which was created in just the past two years. I suppose this is why I'm starting to feel like a character in the Rockwell song "Somebody's Watching Me". Little did he know in 1984 how true this would become with the internet and now the IoT data explosion.

Many organizations revisited their privacy, compliance and audit practices in preparation for GDPR and now find themselves trying to determine the best approach to the many emerging ones. Based on a recent survey by RSA and Compliance Week, only 36 percent of organizations felt their data privacy programs were in compliance with state, national, and/or international regulations. This isn't surprising as there lacks a consistent privacy requirement standard leaving organizations to take differing approaches to issues like right to know, right to opt out/in, and the right to be deleted. All of these concepts need to be clearly communicated to consumers for consent depending on their state, and country.

All it takes is one cybersecurity incident for consumers – and employees – to lose trust, making risk management of data privacy a key business priority.

What Organizations should do to plan for privacy...

  • Identify critical data. If you don't know what sensitive information matters most, or where it resides, then you can't protect it. Organizations must determine what data matters most, classify it, make it useless to others, back it up, and then monitor it.
  • Understand that privacy regulations come with audits and expectations that must be part of your larger risk program. If you are required to respond in 72 hours, could you?
  • Clearly communicate to consumers how, when and by whom all data will be used.
  • Develop risk models responsibly – especially if it includes sensitive data. You must treat data responsibly and closely monitor how your risk model leverages the data to minimize developing bias.
  • Advocate for standardized industry privacy frameworks, such as the NIST privacy framework and Department of Commerce's National Telecommunications and Information Administration

What you should do for yourself...

  • Treat your personal information like money – because many organizations will monetize it – as will cybercriminals too!
  • Own your online presence – or someone else will. Think of all the places you post personal information (social media sites, gaming consoles, etc.) and critically evaluate how much you share.
  • Actually read privacy and security settings on your devices and whenever you sign-up for a new service. What permissions is that new mobile app asking for?
  • Lock down your login. Take advantage of the many simple, modern authentication methods that are secure and easy to use.
  • Take inventory of all internet connected devices in your house. Know which ones are active, what they are transmitting when you leave your house. ( e.g. car, watch, jewelry, etc) and change their default passwords.
  • If you no longer want a company that previously collected your personal info to do so – ask them to delete it.

2018 was the year of data privacy awakening; let's make 2019 the year of data privacy enlightenment – remember if you collect or share it, you must protect it.

# # #

Join in and help spread the word around the #PrivacyAware campaign.

Join RSA and Compliance Week's webinar on staying compliance with data protection laws.