Ever since the EU’s groundbreaking General Data Protection Regulation (GDPR) took effect in May 2018, data privacy laws have sparked conversations among IT and security professionals (as well as consumers) over how organizations can best secure and store users’ data.
The ongoing debate over users’ data privacy is only expected to intensify in 2022, as a number of U.S. states, along with federal lawmakers from both parties in Congress, consider a raft of privacy and consumer protection laws designed to safeguard personal data.
This greater emphasis on data privacy and protection also has meant that IT and security professionals have started to change their approach. Businesses and other organizations can face significant fines and other sanctions if there is a breach or misuse of the personal data they collect from users.
Consider how developers must now consider the security of their applications to ensure that users’ data is protected. “A major part of data privacy is safeguarding the data. And when it comes to safeguarding data, we feel organizations should operate from a very simple paradigm: identify all the threats and then mitigate them,” Archie Agarwal, founder and CEO of security firm ThreatModeler, recently told Dice.
“Safeguarding data means different things to different organizations,” Agarwal added. “But for those involved in developing software systems, we feel strongly that the best way to identify all the threats and mitigate them is by incorporating threat modeling right into their development lifecycle. It’s the most effective way to identify threats prior to deployment, which is obviously preferable.”
Creating secure code is one part of the equation, but IT and security professionals are also now confronted with a patchwork of state laws throughout the U.S. that have been created to ensure users’ data is kept secure. Add into the mix international regulations, such as GDPR, and keeping up with these sometimes-conflicting demands becomes even more difficult.
“We need to see greater simplification on the process side, driven by the unification of regulations. So many things sound great on paper, but how practical is it to implement security across so many different regulatory frameworks?” said Erkang Zheng, founder and CEO at JupiterOne. “At the very least, national rules will need to come together for organizations to implement a cohesive privacy framework for each country. By not reaching some consensus about privacy, we introduce greater risks for everyone to stand up with adequate security protections.”
State Laws Complicate Privacy Protections
A complex web of state-level data privacy and consumer protection laws, experts note, is probably one of the biggest concerns IT and security professionals are likely to confront this year.
The most well-known of these state laws is the California Consumer Privacy Act (CCPA), which was signed into law in 2018 and took effect on Jan. 1, 2020. The law applies to businesses that meet its revenue or data-volume thresholds and collect California residents’ personal information, regardless of where the business is located.
The CCPA has since inspired or provided the model for other state laws, including recent ones enacted in Colorado, Virginia, Maine and Nevada. In addition, lawmakers in more than a dozen states, including New York, Texas and Florida, have introduced similar measures aimed at bolstering data privacy and security, according to the International Association of Privacy Professionals (IAPP), which tracks data privacy developments.
What could help streamline this patchwork approach to data privacy is a superseding federal law, and while there are several measures under consideration in both the House and Senate, it’s not clear whether any of these proposals would have enough support to pass both chambers and make it to President Joe Biden for his signature.
While these state-level initiatives have added much-needed protections for consumers’ data, the complexity of laws that vary from state to state adds to the burden on IT and security professionals who have to make sense of this legal landscape, Zheng noted.
“Security is often a game of details, so as the privacy landscape becomes increasingly complex, it introduces more things that can go wrong. In addition, a patchwork approach makes operations difficult, as security professionals must understand and implement the disparate privacy and compliance regulations from around the world and jerry-rig them together for business continuity,” Zheng told Dice.
“Ideally, an international consortium would address these diverse privacy rules worldwide. New privacy rules create complexity and not just from a compliance standpoint. It also creates operational complexities for security teams,” Zheng added.
Getting More Granular
In the years since GDPR helped bring data privacy and protection issues into the mainstream, more consumers are adopting protections for their accounts and data, such as multifactor authentication and strong passwords, said Heather Paunet, senior vice president at security firm Untangle.
Although most consumers understand that companies will continue to collect some amount of personal data from them, Paunet noted these new state-level laws are an attempt to strike a balance between securing users’ data and businesses’ ability to conduct operations that rely heavily on analyzing consumers’ data.
This balance between security and conducting business is where IT and security professionals need to focus their efforts. “To ensure compliance with current and new regulations, businesses need to understand the data they’re taking in and who has access. Laws such as the Colorado Privacy Act, with similar versions in CCPA, include a requirement to conduct a data protection assessment,” Paunet told Dice. “This is an important first step that any business collecting consumer data should take. Businesses will need to understand what is being collected, and how to protect customer data, while also continuing employee education about data ownership and protection.”
Businesses also need better ways to communicate more effectively with their customers about why data is being collected and for what purpose. “Businesses need an effective strategy to communicate how customer information is collected, used and when it may be sold or disclosed for business-related purposes. Transparency in data collection is a foundational pillar for businesses looking to maintain a trusting relationship with their customers,” added Paunet.
Corey O’Connor, director of products at security firm DoControl, noted that as businesses continue to push more data into the cloud (while also investing more in SaaS applications in a world where work-from-home is still the norm), knowing more about how these modern systems work and what data they can collect will help IT and security teams meet these new state-level requirements and laws.
“These productivity and collaboration tools are what drives the business forward. Personally identifiable information files and data are enveloped into many of the SaaS applications being utilized by the business,” O’Connor said. “Whether it’s data within [Salesforce] or files exchanged over Slack, many of the tools and technologies being leveraged by organizations today are not granular enough to prevent data leakage or data exfiltration. There’s a need to go deeper down the stack and introduce granular data access controls across the SaaS application data layer.”