Facing the Turbulent Twenties: Lessons from The Last Decade of Data Privacy
A new decade has arrived, ready or not. In the data privacy world, the past decade brought profound changes in the regulatory landscape and threats we could never have imagined ten years ago, but also growing awareness and new tools for dealing with the challenges we face. If the past teaches us anything, it is to expect the unexpected and that “ready or not” is not good enough.
In 2010, data breaches, paper documents, lost laptops, and insider theft were big factors in a privacy professional’s day-to-day life. No one could have anticipated how digital transformation would put everyone and everything online, the amount of personal data that consumers would be induced to share, or the millions of records that can now be lost in a single breach. We’ve seen the development of vast, shadowy criminal enterprises and state actors engaged in cyberattacks and surveillance, with sophisticated malware for sale and phishing attack botnets for rent on the Dark Web.
Where we once defended personal data through a shredder and firewall, we must also now defend through every portal and mobile app, every personal device an employee brings to work, and every industrial controller and IoT device in our buildings, our fleets, our service infrastructure. And in the midst of this digital transformation, employees remain our weakest link, as human error results in unintentional disclosures, and falling prey to malicious attacks has become commonplace.
How long will it be before the smart appliances in the lunchroom are turned into data spies by nefarious actors?
Rising Tide of Regulatory Oversight and Enforcement
As we learned to fight the privacy battle on every front, regulations advanced on us from above. Before HIPAA passed in 1996, most privacy laws were in place specifically to grant financial institutions and government agencies the right to collect personal information (although a 1994 statute did stop motor vehicle departments from selling driver records to marketers).
Since then, we have seen an explosion in U.S. privacy regulation, including the Gramm-Leach-Bliley Act (GLBA) regulating the financial sector, the Children’s Online Privacy Protection Act (COPPA), the introduction of the HIPAA breach notification rule under the HITECH Act, and a data breach notification law in every state, in addition to some sector-specific state regulations.
Globally, there is the sweeping impact of the EU General Data Protection Regulation (GDPR) and similar new laws from Brazil to Bahrain, Monaco to Malaysia. According to the United Nations, 107 countries now have data privacy legislation in place, and 50 U.S. states plus D.C., Puerto Rico, and the U.S. Virgin Islands have laws that require notification for breaches involving personal information. As the laws have grown, notification windows have shrunk, from months or weeks to as little as 72 hours.
Training an Eye On the Future
If there is good news in all of this, it is that we are more ready to meet these challenges than we were a decade ago. Whether motivated by mega-breaches in the news, reputational risks, or regulatory consequences, more organizations have recognized the need for data security and privacy. Privacy efforts are becoming more integrated: we are seeing better alignment between privacy and infosec teams on prevention and better cross-functional coordination on incident response.
There is also wide recognition of the need for corporate-wide privacy training programs, because human nature never changes, but the ability of criminals to exploit human weakness is now as ubiquitous as the Internet.
The digital transformation that brought us new threats has also brought us new tools to strengthen data privacy and handle regulatory requirements. We’re using AI and SIEM software to spot signs of trouble in our information systems. GRC software makes it easier to manage IT operations that are regulated. For incident response, we developed Radar to help organizations keep up with fast-changing global regulations; make fast, accurate notification decisions; streamline notification; and keep the documentation that regulators want to see.
The past decade in data privacy has been a mixed bag of pain and progress, and that trend will likely continue into the next decade. The twentieth century had its “roaring 20s”; I expect that people will look back on the next ten years as the “turbulent 20s.”
In spite of continuing turbulence, there are positive signs. Consider the continuing improvement in data privacy practices and technical innovation that will give us stronger tools to face new threats.
Can we anticipate every challenge we will face? Certainly not. No more than we could have anticipated the rise of ransomware or the momentous technical progress and massive privacy risks of IoT and biometrics.
But with new learnings, with new tools, and with firm resolve, we will be ready.