While governments pass privacy laws, companies struggle to change

Government agencies keep making new privacy rules while end users fall victim to malpractice and scams.

Bill Tolson, VP of Compliance and eDiscovery at Archive360, has spent many years consulting with regulators and advising businesses on concrete steps to enhance data privacy. In this Help Net Security interview, he discusses how organizations should ensure privacy is built into the design process, cybersecurity investments for better privacy, and much more.


What practical steps should companies follow to ensure privacy is appropriately built into the design process? What benefits will that have in the long run?

Let’s understand the ongoing shift in priorities. Traditionally, we’ve seen organizations building processes to preserve specific records to comply with specific mandates. These are usually limited in scope, affecting perhaps 5% of all data/records in-house. Now, it’s about everything—all corporate data, including information held and/or controlled by employees on their personal devices. Moreover, organizations are required to capture, index, secure, and dispose of all PII based on differing state, federal, and foreign data privacy laws.

None of this will happen without data privacy technologies, policies, and processes being deployed early. As CISA’s Jen Easterly noted, we need to distinguish between security by design and security by default.

Consider how this plays out with popular technologies. For example, our experience at Archive360 shows that many organizations push on-premises file shares into the cloud via Microsoft SharePoint Online. This provides two advantages: It allows a complete move to the cloud and offers enhanced access and data security. This is enabled by creating a file share in the organization’s SharePoint Online platform, which allows automatic syncing of specific folders on employee computers up to the SharePoint file share. It puts the right processes at the beginning: Policies are set up only to allow employee data to be stored in specific folders on the employee’s device, which is regularly synced to SharePoint Online. This data can have retention/disposition policies set for ongoing management; all new files can be scanned for PII content, and all PII can be automatically encrypted, even as role-based access controls are applied.

This is one example. In all cases, technologies and processes must be designed to encompass all data, with processes built-in early to simplify capture, scanning, retention, search, and retrieval.

While global data protection regulations forced organizations to pay more attention to how they handle PII, we still see massive breaches, and millions lose their privacy daily. Will individuals ever be able to control how their information is used? Is there anything they can do?

While we’re still far from the ideal, it’s good to see data privacy enshrined as a human right. From progenitor GDPR in Europe through the explosion of state-level mandates to (perhaps) a national standard, individuals’ rights are at the forefront.

That said, the laws of human nature dictate that we will always have evil actions from bad actors. What’s different now is that individuals can more easily acquire information about which organizations have a history of poor PII security and breaches and choose to take their business elsewhere. Otherwise, prescriptive data privacy laws and aggressive enforcement that force companies to invest in innovative technologies and best practices remain the best remedy to privacy violations.

This shift is driven by individuals increasingly conscious of their rights to data privacy. Just as public debates lead to new laws around the country, vendors change how they gather and use data on individuals—notification and collection of cookies on websites, more robust privacy settings, etc. These are incremental changes, but they are gathering momentum.

Knowledge is a powerful weapon, and new data privacy mandates add to the consumer arsenal. These include the private right to action, through which they can initiate lawsuits against organizations that failed to implement proper security protocols; and the data subject access request, through which they can ask a business for information about what data that company has on them, and how it’s being used. As these measures gain steam and fuel more legal actions, we will hopefully see fewer breaches and violations.

Are fines significant enough? For some companies, paying hundreds of millions in penalties is still a drop in the bucket compared to what they earn by mishandling their users’ data.

There’s general agreement that GDPR sanctions—up to 4% of global revenue or 20 million euros, along with the tidal waves of bad publicity—have captured the attention of even the largest organizations. However, many new state laws lowball the possible fines, and these don’t provide enough punishment to drive real change.

A breach is arguably different: While consumer data is compromised, the organizations take a big hit, too, including individual lawsuits, brand damage, loss in shareholder equity, and a decrease in business.

Let’s say an organization wants to handle sensitive data securely. What kind of cybersecurity investment are they looking at? Hardware, software, security awareness, etc.

No single approach can ward off all dangers—it takes a potent combination of technologies, policies, and practices, all with boardroom support. Remember, employees often represent the weakest link in the data security chain since a simple phishing email can bypass the most sophisticated defenses. Strong protection starts with practical training and enforcement.

Management can also help ensure every strategy builds on a solid foundation. Many enterprises are now engaged in major digital transformation and cloud migration initiatives. However, some still need help answering basic questions: Do we know where every piece of data in the house resides? Do we know how much of it contains PII, and who has access to it? How is the data managed in the cloud? What kind of encryption has been applied? Where are the encryption keys stored, and who has access to those?

Implementing a zero-trust architecture with accompanying entitlement can go a long way in limiting access to sensitive data. In certain situations, it’s also possible to deploy software for particular functions inside an isolated environment, which helps ensure network security, scalability, storage accounts, access controls and more. This way, there are no shared network resources, and the enhanced security is matched with greater flexibility to ensure a company-specific deployment—a dedicated cloud tenant and custom software to address specific needs.

Some argue that the regulations we have in place today are too harsh or need to allow more latitude for companies to work with data. What would define a set of realistic data privacy capabilities?

This premise is unacceptable: Current data privacy laws are not prescriptive enough, and don’t carry a downside large enough for many companies to take them seriously. The idea that we can’t work with data without violating data privacy rights is ludicrous, even offensive.

We need more enforcement, the possibility of individual data subject litigation, and larger penalties. Companies doing it right have nothing to worry about; strict sanctions can persuade the rest.
