[BreachExchange] Consumer skepticism and stronger protections call for security changes

Destry Winant destry at riskbasedsecurity.com
Mon Oct 29 04:16:30 EDT 2018


2018 became the year in which protecting personal information
established itself as a right that citizens want and are entitled to.
More people started questioning who owns their data and why companies
seem to require so much information about their users to operate. It
was also the year that the world was formally introduced to the GDPR,
a new policy that brought topics like digital privacy and personal
data protection to the fore.

While GDPR was the most high profile regulation to go into effect, it
wasn’t the only notable data protection policy. In 2018 alone data
protection laws or amendments were either passed or proposed in
Argentina, Bahrain, Brazil, Canada, Chile, India, and Japan, among
many other nations. All of the laws are understandably different
around the edges, but stay aligned in their core principles:

- Security by design
- Consent
- The right to be forgotten
- Extraterritorial application

We anticipate that these new regulations around the world on how
consumer data is collected and protected will bring three key security
trends to businesses in 2019:

1. Consumers will become more selective about how they share information.
2. Lawyers will be more closely involved in product development.
3. New companies will provide a secure solution to the compliance puzzle.

Consumers will be more selective about which companies they share
their information with. Why?

Penalties for regulatory violations will become more high-profile.
Scandal followed Facebook in 2018. In April, founder Mark Zuckerberg
testified to Congress that Cambridge Analytica acquired the personal
information of millions of users; in September, Facebook announced a
security breach of 87 million users.

These scandals put conversations around data protection and ownership
in the news cycle. GDPR is sharpening its teeth and taking a first big
bite out of Facebook. If it is decided that the company violated GDPR
with its most recent data breach, the penalty may cost the company up
to $1 billion (4 percent of global annual turnover). It is not
unthinkable that other countries whose users were impacted by the
breach will follow suit.

There will seem to be more data breaches than ever before. In the
first half of 2018 alone, researchers counted 945 data breaches that
caused 4.5 billion data records to be compromised. They project that
the number of reported data breaches will be even higher for the
second half of 2018, as GDPR came into effect in May 2018.

This does not necessarily mean there are more data breaches happening,
but we’ll certainly be hearing about more data breaches. GDPR requires
that companies follow a strict 72-hour window for public disclosure
following a data breach. Security mishaps that have stayed under wraps
in the past, such as the recent announcement of the 2015
vulnerabilities of Google+, must be announced within three days. We
also predict that more companies will be making hasty data breach
announcements with incomplete information in order to adhere to the
narrow disclosure window under GDPR.

Lawyers and the international court system will be driving more sprints in 2019

Corporate lawyers will be taking a closer look at data protection
court rulings. The tension between new consumer data protection laws
and the companies that require consumer data to do business will be
tested in the courts. These new data protection laws will be
challenged, and rightfully so, by companies that operate in this
space. As courts adjudicate, attorneys for companies that deal with
consumer data will be more involved in product development and
engineering than ever before to ensure compliance with an
ever-evolving set of precedents.

But it won’t just be private businesses following along; consumer
rights groups and countries with similar laws will be watching and
learning as companies and the courts work to establish reasonable
standards for consumer data protection.

Secure data compliance solutions will become a product in itself

Similar to what we saw in the credit industry with the Payment Card
Industry Data Security Standard (PCI DSS), we anticipate that new
companies will step up to solve the consumer data protection puzzle
and establish a reasonable standard for securing consumer data.

In short, consumer data drives business. But when that data contains
personally identifiable information (PII), it ought to be protected
using application(s) that are secure by design—meaning security is at
the forefront of how it is engineered.

Companies will benefit from a product that fulfills the following
principles:

1. Security by design
2. Safeguards the personal information of consumers
3. Allows businesses to easily work with consumer data
4. Achieves regulatory compliance

These components are necessary to solve the headache that will follow
the implementation of these disparate global regulatory standards in
2019.

Companies that operate using special classes of data that are
protected by regulatory measures, such as protected health information
(PHI) under the stewardship of HIPAA in the United States, must make
security a top priority in order to operate within the bounds of the
law. But the law mustn’t be so strict as to force innovative products
to fold under the burden of compliance.
