Growing up in a big family means there are always a lot of things: lots of food, lots of noise and lots of fun. But there’s one thing that is always quite scarce … privacy. The more people in a family or group, the harder it is to keep things private. And when you expand that group to every person, everywhere across the world, your privacy is all but gone.
In the age of digital connectivity, information can be replicated, exfiltrated or deleted in a matter of seconds. This is why consumers and businesses need to implement steps to prevent, detect, respond to and remediate data breaches. However, the volume of new and changing regulations coupled with more sophisticated threat actors can be intimidating and confusing, leaving many questioning how they can keep up. Luckily, we can predict a lot about the future of privacy simply by looking at its history.
Privacy Over the Years
As we see the rapid increase in the volume of privacy regulations, it’s easy to think of this as a modern problem. However, US privacy law dates back to the Constitution. Under the Fourth Amendment, the people have the right to be secure in their persons, houses, papers and effects against unreasonable searches and seizures. Nearly a century later, in 1890, a Harvard Law Review article titled The Right to Privacy argued for citizens’ right to protect their privacy from “instantaneous photographs and newspaper enterprise,” which the authors believed had invaded the “sacred precincts of private and domestic life.” If only they knew what was to come!
In the mid-20th century, George Orwell published the dystopian novel 1984, which many believe prompted a flurry of scholarly articles, novels and lawsuits stressing how critical privacy is for citizens. But it wasn’t until the 1960s that the US Supreme Court began ruling on privacy cases, including landmark decisions on the right to marital privacy (Griswold v. Connecticut, 1965) and the reasonable expectation of privacy (Katz v. United States, 1967).
When the Constitution was written, the concept of electronic assets was unheard of. However, in today’s world, electronic data is often more valuable than tangible assets. Recognizing this, in 1973 the Department of Health, Education and Welfare published the report Records, Computers and the Rights of Citizens, whose Fair Information Practice principles are still visible in modern privacy legislation. Over the following decades the US saw the creation of the Family Educational Rights and Privacy Act (FERPA, 1974), the Health Insurance Portability and Accountability Act (HIPAA, 1996) and, my favorite, the National Do Not Call Registry (2003), among others. One thing was clear: the US was focused on privacy!
The Pillars of Privacy
Although hairstyles and music have changed throughout that time, the pillars of privacy have stayed much the same over the decades. In 2002, Congress passed the E-Government Act to modernize government information technology resources and improve access to government services online. With it, the fundamental pillars of privacy evident in past legislation were formalized into clear guidelines; Section 208 of the Act, for example, requires federal agencies to conduct privacy impact assessments.
- Appoint a Designated Individual: Generally called the Data Protection Officer or Privacy Officer, a designated individual must be appointed to maintain compliance and ensure data is kept secure. This individual’s primary responsibility is ensuring data processing and storage comply with relevant privacy legislation.
- Conduct Privacy Impact Assessments: Similar to control self-assessments, a privacy impact assessment (PIA) evaluates organizational processes for accessing, processing, storing and transmitting personally identifiable information (PII).
When it was signed into law in 2018 (effective January 1, 2020), the California Consumer Privacy Act (CCPA) became the first comprehensive state statute regulating how businesses process the personal data of a state’s residents. California has since expanded its legislation with the California Privacy Rights Act (CPRA), a 2020 ballot measure that amends the CCPA and adds further consumer rights and obligations for companies that collect Californians’ personal data.
In 2021, Virginia and Colorado followed suit by signing the Consumer Data Protection Act and the Colorado Privacy Act, respectively. All three acts take effect in 2023 (the CPRA and Virginia’s CDPA on January 1, the Colorado Privacy Act on July 1). According to the International Association of Privacy Professionals, lawmakers in 29 states and the District of Columbia introduced or continued to discuss privacy regulations in 2022, each at varying stages of the law-making process.
Effective in 2023: California’s CPRA, Virginia’s CDPA and the Colorado Privacy Act. Additionally, Michigan, New Jersey, Ohio and Pennsylvania have active bills under committee discussion that could be signed in the near future.
But it’s more than just new regulations keeping security and risk professionals up at night. When planning for the future, businesses must also consider the humans involved in data privacy. As threat actors get more sophisticated, purpose-built espionage is becoming more and more common. For example, several years ago China helped the African Union build its new headquarters. It was later reported that the servers installed in the building were copying data to servers in China every night, in the same early-morning window. Because the transfers were regular and happened outside working hours, nobody treated them as suspicious and the activity went unnoticed for about five years.
While China denies its involvement, the situation highlights a key weakness regarding privacy … humans. At the time, China’s willingness to help the African Union was seen as humanitarianism. But I say it was the ultimate act of social engineering. Those involved in the project believed China was there to help and were manipulated into skipping the basic safeguards, such as vulnerability scans, code security reviews and activity monitoring, that would have caught the exfiltration. This is why having a strong privacy program with multiple levels of protection is so critical.
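The lesson of the African Union case is that a large transfer repeated at the same off-hours time every night is a pattern, and patterns are detectable if someone is looking. The following is an added example, not code from the original post or from any product it mentions, of the kind of activity monitoring that would have surfaced it: it scans flow-log records for an external destination that receives a large byte volume during off-hours on most days. The log lines are constructed sample data (documentation IP ranges), and the thresholds are assumptions to tune for your own environment.

```python
"""Flag destinations that receive bulk egress in the same off-hours window night after night.

Added example with constructed flow records (timestamp, src, dst, bytes); not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 22:00 through 05:59 is treated as off-hours; adjust to the business's working day.
OFF_HOURS = set(range(22, 24)) | set(range(0, 6))


def parse_line(line):
    """Parse one constructed flow record: '<ISO timestamp> <src> <dst> <bytes>'."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_recurring_egress(lines, min_bytes=100_000_000, min_days=5, off_hours=OFF_HOURS):
    """Return destinations that received >= min_bytes during off-hours on >= min_days distinct days.

    A single large overnight transfer (a one-off backup) does not trip this; the signal is
    the repetition across days, which is exactly what the nightly exfiltration looked like.
    """
    per_dst_day = defaultdict(lambda: defaultdict(int))  # dst -> date -> off-hours bytes
    hours_seen = defaultdict(set)                         # dst -> hours of day observed
    for line in lines:
        ts, _src, dst, nbytes = parse_line(line)
        if ts.hour in off_hours:
            per_dst_day[dst][ts.date()] += nbytes
            hours_seen[dst].add(ts.hour)

    findings = []
    for dst, by_day in per_dst_day.items():
        heavy_days = [d for d, b in by_day.items() if b >= min_bytes]
        if len(heavy_days) >= min_days:
            findings.append({
                "dst": dst,
                "days": len(heavy_days),
                "hours": sorted(hours_seen[dst]),
                "bytes": sum(by_day.values()),
            })
    return sorted(findings, key=lambda f: -f["bytes"])


def build_sample_logs():
    """Constructed seven-day sample: normal daytime traffic, one nightly bulk transfer
    to a single external host, and one legitimate one-off overnight backup."""
    lines = []
    start = datetime(2022, 3, 1)
    for day in range(7):
        base = start + timedelta(days=day)
        for hour in (9, 11, 14, 16):  # ordinary business-hours flows, a few MB each
            t = base + timedelta(hours=hour)
            lines.append(f"{t.isoformat()} 10.0.0.15 198.51.100.20 {2_000_000 + hour}")
        t = base + timedelta(hours=1, minutes=12)  # 500 MB at 01:12 every night
        lines.append(f"{t.isoformat()} 10.0.0.15 203.0.113.7 524288000")
    t = start + timedelta(days=3, hours=2)  # one-off 800 MB backup on a single night
    lines.append(f"{t.isoformat()} 10.0.0.15 192.0.2.50 800000000")
    return lines


if __name__ == "__main__":
    for f in find_recurring_egress(build_sample_logs()):
        print(f"{f['dst']}: {f['bytes']} bytes over {f['days']} nights at hours {f['hours']}")
```

On the sample data only 203.0.113.7 is reported (seven nights, about 3.5 GB); the single 800 MB backup to 192.0.2.50 stays below the day-count threshold. In practice the same aggregation runs over VPC flow logs or firewall logs, and the point of counting days rather than bytes is that a regular schedule, which made the transfers look routine to the people on site, is what makes them stand out to a query.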
Your Path Forward
As each of these state-specific acts makes its way through the legislative process, you may wonder how you will keep up with all of the added requirements. The answer is simple: you probably already are! If you’re using a centralized application like the RiskOptics ROAR Platform, you can use the compliance activities you’re already doing to demonstrate adherence to the new legislation while simultaneously reducing the risk of privacy breaches.
Step 1- Forget about requirements, focus on risk reduction!
As I noted above, the pillars of privacy have not changed over the centuries since our forefathers drafted the US Constitution. Yet as each state passes its own unique privacy law, companies may feel like they are piecemealing a privacy program together. That is what happens when you take a compliance-first approach.
Companies are often so focused on each requirement’s unique and specific language that they don’t recognize how much these laws overlap. That’s why I recommend creating a Data Privacy Assurance Program in which you scope in any and all privacy frameworks and cross-map them to a common control set, such as the Secure Controls Framework (SCF). A control assessed once then serves every requirement mapped to it, so you can reuse evidence from control assessments to demonstrate risk reduction while complying with multiple frameworks.
Step 2- Find your highest risk
If you’re using the RiskOptics ROAR Platform, a pre-built risk register with default scores is provided to jump-start your assessments. It should be noted that every organization will view risks differently, so it is important to review the default scores and make adjustments as needed. When considering your risk, it’s important to frame it in the context of the pillars of privacy. Ask yourself, what is the risk associated with NOT maintaining an appointed data privacy officer, conducting privacy impact assessments or implementing sufficient safeguards to protect the data? Each of the risks is mapped to various controls that could aid in remediation.
Step 3- Automate, automate, automate!
Once you’ve identified your biggest risks, it’s time to remediate them. And this is where ROAR can save the day! When you created your Data Privacy Assurance Program, not only did we cross-map the requirements to a common control set, but we also mapped the risk register to those controls. This lets you see exactly what controls could help you reduce your risk! It’s a built-in treatment plan that guides you toward risk reduction. Beyond that, this interconnectivity enables you to conduct control assessments and automatically burn down your residual risk. The more effective controls in place, the lower your residual risk becomes.
But before you can assess those controls, you have to collect evidence. This is arguably the longest and most tedious part of control assessments. However, through connectors, the RiskOptics ROAR Platform can automatically collect evidence from outside systems such as hosting providers, HR information systems and software development tools. This allows you to remove the manual process of collecting the information while increasing the accuracy and frequency of your assessments. And in some cases, ROAR can assess the information received and determine if it effectively satisfies the control!
Step 4- Scalability
Although the threats and challenges related to data privacy have grown enormously since the signing of the US Constitution, the pillars of privacy have stood firm. That’s why building a Data Privacy Assurance Program now will lay a foundation for scalable privacy practices long into the future. As new regulations come into effect, you can quickly and easily add them to your Data Privacy Assurance Program and obtain an instant gap analysis. And because the RiskOptics ROAR Platform frames everything in the context of your business, you are better able to communicate the risk to your data and the outcomes of your remediation efforts.
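Steps 1 through 4 describe one data model: requirements from several frameworks cross-mapped to a common control set, a risk register mapped to the same controls, assessment results that burn down residual risk, and a gap analysis when a new framework is scoped in. The following is an added example of that model in plain Python; it is not RiskOptics ROAR code, and the control IDs, framework names, requirement IDs, risk scores and effectiveness values are all hypothetical (the control naming is only loosely in the style of the SCF).

```python
"""Cross-map frameworks to a common control set, compute residual risk, and gap-analyze a new framework.

Added example; every identifier and score below is hypothetical.
"""

# Common control set (hypothetical IDs).
CONTROLS = {
    "PRI-01": "Designated privacy officer appointed",
    "PRI-02": "Privacy impact assessments performed for PII processing",
    "DCH-01": "PII inventory and data-flow map maintained",
    "CRY-01": "PII encrypted at rest and in transit",
    "MON-01": "Egress and access activity monitored with alerting",
}

# Each framework's requirements cross-mapped to the controls that satisfy them (hypothetical).
FRAMEWORKS = {
    "StateLawA": {"A-1": ["PRI-01"], "A-2": ["PRI-02"], "A-3": ["CRY-01"]},
    "StateLawB": {"B-1": ["PRI-01"], "B-2": ["PRI-02", "DCH-01"], "B-3": ["CRY-01", "MON-01"]},
}

# Risk register mapped to the same controls; inherent likelihood-times-impact on a 0..1 scale.
RISKS = {
    "R1": {"name": "No designated privacy officer", "inherent": 0.6, "controls": ["PRI-01"]},
    "R2": {"name": "PII processed without impact assessment", "inherent": 0.8, "controls": ["PRI-02", "DCH-01"]},
    "R3": {"name": "Unnoticed PII exfiltration", "inherent": 0.9, "controls": ["CRY-01", "MON-01"]},
}

# Assessment results: control effectiveness 0..1; a control absent here has no evidence yet.
ASSESSMENTS = {"PRI-01": 1.0, "PRI-02": 0.5, "DCH-01": 0.8, "CRY-01": 0.9}


def requirements_covered_by(control_id, frameworks=FRAMEWORKS):
    """Every (framework, requirement) one control assessment serves; this is the evidence reuse."""
    return sorted((fw, req) for fw, reqs in frameworks.items()
                  for req, ctrls in reqs.items() if control_id in ctrls)


def requirement_status(framework, assessments=ASSESSMENTS, threshold=0.7, frameworks=FRAMEWORKS):
    """'met' when every mapped control has evidence scoring at or above threshold, else 'gap'."""
    return {req: "met" if all(assessments.get(c, 0.0) >= threshold for c in ctrls) else "gap"
            for req, ctrls in frameworks[framework].items()}


def gap_analysis(framework, assessments=ASSESSMENTS, threshold=0.7, frameworks=FRAMEWORKS):
    """Controls a newly scoped framework needs that are unassessed or below threshold."""
    needed = {c for ctrls in frameworks[framework].values() for c in ctrls}
    return sorted(c for c in needed if assessments.get(c, 0.0) < threshold)


def residual_risk(risk_id, assessments=ASSESSMENTS, risks=RISKS):
    """Inherent score reduced multiplicatively by each mapped control's effectiveness.

    An unassessed control contributes nothing, so missing evidence leaves the risk at inherent.
    """
    residual = risks[risk_id]["inherent"]
    for c in risks[risk_id]["controls"]:
        residual *= 1.0 - assessments.get(c, 0.0)
    return round(residual, 4)


if __name__ == "__main__":
    print("PRI-02 evidence serves:", requirements_covered_by("PRI-02"))
    for fw in FRAMEWORKS:
        print(fw, requirement_status(fw), "gaps:", gap_analysis(fw))
    for rid in RISKS:
        print(rid, RISKS[rid]["name"], "residual =", residual_risk(rid))
```

With these sample numbers the one PIA assessment (PRI-02) serves both A-2 and B-2, StateLawB's gap analysis comes back as MON-01 and PRI-02, and R3 stays high not because encryption is weak but because the monitoring control has no evidence at all, which is the African Union failure mode expressed as a residual-risk number. Treat the multiplicative formula as one reasonable choice; the point is that risk, controls and requirements share one set of keys, so every assessment updates all three views.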