The changing landscape of privacy and compliance
In the past decade, privacy-related legislation has developed considerably. The 'privacy industry' has gone through a metamorphosis not seen in many other disciplines. Now, as we reflect on the future post-pandemic, we must recognize that being able to quickly access and share accurate data is fundamental to everyone.
When thinking about this, it’s important to remember that there is heavy overlap between business and personal aspects. Password managers are a good example: they typically hold both personal and work-related credentials, which can be hard to separate, and this is why corporate family-use plans exist.
As an organization, how do you measure compliance within your business when growing amounts of data are being shared? And how do you decide when 'good enough' is actually good enough?
For individuals, how do you keep your information private?
An all or nothing equation?
Data as a commodity has grown from long-held views of structure and rigidity into big data information stores that are mostly accurate. These data stores can be used to understand individuals’ behaviors, often for commercial purposes.
For example, you may start receiving advertisements about cars because you posted a picture of your new vehicle on social media. This is a subtle invasion of privacy if you don’t know it is happening (which is why consent is required), and it can be especially annoying if you're no longer in the car market and don't want to be targeted with such ads.
As individuals, we can be reassured that there is an effort by at least some big tech to apply privacy by default. This is invaluable, as it means that many of us can benefit from such privacy measures, such as those enacted by GDPR and CPRA, without even realizing it.
For businesses however, a lot more effort needs to go into this.
We often measure business success purely in terms of winning and losing, such as being in the black or the red, being compliant or non-compliant. For example, you cannot have an 80 percent balanced budget or a 90 percent safe medical device. Data doesn’t always play by these rules.
There will be notable exceptions that demand extremely high levels of accuracy, such as nuclear organizations or military assets. By and large though, the commercial and public sectors have finite resources and need to choose wisely for the best return.
This is novel and can make the yes/no functions of a business uncomfortable, especially in the face of new technology (such as ChatGPT), recently updated compliance standards (ISO 27001/2 2022), or new ones (NIST's first four quantum-resistant cryptographic algorithms). It will mean picking and prioritizing which compliance frameworks to implement, which codes of conduct to follow, and which certifications to pursue.
What is 'good enough' for compliance and maintaining privacy?
This is a question that continuously challenges us. At what point should we consider our efforts satisfactory? There are two things to consider:
- How important to the overall strategy or life goal is your activity?
- What are the risks involved in the scenario?
Depending on where you are in your privacy journey, you will focus on different areas. As an individual, that may be as simple as understanding how to protect and manage your passwords and deleting or disabling social media accounts. Additionally, you could enable Apple’s Lockdown Mode if you are a likely target of sophisticated, targeted attacks such as mercenary spyware.
An organization may find it needs to meet certain minimum certification or accreditation requirements in order to do business -- and there can be many different ones to meet! Often there are overlaps between these frameworks. A quick online search for a NIST to ISO 27001 mapping will turn up several spreadsheets showing that meeting one framework covers roughly 75 percent of the other.
Regardless of which framework you are focusing on, the serious concern is doing nothing about the gaps. If you are an SME, consider starting with the guidance on our website and on the CISA and NCSC websites.
Improving employee behavior and getting comfortable with privacy
Have you ever sat through a staff briefing and near the end there is a brief statement that your compliance training is due next week? Chances are many employees will rush through it and forget much of what they just crammed in.
The trick to improving this process is not really a trick at all -- the key is being visible and engaged with your co-workers. Actively listen to their challenges and be prepared to change your opinion of how compliance can be achieved. (Remember, there is more than one way to gain compliance!) When your colleagues care even a fraction as much about security and privacy as you do, that is a positive moment, and your human-activated risk will be lower.
Getting comfortable with managing personal privacy is a learning curve for all of us. A few years ago, chatting about using a password manager was very uncommon. Unfortunately, the number of scams targeting vulnerable people is still increasing. Stopping to think and talk about what permissions an app requests on your smartphone is getting a little more common. This is thanks to a few things, not least awareness training in business, and those unfortunate victims of crime who have learned the hard way sharing their experiences in the press.
Whether it is the FTC, FCA, ICO, CNIL, Dept of HHS, or any other of the several public bodies that can bring enforcement, the consistent theme is the increasing size and frequency of fines. It is now hard to follow the mainstream news without noticing a breach or a fine. Meta, Clearview AI, Nissan, LastPass, Amazon, Vodafone, Dialpad, and Yale University have all found themselves subject to either a hack or a breach of their compliance obligations. Investing in the tools, people, and design decisions that keep information private is not only becoming more important; being found not to have done so is becoming more expensive.
Kevin Tunison is Data Protection Officer, Egress. Egress Defend, Egress Prevent, and Egress Protect products keep your information encrypted. For businesses, using Defend also means compliance is going to be much easier to demonstrate when renewing an ISO 27001 certification against the Threat Intelligence control.