Security Pros Need to Brush Up On Privacy Regulations in 2019
Eventually, the GDPR privacy-hammer was going to fall on American tech firms. On January 21, France's privacy watchdog used the European Union's General Data Protection Regulation (GDPR) to levy a 50-million Euro ($57 million) fine against Google, noting that the company's practices did not "sufficiently inform" users about how their data was being used by the company. (The search engine giant is already planning an appeal.)

Since the European regulations became official in May 2017, most of the fines have been small-bore, with a couple of regulatory actions reaching into mid-six figures. However, many believed it was only a matter of time before the law was aimed at one of the Silicon Valley tech giants, with Google and Facebook being the most obvious choices.

While it's easy to dismiss GDPR as a Euro-centric regulatory issue, the nature of data, especially consumer data that can move across boundaries thanks to any number of cloud services, means that security pros on both sides of the Atlantic (as well as across the globe) need to start paying close attention to how a new crop of regulation and compliance rules are changing the nature of their jobs.

It's also not limited to Europe. In Asia, Vietnam has implemented a data protection law that also has U.S. tech firms in its crosshairs. Russia has several regulations to protect that country's consumer data, and China is following suit. And in the U.S., the California Consumer Privacy Act of 2018, which offers some modest fines for privacy violations, will become law on Jan. 1, 2020.

Taken together, these new rules and regulations prompted Gartner analysts to list privacy as one of five major digital transformation strategies that CIOs and IT executives will need to focus on this year, along with more technical issues such as augmented intelligence (i.e., using software to augment human intelligence).
And what happens in California, home of Silicon Valley, could reverberate through the U.S., as other states weigh different measures. If the federal government comes under the control of one political party again, and manages to push its vision of data regulation, it's likely that a unifying law of privacy protection could then supersede state rules.

"GDPR has significantly raised the profile of privacy since going into effect," Paul Sonntag, the practice director for Global Privacy at Coalfire, a provider of cybersecurity advisory and assessment services, noted in an email to Dice. "Increasing public awareness, the threat of enforcement, and the regulatory focus on documenting data processing activities and privacy-by-design principles mean that privacy concerns have moved beyond the purview of legal to affect pretty much every aspect of operations," Sonntag added. "The impact will grow as additional privacy regulations arrive, which is happening at an increasing pace in the U.S. and around the world."

Those sentiments were echoed by Chris Morales, head of security analytics at Vectra, a San Jose, Calif.-based security vendor. He notes that good data protection and privacy policies should form the basis of an enterprise's whole cybersecurity plan. This means that security-minded tech pros, and the CISOs that lead them, can't ignore government regulations just because they are based outside the U.S.

"Every security professional needs to be able to identify what data an organization is generating, collecting, storing, sharing, and using," Morales noted in an email. "This means an essential skill set will be knowing how to establish a data classification policy, a data dictionary, and a data governance policy. These policies define data into specific classifications, such as public, proprietary, sensitive, personal data, and more. The impact should be better data governance for not just GDPR but for any compliance regulation like PCI, HIPAA, etc."
With so many data privacy laws coming into focus, and changes to other rules and regulations being debated daily, how can the security team keep up? Nathan Wenzler, the senior director of Cybersecurity at Moss Adams, a Seattle-based accounting, consulting and wealth management firm, noted there are three simple, but important steps CISOs should encourage their staff to adopt.