The importance of Data Protection and Privacy can be gauged from the rising coverage and popularity of the World Data Privacy Day. 25 years after the signing of Convention 108 in 1981: the first international treaty to deal with privacy and data protection, it was in 2006, when the Committee of Ministers of the Council of Europe decided that Data Protection Day would be observed on January 28 each year. This is internationally known as World Data Privacy Day outside of Europe. The last few years and especially during the pandemic, have highlighted the importance of Data Security, Privacy and Regulatory Compliances, besides leveraging Data, Analytics, Business Intelligence and Data Sciences for business.
What were the tenets of Data Privacy, Policies and Regulations in the Pre-Pandemic world?
The early days of computerisation were typically based on on-premise computing and data centres. CIOs had the responsibility of data policies, storage, privacy along with design of Information Technology Architecture and its constituent servers, personal computers, software, networking and security systems. Parallel to the rising usage of the Internet, the late 1990s also saw the advent of the EU Data Protection Directive (EU GDPR’s predecessor), HIPAA Health and Privacy Act for healthcare establishments, the COPPA Children’s Online Privacy Act, the Gramm Leach Bliley Act for Financial Institutions, the Privacy Officers in Federal Governments and the E-Government Act of 2002 in the US. Cyber Security was evolving as well in the early 2000s with Anti-Virus, Data Leakage Prevention, Database Security, Firewall Management, Web Application Security, Intrusion Detection and Prevention solutions safeguarding against external and internal threats.
The 2nd decade of the 2000s saw the rapid adoption of Cloud with its IaaS, PaaS and SaaS systems coupled with mobility, Bring-Your-Own-Device (BYOD) and IoT device revolution thus causing a paradigm shift in the whole IT landscape impacting data privacy, policies, compliances and cyber security. As workloads and systems shifted out of the Trusted Organisational Network, CISOs were managing privacy and security aspects in the world of cloud, mobility and IoT, handling increasingly sophisticated hackers and insider threats, and managing the more stringent privacy and security guidelines especially related to sensitive data. Data encryption, anonymisation, robust Password management have been some of the fundamental tenets of this evolution in cybersecurity.
Parallelly, from the governance perspective, there has been a rising importance of acts such as Federal Information Security Management Act of 2002, the Department of Defense Strategy for Operating in Cyberspace guidelines of 2011, NIST IT standards, the Homeland Security Act and the Cybersecurity National Security Action Plan (CNAP) of the United States, ENISA, the NIS Directive and the EU GDPR. Cloud Security Frameworks encompassed those covering governance (COBIT), architecture (SABSA), management standards (ISO/IEC 27001) and NIST’s Cybersecurity Framework. Rising globalisation also led to dealing with different regulations, compliances and policies across geographies with added nuances of managing intra and intercompany data sharing.
The Pre-pandemic period also saw significant penalties and fines for customer and sensitive data breach especially the cases of Uber, Marriott, Equifax, Home Depot, Capital One, Morgan Stanley, Yahoo, Microsoft, British Airways and several others. This research by Deloitte in 2017 estimated compliance costs to be a significant 10% of a typical banks’ overall operating costs.
What was the impact of the pandemic on Data Privacy, Policies and Regulations?
The COVID-19 induced digital transformation accelerated the already rising growth in data generation speed, volume and variety. Against the global population of under 8 billion in 2021, the corresponding number of mobile devices and IoT Devices is 15 and 22 billion respectively. As per this research by Statista, the total worldwide data amount rose from 9 Zettabytes (1 Zettabyte = 1 trillion gigabytes) in 2013 to over 27 Zettabytes in 2021, and the prediction is this growing to well over 180 Zettabytes in 2025. Web 3.0 and Metaverse along with 5G and Edge Computing will also contribute their share to this growth along with IoT, Mobility and rise in decentralised and distributed cloud computing.
CISOs and CIOs have now embraced a culture of Cyber Resilience basis Zero Trust Architecture. This is due to the rising breadth and volume of attack surfaces emanating from rapid adoption of cloud, mobility, IoT devices, IT penetration in automotive, consumer durables, telecoms, smart cities, utilities, healthcare and other verticals also covering customers and supply chains, along with the proliferation of 5G and Edge Computing. Moreover, the rise of gig and remote/ hybrid working has also added to the mass of attack surfaces and vulnerabilities.
Despite advances in Cybersecurity measures, cyber-attacks have increased by 3 X in some countries covering Work From Home endpoints, Video Conferencing services, malware, ransomware and the Dark Web as mentioned in this research by Deloitte. Some of the notable high-profile breaches and data leakages were the Sunburst SolarWinds attack, the Estee Lauder customer database leakage, the discovery of Facebook and MGM Resorts confidential data on the Dark Web, the resurgence of WannaCry, Revil and other ransomware attacks, along with the Mozi BotNet. Additionally, there have been widely publicized attacks on critical infrastructures as mentioned in this World Economic Forum Article as well. Ransomware-as-a-Service (RaaS) has also crystallised as a serious ongoing threat. Besides attacks on customers and critical infrastructures, there have been incidents across the digital supply chain, especially leveraging vulnerabilities such as Log4j.
According to a Gartner prediction, by 2025 45% of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021. Besides these high-profile external attacks, in 2020, Gartner had reported a close to 50% increase in insider incidents and an 85% more likelihood of employee file and data leakage compared to the pre-COVID era. This point has also been stressed upon in this research by McKinsey which states that 50% of cyber breaches are attributed to accidental and intentional insider threats.
Resilience Frameworks such as FISMA, The Cyber Resilience Review (CRR), the National Institute of Standards and Technology (NIST) FIPS 199, 200 and especially the 800-160 Volume 2 publications treat adverse cyber events as both resiliency and security issues and identify 14 techniques to enhance resilience. These frameworks also encompass Insider Risk Management, as this article by Deloitte highlights. In May 2021, as a response to the SunBurst SolarWinds breach, the Biden Administration in the US issued an executive order mandating strict adherence by the U.S. Federal Agencies to NIST 800-207 as a fundamentally required step for Zero Trust implementation. Another example is of Zoom during the early days of the pandemic in which it had agreed to enhance its security and privacy aspects, on direction from the Federal Trade Commission (FTC)
Artificial Intelligence, Machine Learning, Cyber Data Lakes, Security Information and Event Management (SIEM), Security Orchestration and Response Systems (SOAR), Extended Detection and Response (XDR) and other technologies are playing their part in adhering to the Zero Trust Architecture, Proactive threat hunting and monitoring, minimising false positives and ensuring the already overworked and stressed cyber security teams are handling apt and real incidents and optimising their time.
This article by McKinsey highlights that Data Protection and Privacy and adherence to regulatory compliance enhances organisational reputation, customer trust and builds a solid business advantage. Data Mapping and Classification is the cornerstone of this ethos of proactive customer privacy and data protection steps.
What are the important aspects that companies are considering in 2022?
This research by Gartner states that three fourths of all organizations will restructure risk and security governance for digital transformation in the light of the imploding cyber security threats, insider activity, and increase in attack surfaces and vulnerabilities. This research by EY states that Fortune 500 companies will be together shelling out close to USD 8 billion annually for GDPR compliance.
CISOs, CROs, CDOs, Legal, Risk and Governance Teams have been working together along with business in a cross functional approach to draw up detailed risk categories and assessments across data, people and other ecosystems, estimating cost of breaches and damages, implementing cyber security frameworks and technologies, and crystallising cyber insurance policies. This is even more important for companies who have underage customers such as those in the gaming, retail and entertainment verticals. Technologies such as Artificial Intelligence and blockchain and cybersecurity mesh architecture are being harnessed by companies to have more automated, intelligent and stringent adherence to compliance regulations.
It is of paramount importance for CISOs and leaders to have an in-depth knowledge of country specific data privacy laws, especially for Multinational enterprises and those handling sensitive end customer and employee data. Aspects such as customer/ employee/ stakeholder consent and rights, data storage, retention and transmission policies, clear guidelines in case of infringement, and others must be carefully comprehended. Leaders must keep abreast of all developments across the world, especially across the states in the US, the AI Act, Digital Services and Market Acts of Europe, the new regulations across the Middle East, Japan, Thailand and so on and so forth
A very critical aspect to be considered is organisational culture. Leadership teams must clearly communicate and involve their teams with the goals, privacy policies, operational and compliance aspects, besides deploying technologies and checks. Clear communication, collaboration, gamification, training, rewards and recognitions are some of the tools by which CHROs in Asia and worldwide are assisting the CIOs/ CDOs/ CPOs in this area
What are the trends for 2022 and beyond?
There is little doubt that data focussed and driven enterprises have huge competitive advantages. This research by McKinsey highlights that some organisations which are already seeing contributions of AI to be amounting to 20% of their earnings, are highly likely to have robust data practices. With co-existence of humans and Artificial Intelligence in Super Teams, organisations which imbibe data literacy as well as leverage data and AI driven automation across low risk and daily processes, will have human intelligence focusing on higher risk, value and critical decisions. Focus on Data driven architectures, decisioning, fabrics, lifecycle management, automation driven compliance, and top management focus shall be the keys to unlocking value.
This research by Gartner highlights the 5 top data privacy trends throughout 2024, and anticipates 3/4th of Earth’s population shall have its personal data covered under a modern privacy and compliance regulation. With hybrid and remote working here to stay, Data Localization and Privacy Enhancing Computational Strategies, Robust AI Governance, and Self-Service UI for Privacy are expecting to be critical for the future. This article by Gartner predicts that by 2024, organisations will spend over USD 15 Billion in Data Protection and Compliance Technology on account on Privacy compliances.
With data, assets, users and entities across on-premise data centres and the hybrid/ multi- cloud across the extended enterprise, the trends of globalisation, decentralised risk and decision making, moving from Compliance and Security functions to Security Behaviour and Culture programs (SBCPs), consolidation and convergence of cyber security solutions and of vendors along with Cybersecurity Mesh Architecture (CSMA) help provide a proactive, uniform and integrated data and security framework and posture.
There shall be continuing threats on account of ransomware and its emerging models along with the increased attack surfaces on account of Metaverse and the Web 3.0. As far as IoT devices go, Governments, Institutions and Enterprises will continue to work on governance frameworks of uniform baseline standards for consumer and industrial IoT devices across users, supply chains and the extended enterprises incorporating shared security principles, certifications and regulations. It is expected that these guidelines shall encompass hardware encryption, software architecture and design and to also be taken into account during supplier compliance and assessment exercises as well.
Although commercial Quantum Computing is some distance away, CISOs are already considering future proofing and working on algorithms that are opaque to Quantum Computers and the threat to public key cryptography by incorporating Confidential computing, quantum safe cryptography, and fully homomorphic encryption. The National Institution of Standards and Technology (NIST) is already working on encryption and other resources and tools to ensure security and cyber resilience in the Quantum Computing era, as this article indicates. Also, the World Economic Forum has recently published the principles of quantum computing governance to minimise data theft, ensure compliance and mitigate risk. Proactively addressing Data Privacy, Policies and Regulations shall most certainly ensure in resilient, competitive and differentiated organisations with great reputations.