Happy New Year to all the CPOs and CISOs, because these few quiet early days of January just might be the only peace they get for the rest of 2023. A recent survey said stress and burnout were driving CISOs from their jobs. And it’s not just CISOs. A study on the State of Mental Health in Cybersecurity found that 27% of security professionals report that their mental health has declined over the past year, and that stress levels are high and rising, with 66% experiencing stress at work.
What Keeps Chief Data Privacy Officers and CISOs up at Night?
What’s causing all this stress? Well, if a CISO’s organization collects customer data, their job just got harder. Let’s dive into that. For companies that do business across the globe, collecting and protecting data has become increasingly complicated and resource-intensive (hello GDPR). Heck, forget across the globe; just doing business across state lines here in the US has become increasingly complex, as a myriad of new and existing data privacy laws and regulations cause compliance headaches. Further adding to a CISO’s list of things to worry about is the cost of NOT complying: see the Top 10 Fines Issued for Data Protection Violations.
In the US, five states’ laws are taking effect in 2023: the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Virginia Consumer Data Protection Act (CDPA), the Utah Consumer Privacy Act (UCPA), and the California Privacy Rights Act (CPRA). For some reason, perhaps because I reside in California, it’s the CPRA on which I am most focused.
CCPA to CPRA
I am very familiar with CCPA as I have seen over the last two years the special “do not sell my personal info” links when surfing the internet on my PC or phone that my family back in Ohio does not get to experience. See a short collection of those notices below.
However, now that the clock has struck 2023, the CPRA appears to be replacing the CCPA. Well… kinda. Actually, the CPRA is more accurately described as an amendment of the CCPA, says Bloomberg Law, one that “adds” new provisions, although Bloomberg Law was unclear at the time of writing in October whether it will still be called CCPA or CPRA. My money is on CPRA, as that is what I have been reading lately since the New Year hit.
Why the Change from CCPA to CPRA Matters
One big difference in the jump from CCPA to CPRA is that, now that it is 2023, the CPRA removes the grace period the CCPA provided, that is, the time an organization had to rectify a violation before being fined. The CPRA also creates two additional rights for consumers: the right to correct inaccurate personal information, and the right to limit the use and disclosure of sensitive personal information.
Companies will need to be ready to meet strict privacy obligations for personal information from a broad range of individuals. We’re talking customer data, of course, but also the data of employees, contractors, job applicants, B2B customer contacts and prospects, and visitors to their web and mobile sites. With a laundry list of data that needs to be collected, classified, stored (or not), and protected, it’s no wonder CISOs are buying their weight in antacids.
It’s January, Let’s Celebrate Data Privacy Week!
The reason data privacy is on my brain is that January 22–28 is Data Privacy Week. Data Privacy Week is an annual campaign to spread awareness about data privacy and educate individuals on how to secure their personal information. Last year it was hastily changed from Data Privacy Day to Data Privacy Week, a change I agree with given the rise in data breaches, up 70% globally in Q3 2022 alone.
The goal of Data Privacy Week is still the same: to raise awareness and promote data privacy and data protection best practices. It is sponsored by the National Cyber Security Alliance (NCSA). Although the week mostly raises awareness among consumers, businesses are encouraged to keep consumer data out of hackers’ hands by understanding what the “digital crown jewels” that others want are and where they reside, learning how to protect those assets, detecting when something has gone wrong, and reacting quickly to minimize impact. CyberRes, a Micro Focus line of business, believes so strongly in promoting data privacy that we are Data Privacy Week Champions.
Steps to Secure Your Data
We strongly encourage our customers to take a holistic, analytics-driven approach to securing what matters most—identities, applications, and data. Incidentally, identities have evolved beyond heartbeats, what with the Internet of Things (IoT) and a rapid increase in connected devices. The lack of proper identity and access management is a major concern. Businesses need to ask, who has access to what, and how are privileges managed?
To have a good understanding of where their data is, organizations need a comprehensive data discovery solution. Voltage File Analysis Suite (FAS) provides discovery, tagging, and context-aware analytics across unstructured repositories. An added bonus is that FAS can identify data subject information and organize data into subsets via Workspaces, enabling Consumer Data Requests (CDRs) and Data Subject Access Requests (DSARs) to be fulfilled when all those data privacy laws start empowering consumers to request their info. Structured Data Manager (SDM) discovers sensitive structured data such as social security numbers, credit card data, and client names in on-premises, cloud, or hybrid systems and classifies data for disposition. (Check out our latest Data Privacy blog to learn more about Data Discovery for Data Subject Rights.)
But knowing what is sensitive customer data and where the sensitive data resides is not enough. With cyber attackers lurking seemingly everywhere, external or even internal, enterprises cannot fully control and trust their data environment. They have to instead protect the data itself with data-centric security.
Voltage SecureData secures sensitive data with encryption wherever it flows—on-premises, in the cloud, and in big data analytic platforms.
Most of those privacy regulations mentioned above, such as the CCPA/CPRA and GDPR, recommend encryption and pseudonymization as techniques to protect personal data. Voltage encryption, tokenization, and hashing techniques retain meaning, context, and relationships in protected data, while dramatically reducing the risk of data breach and non-compliance with regulations.
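The discover-then-protect flow described in the data discovery paragraph above and in this one, as an added illustration that is not Voltage code: it scans constructed sample records for social security numbers and Luhn-valid card numbers, then replaces them with keyed, deterministic, format-preserving pseudonyms so records still join on the token and the field still fits its column. The HMAC-SHA256 digit mapping is a hypothetical scheme chosen for the demo, not any product’s algorithm, and the key and records are assumptions.

```python
import hashlib, hmac, re

# Constructed sample records (fictitious). Both rows share one SSN on purpose;
# the second card number fails its Luhn check, so it is not a real PAN.
RECORDS = [
    {"id": 1, "name": "Ada Example", "ssn": "123-45-6789", "card": "4111111111111111"},
    {"id": 2, "name": "Bob Sample", "ssn": "123-45-6789", "card": "4111111111111112"},
]
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
PAN_RE = re.compile(r"^\d{13,19}$")

def luhn_ok(digits):
    """Luhn checksum separates real card numbers from random digit strings."""
    doubled = [int(c) * 2 if i % 2 else int(c) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def classify(value):
    """Discovery step: tag a value as "SSN", "PAN" (payment card) or None."""
    if SSN_RE.match(value):
        return "SSN"
    if PAN_RE.match(value) and luhn_ok(value):
        return "PAN"

def pseudonymize(value, key, keep_last=4):
    """Keyed, deterministic pseudonym (hypothetical HMAC-SHA256 scheme): same
    value + key -> same token so joins still work; length, separators and the
    last `keep_last` digits are kept so the field still fits its column."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    n_digits = sum(ch.isdigit() for ch in value)
    out, j = [], 0
    for ch in value:
        if ch.isdigit():
            if j < n_digits - keep_last:
                ch = str(mac[j] % 10)  # mod-10 mapping is slightly biased; demo only
            j += 1
        out.append(ch)
    return "".join(out)

def protect(records, key):
    """Discover sensitive fields and pseudonymize them; returns (copies, findings)."""
    findings, protected = [], []
    for rec in records:
        new = dict(rec)
        for field, val in rec.items():
            kind = classify(str(val))
            if kind:
                findings.append((rec["id"], field, kind))
                new[field] = pseudonymize(str(val), key)
        protected.append(new)
    return protected, findings
```

The findings list is what a discovery report would contain; the protected copies are what downstream analytics would receive, with the shared SSN still matching across both rows.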
What’s on Tap for 2024?
The IAPP US State Privacy Legislation Tracker lists 22 other states that are debating their own data privacy laws. California is surely not making it any easier for CISOs and CPOs in 2024. Now there is California’s Children’s Privacy Law, which goes into effect July 1, 2024, and applies to “businesses” that provide online services or features “likely to be accessed by children.”
Half the pundits are predicting that all 50 states will have some version of a data privacy bill on their books in the next year or two (See IAPP Data Privacy Law Tracker above), and the other half are predicting we will have a National Data Privacy law to rule them all, to paraphrase J. R. R. Tolkien. But you know pundits. Personally, I am betting on a National Privacy Law, as this hodge-podge of state laws is not sustainable.
Either way, on behalf of CISOs everywhere, please pass the Tums.
Show Your Support
One thing you can do right now is share your support for Data Privacy Week by following us on Twitter and LinkedIn and by using the hashtag #DataPrivacyWeek. Let us know the steps your org takes for data privacy by logging in or registering and commenting below.