The California Consumer Privacy Act (CCPA) took effect on New Year’s Day, 2020, and was greeted with both approval and criticism. Some critics favor creation of a U.S. federal privacy law over state-led initiatives—though CCPA provides a push in that direction. For example, Microsoft pre-emptively applies CCPA to customers in all 50 US states, not only California, and other companies are expected to follow suit.
IT and security leaders have famously difficult roles supporting business initiatives, managing a large number of vendors, maintaining infrastructure, addressing regulatory compliance, and much more. With CCPA following closely on the heels of GDPR, they are also navigating between two powerful counter-trends: big data analytics to produce customer insights, and data privacy regulations to protect customer data from exposure.
Multiple 2020 predictions for the analytics/AI/machine learning market include references to data privacy and governance, for the first time. For example, towardsdatascience.com predicts, “In combination with the GDPR, this policy [CCPA] will force businesses to comply with data security, data handling, and consumer profiling.”
Can data privacy laws block customer analytics initiatives?
A year ago, 24% of surveyed enterprises said 40% of their corporate data resides on public cloud services, much of it sensitive and unprotected, as reported by ESG Research in their Trends in Cloud Data Security report. Cloud analytics is trending upward with growth in data, storage, and scalable cloud computing. If you consider the data behind personalized online advertising, we already live in a world of real-time predictive analytics. And we gave up control of our data in exchange for that personalization and many other conveniences.
Data privacy regulations need not block customer analytics, but tools are needed to help IT professionals effectively address both the analysis and the privacy of consumers’ personal data.
Is data privacy driving better cybersecurity?
Data privacy regulations are largely a response to cybersecurity breaches, although it’s widely recognized that “compliance does not equal security”. But “Security and Privacy: Two Sides of the Same Coin?” also says that “security is a necessary pre-condition of privacy”. In other words, you cannot have one without the other: the two are different aspects of the unified goal to protect information. Privacy is about what people who have lawfully collected your personal data can and should do with it, and what control you personally have over the retention and use of your data. Security ensures that your data is safeguarded from unlawful access by unauthorized parties.
Privacy laws have significantly increased the price to be paid for failures in security, and are driving better security practices with board-level support.
Could Data Masking be the proverbial Silver Bullet?
IT leaders need tools to balance data protection with data usability and utility. Data masking is a well-established, mature technique for data protection, with many use cases. But consider the need to protect personal data in analytics use cases where secure re-identification is a requirement: data masking is a one-way transformation only. Big data analytics deliver great new consumer products and services, but also create new openings for data exposure. The 2019 Gartner Data Masking Market Guide provides insight into the options, stating for example that big data analytics scenarios can make effective de-identification difficult due to the impact on data usability and utility, “…therefore consider approaches such as tokenization and format-preserving encryption (FPE).”
Tools like Voltage FPE enable secure analytics in use cases such as performing research on collections of otherwise sensitive data, where one-way transformations such as data masking can’t produce the needed insights.
Is data privacy a destination or a journey?
Data privacy and compliance with CCPA, GDPR, and new regulations as they are introduced should be thought of as a continuous program aligning people, processes, and technology. What’s needed is not a single technology, but an integrated portfolio of solutions, including data-centric format-preserving encryption, data access governance, User and Entity Behavior Analytics (UEBA), application security, data archiving, and more.
Global enterprises generally need consulting and legal services, and seek those best-aligned with technology providers like Micro Focus who offer integrated solutions to address comprehensive data lifecycle protection and governance.
Can there be any reward for the effort?
There is a reward for businesses that effectively address data privacy and protection: they have the opportunity to securely use data for needed insights into consumer preferences and buying behavior, and can also market their data privacy commitment to further develop customer trust and loyalty.
It is truly all about the data: knowing what you have, where it flows, governing access, deleting what’s redundant, obsolete, or trivial, and securely using high value data assets to drive value for the business.
…Signs of a smoother road ahead?
On a related note with a longer view, in his January 2020 ISSA Journal column (join, and you can read it all), our Luther Martin writes about information technology in general, the security industry and standards, and our collective role, saying: “We might even be at the beginning of yet another dramatic advance in technology, in which the efficiency gains from the clever use of computers and other information technology will one day create an increase in wealth and standard of living as dramatic as what the Industrial Revolution did…There will always be security vulnerabilities in both hardware and software, and our job is to ensure that those vulnerabilities don’t make the costs of using computers greater than the benefits from using them…The world is getting better and better. Let’s do our part to make sure that trend continues.”
Happy New Year!