As American citizens, one of the things that we cherish most
is our Constitutional right to privacy. Unless
we are required to by law, we have the right not to reveal any information to
anybody, and this is best exemplified under our right to remain silent,
especially when it comes to being charged with a crime.
When those rights were written, nobody had thought of cybersecurity, much
less computers. Fast forward to now, and we live in a digital world.
Every little thing that we say or do can come under scrutiny,
because of all of the technology and interconnectivity that we rely upon. Not only that, but our Personally
Identifiable Information (PII) datasets can be used by other companies for marketing
purposes we never agreed to, and they are exactly what the cyberattacker targets
whenever they are out to get something.
Because of this, many data privacy laws have been
passed in an effort to protect the average, everyday citizen. Some of the better-known examples are
the CCPA and the GDPR. These laws impose auditing obligations and
heavy financial penalties on a company found negligent in safeguarding the data;
GDPR fines, for example, can reach 4% of worldwide annual turnover or 20 million euros, whichever is higher.
While these laws are good to have, they come
at a real cost to businesses. As a cyber
consultant, one of the biggest complaints I keep hearing is that it costs too
much money to come into compliance with them, especially in the way of
testing and deploying new controls.
I can see this viewpoint as well: the money spent on
compliance could otherwise be used for business
growth.
So the main point of contention is this: are these data privacy
laws excessive? Here are some of the
reasons why they are viewed this way:
1)
The laws are too broad:
In other words, they are open to very wide
swings in interpretation. Because of this, many businesses feel that
they are at the mercy of the whims of regulators and auditors. Deciding whether a company has done enough to protect
its PII datasets becomes quite murky.
For example, suppose a company is hit with a security breach and a big
chunk of its datasets is exfiltrated. Then what? The CISO can state that every reasonable effort
was made to protect the data, but a supervisory authority enforcing the GDPR can
conclude otherwise. Under the GDPR's accountability principle it is the company,
not the regulator, that has to demonstrate its measures were appropriate, so the burden
of proof sits squarely on the business. This is where the huge issue of subjectivity
comes into play. Who is right and who is
not? Is there some middle ground here? Remember, we are all exposed to cyberattacks, no
matter how much protection we put in place to mitigate that risk.
What counts as "enough" is an area that is not
clearly spelled out in these data privacy laws.
Another area of huge dispute in this regard is the use of "cookies" in
your web browser. Cookies are not code; they are small pieces
of data that a website stores in your browser and that the browser sends back
with every later request to that site. A first-party cookie lets a store recognise you
across visits; a third-party cookie, set by an advertising network embedded on many sites,
is what allows your movements across the web to be tracked. The premise
is that by knowing where you have been, the online merchant can be in a
better position to offer you products and services that fit your needs. Because
a cookie identifier can be linked back to a person, cookies are treated as personal data (PII)
under both the GDPR and the CCPA. That is why just about every website
you visit now shows a notice that
cookies are being set in your browser.
Of course, you can accept or decline the use of non-essential cookies, or simply
move on. While this is good for the customer
or the prospect, it is very bad news for the digital marketing efforts of the
businesses that depend on this data to market their products and services. As a result, a new tool called "Unified
ID 2.0" has come out. Rather than a third-party cookie, it uses an identifier
derived from a hashed and salted email address or phone number that the user has
given to a participating site, so tracking no longer hinges on the cookie-consent banner.
More information about this can be seen at the link below:
https://www.thetradedesk.com/us/about-us/industry-initiatives/unified-id-solution-2-0
Browser vendors are moving in a similar direction. Chrome's Topics API,
for example, lets the browser itself infer interest categories from your browsing
history and hand coarse topics to advertisers without revealing which sites you
visited or who you are. Is this bad or good? Again, it is open to
a wide range of interpretations. A related technique on the advertiser side is
browser fingerprinting, which combines attributes the browser exposes anyway (user agent,
screen size, installed fonts, how it renders a canvas element) into an identifier that
recognises a returning visitor without storing anything on the device. The huge downside
of such stateless identifiers is that nothing ties them to an authenticated person: a site
cannot tell whether the browser presenting a familiar fingerprint belongs to a legitimate
returning user or to someone who simply reproduces the same attributes, and the user has no
cookie to delete.
2)
The bad and the good:
That last statement segues into this major part. If
companies start to use these newer, stateless means of tracking people, how do
you know who is a genuine customer and who is a cyberattacker? What are the differentiators? And if these techniques were sharpened
enough to tell the two apart, they would also be able to identify the customer or prospect,
defeating their stated purpose altogether.
So this brings up another point:
the data privacy laws that were written yesterday are much too slow to adapt
to the advances of technology today. But
of course, this is true of any technology law that is created and enforced.
My Thoughts On This:
Unfortunately, in the end, it is the responsibility of each
and every company to make sure that it is compliant with the GDPR and the CCPA,
no matter how much it may cost. But
there is a silver lining if you dig deeper. These laws are making companies aware of
their stewardship of the information and data that they collect.
This will hopefully make them more proactive in maintaining
a strong cyber stance.
But here is also a bit of advice from me: companies should always be proactive, whether
or not they are bound by the CCPA or GDPR. Taking a little bit of action every day, on a continual
basis, will make your lines of defense that much stronger, and in the end it will cost
less when you do have to become compliant with the myriad of data privacy laws.