This post is from the Arxan blog and has not been updated since the original publish date.
Data Privacy Day: Will New Privacy Fines and Rulings Finally Drive Better Security?
Data privacy has been in the news a lot lately, from the EU’s General Data Protection Regulation (GDPR) to California’s Consumer Privacy Act (CCPA). But it is two recent court and regulatory rulings that should have every company paying real attention to privacy, and to how they actually protect consumers, both explicitly against data breaches and against the implicit gathering of personal data.
The EU is leading the way here. France recently fined Google $57 million for a European privacy rule breach, resulting in Google’s largest penalty ever. Suddenly we’re putting a real price tag on data protection, or at least trying to do so. But perhaps more surprisingly, the Illinois Supreme Court recently ruled in favor of biometric privacy, in a ruling that likely surprised large data collectors, who weren’t directly involved and didn’t contribute to the defense. Used as precedent, this ruling could have a significant impact on privacy and security policy and enforcement. It demonstrates that securing users and data will continue to become more critical, because a breach may not even be necessary to suffer brand damage and a lawsuit.
It makes absolute sense that individuals be able to sue for a violation without the burden of proving damage; requiring proof of harm first is the equivalent of not being able to sue a car company for knowingly installing faulty seatbelts until you’ve been hurt by them in an accident. We would expect that lawyers in that state and others will start to bring more data privacy challenges to the courts in the coming months, increasing the risk that companies take on simply by holding specific customer data they may or may not need regular access to. With a tangible risk on the table, the risk/reward equation of holding and protecting data changes.
Protecting data doesn’t just fall on a company’s shoulders either; legislators play a critical role too. Laws must provide specific penalties for data protection violations, similar to what the EU enacted last year. New privacy legislation in the US still isn't doing enough because very little of it is explicit about data security: it relies on vague language such as ‘reasonable security’, which opens the door to confusion and misinterpretation. You really can't have privacy without security.
The U.S. needs to create privacy laws similar to those being applied in the EU, to help protect consumers. CCPA is a good first step, but augmenting it with specific penalties will force compliance. Compliance will inevitably force protection, which will lead to both security and safety.
From the dozens of large breaches we saw in 2018, we’ve learned that many enterprise backend systems and databases are vulnerable because of the applications accessing them. Companies can’t simply protect their networks to keep consumer data safe; they must also implement strategies that include strong detection and reporting of the health and status of applications both inside and outside of their networks. Consumers need to raise their concerns about, and their expectations of, vendors’ security; and security vendors must adopt a security-by-design (and by default) approach for the end-to-end data journey. With monetary penalties now on the table, and the tide seeming to shift towards a demand for privacy, perhaps 2019 will be the year that privacy finally moves security in the right direction.