Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/21/2020
02:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Avoid That Billion-Dollar Fine: Blurring the Lines Between Security and Privacy

While doing good for the user is the theoretical ideal, the threat of fiscal repercussions should drive organizations to take privacy seriously. That means security and data privacy teams must work more closely.

In the wake of companies such as British Airways, Marriott, and Facebook facing record privacy violation fines, organizations are seeing the ramifications of not having their privacy compliance under control. Clearly, the lines between data security and data privacy are blurring, and companies are beginning to establish their lines of defense for data security — and are still figuring out data governance and management.

The responsibility for helping companies comply with privacy regulations lies in a gray area between security teams and data teams. To avoid the billion-dollar fines that are becoming more common, privacy and security teams must collaborate to achieve compliance.

Formidable Fines
Last year, tech behemoths including Facebook, Google, Apple, and YouTube all came under investigation for violations of the European Union's General Data Protection Regulation, and some have been fined as a result. Facebook was hit the hardest, garnering the largest fine ever required of a tech company, $5 billion. In the EU to date, we've seen fines racking up to €372 million. The introduction of California Consumer Privacy Act will only raise the bar for these fines globally.

As a result, companies have established accountability with a data protection officer (DPO) and involved every employee in the privacy conversation. We can expect these practices to become more common, and security teams, as well as data management and governance teams, will be more involved in privacy-related matters. Additionally, while the tech giants have made the most spectacular headlines, we have also seen those fines and infringement repercussions trickling down to smaller companies across the globe, broadening the need for implementation of privacy best practices. 

Recent smaller fines include a $21,000 fine for a Swedish school after it conducted a trial in which the attendance of 22 pupils was tallied using facial recognition.

Similarly, a €500 million online food delivery company in Germany failed to comply with data subject access rights after not deleting accounts of former customers in 10 cases — even if they'd been inactive in the company's service platform for years. To make matters worse, eight former customers also complained about unsolicited advertising emails from the company. Specifically, a data subject who had objected to the use of his data for advertising purposes still received 15 additional advertising emails from the delivery service. In other cases, the company did not provide the data subjects with the required information or they did so only after the Berlin data protection officer intervened. This resulted in a nearly €200,000 fine, which is significant compared with the company's global revenue.

These cases illustrate that data privacy has become a very broad topic, spanning beyond the traditional data security vulnerabilities that we first think about. Every company must be prepared, no matter its size and business activities. In addition to the fines, repercussions for companies that fail to comply include:

  • Exposure to reputational and revenue risks as data privacy violations are breaking customer satisfaction and relationships: For example, the Information Commissioner's Office, the UK's independent authority on data privacy, said that 46% of the complaints it collects are related to the disrespect of the right for data access, rectification, and deletion.
  • Rising costs in their operations: For example, it has been shown that addressing subject rights requests, which gives individuals the right to obtain a copy of their personal data, with a manual process is not only error prone but can be very costly, with an average of $1.40 per request, according to a recent Gartner survey

Collaboration for Compliance
Privacy teams must establish the framework for data privacy, which includes, but is not limited to, data security and protection against data breaches. Typically, privacy teams are responsible for knowing where user data is and how it flows, proactively safeguarding it and making sure it is used for a purpose. One important role of the privacy team is to establish privacy by design, which means that each project within the company that needs personal data must understand and be accountable for the impact it has on privacy. This requires strong collaboration between the privacy, security, IT, and data teams to protect, monitor, and take action once a breach has occurred — whether it involves sensitive user, company, or customer information.

While the privacy and security teams are generally not intertwined, they certainly have overlap that needs to be addressed. To give companies the best chance of avoiding fiscal repercussions, data privacy teams must take stock of how data use can be interpreted as a personal privacy infringement and share their practices with security teams, which can take measures to protect the data where it lives before it is threatened.

Having a DPO who acts as an orchestrator, engaging both the privacy and security teams and educates employees is a best practice for ensuring compliance. Once a niche role, the DPO got a huge boost with GDPR, which made it mandatory, and today there are an estimated half-million DPOs registered in Europe alone! While the chief security officer (CSO) role is not a result of privacy regulations, it has become more widespread across the enterprise and was elevated to an executive level in the digital era.

Privacy is a different discipline from security though, and there needs to be accountability and practices that are deployed widely so everyone in a company understands and implements them. The CSO acts as a bridge between security and privacy to ensure this happens, especially in the US, where regulations do not mandate a DPO.

Not only is data privacy important for the good of the individual, but it must also be a top priority for companies, which risk losing billions of dollars. While doing good for the user is the theoretical ideal, the threat of fiscal repercussions should drive organizations to take privacy seriously — and this is best practiced through collaboration between security and privacy teams. Everyone from security and privacy teams to sales and marketing teams must be in compliance and understand their responsibilities. Educate every individual at the company and collaborate together on training and trust exercises. 

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "With International Tensions Flaring, Cyber-Risk Is Heating Up for All Businesses."

Jean-Michel Franco has dedicated his career to developing and broadening the adoption of innovative technologies and is currently the Senior Director of Product Marketing at Talend. He is an expert of GDPR, CCPA, and data privacy, working on the front lines with Talend's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13864
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
CVE-2020-13865
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.
CVE-2020-11696
PUBLISHED: 2020-06-05
In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4.
CVE-2020-11697
PUBLISHED: 2020-06-05
In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.
CVE-2020-13646
PUBLISHED: 2020-06-05
In the cheetah free wifi 5.1 driver file liebaonat.sys, local users are allowed to cause a denial of service (BSOD) or other unknown impact due to failure to verify the value of a specific IOCTL.