
The Evolution of Privacy in Organizations Amidst COVID-19

We’re excited to share this article written by Aleada Advisor Zulfikar Ramzan, CTO of RSA.

On the evening of December 29, 1972, Eastern Airlines Flight 401 departed JFK heading to Miami. At the helm was Captain Robert Albin Loft, a 32-year veteran pilot who had accumulated nearly 30,000 flight hours. He was accompanied by First Officer Albert John Stockstill, who had nearly 6,000 hours of flight experience under his belt. At 11:32pm, as the plane began its approach, Stockstill noticed that the landing gear indicator, a green light, didn’t appear to be working.

The captain and first officer started troubleshooting. Soon, other crew members joined the effort. During this time, the autopilot’s altitude hold was inadvertently disengaged, and the plane gradually lost altitude. The rate of descent was too slow to be noticed by the crew, but large enough to be picked up by the altitude warning system.

When the plane had descended 250 feet, the altitude warning system issued an audible chime. However, the entire crew was completely absorbed by the broken landing gear indicator light. Not a single person reacted to the warning. As the first officer began another turn, he noticed that the plane’s actual altitude was far lower than anyone realized. In a state of disbelief and confusion, he and the captain exchanged a few words. Less than 10 seconds after this final conversation, Eastern Airlines Flight 401 crashed into the Everglades at 227 miles per hour, killing 101 of the 176 people on board.

In the investigation that followed, it was discovered that the landing gear light that the entire crew obsessed about had simply burned out. It was a $12 light bulb.

The COVID-19 pandemic has put organizations in a Flight 401 situation. While everyone is hyper-focused on the tactical issues of maintaining operations and enabling a remote workforce, they may ignore the risks associated with data privacy and security, which have only increased. Of course, addressing those tactical issues is worth more than a $12 light bulb, but ignoring privacy and data security is an epic long-term mistake.

The Shifting Privacy-Risk Landscape

A pandemic caused by a biological virus does nothing to reduce the risk posed by data breaches. If anything, given the current circumstances, companies must now be concerned with additional attack vectors: those associated with remote employees, the hurried adoption of new applications, pandemic-themed phishing scams, and so on.

In addition, organizations face novel challenges in handling incidents stemming from malicious behavior (by both external threat actors and insiders), especially if the security team handling these incidents is itself now working remotely. Incident response matters from a privacy perspective because there’s a distinction between intrusions and breaches. An intrusion means that a threat actor got through the front door. A breach means they walked out the back with your crown jewels. Given the complexity of most environments and the panoply of threats, intrusions are inevitable. But effective incident response can stop intrusions before they become breaches.

These risks will only magnify as companies strive to transition staff back into physical offices. The devices that dutifully helped employees work remotely will have been minimally managed and monitored for months, and they will return to the office in a sullied state. BYOD will be replaced with BYOM: Bring Your Own Malware. Intrusions will increase, and without adequate capabilities for threat detection and response, a rise in data breaches will follow.

It’s also important to bear in mind that breaches are one situation in which data privacy is compromised, but they aren’t the only privacy-related consideration relevant to organizations. For example, if an organization falters in responding to data subject access requests from consumers, it may fail to meet its compliance obligations. Addressing such requests is a challenge on its own, but when organizations must rely on an increasingly remote workforce to handle them, the difficulties only multiply.

Enforcement of Regulatory Compliance Regimes in the COVID-19 Era

Companies hoping for leniency during the pandemic when it comes to handling data privacy and security issues — particularly as it relates to regulatory compliance — should think twice.

For example, California’s Attorney General Xavier Becerra issued an alert in April to remind consumers that, despite the circumstances, they retain their privacy rights under CCPA.[1] This reminder underscores the importance of staying focused on these problems in a world where consumers have replaced physical engagement with digital engagement, which increases the exposure of their sensitive data. Exacerbating the situation, final guidance on how CCPA will be enforced has not yet been issued, which means that organizations must prepare for a variety of scenarios.

On the other hand, President Jair Bolsonaro of Brazil has issued an order to postpone enforcement of the LGPD, the Brazilian General Data Protection Law.[2] It’s unclear whether the postponement will hold. Even if it does, the reprieve is only temporary, and organizations will still need to comply eventually. The extra breathing room is no cause for celebration; organizations that aren’t already feverishly preparing for LGPD are far behind.

These issues notwithstanding, efforts to establish new regulations continue. For example, Washington State is working towards a Washington Privacy Act and has come close to passing it in each of its last two legislative sessions. The state of New York has the SHIELD Act, whose data security requirements took effect in March 2020.

It’s clear that privacy regulations are here to stay, and they represent a complex and dynamic terrain that organizations must navigate thoughtfully and deliberately.

Navigating the Terrain

Given the situation, companies are increasingly responding to privacy compliance requirements such as GDPR, CCPA, LGPD, and other state and national privacy laws. The fines and reputational impact of non-compliance, together with the need to answer customer requests to demonstrate compliance and privacy best practices, are driving boards and management to look even more closely at privacy.

There has consequently been increased effort to build privacy into product development in the early stages. Not only are there important compliance requirements, but customers (and potential customers) expect it as part of their due diligence process. The business value in this effort is clear.

Unfortunately, there’s no privacy and cybersecurity pixie dust that can be sprinkled on top of organizations to ease their woes. To have effective programs around privacy and data security, organizations must introduce these elements early on and create the right foundations. At the heart of these efforts, it’s crucial to understand data pipelines and information flows: what data is collected, where it is stored, who can access it, and where it is sent. Companies should create a data flow and governance architecture that makes effective privacy, cybersecurity, and risk controls possible to implement. Organizations will need measures that lower the chances of a material cybersecurity or data privacy incident, and they will need ways to prove to others that they have implemented the right measures. Data security and privacy programs are deliberate efforts; they cannot be divined out of thin air.

To get a better grip on these issues, any company handling sensitive data (i.e., pretty much every organization today) should build in-house privacy and data security expertise, or they should work with consulting firms that have strong privacy and data security practices — or ideally do both. The privacy landscape is constantly morphing, especially from a regulatory compliance perspective. It’s increasingly easy to be caught off guard and increasingly difficult to mount an effective response when that happens.

Having an in-depth understanding of the issues early on is crucial. Questions surrounding data ownership, sovereignty, and security are deceptively easy to ask and yet notoriously difficult to answer, unless the right pipelines have been implemented to facilitate effective data management and governance. It’s also important to recognize the convergence between data privacy and data security. The people respectively responsible for these areas should be collaborating. Anyone familiar with the Westrum typology for modeling organizational culture[3] will recognize the importance of striving for a generative culture that: (1) encourages cooperation among individuals; (2) fosters the creation of bridges; and (3) promotes the idea that failures should lead to inquiry rather than blame.

Going beyond the organizational perspective and considering the societal perspective, it’s crucial to encourage a healthy discussion of privacy at a policy level. The COVID-19 pandemic is the single greatest accelerant of digital transformation in recent times. Digital interactions now permeate nearly every aspect of our lives, including how we buy groceries, collaborate with colleagues, take classes, celebrate birthdays, attend weddings, and even mourn the loss of loved ones.

Every time we go online, we leave a trail of digital breadcrumbs. When looked at individually, these digital traces seem inconsequential, but when considered in aggregate, they create a comprehensive digital dossier that stands to expose the most intimate parts of our lives. Against this backdrop, we have to double down on our efforts to pass legislation that incentivizes organizations to adequately care for and protect the data they collect about us. The stakes have never been higher.

Acknowledgement

I want to convey a monumental thanks to the fantastic team at Aleada (https://www.aleada.co/), a women and minority owned boutique privacy and data protection consulting firm in Silicon Valley, for sharing their invaluable insights on privacy and how to navigate the corresponding complex regulatory landscape.

[1] https://oag.ca.gov/news/press-releases/attorney-general-becerra-reminds-consumers-their-data-privacy-rights-during

[2] https://iapp.org/news/a/brazilian-president-orders-lgpd-delay-to-may-2021/

[3] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1765804/pdf/v013p0ii22.pdf

Zulfikar Ramzan is CTO of RSA Security (@RSASecurity). His work spans cybersecurity, security analytics, identity, malware, cryptography, and machine learning / AI. This article is also posted on his personal Medium account.

This is a Security Bloggers Network syndicated blog from the "Ask Aleada" Blog - Aleada Consulting. Read the original post at: https://www.aleada.co/ask-aleada-blog/2020/5/15/evolution-of-privacy-in-organizations-amidst-covid-19