Data Security – The Flip Side of Data Privacy
In the movie “The Truman Show,” Truman Burbank lived life in an almost perfect, if boring, setting. Arguably, his life is secure. Living your life as part of a carefully scripted reality TV show, watched by millions of people, is nothing if not secure. But privacy—that’s another matter altogether. In 1998, the movie was quite ahead of its time in laying out the tradeoffs between privacy and comfort and convenience. After realizing that his privacy has been violated and exploited his entire life, Truman Burbank didn’t like it one bit, and movie viewers largely empathized with him. It is ironic, though, to reflect back and think that the movie came at the beginning of an era where nearly the entire world traded their privacy for such conveniences as free email, free search, free video games and the like. Unbeknownst to most of us, we all have been living in some version of “The Truman Show,” in the first two decades of the 21st century. It is only recently that consumer privacy has become a cause célèbre around the world (certainly pioneered by GDPR and closely followed by CCPA in California and CPPA in Canada.
Thanks to the emerging regulatory environment, consumer awareness and internal realization, organizations are moving toward at least a ‘checkbox compliance’ approach to privacy. Cookie consent, consent management, opt-out/unsubscribe, privacy policies and annual privacy reminders are all examples of that. Consider for a moment, though, that there is absolutely no privacy regulation in the world. Organizations don’t have to care about giving consumers choices about using their data, sharing data, telling them about the data they carry or deleting that data upon consumers’ request. In such a scenario, should organizations stop caring even if their consumers’ data might become vulnerable and might get compromised?
The Interplay of Privacy and Security
It is easy to say that privacy and security are the two sides of the same coin. But let’s dig into this a bit further and consider two simple scenarios:
1. An organization does its utmost to adhere to privacy regulations. They care about their consumers’ right to access their own data and the right to be forgotten. They provide their consumers control over who their data may be shared with. They manage and track consumer consent properly so that their consumers are not getting bombarded with unwanted campaigns if they have already expressed their desire to avoid that. However, this organization routinely suffers from data breaches. Consumers’ data is here, there and everywhere within the organization with little visibility, little control and little security. As a consumer, would you feel comfortable doing business with such an organization and sharing your data with them?
2. An organization does its utmost to secure all sensitive data, including consumers’ data. They know exactly where all their consumers’ data is across structured and unstructured data repositories. They know who has access to the data within their organization(s) and who that data is getting shared with external to their organization. Data is always encrypted at rest and even in-flight to the extent possible without losing all utility of that data. With these controls in place, this organization rarely suffers from data breaches. However, this organization has yet to implement all the necessary checkboxes for privacy compliance capabilities. When it comes to giving consumers a choice with regard to right-to-access/delete/sharing controls, this organization is left wanting.
The question is simple: Which of these two organizations would you feel comfortable doing business with? Neither are ideal, obviously, but the question comes down to whether you care more about privacy checkboxes or about your data security? Looking at it that way, I’d prefer an organization that can assure the security of my data; they probably deserve my business more than someone adhering to all the checkboxes but failing on the most important, even if unregulated, duty.
A Model for Data Trustees Based on Privacy and Security
Driven by privacy regulations, there has been a mad rush to get all the privacy checkboxes in place while leaving the more important data security considerations underserved. Naturally, this feels like a problem. Why is that? Because we instinctively know that checkboxes help CYA but our ability to be trustees of our customer’s data is a function of both our privacy readiness and security readiness. Mathematically, this may be represented thus:
Data trustee index (DTI) = data security readiness x (1 + data privacy readiness); normalized on a scale of 0 to 100.
Data trustee index (DTI) for an organization can be between 0 and 100, both numbers inclusive.
Looking at it through this lens, data privacy readiness can be seen as a force multiplier to trust. However, if your data security readiness is missing, no matter how prepared you are for data privacy, customer trust in your business will be low. Note that one’s overall trust score may be influenced by a variety of factors such as positive advertising, environmental, social and governance (ESG) readiness, corporate social responsibility initiatives, length and depth of customer relationships and so on. A lack of data security readiness leading to security breaches and sensitive data exposure can start to wear away the hard-earned trust.
How do you get a quick understanding of your score as a data trustee from the perspective of data security and data privacy readiness? Let’s look into that next.
Data Trustee Maturity Model
As noted above, we have broken the data trustee index into privacy and security readiness. Let’s start with data privacy readiness. It’s worth noting that there are elaborate exercises that assess an organization’s privacy readiness (I am referring to the privacy impact assessments). Be that as it may, it is useful to keep a tally of your data privacy readiness with a simple model like this.
Data Privacy Readiness Assessment
Score your organization between a range of zero to four on each of these data privacy readiness criteria:
1. Cookie consent
On your website, visitors can opt out of accepting anything but the necessary cookies.
2. Consent management
Customers’ consent expressed through any channel is logged, managed and acted upon centrally.
3. Data subject access requests
Your customers can make a request to you to share any and all data you are carrying about them.
4. Right to be forgotten (RTBF)
Your customers can easily make a request to have you delete any data about them, subject to legal/regulatory reasons for data retention.
5. Consumer control over data sharing
Your customers control what data you share and with whom.
6. Records of processing activity (RoPA)
Your ability to conduct a regular sensitive data audit and generate a RoPA report.
Rate your organization zero if you have not yet had an opportunity to implement the process described above. On the other hand, if your process is largely automated, your consumers have the option to express choices and you can adhere to each consumer’s choices, rate your organization four on that parameter. On this scale, overall data privacy readiness will fall in the range of zero and 24.
Data Security Readiness Assessment
Once completed, move on to rating your data security readiness. Score your organization between a range of zero to four on each of these data security readiness criteria:
1. Attribute 360 (the what)
A complete view of all sensitive data your organization has on-premises.
2. Structured data map (the where, part one)
A complete view of all sensitive data stored in structured data repositories.
3. Unstructured data map (the where, part two)
4. Entity 360 (the who)
a. Whose data exists within your company.
5. Partner 360
a. How is your sensitive data getting shared (or getting leaked) outside of your organization?
6. Data automation
a. How are risks contained within your organization once detected?
7. Access automation for structured data
a. Policy-based authorization granting data access to the right individuals.
8. Access automation for unstructured data
a. Continuous monitoring of unstructured content being accessed by individuals.
Rate your organization zero if you have not had an opportunity to implement the data security process described above. On the other hand, if your data security process is largely automated with automatic detection and containment of risks, rate your organization four for that particular data security process. On this scale, overall data security readiness will fall in the range of zero and 32.
Data Trustee Index (DTI)
With this framework, your organization’s data trustee index should come between zero and 100 (both numbers inclusive).
● Data trustee readiness = data security readiness x (1 + data privacy readiness).
● Data trustee index (DTI) = data trustee readiness x 100 / 800.
(Where 800 is the maximum score possible for data trustee readiness.)
For a perfect organization scoring a 32 out of 32 on data security readiness and a 24 out of 24 on data privacy readiness:
Data trustee readiness (DTR) = 32 x (1 + 24) = 800.
Data trustee index (DTI) = DTR x 100/800 = 100.
For an organization that has implemented good privacy practices scoring a high of 16 out of 24 but has given data security short shrift, scoring 16 out of 32:
DTI = 16 x (1+16) x 100/800 = 27.
If you’d like to assess your organizational readiness and maturity toward becoming a data trustee, download this data trustee index model.
Conclusion: The Way Forward
Privacy is too important to be left to checkboxes. The data privacy journey that leads to winning your customers’ trust doesn’t and shouldn’t stop with cookie checkboxes for visitors to your website, checkbox-based manual data mapping exercises or even putting a comprehensive privacy policy in place for your customers. One can say those are necessary but not sufficient conditions. Truly caring about customers’ sensitive data will take you to places where you will ask for observability into every nook and cranny of your organization where data might be stored including engineering, marketing, finance and operations systems, among others. It will lead you down a path of figuring out what data you carry, whose data you have, where that data is stored, why you have that data, who has access to that data, who you are sharing it with and when you can get rid of it.
But observability is just the first step. Next, you can implement policy-based automation so that any data risk gets contained before it can do any damage. Unwarranted exposures will get acted upon automatically before a malicious actor can get their hands on that data. Furthermore, with a tabulated view of all sensitive data shared with each partner, you can automatically send notices to each of your partners asking them to delete shared data after 90 days (or however many days).
The manual processes that we all put in place to manage and adhere to data privacy regulations over the last decade were necessary; they were the best we could do. This decade, though, the need to focus on data security with the same rigor we apply to network security is critical. If network security is the first line of defense (for example, a firewall), data security discipline is the last line of defense that can help you keep your sensitive data secure on an ongoing basis even when the first line of defense falters.
