Security Experts: Industry Reactions to Data Privacy Day

January 28 is Data Privacy Day, an international holiday whose goal is to raise awareness and promote privacy and data protection best practices.

The increasing number of incidents involving the exposure of personal data over the past years has led to data protection and privacy becoming more important to individuals, companies and governments.

Companies that have taken steps to protect sensitive information may be seeing other benefits beyond compliance, and organizations that have fallen behind are facing complaints and fines.

Industry professionals have commented on the importance of privacy and the implications of the failure to protect sensitive information.

And the feedback begins…

Rusty Carter, Vice President, Product Management, Arxan:

“Data privacy has been in the news a lot lately, from the EU’s General Data Protection Regulation (GDPR) to California’s Consumer Privacy Act (CCPA) -- but do these laws do enough to actually protect consumers? In short, no. The new privacy legislation still isn't doing enough because there's very little that's explicit about data security, using vague language defining ‘reasonable security’ and opening the door for confusion and misinterpretations. You really can't have privacy without security.


As we’re seeing, user credentials are already for sale on the Dark Web. From the dozens of large breaches we saw in 2018, we’ve learned that many enterprise backend systems and databases are vulnerable because of the applications accessing them. Companies can’t simply protect their networks to keep consumers safe, they must also implement strategies that include strong detection and reporting of the health and status of applications both inside and outside of their networks. Consumers need to increase their concerns and expectations of vendors around security; and security vendors must adopt a security by design (and by default) approach for the end-to-end data journey.


Protecting data doesn’t just fall on a company’s shoulders either -- legislators play a critical role too. Laws must provide specific penalties for data protection violations, similar to what the EU enacted last year. France recently fined Google $57 million for a European privacy rule breach, resulting in Google’s largest penalty ever. Suddenly we’re putting a real price tag on data protection, or at least trying to do so. The U.S. needs to create similar privacy laws to help protect consumers. CCPA is a good first step, but augmenting it with specific penalties will force compliance. Compliance will inevitably force protection, which will lead to both security and safety.”

Paul Madsen, Technical Lead, Hedera Hashgraph:

“Many people assume that with distributed ledger technology (DLT) granular privacy controls are not possible, and that their inherent immutability is incompatible with changing privacy regulation but, ultimately, privacy is giving the user meaningful control over their PII. Next generation DLTs must address this. As such, two particular mechanisms that may prove useful are — 1) a flexible permissioning model that allows for data to be removed from the consensus state and so support GDPR right to be forgotten, and 2) an opt-in model by which verified identities can be bound to a crypto account.”

Lorena Marciano, Data Protection and Privacy Officer, Cisco EMEAR:

“Organisations must embrace and capture new opportunities driven by digital transformation or risk being left behind. But this transformation need not come at a societal cost - data privacy is all about ethics, fairness and transparency.


Leveraging resources to be competitive and sustainable is achieved by knowing how to curate data to help achieve business objectives, whilst remaining both trustworthy and accountable. Our research found organisations who have invested in data privacy are already feeling the financial and operational benefits. This, combined with the fact that the probability of losing more than $500,000 in a data breach stands at 37% for GDPR-ready businesses vs 64% for those expecting to be ready in over a year, highlights the importance of organisations taking data privacy seriously.


Innovation must advance hand-in-hand with thoughtful policies and practices that respect the human rights of all people, but it is also crucial businesses see regulation as a business advantage. It's not just about reducing risk, it's about curating data that boosts efficiency, effectiveness, creativity, and competitive value.”

Matthew Glickman, VP of Customer and Product Strategy, Snowflake:

“Whether at work or play, we’ve all become more dependent on digital data. As a result -- and due to some high-profile data breaches -- we’re starting to see more focus and requirements around how to secure data and networks, and how to give people more control over their personal data. The European Union’s recently enacted GDPR is one example of this trend.


Data privacy is important. But compliance on this front is no easy task. One challenge is the distributed nature of data. If I send an email to you, you may share it with two others, and they may send it to additional recipients. So, if you need to find that data later, it can be like herding cats. That calls for data consolidation, which creates a single source of truth. That way people don’t have to replicate data to share it. Instead, they can simply access a single data set.


Cloud technology and managed access can help enable that. When you move to a cloud-native data model, all of a sudden you can comply with requests for data at any time, without interrupting the production workflow. You don’t need to copy data so that others can process it in their own environments. And you always have the compute power you need to comply.”

Shahrokh Shahidzadeh, CEO, Acceptto:

“Assume all of your credentials have already been stolen, even those credentials that haven’t been created yet.


Due to the frequency of data breaches, we all must operate under the assumption that it’s only a matter of time before we become aware of the fact that our credentials and personal information are compromised. Protecting our citizens' identity and privacy requires new regulatory measures and the collaboration of private and public sectors, including all (large or small) companies that today are taking overt advantage of harvested consumer data that is readily available for corporate welfare but not well protected.


2019 is the year of new solutions that employ a combination of multi-modal and contextual controls that continuously and accurately protect user identity and privacy with the assumption that all your online credentials are already compromised.”

Joseph Carson, Chief Security Scientist, Thycotic:

“Is Data Privacy Day turning into Data Privacy Remembrance Day? Is it even reversible? The answer is yes. The end of privacy as we know it is closer than you may think. Privacy definitions are very different between nation states and cultures; however, one thing that is common is that privacy is becoming less and less of an option for most citizens. In public, almost everyone is being watched and monitored 24/7 with thousands of cameras using your expressions, fashion, walk, directions, interactions and speech to determine what you need, what you might be thinking, who you are going to meet, who is nearby, and even algorithms that determine what your next action might be. All of this is used to help provide a custom experience unique to everyone as well as predict and prevent security threats. The term “if you have nothing to hide you have nothing to fear” is quickly becoming reality, and privacy could certainly disappear in the near future. Can we ever regain our privacy?”

Rikesh Thapa, Co-founder and CTO, Blockparty:

“From the basic consumer's perspective: The key to keeping data that one deems private is literally that — keeping it private. There is no tech out there that can fully promise privacy of information unless it’s blockchain-based data with strong encryption that has direct access to the chain itself (so no dapps that have a company or app managing data entry). There is never any guarantee that a company truly keeps your data secure, let alone private. Most companies or applications will always have a God view or a super-admin access, and that in itself is risky (take Uber for example). Although this is the case with nefarious companies with bad moral compasses, even companies with no bad-acting employees may not have the security sophistication or security budgets to fully protect user information and data.


This is a bleak outlook on the state of security in the industry — however blockchain security and trustless ownership of user data is a significant leap forward. If it catches on, the industry can revolutionize how data is stored, accessed, permissioned and used. We also need a trusted 3rd party authority that evaluates the security status of every company that stores valuable user information similar to GDPR standards set by the EU (except better and more reputable).”

David Ginsburg, Vice President of Marketing, Cavirin:

“Data Privacy Day is upon us, and there is no need to mention our just-concluded ‘Annus horribilis,’ and I’m not talking about US or EU politics. Over the last twelve months, we’ve endured a constant barrage of news regarding the latest hacks, vulnerabilities, or organizations paying the price for just plain stupidity. Though IoT and critical infrastructure vulnerabilities as well as foreign attacks were top of mind, ongoing thefts of confidential financial, healthcare, and other PII data presented greater risk to enterprises and individuals. As related at Black Hat, the hackers are definitely on the offensive, with organizations playing catch-up across an increasingly complex hybrid cloud infrastructure. However, 2019 doesn’t need to be a repeat of 2018.


The intent of Data Privacy Day is to raise the awareness of data privacy within organizations as well as for individuals. Focusing on the former, recommendations in fact follow the universal five-phase approach outlined in the NIST CSF – Identify, Protect, Detect, Respond, and Recover. This approach is a great baseline for organizations of any size, from the corner dentist to the Fortune 100.”

Rob Norris, data privacy expert, PA Consulting:

“Comprehensive training and awareness campaigns will be the hallmark of 2019 as organisations look to change their employees’ mindsets when it comes to personal data. Encouraging employees to be more aware and consciously think about data protection will go far in reducing data breaches caused by human error. However, organisations may need to start looking at technology solutions, such as Data Loss Prevention tools, to supplement and enhance their capabilities whilst their employees improve their data protection awareness.


There remains a disconnect between the loss of data relating to millions of people and the impact on a personal level. Over the next year we expect to see organisations and regulators emphasise the risks on an individual basis and promote more awareness of how individuals can be better protected. With a better understanding of the personal risks associated with a large-scale data breach, we expect to see an increase in negative sentiment towards data breaches. We will then ultimately see an increase in the volumes of customers abandoning their relationship with an organisation, citing the data breach as the reason.


GDPR fines could contribute to the general public’s understanding of the scale and severity of a data breach. This will inform them of the risk to them as individuals, and they can use the fines as a yardstick to decide whether to abandon an organisation once the fine is levied. With several large-scale investigations ongoing across the European data protection regulators, it is likely we will see greater levels of punishments being handed out to repeat offenders; the financial toll of this is likely to be multiplied as customer trust and loyalty also quickly ebbs away.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.