In recent years, data privacy efforts and their associated regulations have become an important concern for CISOs as security is increasingly called upon to manage customer information protection.
As part of a new report, the Internet Society’s Online Trust Alliance analyzed 1,200 privacy statements for common themes in the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and Canada’s Personal Information Protection and Electronic Documents Act. The report is titled “Are Organizations Ready for New Privacy Regulations?” and according to Kenneth Olmstead, internet privacy and security analyst at the Internet Society’s Online Trust Alliance, the answer is a resounding no.
Olmstead noted that although the organizations audited for the report were mainly based in the U.S. and do not yet have a legal obligation to meet all of the requirements, these regulations represent general benchmarks for consumer privacy that are common in new privacy laws. He added that, while many organizations simply do not have processes in line with the privacy regulations being applied worldwide, implementing simple steps can help keep data protected. In this Q&A, Olmstead discusses where CISOs and other security leaders are lacking in their data privacy efforts, and what they can do to prepare for upcoming privacy regulations.
Based on the OTA’s analysis, which data privacy areas were companies found to be lacking?
Kenneth Olmstead: The biggest place where they are going to have a problem is in the details of data sharing. We’ve always advocated that companies hold their vendors to the same standards they have [internally]. We found that a little more than 50% of companies say that they do actually hold vendors to the same standards, but that is actually a requirement now, and is useful for general security purposes as well. In many cases where there is a data breach, it’s not the original company but a third-party vendor that is compromised, so companies are going to have to be much more vigilant.
All of these laws require that they list the category of companies they share data with. For example, if they share data with third-party vendors for payments, they have to actually say that in their statement.
Almost none of the companies did that. That’s a requirement in CCPA, a requirement in GDPR, and many other privacy regulations. Data retention was the other one that was hugely lacking — around 2% said they had data retention language. That is also a requirement in most of these laws.
What are some ways CISOs can avoid the privacy risks that come when customer data is handled by a company’s third parties such as vendors or contractors?
Olmstead: The simplest way is, whenever signing up with a third-party vendor, to be clear that your standards are their standards. Whatever your company’s data collection standards are — hopefully they are high — any company you work with has to have standards at least as high. That is probably the easiest way, because then you don’t have to go through and analyze each vendor. Go to them and say, ‘Look, you have to do just as well as we do, period.’
The report mentions the importance of company-issued privacy statements. Why are these statements important, and what should they include?
Olmstead: They are important for two reasons. We can all acknowledge that most people don’t read them. However, they are important, and they need to be there if consumers choose to see what the companies’ standards are and how they can protect their data.
The other important reason is a legal one. These statements are required by all of these laws. They are also required to have very specific details in them, and if companies don’t have them, they leave themselves open to fines. What has changed is that what they need to include is really simple. They basically need to include what data they are collecting, how they are collecting [it] and who they are sharing it with. Those are the three major things, and we see a lack of that in a lot of places.
The biggest problem with these privacy statements is that they are too vague. For example, in the data-sharing language, they all say that they share data, but one thing that is required now in most of these new laws is that users are told not each time their data is shared, but if it will be shared. None of the privacy statements we saw even said that. There are a lot of examples like that, where the privacy statements are simply not up to date with what’s coming, especially in the United States with CCPA, which is basically GDPR-lite.
It seems silly, but really simple things like including a table of contents with links are actually super important because all of these new laws have readability standards. They are all different, but the goal is to simplify them so people can understand them. Even experts have trouble understanding them sometimes. The act of simplifying them is important, and it’s not hard. You can have the long legalese version for legal protection, but just writing a summary can really help users.
Is implementing these types of transparent data privacy processes to remain compliant difficult for companies? Is a lot of it a matter of changing the philosophy about how data is handled?
Olmstead: It’s kind of a sliding scale. For some companies it’s going to be more difficult than others, depending on the size of the data they are handling or what kind of data they are handling. But it’s in their interest; if they don’t do it, they are going to get fined.
We picked three privacy regulations, but there are dozens, if not hundreds, around the world. Even just in the U.S., 13 or 14 states are developing their own regulations outside of CCPA. At the end of the day, you have to keep abreast of it because, if you don’t, it’s going to be a serious problem.
There are very robust tools and resources for companies; these laws were not written in a vacuum. It’s pretty easy to find the tools you need to be compliant with these new regulations. It is going to be a challenge, however. Things are changing rapidly. Right now, CCPA is being amended and will be different when it goes into effect in January than when it was passed. Staying on top of that is going to be a challenge, but the tools and resources are there.