Data Privacy Day 2019: IT Execs Weigh in on Cybersecurity Risks

Against the backdrop of a seemingly endless stream of reports of data hacks, breaches caused by negligence, and generally questionable use and governance of data, many IT executives used Data Privacy Day 2019 as an opportunity to reflect on the state of data protection and the steps the industry should take next.

Developed in 2008 as an extension to Data Protection Day in Europe, Data Privacy Day is marked in the U.S. and other countries to focus user and business attention on privacy issues and encourage greater awareness and education about the need to protect personal data online.

On January 21, it was announced that France was fining Google for $57 million for allegedly not obtaining sufficient user consent in gathering data for targeted advertising, drawing more attention to the need for proper handling of personal data. According to the Wall Street Journal, this represents the largest fine to date under the recently enacted General Data Protection Regulation, also known as GDPR but, more importantly, may also be “the starting shot” of additional regulatory actions.

Industry executives weighed in on the Google fine, heightened regulatory pressures, and the need for improved data security and privacy safeguards:

How companies respond to the Google fine will be telling: “These high-profile policy developments are sending a signal that the days of using personal data for commercial advantage without offering consumers some level of transparency are waning. It’s time for technology companies to become vigilant about building consumer trust, both because regulators are watching and because consumers are increasingly invested in how their data is being used. Ultimately, it’s a smart business strategy. Trust takes years to build but only an instant to destroy.” — Cindy Provin, CEO, nCipher Security

Trust and privacy are the cornerstones of security: Security does not necessarily imply obscurity and withholding—a society just won’t work in such a world. For society to work, physical entities need to trust each other and ensure privacy. You can’t go to a doctor and not tell the doctor about what is bothering you because you fear the doctor will not respect your privacy. You trust the doctor. Now, shift to today, where a doctor is using a digital assistant to capture notes, and you are using web and mobile interfaces to interact with the doctor. Now, there are digital representations of physical entities in play (digital assistants, web and mobile apps) that need to afford the same (if not higher) levels of trust and privacy to you and the doctor. Systems will need to change soon to accommodate this status change of digital entities. Digital entities will become at-par with physical entities, and as such, the social contracts as we know them will need to change to ensure the trust and privacy boundaries across humans, systems and data are upheld.” — Setu Kulkarni, VP, corporate strategy at WhiteHat Security

Data privacy will intensify as a growing area of focus in the coming months: “Over the next year, I believe we will see the first sign of government control over large internet service companies. Organizations such as Google and Facebook still don’t seem to understand what privacy means. I think we will actually see some form of legislative control being put forward or even break-ups considered.” — Stephen Gailey, solutions architect at Exabeam

The time has come to prioritize data protection: There’s certainly enough headline scare stories of data leaks, outages and ransomware attacks that should have persuaded them over the past year. Adding to this is the modern consumer perspective of ‘there’s no excuse for downtime, or the loss of data.’ Businesses need to be focusing on ensuring they are resilient against the many threats facing data today, to prove to their customers they are taking data protection seriously. The adoption of the latest technology, with innovative new approaches, has led to this number of both planned and unplanned disruptions in a business rising. Combating this means companies need to start looking outside of traditional backup capabilities to keep the business online; they need to choose a modern, resilience approach that can utilize continuous data protection. This, paired with the ability to orchestrate and automate the mobility of applications to the ideal infrastructure, will enable businesses to have more than just their customers’ data protected. Organizations will become completely IT resilient, protecting data, infrastructure and reputation—without the downtime.” — Steve Blow, tech evangelist at Zerto

No organization wants to be at the center of a cyberattack scandal: Data Privacy Day serves as an important reminder for every organization to perform an assessment of their own vulnerabilities. Organizations need to understand how much data they need to maintain, the sensitivity level of the data and where the sensitive data is stored. A backup from three years ago will do no good if an organization is targeted by cyberattackers, and that’s why a backup schedule that ensures data is available from a period far enough back to restore prior to the issue is necessary. No one can predict when a disaster—natural or man-made—will occur, so having a restoration plan that is documented, tested and understood by all employees involved will keep organizations safe no matter what happens,”  —  Trevor Bidle, vice president, information security and compliance officer at US Signal

Beyond digital accessibility, a large amount of risk comes from data that's exposed and vulnerable because it's stored on paper or exiled in data sources like backup tapes, optical media, hard drives, and even microfilm: "Data Privacy Day should be a reminder to legal, financial services, and other global industries that they must take steps to digitize and extract PII in these less than accessible data sources and automate reporting for compliance with SOX, GDPR, the California Consumer Privacy Act, and other regulations.”  — Alex Fielding, interim CEO, Ripcord

The bottom line is that securing data is of utmost importance: As more organizations are moving their workloads to edge and hyperconverged environments, companies are looking to protect and recover these workloads. Backup and disaster recovery used to simply be good business practices. Now, for many industries, they are a big part of regulatory compliance. Data is more valuable than ever before and how data is managed and protected is increasingly being regulated by law. Platforms that include a variety of backup and disaster recovery features including snapshots, replication, failover, failback and cloud Disaster Recovery-as-a-Service are key,”  — Alan Conboy, CTO, Scale Computing

Is it really necessary in 2019 to designate a day to simply raise awareness about data privacy?: "In the era of GDPR, multi-million dollar lawsuits, and career-ending data breaches, awareness of data privacy is higher than ever. It may sound cliché, but every single day of the year should be a day for businesses and individuals to do more to protect personal data. Data Privacy Day has been a fixture of the calendar since 2007, and I believe it needs to evolve to stay relevant with the rapidly changing data landscape. Beyond raising awareness, the 28th of January needs to become a day where businesses are genuinely held accountable for their data protection practices. To celebrate a day like this, we should be calling on all organizations to be transparent and publish exactly what they’re doing to safeguard their customers’ data, making Data Privacy Day an annual check-in on the health of data protection and to ensure there are no hiding places for data misuse. The day is an opportunity for organizations to demonstrate how competitive they are in upholding the rights of the individual and protecting their data.” — Colin Truran, principal technology strategist, Quest Software