More data is being collected than ever before from online interactions, apps, and smart devices. With cyberattacks, ransomware, and a variety of data breach risks on the rise, industry leaders took the opportunity presented by Data Privacy Day to reflect on the current state of data security and the business damage that can be sustained if data is not handled effectively.
Recent industry reports on breaches and their costs serve to amplify the message of Data Privacy Day, which, according to the National Cybersecurity Alliance, began in the United States and Canada in January 2008 as an extension of Data Protection Day in Europe. Its purpose is to commemorate the 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.
In 2021, the overall number of data compromises was up more than 68% compared to 2020, according to the "2021 Annual Data Breach Report" issued by the Identity Theft Resource Center (ITRC).
And, on top of that, IBM’s "Cost of a Data Breach Report" found that data breaches now cost surveyed companies $4.24 million per incident on average—the highest cost in the 17-year history of the report. The loss of customer personally identifiable information (PII) was the most expensive compared to other types of data ($180 per lost or stolen record versus $161 for the overall per-record average).
Underscoring the importance to businesses of governing individuals' data appropriately, the number of fines issued for violations of GDPR, one of the most widely known data-handling regulations, was up substantially in 2021. According to law firm DLA Piper's annual "General Data Protection Regulation (GDPR) Fines and Data Breach Survey," EU data protection authorities issued a total of almost €1.1 billion ($1.2/£0.9 billion) in fines in 2021, representing nearly a seven-fold increase over the previous year's total.
Here's what IT and data security leaders have to say about the current trends in data security and the need for organizations to keep tight controls on their data management processes:
Pritesh Parekh, Chief Trust & Security Officer, VP of Engineering at Delphix: With cyberattacks on the rise, this year’s Data Privacy Day is timelier than ever before. Take ransomware as an example. Last year’s onslaught of attacks demonstrated the impact that it can have not only on a single person or business but on the population as a whole. Whether it’s a shortage in the food supply chain or the inability to access critical healthcare services, individuals around the world are realizing that successful cyberattacks could have serious implications for us all.
Stijn Christiaens, Founder and Chief Data Citizen, Collibra: Particularly as new legislative requirements emerge, businesses must look at compliance proactively instead of reactively to avoid reinventing the wheel each time. It’s time for a shift, especially as consumers increasingly hold companies accountable for mishandling their privacy. We need to reframe the conversation around data privacy to be less complacent and more proactive, and we need to move faster to bring as many people as possible to the table to have a real impact. Invest in building sustainable processes now to be ahead of the market and the competition.
Carolyn Duby, Cloudera Field CTO & Cybersecurity Lead: IT decision makers and CIOs are increasingly looking for companies that protect their privacy by doing the right things with their data. From our vantage point, we see companies actually using privacy as a selling point, i.e., Apple’s decision to limit other companies’ access to data from their devices. This is continuing to expand within the enterprise. Going forward, it's going to be really important for companies to carefully think about what they’re doing with data and how it affects their customers. And it can't just be one-sided: It has to be a partnership of what they’re collecting, how they’re keeping it safe, and how they’re using it in an ethical manner.
Adrian Moir, Technology Strategist and Principal Engineer, Quest Software: Regulatory elements such as the privacy of data itself and the levels of intrusion, data scraping and ransomware events seem to continue unabated. However, we have seen traction in the right direction this year including multiple new policies emerging affecting privacy in different areas of the globe, such as CPRA (California Privacy Rights Act), China’s Personal Information Protection Law, and CoPA (Colorado Privacy Act), and next year is likely to bring some simplification to the UK GDPR policy and deal with cross-border data movement. Looking toward the future, we’re likely to see the way data is perceived, used, and regulated increase and become more refined. Attack vectors are constantly evolving, so these regulatory changes are driving a more involved process around security.
Lewis Carr, Senior Director, Product Marketing at Actian: 2021 was one of the worst years for cybersecurity ransomware attacks to date. The threat will only grow in the upcoming year as attackers become emboldened by their success and the lack of adequate responses against them. However, data privacy will be driven by changing perceptions of how important it is for public and private sector organizations to safeguard personal data and what exactly is considered “personal data.” The need to protect personal data and information will impact where and how data is stored, integrated, and analyzed in accordance with an expanding set of data privacy regulations, balanced against the need to better understand consumers, citizens, patients, and employees working remotely.
Rajesh Ganesan, Vice President of Product Management at ManageEngine: As more countries implement data privacy laws, organizations should consider the deployment of on-prem applications to keep sensitive data within geographical boundaries and to facilitate better control of business data. Not only do on-prem applications provide increased safety and regulatory benefits, but they also offer a significant cost advantage. Given the increased volume of corporate data and the rising costs of cloud storage, it's no wonder that many organizations are looking at on-premises applications as a cost-effective approach to data management.
Andy Teichholz, Senior Industry Strategist, Compliance and Legal, at OpenText: People are more empowered than ever to exercise their rights, submit subject rights requests (SRRs) and reclaim control of their information. They want to understand how their data is used and to access, correct, delete, and restrict use. To meet these data-intensive demands and overcome a scarcity of resources to support key business activities, organizations must embrace process automation for SRR response and apply case management tools that best track its performance and effectiveness.
Keith Neilson, Technical Evangelist at CloudSphere: In the U.S. alone, there are several disparate federal and state laws, some of which only regulate specific types of data, like credit or health data, or specific populations such as children. Combine these regulations with the many different international laws that aim to ensure data privacy, such as GDPR, and compliance for companies with global operations becomes an extremely complex undertaking. Data Privacy Day serves as a reminder that cyber-asset management should be a top priority for every organization. To avoid jeopardizing sensitive company or customer data, organizations must take the first step of cyber-asset management to secure visibility of all cyber assets in their IT environment and understand connections between business services. This includes identifying misconfigurations and automatically prioritizing risks to improve overall security posture, allowing for real-time visibility and management of all sensitive data.
Bryan Palma, CEO of Trellix: A sensitive-data aware XDR (extended detection and response) ecosystem enables the use and sharing of data confidently. XDR bridges the gap between threat protection and data security by combining threat analysis with the context of data to enable a more accurate and timely decision-making process. Gartner predicts by year-end 2027, XDR will be used by up to 40% of organizations, and IDC projects the cloud-native XDR market will grow at a CAGR of 89.3% through 2025.
Rob Price, Principal Expert Solution Consultant at Snow Software: Data privacy and protection is the responsibility of every employee within the organization, and safeguarding sensitive information is core to every organization’s business. However, data privacy laws differ around the world and across industries, so when it comes to data protection, organizations need to understand what they are legally obligated to do. This is especially true when it comes to data retention, as organizations need to understand how long they must keep data. Once their data retention period ends, organizations should get rid of excess data they no longer need, because it quickly becomes a liability as well as an unneeded expense.