Everyone is a Target. Your Business Needs to Take Security Seriously.
While 2020 has been anything but expected, cybersecurity and data privacy have dominated the conversation, as consumers and governments began to demand more from organizations that collect personal information. In less than 12 months, the business environment has drastically changed in response to Covid-19. More people than ever are working from home, with some never going back to the office, and yet, at the same time, regulatory compliance with data privacy laws continues to decline. This is an alarming trend not just for a chief information security officer (CISO) or compliance officer, but for all parties involved as we continue to live more of our lives behind a screen.
And as security and compliance officers take a moment to look back on 2020, it may be viewed as a lost year for business operations - a time when organizations had to drop what they were doing on the compliance front just to stay in business. Having to pivot on such short notice left many businesses in a precarious situation and the ones that survived the challenges of 2020 must now look forward to 2021. But with business practices still upended by the pandemic, remote work and new compliance regulations coming down the pipeline, what can organizations expect from 2021? Let’s explore.
Catching up on compliance in 2021
Already in decline prior to the onset of the pandemic, regulatory compliance struggled to receive the level of attention it requires in 2020, as organizations diverted budgets to reactive requirements such as remote work to keep their organizations productive. Even compliance with longstanding, well-known and highly effective regulations like the Payment Card Industry Data Security Standard (PCI DSS) declined for the third year in a row, hitting just under 28% according to Verizon. And now, as these businesses emerge from the brutal prioritization of IT and security tasks, they will have to get compliance back on track.
With the recent passage of Proposition 24, otherwise known as the California Privacy Rights Act (CPRA), by California voters in November, and the delay of the Thailand Personal Data Protection Act (PDPA) to next year, there is a great deal for organizations to catch up on in terms of compliance. In addition to these data privacy regulations, the Payment Card Industry Security Standards Council (PCI SSC) is expected to release a major update to PCI DSS in the new year, marking yet another regulation change that must be addressed.
Noncompliant organizations may be hoping to fly under the radar in 2021, but after a quiet compliance enforcement year, likely due to the pandemic, it seems reasonable to expect an influx of proactive enforcement in the new year. While returning to some form of normalcy is entirely subjective and depends on each business and the industry it operates in, trying to get back to business as usual will be the overarching theme of 2021, and it starts with reprioritizing security initiatives to kick off the new year.
Organizations will collect less information on consumers
As we live more of our lives online - conducting business transactions, communicating and sharing personal information - organizations have become bloated on the personal data we have shared with them. And in response to the rising risk of a data breach or compliance fine becoming too great to ignore, businesses will have to refine their data collection policies to become leaner, more efficient and safer for all parties involved. Translation: Collect only the data you need and discard the data that you no longer have a justified business reason to hold onto.
In the past, organizations aimed to collect as much data on their customers as possible, but now, as consumers, governments and third-party organizations pay closer attention to how data is used, shared and stored, this trend is under more scrutiny than ever. Ultimately, collecting all of this data does not make much business sense anymore. With the widespread adoption of two-factor authentication, do you really need to know someone’s mother’s maiden name? What types of form fields are on marketing materials? Do you need all of it? What personal data fields are you marking compulsory for your customers to complete and which are optional, and why? If you don’t need it, why are you collecting it? These are just a small sample of the questions that organizations are going to have to ask themselves in 2021.
Reducing the amount of information an organization collects from its customers, employees and partners is one of the best ways to limit compliance risks, but organizations should also look at what data they currently have. In the current remote work environment, it is likely that sensitive data has been lost somewhere within the network, and as a result, organizations will need to remediate these risks by thoroughly inspecting all of the data stored across workstations and endpoints, enterprise applications and their databases, shared folders, cloud storage and all other data processing points both internal and external.
California will set a new U.S. security and privacy benchmark
California’s newly voted-in CPRA is expected to supersede the California Consumer Privacy Act (CCPA) in January 2023, but until then organizations must still comply with the CCPA, something that few organizations have been able to do since its implementation.
While organizations and the overall compliance landscape would benefit from a federally mandated data security and privacy standard, it is unlikely to come in 2021. However, California - the world’s fifth largest economy - seems set on leading the charge on consumer data privacy rights. The passage of Proposition 24 also creates the United States’ first agency dedicated entirely to creating awareness of, enforcing and managing the CCPA and eventually the new CPRA. This new agency, the California Privacy Protection Agency, eliminates the need for California’s Attorney General to be the enforcer of the law, which will hopefully lead to greater education about and compliance with the law. It still remains to be seen what this means for enforcement, but with only 14% of organizations having completed their CCPA compliance as of June 2020, organizations still have a substantial amount of work to do to achieve compliance in California.
Additionally, as one of the largest economies in the world, California is a market most businesses cannot afford to stay out of, meaning that as U.S. data privacy evolves, organizations that are unable to publicly attest to their compliance posture may be at a competitive disadvantage.
Furthermore, as other U.S. states look to protect consumer data privacy, it is likely they will attempt to recreate what California has achieved with the CCPA and CPRA. States mulling their own data privacy laws, like New York, New Jersey and Massachusetts, are closely monitoring California as it serves as a leading example on consumer data privacy. Either way, expect compliance to become an even more complicated patchwork of regulations over the next few years.
While 2020 showed us that anything can change without a moment’s notice, 2021 will show us how to pick up the pieces and come back stronger. That does not just go for security or compliance, but for all businesses in general. The next year will likely be full of its own obstacles and roadblocks, but one thing organizations can do right now is develop plans and protocols that focus on data privacy and compliance as the key priority. This starts with understanding the new level of business risk, mitigating that risk where possible, and constantly staying aware of the latest changes in the industry. And if you’re wondering where to start - go straight to the source - personal data. Once you know where it is, only then can you take steps to secure it.