“Climbing GDPR and CCPA” – Privacy Doesn’t Have to Be Everest

Author: Aaron Pritz– CEO, Principal Consultant, Co-Founder at Reveal Risk

GDPR (General Data Protection Regulation) brings some of the most significant globally reaching comprehensive privacy/data protection regulation impact of the century – if not ever. It is a continuation of the journey Europe has been on since the 1960’s.

For many companies, it has unfortunately turned into a “hair on fire” drill of epic proportions. Some started 2 years ago, others are just getting started, and some didn’t realize they were impacted. There are definitely some complicated elements to GDPR (especially for companies with legacy tech and antiquated business processes. However, it doesn’t have to be as hard if the “basics” in understanding your business and PI data come first.

Since then, progressive privacy minded states (such has California) have introduced similar legislation that will be effective in the next couple years called CCPA (California Consumer Privacy Act) that will broaden the required focus in the US.

Why has protecting personal data taken massive legislation, a lot of hype and fear mongering, and anticipation of significant fines and penalties to prompt major action?

I believe there are 3 main reasons for lack of action or getting a late start.

Cost and Effort

I’ve heard some individuals say that the cost of fines and penalties that may be issued are less than the perceived cost of compliance. Some leaders would rather gamble getting penalized over taking action. Perhaps previous lack of enforcement in the US for regulations like HIPAA set a perceived standard of lack of action. Similarly, recent articles explain how many European countries are not ready or equipped for enforcement. This likely gives some executives a belief that there is plenty of cushion and extra time to “catch up” later.  This thinking often fails to account for the softer costs of risk (beyond compliance) and what would happen if a breach occurs.

Fear of What May Be Found

There is a certain line of thinking with some individuals that would indicate that it is better to not ask and not know the state of affairs with privacy then dig in and learn that things are not in good shape and a ton of work is required. Legally speaking (and I’m not an attorney), I suppose it is a valid argument if you were to do an assessment, learn that you have a mess on your hands, and still do nothing it would be more risk than just pleading complete ignorance. However, this argument (if enforcement is real) is similar to pleading to and officer that you didn’t notice a speed limit sign in a school zone. This rarely is an effective strategy.  There also may be fear that the business processes and IT systems are so antiquated that fixing the problems would be too significant to stomach.

Privacy Has Become Comfortably Numb 

The weekly (or sometimes daily) breach notifications have become so routine that there is a perception that this is “business as usually.” At the aggregate level, most companies are very little lasting stock price or consumer trust impact (beyond some marquee breaches that have surfaced poor handling of the situation after finding out about the breach).

Regardless of the specific rationalization for lack of sufficient action, I would argue that like many things in life; we have made this overly complex. I would also argue that the basics behind almost every privacy regulation or framework shares about 80% of the exact same requirements and actions required. I found this out after being at a company that had an inadvertent (and unfortunate) technical glitch that resulted in disclosure of patient emails to all other enrolled patient website users for a product that was considered very sensitive (drug for depression). This resulted in a 25 year consent decree from the FTC and a side benefit of transformation of the privacy efforts. I was lucky enough to join an internal audit team that was put together to conduct privacy audits (starting in Europe) after this event. I found that I was auditing and assessing well over 80% of the thing now standardized in GDPR back in 2004!

Thinking about understanding data and risk agnostic to regulations can enable your efforts to cover more territory and minimize unnecessary effort and churn. Consider these simple 6 questions:

1. What?

What personal information does a company, business units, or departments have (collect, process, store, or transfer)?

2. Why?

Why is this data necessary for conducting business? Is ALL of it really necessary?

3. When?

When do you need the data? Do you have and maintain it for the specific time period you require for business?

4. Where?

Where is the data? (IT systems, business processes, and other data repositories). Where do you transfer the data to and conversely where does it come from?

5. Who?

Who needs and actually had access? Do these individuals have a valid need to see the data?

6. How?

How do you protect the data from becoming lost, stolen, or inadvertently disclosed?

If you read nothing else in this article, go ask these questions. If you don’t get satisfactory understanding, you know where to start.

Now, pretend for a moment that there are no laws, regulations, or practical norms. If your customer and stakeholder data (that has an emotional value and real requirement to preserve trust) was at risk of bad things happening, wouldn’t every CEO want to ensure that she (and all of her leadership) has a solid understanding of the 6 basic question areas above? One would hope so.

Stewart Room, a global lead cyber security and data legal protection services at PwC said in 2017: “At the heart of the problem, is the fact that the basic principles of data protection date back to 1968, and in many organizations they have still not been incorporated into the operational reality of business. The fact that many organizations are engaged in data mapping exercises is evidence of this, because they are only now trying to find the data they should have been securing for years.” My above questions are “the basics” – without sufficient understanding of the answers to these, all other efforts may not be effective and will not be focused or efficient.

I believe that lack of focus on the basics, misinformation/misunderstanding, vendor propaganda, corporate bureaucracy, legal/business tangled, and general inefficiency, the modest mountain to climb starts to become more like Mount Everest.

Briefly continuing this analogy: to climb a “modest mountain” (assuming your company has done very little prior) would requiring planning and focused execution. You would want to first understand your mountain, why you want to climb it, and scope out the terrain (your business processes and personal data). Let’s use “Half Dome” in Yosemite National Park as the example. To summit this mountain, there is an option to go straight up the face of the dome or hike up the back.

Next, you would figure out what equipment you already have and the right amount of tools required to get up the mountain. What does your climb actually require? Packing too much will weigh you down and you will likely fall or collapse from fatigue. Packing too little could cause you to fail to be able to ascend properly or plummet to your death.

Properly physically and mentally conditioning yourself (business processes, training, and human behavior) and packing and using the right tools can make a huge difference.

  • Record for fastest climb up the “El Capitan” face (the steepest):2 hours 19 seconds– free climbing with no ropes (improved from the very first record of 17 hours and 45 minutes)
  • Record for slowest climb up the face: Infinity(17 fatalities, 85 injuries)
  • Record for fastest hike (run) up the back of the dome: 2 hours 23 seconds(no known deaths)

Which path sounds like one you would want the take?

Now let’s talk about tools. Many security programs are getting caught in the crevasses caused from thousands of security tool and service providers that are promising success and ease of summiting compliance; regardless of your skill and effort. Many leaders are buying so many tools that their teams can’t keep up. These tools never get packed for the climb and often literally collect dust in a garage.

Companies can spend years and tens of millions of dollars trying to encrypt every database they have (sacrificing other risk reducing efforts). However, given that 80% of cyber-attacks result from compromised privileged access (accounts or credentials), I often scratch my head and wonder if that is the best use of time and money. Essentially, the attackers walk in to the back door with a key even though your house has an ironclad perimeter around it. Don’t get me wrong, encryption is a good if you can do it, it just isn’t a panacea or the most critical thing you may need to be thinking about.  Personally, I would prioritize privileged access security over database encryption.

Ultimately, the secret to a successful climb is in how you plan your journey, the tools you use (and don’t use), and how everything you are doing should also be preparing you for all of your activity (not just one climb or hike). Once you have your map, you must execute and avoid ALL distractions. You may adjust your map along the way, but don’t let this throw you off your route. You should continuously make sure you know where you are on the map and that you are making the right progress (vs slipping backwards or sideways off your path).

In summary, whether your climb feels like Everest, Half Dome, or a small hill in a park, you should have, know, and monitor your plan. Bring a Sherpa or two if you don’t think you can make it yourself. You should have someone that can understand the laws (and break them down into tangible decisions and actions. You should have someone who knows your business and how to influence change. You should have someone who can evaluate IT controls and how to influence technical change in the most simplistic and effective ways. This may be one or more person and the may be internal or external to your company.

Find a way to simplify your evaluation and tracking of your plan so you stay on course. Ensure your plan answers the 6 questions and that you are getting to the right GDPR specific decisions on things like providing notice, consent, right to be forgotten, etc. Otherwise, your efforts will be unnecessarily burdensome and ultimately weigh your down. Pack the best and minimum amount of tools and dump the rest.

Send me a note if you want further advice specifically on YOUR summit. Good luck, stay safe, pack effectively, and don’t get bogged down!  

P.S. – regardless of what you may hear, there is no magical helicopter that will take you to the top.

Feel free to COMMENT, REPOST, or LIKE to keep these free articles coming.  If your security program needs help translating strategy into action and being more business risk/threat focused, you can request more information at info@revealrisk.com. More information can be found on www.revealrisk.com

(Note:  These are my views/opinions only and do not reflect any past, current or future employer’s or client’s views.  For educational and discussion purposes only.)