Is Privacy Debt Derailing Your Company? How to Build for Data Protection

Originally published on Law.com on April 27, 2021.

Securing the enterprise and protecting consumers are the touchstones of cybersecurity in 2021. Avoiding “privacy debt” and designing-in data protection will also differentiate the winners and losers in the market.

Data protection is one of the single most important issues facing the tech industry today, both for consumer-facing businesses as well as those catering to enterprise customers. Just earlier this month, Facebook was hit with a new kind of data breach in which hackers misused legitimate functions on the site to scrape and collect data containing personal information from 533 million Facebook users in 106 countries. An increased variety in data breaches and security threats are becoming more commonplace, and the sophistication of breach actors has elevated. The potential for data misuse has also skyrocketed with the large volumes of data collected and stored by businesses. Cybersecurity solutions have become the darlings of entrepreneurs, venture capital firms and the public markets.

Consumers have higher expectations and an appetite for more stringent protection of their personal data. This has been evidenced by the recent and ongoing enactment of privacy legislation both at the state level in the US and in countries abroad. In fact, less than one year after enacting California Consumer Protection Act (CCPA), one of the strictest privacy regulations in the US, California voters approved an amendment to further increase personal data protections for California residents. The augmented consumer protection legislation, or CPRA, is slated to go into effect in 2023.

In this regulatory and business environment, data and privacy protections are becoming a competitive differentiator for tech companies as they compete for customers and users. To stay competitive, companies will need to build a robust, multi-disciplinary data protection foundation that encompasses product design, data security, privacy operations and training.

For many tech companies today, their products and business model require the collection and storage of data. At the same time, a failure to build adequate data protection technology, processes, and operations will continuously generate “privacy debt” for the business. The accumulation of this “privacy debt” can eventually turn away customers, attract regulatory penalties, and create an existential risk for the company.

Start with Design

When it comes to data protection, it is important to start early and from first principles. Companies should consider making privacy and data minimization a key consideration in the product development process. The more data that is collected, the more risk there is for the data to be vulnerable to breach or misuse. Today, there is a growing field of “data privacy engineering” as more founders and executives seek to mitigate privacy risks early on in their business.

In order to develop technology that minimize data collection, companies first will need to assess why they are collecting data, and for what purposes. In the past, tech companies have often indiscriminately collected as much data as they could, the opposite of data minimization. Arguably, this practice has led to the manifestation of “privacy debt,” in the form of data breaches, regulatory ire, and threats to consumer privacy.

Other design principles to consider is the classification of data, as well as security for collected data. If a company does not understand or know all of the data it is collecting, then it will not be able to implement protections for such data. At the same time, any technical security vulnerabilities can be exploited and result in a data breach.

Operational Deployment

Companies must also look at their internal operations and processes when it comes to data protection as well as security incident prevention, detection, and response. Robust protocols need to be in place to detect and mitigate security risks, and there needs to be accountable individuals designated within the organization to deploy such protocols. When looking at the organizational aspects of data security, there are multiple points to consider:

• Is the data you’ve collected properly categorized and securely stored?
• How are you keeping track of new data collected?
• Are you thoroughly vetting any new vendors with access to data?
• Is data being deleted in a timely manner?
• Are you storing more data than is necessary?
• Who has access to the data internally and are they fully trained on data protection?

At the same time, companies need to implement the internal processes to comply with evolving privacy regulations applicable to their business, which increasingly prescribe specific requirements for companies. The specific requirements will vary depending on the privacy regulations applicable to a company, and may include:

• Specific responses and timelines for data subject requests;
• Requirements for verification and authentication;
• Public-facing notices and opt-out mechanisms;
• Documentation and assessments that need to be routinely updated; and
• Reporting or registration with regulatory authorities.

In the past, privacy and security have largely been managed manually, often by separate groups of legal practitioners and IT and security experts. In the current landscape, effective operationalization will require close collaboration by privacy compliance and data security teams. We are starting to see a proliferation of tools and technology to aimed facilitating cross-functional collaboration, as well as automating certain tasks.

Minimize Human Error Through Training

Phishing scams, installing malicious content, granting unauthorized access and other forms of human error present some of the largest risks for companies when it comes to data exposure. As we know, human error cannot be eliminated entirely, even with more automated processes, but there are ways to reduce risks.

First, companies should develop a comprehensive training program for all employees with access to data. This should be company-wide and include training on handling data, granting access, working with vendors. Even those employees who do not have access to sensitive data should be trained on best practices for cybersecurity. Companies should also consider assigning data access on a necessity basis.

Employees working remotely can present an elevated risk for companies, particularly when using unsecured networks. With millions of Americans now working remotely, the issue of network security is at the forefront. Utilizing cloud databases and secure infrastructures such as blockchain can help with network vulnerability.

Finally, it is important to not become complacent about data protection. The sophistication of breach actors and technology continues to evolve, while an increasing array of privacy regulations continues to be enacted. Entrepreneurs and investors have got the memo, as evidenced by Q1 2021 global investment data showing that venture capital firms plowed $3.7 billion into cybersecurity firms, according to Crunchbase. The year 2021 is on pace to shatter the prior record for global investment, and could nearly double the prior record if it hits the current cadence of $15 billion. Stock prices of CrowdStrike, Cloudflare and Datadog are benefiting as well. Private equity and SPACs are also fueling demand.

Securing the enterprise and protecting consumers are the touchstones of cybersecurity in 2021. Avoiding “privacy debt” and designing-in data protection will also differentiate the winners and losers in the market.