On January 28, 2021, the National Cybersecurity Alliance encouraged individuals this Data Privacy Day to “Own Your Privacy” by “holding organizations responsible for keeping individuals’ personal information safe from unauthorized access and ensuring fair, relevant and legitimate data collection and processing.” Indeed, the NCSA recognizes “[p]ersonal information, such as your purchase history, IP address, or location, has tremendous value to businesses – just like money.”
The NCSA “data as money” perspective is not a new concept. In fact, it was hoped that Data Privacy Day 2016 would usher in a system for consumers to easily monetize their private data – a hope that has yet to materialize five years later. Still, in the same way a bank protects money, there can be no adequate privacy without adequate security.
Richard Clarke – a security advisor to four U.S. presidents, properly recognized in 2014: “Privacy and security are two sides of the same coin.” The ransomware epidemic of 2020 should inform everyone why Data Privacy Day 2021 solidly places privacy and security on the same level. There can be little respect for the privacy rights of consumers – whether monetized or not, without an adequate effort at securing such data. Some companies such as Microsoft – last year’s champion of Data Privacy Day, recognize the need to continually push the security envelope in order to properly protect consumer privacy rights. Accordingly, these companies go the extra distance and often work hand-in-hand with law enforcement to take down online criminal enterprises such as Emotet.
Going forward in 2021, companies safeguarding consumer data must recognize that the lines have blurred between nation state APT attacks – focused on the slow espionage of large companies, and criminal enterprises looking for quick financial hits. For example, the lateral movement hallmarks of an APT attack are now routinely used during Ryuk ransomware exploits. Moreover, the recent SolarWinds Orion Platform exploit highlights the need to focus on supply chains when protecting consumer data.
Focused security efforts would quickly stop being left on corporate “to do” lists if there was an applicable federal law in place for companies nationwide – not just the hybrid privacy/security state laws now applicable to only some companies. Unfortunately, despite high hopes in 2019, there was little bipartisan push for a federal privacy law these past few years. That dynamic might change in 2021.
Former California Attorney General Kamala Harris’s 2012 annual privacy report opens with the words: “California has the strongest consumer privacy laws in the country.” During her tenure, California enjoyed “a constitutionally guaranteed right to privacy, over seventy privacy-related laws on the books, and multiple regulatory agencies set up to enforce these laws.” As the new year progresses, the current Vice President may very well prod Congress for the sort of California “privacy pride” she once enjoyed on a state level. Given the current one-party rule, there is certainly no longer any excuse available to politicians looking to continue kicking the “federal privacy law can” around Capital Hill.