This Saturday, January 28, is Data Protection Day in Europe, the United States and dozens of other countries, including Canada and Israel. It is an opportunity to reflect on the current state and the future of data protection regulation. Right now, seemingly contradictory policy trends threaten initiatives meant to improve data protection.
Those initiatives are numerous and well intentioned, a logical response to daily reports of data breaches and other unlawful disclosures. Data protection advocates and legislators increasingly recognize the need to align cybersecurity requirements with data protection law. Yet data localization proposals persist, and they could undermine efforts to improve data protection in general and cyber resilience in particular.
General cybersecurity requirements pave the way for privacy
Despite the confusion created by the proliferation of data protection obligations, such as the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA), Japan's Act on the Protection of Personal Information (APPI), the amendments to Australian privacy law and the growing body of state privacy laws in the United States, the overall direction is positive for organizations building a global program. These regulations share a common core: a general security requirement to apply protective measures that are "appropriate" or "reasonable" to the risk. Over the years these requirements have been framed so that companies treat data protection compliance not as a static state but as an ongoing set of practices that keeps pace with changing threats and technologies.
At the start of 2023 we have both greater visibility and broader consensus on what counts as "reasonable" or "appropriate." Commonly accepted cybersecurity practices and technologies are catalogued in the State of the Art guideline published with the European Union Agency for Cybersecurity (ENISA), in the May 2021 Executive Order on Improving the Nation's Cybersecurity (EO 14028) in the United States, and in recent guidance published by the New York State Department of Financial Services.
These references cover technologies such as endpoint detection and response (EDR), dark web monitoring, log management, threat detection, and zero trust and identity protection. And since the Federal Trade Commission (FTC) warned companies to remediate the Log4Shell vulnerability or face enforcement, patching known vulnerabilities has become a compliance priority.
This general acceptance of specific cybersecurity practices means that practitioners can now point to a baseline standard with more confidence when facing regulatory inquiries or litigation.
Confusing policy trends could undermine cybersecurity best practices
At the same time, and in tension with the heightened focus on meeting the security requirements set by data protection laws, new data localization proposals threaten to scramble priorities. Current threat trends make clear that cyber intrusions remain a serious risk to privacy. Security requirements and accepted practices exist, fundamentally, to prevent unauthorized access to data. Yet many proposals filed around the world seek to prohibit otherwise authorized access, such as network administration performed from outside a jurisdiction, which in practice limits the means defenders have to prevent unauthorized access.
Recent examples include certain provisions of India's Digital Personal Data Protection Bill, the French SecNumCloud qualification standard for cloud service providers, the first draft of the Italian decree implementing the European NIS directive's resilience requirements for critical data, certain interpretations of international personal data transfers following the Schrems II decision, and other rules that promote data sovereignty for the purposes of domestic intelligence collection or industrial policy. As the debate continues, one thing is clear: data localization mandates will limit the use of cybersecurity best practices that have reached consensus around the world. Defending effectively requires SaaS platforms, aggregated security data, unified visibility across organizations, centralized log management, the ability to track lateral movement, and 24/7 operations services, all of which depend on continuous cross-border data flows.
Ironically, adversaries do not follow these rules. Defenders denied global-scale analytics and threat hunting must contend with attackers who move data across borders and roam the global Internet at will. In other words, data localization requirements may push companies to guard against the hypothetical risk of foreign legal process rather than meet their own country's requirement to use appropriate technology to protect data from leaks. Fortunately, there have been positive developments, including the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities, which addresses many of the concerns raised by proponents of data localization.
Cybersecurity concerns give new meaning to today’s privacy demands
As security and privacy teams work together to meet today's standard of data protection that is "reasonable" and "appropriate" to the risk, and as regulators weigh data localization proposals, it is important to note how the threat has evolved. Data theft and extortion are a major privacy and security threat. Tactically, modern attacks are identity-centric and rely on legitimate credentials rather than malware alone.
Given the attacks and techniques seen today, companies must ask whether the security tools they deploy are "appropriate" to the risk, whether they satisfy applicable legal requirements, and whether they reflect generally accepted best practice. Those same standards can anchor the debate over whether a given proposal will actually produce better cybersecurity outcomes.
On Data Protection Day, it is worth reflecting on what comprehensive data protection entails and on the role of cybersecurity in respecting and protecting privacy and human rights. Data leaks pose a serious threat to privacy. Legislators and government agencies can therefore improve privacy protection by promoting transparency and encouraging best practices that protect data from the risk of intrusion. That approach, rather than seemingly arbitrary measures such as data localization, is the one that best protects privacy. Modern IT infrastructure, cybersecurity and privacy programs all depend on global data flows, and deploying platforms that secure those flows is an essential element of holistic data protection.