As the data privacy space matures, a sovereignty battle is brewing. Regional and semi-global laws have proliferated across the world stage, and for most organizations the alphabet soup of data privacy laws (CCPA, GDPR, LGPD, POPIA, KVKK, etc.) is disrupting previously established practices and breaking down existing workflows.
Will we see one consistent data privacy framework? Must multinational corporations prioritize both data security AND privacy? How will we navigate the transfer of sensitive data as cloud frameworks dissolve geopolitical barriers? Finally, will GDPR continue to be the framework that countries build upon?
In many ways, the evolution of data privacy standards mirrors that of the Payment Card Industry Data Security Standard (PCI-DSS). Online card payments certainly changed the way businesses across the globe operated. However, they also brought a host of unintended consequences (most visibly, a surge in credit card fraud) that needed to be rectified, and setting standards for a new technology isn't easy.
Between the introduction of the new technology (in this case, eCommerce) and the creation of the PCI-DSS standard, the business world experienced over a decade of friction caused by security risks and breaches.
The Rise of eCommerce and Data Modeling: Two Sides of the Same Coin
Credit cards have been a payment method since the 1950s and were especially popular by the late 1980s. However, in the decade between 1988 and 1998, Visa and MasterCard reported a combined loss of $750 million to credit card fraud. For context, global card fraud losses exceeded $21 billion in 2015.
This type of fraud wasn't rare in the 80s and 90s, but it wasn't yet systematic. It wasn't until the spread of the Internet and eCommerce that card processors were beset with fraud. In 2001, Visa reported that fraud rates for online transactions were roughly four times higher than for other credit card transactions. Given the rise of fraud driven by Web-borne attacks (Trojans, keyloggers, phishing, etc.), the larger card brands started to push for merchant security standards to combat these rising risks.
When we look at the rise of big data and predictive modeling, we see a remarkably similar trend. Before 2010, big data was a niche pursuit. Large search engines like Google and enterprise database vendors like Oracle were already processing huge volumes of data, but the average business wasn't dipping its toes into anything resembling the data lakes we have today.
In time, as more businesses began harnessing big data, threat actors assembled tools to reach millions of consumer profiles at once. eCommerce may have ushered in an era of card theft via malware, but big data concentrates massive repositories of personal information that can be swiped in a single attack. In 2009, Heartland Payment Systems disclosed a breach of roughly 130 million card numbers from its payment databases. In 2013, attackers obtained names, phone numbers, birth dates and hashed passwords for some 3 billion Yahoo accounts, a breach whose full scale wasn't disclosed until 2017.
Each year, the data threats continue to grow. In late 2019 and the first quarter of 2020 alone, Facebook, Microsoft, LifeLabs, Marriott and hundreds of other businesses disclosed breaches or data exposures. And, as with credit card fraud, new security standards are being developed to combat these surging threats.
A Wave of Confusing Data Privacy Standards
In 1999, Visa approved its Cardholder Information Security Program (CISP). The goal was simple: a common standard for cardholder data security that would prevent breaches. Yet, given the evolving threat climate, Visa wasn't the only company looking to set the tone for security.
To retain competitive advantage, MasterCard responded with its Site Data Protection (SDP) program. Meanwhile, Discover premiered its Information Security and Compliance (DISC) program, American Express created its Data Security Operating Policy (DSOP), and JCB introduced its own Data Security Program. In other words, there was a rush to standards. These programs overlapped and diverged, creating confusion and dread for payment processors and retailers across the globe.
In fact, very few companies could successfully meet the various compliance requirements. There were simply too many overlapping standards to navigate.
This is where the data privacy space is operating today. Every state, country, and supranational body is rushing to set its own data privacy rules. Like Visa's CISP, GDPR has inspired a shockwave of regulation across the globe, and, like credit card compliance, businesses are feeling overwhelmed. Only 59% of organizations currently meet GDPR compliance, and at the small business level fewer than half are compliant.
It’s not necessarily true that GDPR compliance is an impossible feat. After all, we now have access to automation technologies that weren’t readily available to companies when credit card processing standards were introduced. The problem is the lack of a single, unified standard that companies can rally behind.
The Scramble to Comply
When new data protection standards first hit the scene, confusion reigned. With PCI-DSS, many organizations struggled to understand scoping and segmentation under the new standard. In particular, businesses had to figure out how to segment their networks so that only the systems that store, process, or transmit cardholder data (CHD) fall within PCI-DSS scope.
Of course, like GDPR, PCI standards didn’t provide step-by-step guidance on how to segment networks, install network firewalls, or build out virtualized networks to create logical partitions. Instead, the official stance was that “each entity is responsible for making its own PCI DSS scoping decisions, designing effective segmentation (if used), and ensuring its own PCI DSS compliance and related validation requirements are met.”
With GDPR, many organizations are in a different, yet eerily similar boat. GDPR requires you to safeguard personal data and to honor data subject rights, including Data Subject Access Requests (DSARs), but it doesn't give you a roadmap for doing so. So the question remains.
How do you handle all of your sensitive data? With data flowing in from many points in your tech stack, it's a challenge to extract and load data into lakes, run real-time analysis, and segment it, all without compromising privacy. Add a layer of regulatory oversight and a flood of DSARs to the mix, and many organizations are bursting at the seams with data privacy pain points.
However, we’ve all been down this road before. The solution isn’t to completely tear down your existing IT infrastructure. Instead, organizations should look for compatible technologies on the market (as many did with virtualization and firewalls during the early PCI-DSS days) and reframe existing policies to support more granular data control.
Businesses need to take an "as little as possible" approach to data without compromising their market advantage: collect only the data you need and keep it only for as long as there's a legitimate need for it (what GDPR Article 5 calls data minimisation and storage limitation). The less data you hold, the lower your liability if it's breached, and the easier it is to control and secure.
In the short term, that means investing in governance tooling that helps you discover, classify, organize, and secure data, as well as tooling to de-identify and secure massive data lakes. In the long term, it also means fostering collaboration between stakeholders and building data privacy into the core of your data acquisition methodology.
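To make the "discover, classify, de-identify" step concrete, here is an added example (not Integris's product and not code from the original article) of the kind of routine such tooling runs over a record store: it scans text for candidate card numbers, confirms them with the Luhn check so a 16-digit ticket or account id isn't misclassified as cardholder data, masks confirmed PANs to first six / last four, and replaces each with a keyed HMAC-SHA256 token so the data lake can still join on the value without holding the PAN. The candidate regex, the choice of HMAC pseudonymisation, the key and the sample records are assumptions for illustration; the card numbers used are widely published test numbers.

```python
"""Cardholder-data (CHD) discovery and de-identification helpers.

Added example; not Integris's product and not code from the original article.
Assumptions (not from the page): a PAN candidate is a run of 13-19 digits,
optionally grouped by single spaces or hyphens; a candidate is confirmed
with the Luhn check; and a keyed HMAC-SHA256 token is an acceptable
pseudonym for joining records in an analytics data lake.
"""
import hashlib
import hmac
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits with an optional single space/hyphen between
# digits, not glued to other digits (so a 20-digit id is not sliced into a "card").
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the separators the regex allowed, leaving digits only."""
    return re.sub(r"[ -]", "", candidate)


def discover_pans(text: str) -> List[str]:
    """Return Luhn-confirmed PANs (digits only) found in free text."""
    return [
        _normalise(m.group(0))
        for m in PAN_RE.finditer(text)
        if luhn_ok(_normalise(m.group(0)))
    ]


def mask_pan(pan: str) -> str:
    """Truncate to first six / last four, the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token: stable for joins, not reversible without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def redact_record(record: str, key: bytes) -> Tuple[str, List[str]]:
    """Replace each confirmed PAN in a record with its masked form.

    Returns the redacted record and the HMAC tokens for the PANs removed,
    so the analytics side keeps a join key without retaining CHD.
    """
    tokens: List[str] = []

    def _sub(m) -> str:
        digits = _normalise(m.group(0))
        if not luhn_ok(digits):
            return m.group(0)               # not a card number; leave untouched
        tokens.append(pseudonymize(digits, key))
        return mask_pan(digits)

    return PAN_RE.sub(_sub, record), tokens


if __name__ == "__main__":
    # Constructed sample records using widely published test card numbers.
    key = b"constructed-demo-key"           # in practice: from an HSM or secrets manager
    records = [
        "order=42;pan=4111 1111 1111 1111;phone=0123456789",
        "note: amex 3782-822463-10005 on file; ticket 4111111111111112",
    ]
    for rec in records:
        redacted, toks = redact_record(rec, key)
        print(redacted, toks)
```

The Luhn filter is what keeps the scanner useful: without it, every 16-digit ticket number and customer id in a data lake lights up as cardholder data and drags those systems into PCI-DSS scope. The HMAC key must be managed like any other cryptographic secret; whoever holds it can confirm whether a known PAN maps to a given token, which is why the key belongs in an HSM or secrets manager and not beside the data lake.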
Yes, it's a challenge, but a broad approach to data privacy compliance may be the solution. With a crowd of regulators breathing down your neck, data privacy may only be achievable through regulatory-agnostic policy matrices.
The Future: A Standard We Can All Rally Behind
In December 2004, PCI DSS 1.0 was released. In a landmark move, all five major card brands rallied behind a single standards framework, and PCI DSS (version 3.2.1 at the time of writing) remains the standard for card processors across the globe. Businesses have a single, clear-cut path to compliance and a single reputable source to stay informed. Qualified Security Assessors (QSAs) can also produce a PCI Report on Compliance (ROC) to verify that the requirements have been met, giving Level 1 merchants a consistent measuring stick.
This is the future of data privacy. For now, businesses need to leverage advanced governance and compliance systems to navigate the ever-evolving world of data privacy compliance. Failure to comply with local, state, federal, and global data privacy standards can lead to serious fines and reputation damage, and given the plethora of standards in existence, businesses face considerable pressure to avoid compliance missteps.
We know that millions of businesses are struggling to make sense of disparate data compliance frameworks. We think this will change. Businesses will still need deeply-ingrained data governance tools. However, we believe that a single, comprehensive standard will emerge that almost everyone can support.
A Data Compliance Framework for the “Now”
As a business owner, you know that navigating data privacy standards is no walk in the park. You understand that compliance reduces your risk of cyber breaches and by extension, liabilities from fines and reputation damage. However, you need a comprehensive, regulatory-agnostic framework that lets you meet broad compliance standards without sacrificing your core business workflows.
If so, we can help. Integris offers hyper-scalable compliance frameworks with baked-in context-based discovery, data subject request handling, and data governance policies. We can provide continuous defensibility and a finely-tuned data protection strategy. Contact us to learn how we can help you safeguard your data while complying with CCPA, GDPR, LGPD, and other data privacy standards.
In the future, your business may have a single, unified standard to rally behind. Today, you have Integris.