Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


11:15 AM

Privacy Requirements & Penalties Grow, Causing Firms to Struggle

Between Europe's and California's privacy laws, companies have a complex landscape to navigate in 2020. Even data-mature industries, such as financial services, see problems ahead.

As US companies head into the new year, data privacy is one of the most fluid areas at the junction of business and security. On January 1, the California Consumer Privacy Act (CCPA) goes into effect, threatening firms with significant fines if they do not protect consumers' data and give consumers the ability to access and delete data or opt out of collection. 

The risks of falling afoul of such regulations were made apparent in 2019. Data regulators have passed out significant fines, giving notice to hotel chain Marriott and air carrier British Airways, for example, that they may be fined £99 million (US$124 million) and £183 million (US$229 million) penalties, respectively, under the European Union's General Data Protection Regulation (GDPR), which went into effect in May 2018.

Financials firms — in one of the most privacy-mature industries because they are so highly regulated — continue to search for strategies that deliver privacy to customers while keeping as much data as possible accessible to power business. The average financial-services firm, for example, spent between $1 million and $2 million on managing their data privacy responsibilities, with the top expenditures going to enforcement of data-retention and classification policies, according to the "Data Privacy Maturity Study, " published on Dec. 18 by data management provider Integris Software.

"We are early in the journey, even with the most mature industry out there, because it is so heavily regulated, and it still has a way to go," says Drew Schuil, the firm's president. "Other industries — retail, for example — have a long way to go in terms of maturity and finding solutions to these issues."

After more than two decades of scattershot regulation and a scramble to collect as much consumer data as possible, legal protections for consumers are starting to take hold. In the United States — the home of technology giants, such as Facebook and Google, that make a business out of collecting data on and giving advertisers access to consumers — the CCPA will be a significant test for companies. 

Firms for which data is not their major focus may struggle more to comply with regulations. 

"Awareness in the US among consumers of these privacy rights has emerged very quickly, and the wave has hit a lot faster than we thought," Schuil says. "CCPA is kind of leading the charge. California, like with things such as car emissions, often becomes the de facto standard for policy in the US."

If the financial services industry is any measure, the costs of complying with regulations will be high. 

The average financial services firm needs to access between 50 and 100 different data sources to determine whether its stored data is secure, according to Integris' study. While the average firm has 10 to 25 employees working on the data privacy team, 40% of companies need at least 50 people on their teams to adequately meet their data-protection responsibilities. The average team discusses data-privacy issues at least once every two weeks, the report found.

Some companies are hampering their business by adopting a strict strategy toward complying with regulations. At a previous company where Schuil worked, the compliance team took a strict approach to GDPR, deleting 98% of the company's Salesforce data, he says. The firm had to cancel events because it could not contact potentially interested customers in specific sales regions.

"The most knee-jerk reaction of conservative interpretations of the privacy law is let's lock down or get rid of the data," he says. "And that is not something you want to have happen to one of the most valuable resources a company might have — data."

Integris believes that technology can help companies meet their privacy obligations. Currently, most financial services firms see their compliance with privacy regulations as a massive cost center, he says.

"These companies have a deep interest in privacy, but the interesting thing is that it's heavily weighted toward non-technical folks — lawyers, governance folks, and compliance," Schuil says. "It has been a lot about process and workflow and policy, but now we are seeing organizations say, 'hold on, how are we going to get a handle on 200 data sources, when it's everywhere, unstructured and not automated?'"

Until companies stop reacting to regulations and try to create a unified business strategy that includes privacy, future regulations will just pose more challenges, he says.

"We are seeing many firms take the wait-and-see approach, not doing much to change their business and waiting to see what happens with the regulations — maybe the federal law will be watered down?" he says. "And then we see organizations really paying attention, creating cross-functional teams to really investigate and solve the issue of privacy."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How to Manage API Security."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.