
Risk | Commentary
9/15/2020 10:00 AM
Hilary Wandall

Simplify Your Privacy Approach to Overcome CCPA Challenges

By building a privacy-forward culture from the ground up and automating processes, organizations can simplify their approach to privacy and be prepared for any upcoming regulations.

The July 1 enforcement date for the California Consumer Protection Act (CCPA) has come and gone, but how confident are companies that they're compliant with that and other regulations? TrustArc polled 1,500 privacy professionals around the globe to gauge readiness for CCPA, as well as the overall state of privacy compliance. It turns out that for quite a few organizations, compliance is still a work in progress.

Just more than one-quarter (27%) of respondents have either some, very little, or no confidence that their company is able to keep all of their employees' and customers' relevant data secure and protected. The facets of their organizations in which respondents most lack confidence include training, tools and technology, and mindfulness.

Respondents cite a number of challenges that may affect their confidence, including increased usage of third-party technologies such as videoconferencing platforms, staying current with changing regulations, and managing risks.

The following suggestions will help organizations overcome the challenges of third-party technologies and their underlying data, an ever-changing privacy-regulation landscape, and maintaining organizational mindfulness.

Implement Additional Security Layers for Third-Party Technology
To enable employees to work remotely, numerous companies have been forced to quickly adopt new third-party applications or use existing third parties differently during the COVID-19 crisis. To manage vendor risk effectively, it is essential that companies assess new vendors before beginning to use them. Third-party risk assessment is a critical step to ensure data privacy during remote work.

After vetting third-party vendors, companies can implement an additional layer of security, such as secure video meetings. Organizations should require employees to use password-protected videoconference services and encourage the use of "waiting room" features where the meeting host manually allows participants to enter the meeting. Taking these precautions can prevent unknown parties from entering company meetings that now increasingly include discussions of highly sensitive information. Adding these safeguards will make it easier for organizations to ensure the information discussed or shared in these virtual meetings remains secure.

Automate Risk-Assessment Processes to Remain Current
There are now more than 900 different privacy regulations around the world, and this list continues to grow and evolve on a daily basis. To remain current, companies must examine each law; pore over their records, including data from third-party sources; and determine the risk factor of their data as it pertains to each law. Often, organizations maintain this compendium of regulatory risk factors via spreadsheet and other manual processes.

Attempting to stay apprised of 900 existing laws and regulations — even as hundreds more swirl around US state legislatures — by manually calculating risk factors is a Sisyphean task. To remain current, companies will have to leverage technology that can automate parts or all of these processes, thereby simplifying risk assessment.

Operationalize Risk Management
In addition to automating risk-assessment processes, successful organizations should weave considerations of personal-data use into the fabric of their company and services. One way to do that is to have a chief privacy officer (CPO) lead ongoing discussions about privacy and ensure that privacy is embedded in the framework of the organization.

Privacy isn't a checklist item, a task with a beginning and an end. Rather, it is an ongoing strategy that CPOs and other privacy officers, such as chief information security officers (CISOs), should be responsible for administering. Privacy officers must work to do the following:

  • Ingrain data privacy concerns into their entire organization from day one.

  • Expend resources on individual rights management, privacy-by-design principles in product and service development, and operationalized data governance in the form of record-keeping, data retention and deletion policies, and mapping data flows.

Above All, Simplify
Between the myriad privacy laws, the array of technologies companies use, and the increasing reliance on data as a business asset, data privacy compliance is a complicated issue. With so many moving parts, it's no wonder that many organizations struggle to build ongoing privacy programs. By building a privacy-forward culture from the ground up and automating processes wherever possible, organizations can simplify their approach to privacy and ready themselves for CCPA as well as any regulations coming up on the horizon.

As a lawyer, scientist, and ethicist with 25 years of experience, Hilary Wandall is a highly regarded data privacy thought leader and international data regulation expert. She is often called upon by government agencies in the US, the EU, Asia and Latin America to provide her ...