Inconsistent political priorities complicate data protection compliance


This Saturday, January 28, is Data Protection Day in Europe, the United States and dozens of other countries, including Canada and Israel. It is an opportunity to reflect on the present situation, but also on the future of the regulations governing data protection. Currently, seemingly inconsistent policy trends in cybersecurity threaten to cloud initiatives to improve data protection.

There is no shortage of initiatives aimed at protecting data. Well intentioned, they are a logical response to daily reports of data breaches and other illicit data exposures. Data protection advocates and legislators are increasingly aware of the need to harmonize the cybersecurity requirements embedded in data protection laws. However, proposals to localize data persist, threatening to undermine attempts to improve data protection in general and cyber resilience in particular.

Common cybersecurity requirements pave the way for privacy

Beyond the confusion caused by the proliferation of data protection obligations embodied in instruments such as the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) in California, the Personal Data Protection Act (APPI) in Japan, amendments to Australian privacy law and a growing body of privacy legislation in the United States, developments are positive for entities wishing to set up a global program. These different regulations in fact share broadly common security requirements, stipulating the implementation of protective measures that are “appropriate” or “reasonable” in light of the risk. For years, it has been recognized that these requirements were designed to ensure that companies do not see compliance with data protection regulations as a static state, but, on the contrary, as a set of methods to improve data protection in the face of ever-changing threats and technologies.

As 2023 begins, we enjoy both greater visibility and a broader consensus about what is “appropriate” or “reasonable”. Common cybersecurity practices and technologies can be found in the “State of the Art” report published by the European Cybersecurity Agency (ENISA), in the Executive Order (EO) on improving the cybersecurity of the United States, and in the latest guidelines published by the New York State Department of Financial Services.

These best practices cover the following technologies: endpoint detection and response (EDR), dark web monitoring, log management, threat hunting, and zero trust identity protection. Additionally, since the Federal Trade Commission (FTC) statement regarding the Log4Shell security flaw, patching known vulnerabilities appears to have been elevated to a compliance priority.

This common recognition of certain cybersecurity practices means that professionals can now rely with greater confidence on a baseline standard in the event of regulatory enforcement or litigation.

Confusing Policy Trends Can Undermine Cybersecurity Best Practices

Simultaneously, and in contrast to the increased drive to comply with the security requirements set by data protection laws, new data localization proposals threaten to upend these priorities. Current trends in cybersecurity clearly show that cyber intrusions continue to pose a major threat to privacy. In essence, security requirements and accepted practices are intended to prevent unauthorized access to data. Nevertheless, many proposals submitted around the world seek to deny otherwise authorized access – for example the management of a network spanning more than one jurisdiction – de facto limiting the means available to defenders to protect against unauthorized access.

Recent examples include certain provisions of the Digital Personal Data Protection Bill introduced in India, the French SecNumCloud benchmark for the qualification of cloud computing service providers, a first version of the Italian presidential decree implementing the European NIS 1.0 Directive on the resilience of critical data, certain interpretations of international transfers of personal data following the Schrems II judgment, as well as other rules promoting data sovereignty for domestic information-gathering or industrial policy purposes. While the debates remain lively, the reality is clear: an obligation to localize data would limit the use of the good cybersecurity practices that have gathered consensus around the world. To apply those practices, defenders need SaaS platforms, aggregated security data, unified visibility across organizations, centralized log management, the ability to track lateral movement, as well as 24/7 operational services, all of which invariably require cross-border data flows.

Ironically, threat actors don’t follow the rules, so defenders lacking analytical capabilities and global-scale threat hunting tools must contend with attackers who naturally seek to exfiltrate data across borders and to move laterally within a global network. In other words, data localization requirements could encourage companies to protect themselves against the hypothetical risk of legal proceedings abroad instead of complying with their own country’s requirements to use appropriate technologies to protect their data against breaches. Fortunately, some positive developments have taken place, including the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities, which addresses many of the concerns raised by proponents of data localization.

Cybersecurity challenges give new meaning to today’s privacy requirements

As security and privacy teams work hand in hand to comply with modern data protection standards that are “reasonable” and “appropriate” to the risk, and as regulators weigh the question of data localization, it is important to emphasize how current threats have evolved. Data leak extortion is a major threat to both privacy and security. From a tactical perspective, modern attacks are now identity-centric and rely on the exploitation of legitimate credentials.

Faced with modern attacks and the techniques they use, companies must ask themselves whether the security tools deployed in their network are “appropriate” to the risk, whether they comply with the legal requirements in force, and whether they reflect common best practices. Likewise, these standards can inform discussions about whether or not certain policy proposals can lead to better cybersecurity outcomes.

On Data Protection Day, it is important to reflect on what holistic data protection entails and on the importance of cybersecurity, whether in terms of compliance or of the protection of privacy and human rights. Data breaches pose a significant threat to privacy. This is why legislators and government agencies can improve privacy protection by championing transparency, but also by encouraging the adoption of best practices aimed at protecting data against the risk of breaches. It is this approach that should be prioritized for the protection of privacy, rather than seemingly arbitrary measures such as data localization. Today, modern IT infrastructures, cybersecurity and privacy programs rely on global data flows. Implementing frameworks that provide security and assurance for data transfers is an important element of holistic data protection.
