How strong, flexible data protection controls can help maintain regulatory compliance

Privacy and security regulations are evolving quickly. The European Union’s GDPR and California’s new CPRA law are only the most high-profile examples. According to Privacy Desk, around 110 countries have data protection and privacy laws in place. Within the US, hundreds of state-level bills are pending. Nevada, Maine, Oregon, and Texas are among the states that have already passed consumer information protection acts.

The regulations all have their own nuances and trying to stay on top of them is like playing whack-a-mole—especially if a company’s infrastructure isn’t flexible enough to adapt quickly to new requirements. A better approach is to look at the underlying principles behind these privacy laws and build data platforms that support these principles but are flexible enough to adapt to specific new requirements as they come along.

CISOs can bring controls in areas such as access, encryption, and metadata to the table that can help address privacy concerns, meet compliance requirements, and improve cybersecurity. “It’s a great idea that security take the lead in setting up controls necessary to protect data to new regulatory standards,” says Steve Wilson, vice president and principal analyst at Constellation Research. “The CISO has the right mindset to think strategically about data as an asset.”

That’s because accountability for information is the common theme in all the new regulations, Wilson says. “CISOs and chief data officers need to be more accountable about where the data is, where it’s going, and what it’s going to be used for.”

Good compliance controls start with ethics

A proactive approach to the fast-changing regulatory environment around data privacy requires a cultural shift, says Lorelei Chernyshov, assistant vice president for information governance at Merrick Bank, a Utah-based financial institution focusing on credit cards and loans. The old way of thinking is that businesses owned all the customer and employee data they collected. “Now, we are custodians of that personal information,” she says. The customer or employee is the one who owns their information, and a company’s job is to protect it.

All the laws and regulations support that cultural shift, that changing understanding of the ownership of the data, Chernyshov says. That’s a good thing. “I am absolutely delighted by these new regulations and I am not joking.”

Even as the bank was rethinking its operations to comply with new requirements, Chernyshov was looking at the bigger picture. “For the past two and a half years, I’ve been talking about forming a digital ethics working group,” she says. The talking has paid off, and that group was formed two months ago. Its goal is to discuss technology and its impact on privacy and make recommendations to steering committees.

The group is just one indicator of a cultural shift surrounding the use of customer data, Chernyshov says, but isn’t the only one. In response to California’s CCPA—the precursor to the CPRA ballot initiative passed late last year—Merrick Bank looked at its entire infrastructure and business processes not just from the perspective of what it had to do to get compliant, but from the standpoint of doing the right thing.

For example, the bank decided to start with the most stringent elements of each of the state laws and apply them universally to all customers. “Otherwise, we have a customer calling in from North Dakota saying, ‘Where is my data?’ and we’d say, ‘You’re not in California, so you don’t get to know that.’ That’s ridiculous,” Chernyshov says. “So, we take the most stringent regulations and then roll up to that.”

That required a broad commitment from the bank’s leadership team. “Immediately after the CCPA was passed, we created the CCPA working group that involved the CIO, the CFO, all the department heads—all the executives,” Chernyshov says. The assistant vice president of information security was also involved, as were representatives from infrastructure and software development. “The question was, how can we install privacy by design, which encompasses security by design as well?”

To do this, the bank created a master spreadsheet of the data that every system contained and all the bank’s business processes. “We created a data flow map for every single business process in great detail,” Chernyshov says. “Then we looked at whether the data was at risk, if it was tokenized, if retention policies were applied.”

The bank also took a minimization approach to what data was collected, how it was distributed, and what business processes were involved. “Can we take applications and tokenize all the data in those applications so that none of that private information is being tossed about the company?” says Chernyshov.

This kind of holistic approach to data governance isn’t universal, says Francoise Gilbert, legal counsel at Cloud Security Alliance (CSA), and the author of a privacy concepts primer for security professionals, released earlier this month. “You also have companies that have an ad-hoc approach,” she says. “A new client is a hospital, so we better pay attention to the HIPAA law. Or there goes the client, so there goes your HIPAA compliance.”

Other companies have long been working on privacy and security. “They have a level of maturity so that if there’s a new law it’s just an addition, not a major step they have to make,” Gilbert says. “It depends on the maturity of the company—and on its pocketbook.”

Access controls, least privilege and audit trails

A year and a half ago Merrick Bank standardized on SailPoint’s SaaS identity platform for governing access to both on-premises and cloud data, along with compliance and governance tools from OneTrust and digital risk management tools from PwC’s Terrain Insights product. “With all that in place, we are more confident in offering other lines of business and ensuring that we’re protecting those customers’ interests and concerns,” Chernyshov says. “It provides us a foundation to address all these new regulations and makes us adaptable on the back end.”

CISOs can also become business enablers in their companies by offering tools that help other departments roll out new products and services in a faster, more secure, and more compliant way. Take, for example, the question of how to allow users access to a particular system. This is an area of concern for any company that deals with private data, but particularly so for companies working in the healthcare field, such as New York-based health technology company Cedar.

Cedar provides billing systems, which means it also touches financial information, doubling the privacy and security concerns. Aaron Zollman, Cedar’s CISO, says it’s important for security to be part of the discussion when new systems are built and provide good centralized tools to other business units and software development teams.

“We can say, this is an SSO tool,” Zollman says. “You don’t have to use it, but if you don’t use it, and your data is HIPAA relevant, then there’s a much longer set of things you’ll have to do and it probably won’t be the win you think it is to bypass this requirement.”

It can also help translate security and privacy policies into code, Zollman says. “I can literally say that these tables and fields have this label and that only these teams should be able to query these fields.” Cedar is a venture-funded company and needs to continually launch new products, run experiments, and figure out what works. The security department can’t dictate to the business units what they should and shouldn’t be doing. “That tends to go poorly,” he says. “It has to be a partnership—but we have to be in the room.”

Selling the idea of limiting access to data can be a hard sell for CISOs. “You’ll always hear complaints and frustration from the user community,” says Johanna Baum, founder and CEO of S3 Consulting. “They would prefer to have unfettered access to anything and everything.”

Setting up controls is also costly and time consuming and Baum has seen businesses of all sizes dropping the ball. With the new regulations, CSOs are getting a little bit more leverage, she says.

Encryption, tokenization, and anonymization

Similarly, encrypting sensitive data is a no-brainer, or should be, for all companies, but often isn’t. With new regulations—and high-profile attacks like SolarWinds—that’s starting to change, says Baum. “I think CEOs are starting to understand how important this is and are willing to spend the money.”

Without encryption, when attackers get into enterprise systems, whether on-prem or in the cloud, they can get easy access to the crown jewels. Encryption is also expensive, says Baum, and the process of tracking down where the sensitive data is stored, and then convincing people to give up their own, unencrypted copies of that data, is also a challenge. “It’s been difficult to sell this,” she says. “It’s expensive, and the CEOs feel it’s complicated to deploy and they’re not seeing immediate benefits.”

Another problem, says Chris Williams, cyber solution architect at Capgemini, is that tokenization, encryption, and anonymization involve very foundational changes in databases and applications that use them. “If the application doesn’t support it, then you can’t use it, no matter how much you love the technology,” he says. “If it is a legacy application or a custom application that can’t be easily modified, then you may be out of luck.”

Key management is another complicating factor. “Regulations require that sensitive data be encrypted but they do not stipulate how it is to be encrypted, and where the keys to decrypting that data are to be stored or protected,” Williams says.

Security experts can play a role in improving the situation, but they need to evolve to be more focused on protecting data and establish and maintain controls that are more data-centric than they have been in the past, Williams says. That includes looking beyond the traditional perimeter, he adds. “We are seeing increased use of third-party data processing services.”

The use of outside providers doesn’t obviate a company’s compliance or security responsibilities. “This has control implications as organizations must be aware of what their data processors have access to, and what they might be doing with that access,” Williams says.

The coming wave of metadata

Another security control that has privacy implications is the use of metadata. Metadata is data about data—information about how particular data elements were collected or allowed to be used. For example, a customer might give permission for their phone number to be shared with the marketing department but not shared with third parties.

Metadata is going to be one of the trends of the next decade, says Williams. Companies will need to upgrade their data-driven applications and the databases that underlie them to support robust metadata capabilities, he says.

A robust and flexible metadata platform can allow companies to quickly add more controls without having to rebuild its whole data infrastructure. “Metadata is the name of the game,” says Constellation’s Wilson. “We need to imagine that each piece of data has tags on it that helps us understand where the data is and where it’s going. There’s no standard to this—this is really leading edge.” People need to start thinking about it, he says. “Customer databases should be mostly metadata full of tags that explain the compliance aspects of that data, what jurisdiction it is coming from, what rules it is subject to.”

The need to collaborate

So how do you get to be in that room? Top-level executive action can help, Zollman says, but senior executives have only so many of those chips. Having major new regulations coming online definitely helps. “It forces people to think,” he says.

A better long-term strategy is to be useful, Zollman says, to provide the other business units with the support they need to meet the new regulatory requirements and to address their security challenges. “I’d rather focus on showing people not to be scared of it.”

Being able to work closely with other business units is also key to changing a company’s culture to prioritize data privacy and security, says Merrick Bank’s Chernyshov. “You can’t do this without collaboration,” she says. “It’s impossible.”

For example, when the bank does its annual data privacy review, everyone is in the room—the chief legal counsel, the CIO, the compliance officer. “Everyone’s in there,” she says. “We can have a discussion, make a decision, document it, and we’re ready to go.”

For the digital ethics function, the reach can be even broader, Chernyshov says. “I will get questions from different departments,” she says. “‘Should we have access to this data? I’m seeing all this, but I don’t need to.’ ‘Should this type of information be circulated in email?’ I bring these questions to the digital ethics committee, and we will bring in the appropriate people from different departments and say, ‘Should we be doing this? Based on regulations, and our policies, how do we change that process to address these issues?'”

These discussions are an indication that the cultural shift is taking place. “I’m very heartened when people ask me those questions,” says Chernyshov. The need for collaboration goes beyond corporate walls. “It’s also important, in a position like mine, to belong to not only groups in our own organization but to be looking at external resources.”

That includes being part of organizations like AIIM International, the Association for Intelligent Information Management, where she is a board member. It also includes continuing education. Last year, Chernyshov completed her master’s in legal studies in the field of cybersecurity and data privacy from Albany Law School. “You need to be constantly educating yourself about these issues, whether through professional certifications or continuing education in some other way,” she says.

Security is everyone’s concern

Security needs to take the lead in setting up necessary controls to meet new regulatory standards, says Capgemini’s Williams. Security needs to champion the idea that cybersecurity is never done and can’t be ignored, and to evolve security frameworks to protect data as it moves beyond corporate perimeters—to the cloud, and to home offices. The security frameworks must be more data centric than they have been in the past, Williams says, “and more identity centric than they have been in the past.”

Williams agrees that security leaders need to be enablers and facilitators to protect the business, but a bigger challenge is to drive a cultural change in the enterprise. “Performing business securely is a responsibility of business leaders, not security leaders,” he says.