There are currently 12 states considering new data privacy laws or updates to laws that are already in place. The Virginia Consumer Data Protection Act (VCDPA), for example, goes into effect on January 1, 2023. All of these state privacy laws, along with international data privacy laws, come with their own individual regulations, which creates challenges for security teams. How do organizations comply with all these unique data compliance regulations?
Considering that much of the relevant data is transmitted or stored in the cloud, what is the best way to address data privacy laws in a global workforce and in a cloud environment?
Carefully, Tim Wade, Vectra’s deputy technical director, said in an email interview.
“This often involves clear and intentional segmentation of storage and access so that geographic region or national origin maintains a clear separation from legal requirements. Assuming these laws materially enhance the privacy of the people they are designed to protect, that allows such protection to exist in a global workforce; the challenge, of course, is the additional IT management complexity it introduces, which increases the likelihood of a material security breach.”
Responsibility for data privacy in the cloud
Privacy laws state that organizations are responsible for the data they collect wherever it is ultimately processed or stored, Rehan Jalil, CEO of Securiti, explained in an email interview. It’s not just the people within the organization who have to follow privacy compliance standards and security requirements; all third parties, subcontractors and cloud providers must provide strong security and privacy policies and it is up to the organization to ensure this happens.
“Organizations should be aware of all the cloud services their users and systems connect to and review data transfers to these cloud services (and any other outsourcing) to ensure regulations are not breached,” Jalil said.
Due to the complexity and fragmented nature of US data privacy laws, organizations need to know exactly where their employees and customers are located. Typically, these laws are based on the residence rather than the citizenship of the person whose data is collected and processed.
Knowing this, security and compliance teams can begin the hard work of identifying the privacy laws that apply to each individual and their sensitive data.
“By discussing, identifying and defining the privacy requirements of each business, companies can work backwards to identify which national, state and/or local privacy laws the company is subject to,” said Alex Ondrick, director of security operations at BreachQuest, in an email.
The role of data privacy laws in cloud security
Data privacy laws should always be considered as part of cloud security, Jalil said.
“Many regulations discuss cross-border transfers and define the minimum requirements before data is allowed to move from one location to a different country,” Jalil said. “The organization therefore needs to review where the data is stored and processed and review all laws in other countries to ensure that the appropriate legal and technical safeguards are in place.”
To avoid penalties for noncompliance, companies should thoroughly research the data privacy laws of the countries in which they operate before placing sensitive and critical data in the cloud, advised Shweta Khare, cybersecurity evangelist at Delinea.
“The cloud is a shared responsibility. Never assume that the cloud provider’s default security controls can fully protect your data and help meet specific regulatory and compliance requirements,” said Khare. “While cloud providers have good controls in place to protect data in the cloud, they make it clear that customers remain responsible for complying with applicable privacy laws, regulations, and programs.”
One of the biggest risks to both cloud security and data privacy compliance is a lack of awareness of how much data is spreading within the organization. As Jalil pointed out, too many organizations have no idea how many files individual users have created, what kind of data is in those files (and whose data it is), or how all systems are interconnected and sharing personal information. And most of the time, many of these files are stored in cloud services.
To better monitor your organization’s cloud data and ensure that your cloud security systems can provide the protection and compliance needed to safeguard data privacy, Jalil recommended two technologies: cloud access security broker (CASB) products, which can find and report unknown cloud services in use, and PrivacyOps services, which can discover, catalog and index the organization’s own data wherever it resides across those cloud services.
“Armed with that data,” Jalil said, “IT security and privacy teams must look for anomalies and define policies for data collection, storage, and movement.”
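As an added illustration of the review Jalil describes (it is not code from the article or from any of the vendors quoted), the script below runs a residency and unknown-service check over a constructed cloud-data inventory. The policy table, the approved-service list and the inventory entries are all hypothetical placeholders; which regions may hold a given population's data is a legal determination, not something this code decides.

```python
# Added example, not from the article: a cross-border storage and
# unknown-cloud-service review over a constructed data inventory.
from dataclasses import dataclass

# Hypothetical policy: cloud regions allowed to hold personal data of
# subjects resident in each jurisdiction. Constructed for illustration only.
ALLOWED_REGIONS = {
    "US-VA": {"us-east", "us-west"},
    "EU": {"eu-central", "eu-west"},
}

# Cloud services already reviewed and approved (a CASB-style allow-list).
# Any other service in the inventory is an "unknown cloud service" finding.
APPROVED_SERVICES = {"object-store", "collab-suite", "hr-saas"}


@dataclass(frozen=True)
class DataSet:
    name: str
    owner: str              # user or system that created the data
    subject_residence: str  # jurisdiction where the data subjects reside
    storage_region: str     # cloud region holding the data
    service: str            # cloud service holding the data
    personal: bool          # does it contain personal data?


def review(inventory):
    """Return (dataset name, finding) pairs for a privacy/compliance review."""
    findings = []
    for ds in inventory:
        if ds.service not in APPROVED_SERVICES:
            findings.append((ds.name, "unknown cloud service: " + ds.service))
        if not ds.personal:
            continue  # residency rules in this example cover personal data only
        allowed = ALLOWED_REGIONS.get(ds.subject_residence)
        if allowed is None:
            findings.append((ds.name, "no policy for residence " + ds.subject_residence))
        elif ds.storage_region not in allowed:
            findings.append((ds.name, f"cross-border storage: {ds.subject_residence} data in {ds.storage_region}"))
    return findings


# Constructed inventory, shaped like what CASB/PrivacyOps discovery might yield.
INVENTORY = [
    DataSet("hr-roster", "hr-app", "US-VA", "us-east", "hr-saas", True),
    DataSet("eu-customers", "crm", "EU", "us-east", "object-store", True),
    DataSet("marketing-deck", "alice", "EU", "us-west", "filesync-app", False),
    DataSet("support-tickets", "bob", "BR", "us-east", "ticketing-saas", True),
]

if __name__ == "__main__":
    for name, finding in review(INVENTORY):
        print(f"{name}: {finding}")
```

The two findings on `support-tickets` show the usual outcome of such a review: a service nobody approved, holding personal data of a population the policy does not yet cover.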