InfoSec Insider

A Post-Data Privacy World and Data-Rights Management

Joseph Carson, chief security scientist at Thycotic, discusses the death of data privacy and what comes next.

The reality is that today, almost everyone is being tracked and monitored 24/7 with cameras recording our expressions, interactions and speech to determine what we might be thinking, where we are going and who we are meeting. While privacy differs from nation to nation and culture to culture, one thing that remains consistent is that having privacy is becoming less and less of an option.

As a result, it may drive us to treat our daily lives as if privacy no longer exists. The concept itself is quickly becoming obsolete as individuals continue to build their online digital presence and organizations shift operations to the cloud, resulting in more complex global ecosystems. Society is moving to an influencer culture where everyone will either be an influencer or be influenced. Social-media platforms are no longer focused on social interaction; once ads were introduced, they became influencer platforms.

Discussions surrounding how to ensure data privacy have been replaced with conversations on how citizens’ data is being used, collected and processed. For example, the DHS stated in a September 2020 announcement that it would “authorize expanded use of biometrics beyond background checks to include verification, secure document production and records management” to improve screening and vetting processes. While modernizing and extending the use of biometrics has many advantages, it is critical that the DHS continue to outline exactly what is collected from citizens and the specific purpose for which it will be used, along with how it will not be used.

Generally, regulations should continue to pressure companies – including government entities – to provide adequate cybersecurity measures and follow the principle of least privilege to protect the data they have been entitled to collect or process, and to provide transparency and give users access to their data.

Ultimately, the issue of data privacy will start to evolve into a “data-rights management” movement, meaning that it will become more about how personal data is used and what monetization results from it. Questions arising now include: How will citizens be incentivized, even paid, for the use of their data if it’s going to be used for marketing purposes? Are we entering a world of ‘renting’ our data?

The good news is that there are several data-privacy and regulatory organizations that are aiding in the security process. GDPR and CCPA regulations are at the forefront of imposing stricter requirements on companies that collect personal data. For example, CCPA requires that if consumers opt out of having their data used (or sold), the business will be required to refrain from selling any data for 12 months.

Regulations like the one above allow the public to have a say over their specific data. This includes the right to view, share and erase stored content. We can be sure that in the coming years, we’ll see even more pro-public restrictions that help the average person understand privacy policies.

Nonetheless, in 2021, organizations must take a risk-based approach and apply the appropriate security controls to each user based on the level of access they have to privileged data.

Joseph Carson is chief security scientist at Thycotic.
