Data security is the topmost concern nowadays as cyber-attack incidents are consistently rising. Organizations of all sizes are working to prepare a robust cybersecurity strategy to mitigate the risk of falling prey to cyberattacks. Data Privacy Day is celebrated to spread awareness about data privacy and to strengthen security infrastructure. Drew Bagley, VP & Counsel for Privacy and Cyber Policy, CrowdStrike, spoke to DT and shared his views about the importance of data privacy.
Importance of Data Privacy Day
Today we live such ultra-connected and busy lives with technology omnipresent yet transparency and security often lagging behind. It is important to remember that cyberattacks pose some of the most significant threats to privacy today. This makes Data Privacy Day a terrific opportunity for individuals and organizations processing data to reflect on key privacy principles and responsibilities.
In recent years we have seen a significant rise in data leak extortion incidents, whereby cyber threat actors attempt to hold data hostage - including personal or health information - unless they are paid. Identity-based attacks are also on the rise where compromised credentials are leveraged to access accounts and access sensitive data. Concurrent with this trend, countries around the globe have adopted privacy regulations that include cybersecurity requirements. Therefore, it is important for individuals and organizations alike to ask what the current risks to their privacy are and how they’re mitigating them.
As we recognize Data Privacy Day, it is important to reflect on what holistic data protection entails, and how critical cybersecurity is, not only to compliance but to protecting privacy. For policy makers and regulated organizations alike, it is important to focus on the big picture goal of incentivizing the adoption of the best way to protect data rather than arbitrary geo-restrictions not respected by cyber adversaries.
Implementation of Data Protection Bill
The Ministry of Electronics and Information Technology’s (MeitY’s) proposed DPDP Bill provides a thoughtful analysis of a complex legal and policy area. As updates to the law and administrative rulemaking move forward, we recommend continued engagement with stakeholders. There is a unique opportunity to raise the bar on data protection in India, and it is critical to recognize that cyber threats pose some of the greatest risks to privacy today. Finally, because the underlying technologies evolve faster than law and policy, we recommend and emphasize that any legislative updates and proposed rulemaking focus on principles rather than prescriptive requirements and include a mechanism for periodic revisions.
To achieve true data protection, both personal and non-personal information are used to identify and stop security attacks, and understanding the scope of the DPDP Bill’s proposed requirements better ensures that privacy and security practitioners can design their compliance programs accordingly. Accordingly, it is important not only to draw this distinction but also to ensure that personal data can be processed for legitimate means.
For example, cybersecurity best practices, such as identity protection, endpoint detection and response, log management, and threat hunting are dependent upon unique identifiers, which may incidentally be categorized as personal information, to detect and mitigate security risks. This includes identifying which assets are being targeted by an adversary, whether or not a threat actor has moved laterally across a network, and mitigating the impact of breach attempts.
In other words, a defender would not know which accounts had been targeted, when privileges were escalated or what data was exfiltrated if the processing of identifiable information were not permitted. We recommend any further versions of this Bill continue to only apply to personal information and follow the lead of other global data protection laws in permitting the processing of personal data for data protection and cybersecurity.
Notably, the DPDP Bill does not include an explicit data localization clause. However, the inclusion of clauses limiting cross-border data transfers can effectively create the same unintended consequences of data localization, even if that is not the intent of such clauses.
Further, the DPDP Bill does not include other transfer mechanism options, such as standard contractual clauses (SCC) or binding corporate rules. In order to remain future-flexible, it is important to prioritize the goal of protecting data regardless of where it is, rather than equating data protection with restrictions on cross-border data transfers. Consequently, providing as many means as possible to lawfully transfer data abroad will continue to afford Indian organizations the ability to create and use innovative technologies on a global scale.
Today, India plays an important role contributing robust technical talent and IT infrastructure to global organizations. This invariably involves cross-border data flows, whether it is to maintain IT system authentication or as part of ensuring unified security visibility. Consequently, rigorous restrictions on where data may be transferred, with an approved country list, might have the effect of limiting innovation and the technological offerings available in India. If the pre-approved country approach is maintained in the DPDP Bill then it is critical to clarify the countries to which data transfer will be permitted, along with the criteria for making those decisions.
Plans to Boost Awareness Around Data Privacy
CrowdStrike plays an important role in helping organizations protect their data against breaches, and we think Data Privacy Day is a significant opportunity to raise awareness about the cyber threats to privacy. We regularly host webinars and publish blogs to help educate practitioners about current threats, legal developments, and best practices to protect data.