{"id":41654,"date":"2021-07-07T18:00:15","date_gmt":"2021-07-07T18:00:15","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=94089"},"modified":"2021-07-07T18:00:15","modified_gmt":"2021-07-07T18:00:15","slug":"how-to-build-a-privacy-program-the-right-way","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/how-to-build-a-privacy-program-the-right-way\/","title":{"rendered":"How to build a privacy program the right way"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/07\/MSC21_PICHA_remoteWorkplace_84197.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<div class=\"entry-content\">\n<p><em class=\"x-hidden-focus\">The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager&nbsp;<a href=\"https:\/\/www.linkedin.com\/in\/nataliagodyla\/\" target=\"_blank\" rel=\"noopener\">Natalia Godyla<\/a> talks with <em>attorney <\/em><a href=\"https:\/\/www.linkedin.com\/in\/whitney-merrill-5ab05012\" target=\"_blank\" rel=\"noopener\"><em>Whitney<\/em><em> Merrill<\/em><\/a><em>, an expert on privacy legal issues and Data Protection Officer and Privacy Counsel at Asana. The thoughts below reflect her views, not the views of her employer, and are not legal advice.&nbsp;In this blog, Whitney talks about building a privacy program and offers best practices for privacy training.<\/em><\/em><\/p>\n<p><strong>Natalia: How do security, privacy, and regulatory compliance intersect?<\/strong><\/p>\n<p><strong>Whitney:<\/strong> Security and privacy are closely related but not the same. <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/\" target=\"_blank\" rel=\"noopener\">Privacy is not possible without security<\/a>. 
In the last 5 to 10 years, regulations in privacy and security have taken very different paths. Most regulations across the world fall to a standard of reasonable security, whereas privacy is much more prescriptive about the types of behaviors or rights that individuals can exercise from a compliance perspective. Companies look to common security frameworks like ISO 27001 or SOC 2, but privacy doesn\u2019t really have that. That\u2019s born from the fact that security feels very black and white. You can secure something, or you can\u2019t.<\/p>\n<p>In privacy, however, there\u2019s a spectrum of beliefs about how data can be used. It\u2019s much more grey. There were attempts in the early 2010s with Do Not Track, the proposed HTTP header field that let internet users opt out of website tracking. That fell apart. Privacy and regulatory compliance have diverged, and much of it is because of fundamental disagreements between the ad industry and privacy professionals. You see this with cookie banners in the European Union (EU). They\u2019re not a great user experience, and people don\u2019t love interacting with them. They exist because there have been enough regulations like the Electronic Privacy Directive and <a href=\"https:\/\/www.microsoft.com\/en-us\/trust-center\/privacy\/gdpr-overview\" target=\"_blank\" rel=\"noopener\">General Data Protection Regulation<\/a> (GDPR) that essentially require those types of banners.<\/p>\n<p><strong>Natalia: Who should be involved in privacy, and what role should they play?<\/strong><\/p>\n<p><strong>Whitney: <\/strong>It\u2019s very important to get privacy buy-in from the highest levels of the company. Not only do you have an obligation under GDPR to have a Data Protection Officer that reports to the highest levels of a company if you\u2019re processing European data, but an open dialogue with leadership about privacy will help establish company cultural values around the processing of data. Are you a company that sells data?
How much control will your users and customers have over their data? How granular should those controls be? Do you collect sensitive data (like health or financial data), or is that something that you want to ban on your platform?<\/p>\n<p>The sooner you get buy-in from leadership and the sooner you build privacy into your tools, the easier it\u2019s going to be in the long run. It doesn\u2019t have to be perfect, but a good foundation will be easier to build upon in the future. I\u2019d also love to see the venture capital community incentivizing startups and smaller companies to care about privacy and security as opposed to just focusing on growth. It\u2019s apparent that startups aren\u2019t implementing the privacy lessons learned by other companies that have already seen privacy enforcement from a privacy regulator. As a result, the same privacy issues pop up over and over. Obviously, regulators will play a role. In addition to enforcement, education and guidance from regulators are vital to helping companies build privacy by design into their platforms.<\/p>\n<p><strong>Natalia: What does a privacy attack look like, and which attacks should companies pay attention to?<\/strong><\/p>\n<p><strong>Whitney:<\/strong> A privacy attack can look very similar to a security attack. A data breach, for instance, is a privacy attack: it leaks confidential information. A European regulator recently called a privacy bug a breach. In this particular case, a bug in the software caused the information to be made public that the user had marked as private. Folks generally associate data breaches with an attacker, but often accidental disclosures or privacy bugs can cause data breaches. I\u2019ve talked with folks who say, \u201cWow, I never thought of that as a security breach,\u201d which is why it\u2019s important to engage your legal team when major privacy or security issues pop up. You might have regulatory reporting obligations that aren\u2019t immediately apparent. 
Other privacy attacks aren\u2019t necessarily data breaches. Privacy attacks can also include attempts to deanonymize data sets, or they might be privacy bugs that use or collect data in a way that is unanticipated by the user. You might design a feature to only collect a certain type of data when in reality, it\u2019s collecting much more data than was intended or disclosed in a privacy notice.<\/p>\n<p>On the more adversarial side of privacy attacks, an attacker could try to leverage weaknesses and processes around privacy rights to access personal information or erase somebody\u2019s account. An attacker could use the information they find out about an individual online to try to get more information about that individual via a data subject rights process (like the right to get access to your data under global privacy laws). There were a few cases of this after the GDPR went into effect. An attacker used leaked credentials to a user\u2019s account to download all of the data that the service had about that individual. As such, it\u2019s important to properly verify the individual making the request, and if necessary, build in additional checks to prevent accidental disclosure.<\/p>\n<p><strong>Natalia: How should a company track accidental misuse of someone\u2019s information or preferences?<\/strong><\/p>\n<p><strong>Whitney:<\/strong> It\u2019s very hard. This is where training, culture, and communication are really important and valuable. Misuse of data is unfortunately common. If a company is collecting personal data for a security feature like multifactor authentication, they should not also use that phone number for marketing and advertising purposes. That goes beyond the original scope and is a misuse of that phone number. To prevent this, you need to think about security controls. Who has access to the data? When do they have access to the data? How do you document and track access to the data? How do you audit those behaviors? 
That\u2019s where security and privacy deeply overlap because if you get alignment there, it\u2019s going to be a lot easier to manage the misuse of data.<\/p>\n<p>It\u2019s also a good idea to be transparent about incidents when they occur because it builds trust. Of course, companies should work closely with their legal and PR teams when deciding to publicly discuss incidents, but when I see a news article about a company disclosing that they had an incident and then see a detailed breakdown of that incident from the company (how they investigated and fixed the issue), I usually think, \u201cThanks for telling me. I know you were not necessarily legally required to disclose that. But I trust you more now because I now know that you\u2019re going to let me know the next time something happens, especially something that could be perceived as worse.\u201d Privacy isn\u2019t just about complying with the law. It\u2019s about building trust with your users so they understand what\u2019s happening with their data.<\/p>\n<p><strong>Natalia: What are best practices for implementing a privacy program?<\/strong><\/p>\n<p><strong>Whitney: <\/strong>When you build a privacy program, look at the culture of the company. What are its values, and how do you link privacy to those values? It\u2019s going to vary from company to company. The values of a company with a business model based on the use or sale of data are going to be different than a company that sells hardware and doesn\u2019t need to collect data as its main source of revenue.<\/p>\n<p>It\u2019s easy for companies to look at new privacy laws\u2013like GDPR and the California Consumer Privacy Act (CCPA)\u2013and say, \u201cLet\u2019s just do that,\u201d without thinking through the broader implications. That\u2019s the wrong approach. 
Yes, you want to comply with privacy laws, but <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/01\/28\/data-privacy-compliance-being-good-world-citizen\/\" target=\"_blank\" rel=\"noopener\">compliance does not equal security<\/a> or privacy. If you\u2019re constantly reactive to only what privacy law requires, you\u2019ll tire out quickly because it\u2019s changing and growing rapidly. Privacy is the future. Instead, think more holistically and proactively when it comes to privacy. Instead of rolling out a process to comply with only one region and one law, consider rolling it out for all users in all regions, so when a new region implements a similar law or regulation, you\u2019ll be most of the way there. Just because you\u2019re compliant with GDPR doesn\u2019t mean you\u2019re a privacy-focused company or that you process information in the most privacy-centric way. But you\u2019re moving in that direction, and you can build on that foundation. Another best practice is to find campaigners across the company who support privacy efforts. If you don\u2019t have a dedicated privacy resource, that doesn\u2019t mean you can\u2019t build a culture of privacy within your company. Work with privacy-minded employees to seek out the easy privacy wins, such as making sure your privacy policy is up to date and reflective of your practices. Focus on those to build support around privacy within the company.<\/p>\n<p>Putting my former regulator hat on, privacy culture is important. When the Federal Trade Commission (FTC) comes knocking at your door, they\u2019re looking to see if you have the right intentions and are trying to do your best, not just whether you prescriptively failed to do this one thing that you should have done. They look at the size of the company, and its maturity, resources, and business model in determining how they\u2019ll enforce against that company. 
Showing that you care isn\u2019t going to necessarily fix your problems, but it will definitely help.<\/p>\n<p><strong>Natalia: How should companies train employees on privacy issues?<\/strong><\/p>\n<p><strong>Whitney: <\/strong>Training should happen regularly. However, not all training needs to be really detailed or cover the same material\u2014shake it up. The aim of training employees on privacy issues is to cultivate a culture of privacy. For example, when employees onboard, they\u2019re new and excited about joining a new company. They\u2019re not going to remember everything so keep privacy training high-level. Focus on the cultural side of privacy so they get an idea of how to think about privacy in their role. From there, give them the resources to empower themselves to learn more about privacy (like articles and additional training). Annual training is a good way to remind people of the basics, but there are many people who are going to tune those out, so make them funny and engaging if you can. I love using memes, funny themes, or recent events to help draw the audience in.<\/p>\n<p>As the privacy program matures, I recommend creating a training program that fits each team and their level of data access or most commonly used tools. For example, some customer service teams have access to user data and the ability to help users in a way that other teams may not, so training should be tailored to address their specific personal data access and tooling abilities. They may also be more likely to record calls for quality and training purposes, so training around global call recording laws and requirements may be relevant.
The more you target training toward specific tools and use cases, the better it\u2019s going to be because the employee can better understand how that training relates to their everyday work.<\/p>\n<p><strong>Natalia: What encryption strategies can companies implement to strengthen privacy?<\/strong><\/p>\n<p><strong>Whitney:<\/strong> <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/security\/fundamentals\/encryption-atrest\" target=\"_blank\" rel=\"noopener\">Encrypt your databases at rest<\/a>. Encrypt data in transit. It is no longer acceptable to have an S3 bucket or a database that is not encrypted at rest, especially if that system stores personal data. At the moment, enterprise key management (EKM) is a popular data protection feature involving encryption. EKM gives a company the ability to manage the encryption key for the service that they are using. For instance, a company using Microsoft services may want to control that key so that they have ownership over who can access the data, rotate the key, or delete the key so no one can access the data ever again.<\/p>\n<p>The popularity of EKM is driven by trends in security and Schrems II, which was a major decision from the Court of Justice of the European Union last summer. This decision ruled Privacy Shield, the safe harbor for data transfers from the EU to the United States, invalid for not adequately protecting personal data. Subsequently, the European Data Protection Board (EDPB) issued guidance advising data be encrypted before being transferred to help secure personal data when transferred to a region that might present risks. 
Encryption is vital when talking about and implementing data protection and will continue to be in the future.<\/p>\n<h2>Learn more<\/h2>\n<div class=\"entry-content\">\n<p class=\"x-hidden-focus\">To learn more about Microsoft Security solutions,&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/solutions\" target=\"_blank\" rel=\"noopener\">visit our website<\/a>. Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noopener\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. Also, follow us at&nbsp;<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noopener\">@MSFTSecurity<\/a>&nbsp;for the latest news and updates on cybersecurity.<\/p>\n<\/div>\n<\/div>\n<p>READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/07\/07\/how-to-build-a-privacy-program-the-right-way\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Asana Privacy Counsel Whitney Merrill, an expert on privacy legal issues, talks with Microsoft about best practices for building a privacy program.<br \/>\nThe post How to build a privacy program the right way appeared first on Microsoft Security Blog.
READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":41655,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[347,9127],"class_list":["post-41654","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-cybersecurity","tag-voice-of-the-community"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41654","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=41654"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41654\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/41655"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=41654"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=41654"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=41654"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}