Privacy Post-COVID: Predictions for 2021

The pandemonium that was 2020 is coming to an end. “Normal business operations” finally loom on the horizon. But there is no rest for the weary.

Privacy Prognosticators Are Scared

I get it. Prediction is tough. Nobody predicted that a worldwide pandemic would force everyone to work from home and turn into a Zoom-fueled scramble to protect new endpoints. We all predicted wrong in 2020. And it shows in 2021’s conservative predictions.

“International privacy standards will increase.” Ooh!!!

“The importance of transparency will increase.” Aaah!!!

Forrester steps it up a bit. “Regulatory and legal activity related to employee privacy will increase 100%”. But still…

What is going on here? Facebook last year was fined $5 billion for misrepresenting its privacy program—312 times larger than the biggest HIPAA fine. Equifax is still paying for its 2017 privacy leak and will be until at least 2024. We just had the greatest workforce shift since the industrial revolution. And the top prediction for 2021 is that privacy requirements will increase? The industry is lagging.

Here’s what you need to know about privacy in 2021, post-COVID.

The Privacy Market Struggles to Innovate

For more evidence that the industry is falling behind, look at the leading companies. OneTrust earlier this year raised $210 million in VC funding, just seven months after raising $200 million. To finish 2020, OneTrust raised $300 million more, giving them $700 million to hire the best and tackle their grandest ideas.

And how does OneTrust plan to use this money? To buy other companies. In February chairman Alan Dabbiere told Crunchbase, which was baffled as to why OneTrust would raise so much more than it could effectively deploy: “We want to move fast on any organic and inorganic growth opportunities we may see in the market.”

OneTrust’s strategy is to let others innovate, and then buy them. 

When did privacy become a stodgy market with strategies you might see in the Coca-Cola boardroom?

Privacy Will Finally Expand Beyond “Find it, Encrypt it”

When training for the omnipresent CISSP, we are repeatedly drilled on the CIA triad: Confidentiality, Integrity, and Availability. The idea is that important data needs to be protected from prying eyes (confidential), tracked to ensure it has not been modified (integrity), and accessible when needed (availability).

Cybersecurity focuses on all three, but privacy solutions barely touch the triad. Most privacy companies either help find privacy data lost in the cacophony of IT systems or focus on compliance.

Some privacy companies inch further and help secure personal data with end-to-end encryption, similar to modern text messaging app technology. This is the C, confidentiality; encryption helps ensure that personal information is not viewed by outsiders.

I’m only aware of one company that offers the A, availability. InCountry is a smaller, newer startup ($40 million) that offers Data Residency as a Service, ensuring that your data is available in the country in which it needs to be available. But honestly, this feels more like a tool to skirt data laws.

And perhaps most shockingly, the privacy industry has nothing for I, integrity, which ironically is today’s hot topic. There are debates about whether votes were cast properly and whether outside nations tampered with election results, and “fake news” has become part of the daily lexicon. Social media gets it; fact checking has become commonplace. In privacy, what happens if someone changes my information or provides bad information about me? What happens if Equifax is hacked again and the attackers demand money from you under threat of ruining your credit history?

2020 was tough, but 2021 needs to be a renaissance year. Privacy needs to expand beyond find it, encrypt it.

ZenPrivata will focus heavily on ensuring the integrity of personally identifiable information in 2021. Others will follow.

Privacy Consultant Will Be the New Hot Job

I hate to be jaded, but we’ve seen major cybersecurity hacks. Yahoo, Sony, Home Depot… governments, customers, and markets mostly brush them off and move on. As a result, many companies only do what is required on cyber.

Privacy looks different, with real consequences. Facebook’s $5 billion privacy fine is one thing, but Equifax was also fined $575 million for failing to secure personal information, and Marriott $123 million for violating European privacy laws. And people care. 32% are willing to switch to a competitor if a company doesn’t protect their privacy, according to a Cisco study.

If you’re a CEO and see that your cybersecurity program is well-staffed and you face minimal consequences, but that your privacy program is minimal and you face potential $100 million fines, which team do you think you’ll plus-up?

Companies in 2021 will bump up their privacy teams or hire external privacy consultants.

Conclusion

Businesses face a unique “new normal”, and COVID-19 and 2020 delayed most companies’ progress on privacy. Companies will return to the office in 2021 and find that the problem has progressed but that their program is still stuck in 2019. They will find themselves buried with privacy tasks, for which there are few innovative solutions to help them. They will yearn for the quaint days of wearing pyjama pants at Zoom meetings about getting people working from home onto a VPN.
