On the last Thursday in June this year, California Governor Jerry Brown signed the Consumer Privacy Act. Although not due to go into effect until January 2020, its impact will be comparable in every way to the existing European GDPR legislation.
Other US states are looking to pass similar acts. This is a wakeup call if your corporate strategy is based on putting a wall around your non-US customers and hoping the problem will go away.
For example, the Tronc group, owner of the LA Times and Chicago Tribune, have simply geo-blocked all European viewers. Other publishers such as USA Today are serving ad-stripped copies of their sites to a non-US audience.
Ignoring the problem won’t make it go away
Now that privacy legislation is also being enacted domestically, these short-term, head-in-the-sand strategies are looking increasingly futile. Your organization needs to fully engage with the challenge of managing personally identifiable information (PII) in a way that is both secure and respects the rights of the supplier of the information.
This will be a significant challenge, even in sensitive areas such as healthcare, where legal requirements have existed for a long time.
PII is scattered all around organizations: it exists not just on centralized corporate databases, but also in spreadsheets, documents, PDF files created for printout and so forth.
Also let’s not forget about that Salesforce CRM system running in the cloud; the one your marketing department pays for with a corporate credit card and that central IT doesn’t even know about.
These risks, if not effectively controlled and mitigated, are significant enough in their own right. However, we must also remember that the advent of GDPR and comparable legislation empowers the ‘data subject’ enormously.
Taking decisive action to manage risk
Until recently the technical challenges of controlling and managing PII were simply too onerous, which was one reason for a head-in-the-sand policy, but it doesn’t have to be that way. Recent developments in scalable, high-performance systems management tools have made it possible to scan for PII across hundreds of thousands of endpoints in real time and then implement strategies for managing it.
For example, unauthorized files containing PII can be efficiently located, tagged, and then reversibly encrypted to ensure they aren’t further misused. This gives organizations time to then collect and contain the proliferation of data, and ensure it doesn’t replicate out of control in the future.
Turn challenge into opportunity
GDPR and the California Privacy Act are therefore not challenges, but opportunities. In bringing the storage and management of sensitive personal information under efficient centralized control, you can at the same time improve corporate security, control IT software expenditure and harden your defenses against attack.
It’s time to spit out the sand and start mapping out a plan of action: evaluate next-generation system management tools and technology and discuss with your software vendor how you’ll manage and remediate the PII risks within the organization. Then start planning how you’ll use these same tools and frameworks to implement timely and effective software patching.
After that, it’s time to evaluate your security posture and make sure that sensitive data stays put. Are you following recommended best practices (e.g., as exemplified by the SANS CIS Critical Security Controls)?
With modern management tools and frameworks, it’s easy to move from shared administrator passwords to much safer solutions, such as the Microsoft LAPS (Local Administrator Password Solution) infrastructure; this will augment Microsoft’s core technology to manage workflow approval for maintenance requests and ensure that administrators can work effectively, but with their powers appropriately audited and constrained at all times.
With proven scalability to millions of endpoints, these next-generation systems management products enable you to solve your data and endpoint management issues, quickly and effectively. So, plan your strategy now, then move to execute it efficiently. Turning chaos into order is much easier than you imagine.