Every time a user opens an app on their device, they seem to be asked to provide both the information needed to engage with the app and, far too often, additional information that falls within the marketing niche or the "nice to have." The participation of CISOs in discussions on the data necessary for the operation of an application is table stakes. They should have a say in how that data is analyzed to determine how it needs to be protected to stay compliant with privacy laws. Additionally, CISOs have a role to play in helping employees stay safe online and protect their (and the company's) privacy.
The risks of excessive data collection
In a recent conversation with Rob Shavell, founder of DeleteMe, he commented on how endemic a problem excessive data collection by companies has become. Data brokers take what you give them and what they collect, then package and sell it. He notes, “Employers are now helping employees protect their PII [personal identifiable information] because it is in the interest of the company to do so.”
As for what steps CISOs can take, Shavell suggests they focus on data collection compliance points and data tagging. In this way, the process and procedure evolves so that “the data is retained for as long as necessary, so if an individual wishes their personal information to be deleted, it is possible to do so.” (Data privacy in the European Union in the form of the General Data Protection Regulation [GDPR] includes the “right to be forgotten” requiring companies to delete an individual’s information upon request.)
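The tagging and retention approach Shavell describes can be made concrete. The following is an added example written for this page, not code from the article, from DeleteMe or from any product mentioned here; the schema, field names, purpose labels ("operation" versus "marketing"), retention periods and the `PrivacyStore` class are all assumptions invented for illustration. It shows how tagging each collected field at the compliance point lets the store drop undeclared or unconsented fields at collection time, expire values once their retention period has passed, and honor a deletion request by removing every field tagged as PII.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical tagging scheme (an assumption for this example): every field an app
# collects is tagged with the purpose it serves, whether it is PII, and how long
# it may be retained after collection.
@dataclass(frozen=True)
class FieldTag:
    purpose: str          # "operation" (needed for the app to work) or "marketing" (nice to have)
    pii: bool             # personally identifiable information?
    retention_days: int   # maximum retention after collection

# Constructed sample schema; names and periods are illustrative only.
SCHEMA: Dict[str, FieldTag] = {
    "email":        FieldTag("operation", pii=True,  retention_days=365),
    "device_id":    FieldTag("operation", pii=True,  retention_days=90),
    "locale":       FieldTag("operation", pii=False, retention_days=365),
    "birth_year":   FieldTag("marketing", pii=True,  retention_days=30),
    "contact_list": FieldTag("marketing", pii=True,  retention_days=7),
}

@dataclass
class StoredValue:
    value: object
    collected_at: datetime

@dataclass
class UserRecord:
    user_id: str
    fields: Dict[str, StoredValue] = field(default_factory=dict)
    erased_at: Optional[datetime] = None

class PrivacyStore:
    """In-memory store that enforces the tags at the compliance points."""

    def __init__(self) -> None:
        self.records: Dict[str, UserRecord] = {}

    def collect(self, user_id: str, submitted: dict, now: datetime,
                marketing_consent: bool = False) -> UserRecord:
        """Accept only schema fields; marketing-tagged fields need consent.
        Fields not in the schema are never stored. Raises if an operational
        field is missing, so the app cannot proceed with an incomplete record."""
        rec = self.records.get(user_id, UserRecord(user_id))
        accepted: Dict[str, StoredValue] = {}
        for name, value in submitted.items():
            tag = SCHEMA.get(name)
            if tag is None:
                continue  # undeclared field: dropped at the collection point
            if tag.purpose == "marketing" and not marketing_consent:
                continue  # nice-to-have data without consent: dropped
            accepted[name] = StoredValue(value, now)
        held = set(rec.fields) | set(accepted)
        missing = [n for n, t in SCHEMA.items() if t.purpose == "operation" and n not in held]
        if missing:
            raise ValueError(f"required operational fields missing: {missing}")
        rec.fields.update(accepted)
        self.records[user_id] = rec
        return rec

    def purge_expired(self, now: datetime) -> int:
        """Drop every value older than its tag's retention period; return the count removed."""
        removed = 0
        for rec in self.records.values():
            for name in list(rec.fields):
                limit = timedelta(days=SCHEMA[name].retention_days)
                if now - rec.fields[name].collected_at > limit:
                    del rec.fields[name]
                    removed += 1
        return removed

    def erase(self, user_id: str, now: datetime) -> bool:
        """Deletion request: remove every PII-tagged field and mark the record erased.
        Non-PII operational data (e.g. locale) may stay; returns False for unknown users."""
        rec = self.records.get(user_id)
        if rec is None:
            return False
        for name in list(rec.fields):
            if SCHEMA[name].pii:
                del rec.fields[name]
        rec.erased_at = now
        return True

    def pii_inventory(self) -> Dict[str, List[str]]:
        """Which PII fields are currently held per user (what a data protection officer would report)."""
        return {uid: sorted(n for n in rec.fields if SCHEMA[n].pii)
                for uid, rec in self.records.items()}

if __name__ == "__main__":
    store = PrivacyStore()
    t0 = datetime(2022, 8, 1)
    # Constructed submission: one undeclared field and one marketing field without consent.
    store.collect("u1", {"email": "a@example.com", "device_id": "d1", "locale": "en",
                         "contact_list": ["b@example.com"], "favorite_color": "blue"}, t0)
    print(store.pii_inventory())                      # contact_list and favorite_color not stored
    print(store.purge_expired(t0 + timedelta(days=100)))  # device_id (90-day retention) expires
    store.erase("u1", t0 + timedelta(days=101))
    print(store.pii_inventory())                      # no PII left for u1
```

The useful property is that retention and erasure are driven entirely by the tags: adding a new field to the app means adding one schema entry, and the deletion path needs no per-field knowledge to know what must go.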
TikTok: the glaring example of data over-collection
An example of an app that raises an eyebrow would be TikTok. Shavell comments how “TikTok comes across as a benign app used by children, teens and adults. Every video interaction is cataloged. Teenagers become adults.” He continued that, over time, it is likely that these bodies of “life path data” will be used for predictive analysis to chart the future course of individuals.
A recent Gizmodo article dissected a study by Internet 2.0, an Australian cybersecurity firm, titled It’s Their Word Against Their Source Code – TikTok Report. Their research showed that the app does connect to China and requests “almost full access to phone content while using the app.” This data includes calendar, contact lists and photos. Robert Potter, co-CSO of Internet 2.0, told Gizmodo: “When the application is used, it has the ability to scan the entire hard drive, access contact lists, as well as see all other applications that have been installed on the device.” He noted that this was “much more” than an app like TikTok needs access to.
TikTok told Gizmodo that the data collection performed is “in line with industry practices. We collect information that users choose to provide to us and information that helps the app to function, operate securely, and improve user experience.”
ADPPA is on the horizon
In late June 2022, the American Data Privacy and Protection Act (ADPPA) was introduced to the House Energy and Commerce Committee and left the committee on July 22. Although it is not a panacea (the State of California notes that, if passed as written, it would weaken some of the measures California has taken to protect the privacy of individuals), it is a step ahead. Since it is likely to take some time to get through Congress, CISOs don’t have to wait to act on some of the recommendations in the bill, because they make immediate sense from the point of view of data protection and privacy.
Violet Sullivan, cybersecurity and privacy attorney, vice president of customer engagement at Redpoint Cybersecurity, shares, “Digital transformation has created a highly available method of tracking surveillance.” She goes on to explain that this bipartisan legislation has great potential to become our first truly federal privacy legislation.
The bill picks up on the areas Shavell suggested, including the right to erasure, the right of access and rectification, the need for businesses to designate data protection officers (CISOs take note), and the duty of loyalty. Sullivan explains, “In theory, the duty of loyalty would require organizations to act in the best interest of the individual when processing data and designing services.” She adds, “What this means for cybersecurity on a technical level – multi-factor authentication, network management, access control, vulnerability assessments, data retention, and incident response processes and procedures.”
In summary, CISOs should push to ensure that the data collected is protected.
Copyright © 2022 IDG Communications, Inc.