The Federal government must continue to prioritize data privacy and protection – including through legislative means – if it hopes to foster more safeguards for personal data in the private sector, said data experts at the 9th Annual Cyber Resilience Summit on October 12 hosted by CISQ.
There are already many laws and regulations on the books concerning data and privacy protection. However, according to Robert Metzger, co-chair of the Cybersecurity and Privacy Practice Group at law firm Rogers Joseph O’Donnell, PC, what is missing from them is a specific consequence for privacy and data protection under those regulations when insecure software creates exposure to data loss.
Metzger pointed to some recent state and local legislation that has created new forms of action to further protect privacy and personal data.
“We see that in the recent Virginia Consumer Data Protection Act (CDPA), and we see it in the California Consumer Privacy Act (CCPA) that’s recently been enhanced,” he said.
The Virginia CDPA expands consumer rights to access, correct, delete, and obtain a copy of personal data provided to or collected by a company, and opt-out of processing personal data for targeted advertising, sale, or profiling.
And the CCPA gives consumers more control over personal information that businesses collect about them, along with guidance on how to implement the law.
In addition to pushing for better Federal-level privacy regulations, Metzger said those responsible for software development practices and software security assurance should be thinking about how to explain to executives why recognizing and understanding software vulnerability before deployment matters.
“Organizations both create and acquire software, and some may use it without an understanding of where it comes from, and software is used in almost every aspect of an organization from service management to VPN security,” Metzger said.
“There is an emerging standard of care where you have the means to know your software’s vulnerability,” he continued. “And if you don’t know your software’s vulnerability, you are looking at exposure which can be painful.”
Joe Jarzombek, the director for Government and Critical Infrastructure Programs at Synopsys, agreed with Metzger, and said that organizations need to understand the risks associated with software exploitation and vulnerability on the consumer end.
“At some point, you have to understand users,” he said. Beyond legislation, he added, enterprise leaders need to start testing software to determine if what they are delivering to their end-users is secure, particularly against data leakages.