Twenty-one years ago, Latanya Sweeney showed that it’s possible to uniquely identify 87% of Americans with just three pieces of personal data: gender, ZIP code and full date of birth. Long before anyone had heard the words ‘data lake’, ‘cloud storage’ or ‘big data’, never mind ‘social media’, it was clear that the disclosure of even simple information can pose a significant threat to personal privacy.
On their own, individual pieces of personal data can be of little value. It’s what happens when you link data with other information that really matters – we’ve all played some version of the Kevin Bacon Game or Six Degrees of Separation; joining the dots between seemingly disparate pieces of information can provide unexpected insights.
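The linkage Sweeney described can be shown in a few dozen lines. The following is an added example, not code from the original article or from Imperva: two constructed datasets (a name-stripped health table and a public list with names) that share the gender/ZIP/date-of-birth quasi-identifiers, joined on those fields. The names, ZIPs, dates and diagnoses are invented for illustration; `uniqueness_rate` computes the figure behind Sweeney’s 87%, `k_anonymity` the smallest group that shares a quasi-identifier tuple, and `generalize` shows one standard mitigation (coarsening date of birth and ZIP).

```python
"""Added example, not from the original article: a quasi-identifier
linkage check in the style of Sweeney's gender/ZIP/date-of-birth result.
Every record below is constructed for illustration."""
from collections import Counter
from datetime import date

QUASI_IDENTIFIERS = ("gender", "zip", "dob")

# Constructed "de-identified" health records: names stripped, but the
# quasi-identifiers survive.
HEALTH_RECORDS = [
    {"gender": "F", "zip": "02138", "dob": date(1975, 3, 14), "diagnosis": "asthma"},
    {"gender": "M", "zip": "02138", "dob": date(1945, 7, 31), "diagnosis": "hypertension"},
    {"gender": "M", "zip": "02138", "dob": date(1945, 7, 31), "diagnosis": "diabetes"},
    {"gender": "F", "zip": "02139", "dob": date(1988, 11, 2), "diagnosis": "migraine"},
    {"gender": "F", "zip": "02139", "dob": date(1988, 5, 20), "diagnosis": "eczema"},
    {"gender": "M", "zip": "02140", "dob": date(1960, 1, 9), "diagnosis": "fracture"},
]

# Constructed public dataset (think voter roll): names present, same
# three quasi-identifiers.
VOTER_ROLL = [
    {"name": "Alice Example", "gender": "F", "zip": "02138", "dob": date(1975, 3, 14)},
    {"name": "Bob Example", "gender": "M", "zip": "02138", "dob": date(1945, 7, 31)},
    {"name": "Carl Example", "gender": "M", "zip": "02138", "dob": date(1945, 7, 31)},
    {"name": "Dana Example", "gender": "F", "zip": "02139", "dob": date(1988, 11, 2)},
    {"name": "Ed Example", "gender": "M", "zip": "02215", "dob": date(1960, 1, 9)},
]


def qid_key(record, fields=QUASI_IDENTIFIERS):
    """The tuple an attacker joins on."""
    return tuple(record[f] for f in fields)


def uniqueness_rate(records, fields=QUASI_IDENTIFIERS):
    """Fraction of records whose quasi-identifier combination occurs once.
    Sweeney's 87% is this figure for the US population."""
    counts = Counter(qid_key(r, fields) for r in records)
    unique = sum(1 for r in records if counts[qid_key(r, fields)] == 1)
    return unique / len(records)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Smallest group sharing one quasi-identifier tuple; k == 1 means
    someone is singled out by these fields alone."""
    return min(Counter(qid_key(r, fields) for r in records).values())


def link(health, public, fields=QUASI_IDENTIFIERS):
    """Join the two datasets on the quasi-identifiers and return
    {name: diagnosis} for every 1-to-1 match. Keys shared by several
    records on either side are skipped: the attacker then learns a set
    of candidates, not a person."""
    by_key_h, by_key_p = {}, {}
    for r in health:
        by_key_h.setdefault(qid_key(r, fields), []).append(r)
    for p in public:
        by_key_p.setdefault(qid_key(p, fields), []).append(p)
    hits = {}
    for key, hs in by_key_h.items():
        ps = by_key_p.get(key, [])
        if len(hs) == 1 and len(ps) == 1:
            hits[ps[0]["name"]] = hs[0]["diagnosis"]
    return hits


def generalize(records):
    """One standard mitigation: coarsen DOB to birth year and ZIP to its
    first three digits, so more records share each key."""
    out = []
    for r in records:
        g = dict(r)
        g["dob"] = r["dob"].year
        g["zip"] = r["zip"][:3]
        out.append(g)
    return out


if __name__ == "__main__":
    print("uniqueness:", uniqueness_rate(HEALTH_RECORDS))
    print("k:", k_anonymity(HEALTH_RECORDS))
    print("re-identified:", link(HEALTH_RECORDS, VOTER_ROLL))
    print("after generalization:", link(generalize(HEALTH_RECORDS), generalize(VOTER_ROLL)))
```

On the constructed data, four of the six health records are unique on the three fields and two people are re-identified by name. Coarsening the quasi-identifiers halves the uniqueness rate and removes one of the two matches, but k stays at 1: a single unique tuple is enough to expose someone, which is why anonymization work measures the smallest group rather than the average.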
In this context, a breach of even the smallest fragment of data can have serious consequences; Imperva research found that 76% of the data stolen in the 100 biggest breaches was personally identifiable information (PII). And the chances of it happening are increasing all the time: since 2017, the number of data breaches has increased more than 30% each year, with the number of records breached increasing more than 130% per year in that time. In January 2021 alone, more than 870 million records were compromised – more than all of 2017.
On this trajectory, more than 30 billion records containing personal data will be compromised in 2021.
All data is vulnerable. That makes the data subject more vulnerable too. In the wrong hands, one company’s ‘data subject’ is an identity thief’s payday and a destroyed credit rating for the victim. That’s before we mention financial and legal penalties for organizations responsible for the breached data. It’s taken a while, but most organizations recognize the need to manage personal data in a manner that keeps it secure. Even if they don’t, there’s a regulatory body nearby to ensure they don’t have a choice.
Age of consent
Over 130 jurisdictions around the world have data privacy and protection laws – and virtually every government and commercial organization that holds personally identifiable information is subject to them. Maximum penalties for violations range from €20 million or 4% of annual global turnover, whichever is higher (GDPR), to $7,500 per intentional violation (CCPA), but the real potential for damage stretches far beyond the fine, into notification requirements, audits, legal remediation and credit monitoring for victims. In many jurisdictions, health information is a special category, with additional attention paid to how it’s handled, and carrying significant fines for violation. These regulations have also given considerable control to the people behind this information, aka the ‘data subject.’
At the heart of most of these regulations is the principle of consent: individuals must give unambiguous consent to a data processing activity – and that consent can be withdrawn at any time. As public awareness builds around the risks and the rights associated with personal data, there’s an increased interest among individuals in finding out exactly what kind of information organizations hold about them, what they do with it, and how well it’s protected. It’s no small ask: when Microsoft launched its self-service portal for subject rights requests in the wake of GDPR, it received 25 million requests in 18 months. As Gartner’s The State of Privacy and Personal Data Protection 2020-2022 points out, had the company chosen to simply provide a form and process the requests manually, “at the unrealistic cost of $100 per request,” it would have cost US$1bn in the United States alone.
Join the dots
Walking the line between data utility, protection and privacy is tricky. Traditionally, people have assumed that anything stored inside the network perimeter is protected. Digital transformation has blurred those boundaries. Data is shared across applications, databases and networks, duplicated, sliced, diced, stored, recycled – when it comes to answering key questions, where do you even start?
As regulations governing data privacy and protection get tougher, it’s critical that organizations are able to discover, identify and classify personal data across their estate. Only when you know where personal data is hosted and which applications and users access it will you be able to extend the security controls that protect it – and, increasingly, be able to respond to subject access requests.
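What “discover, identify and classify” looks like at the smallest scale is a scan of stored values for PII patterns, producing a per-field inventory. The block below is an added example, not Imperva’s product code: it runs a handful of constructed detection patterns (email, US SSN layout, phone layout, ISO date, and payment-card candidates validated with the Luhn checksum) over constructed records. The record contents, field names and label names are invented for illustration; real scanners add context, dictionaries and jurisdiction-specific identifiers to cut false positives.

```python
"""Added example, not Imperva's product code: a small PII discovery and
classification pass over constructed records, producing the field-level
inventory that has to exist before controls can be applied or a subject
access request answered."""
import re
from collections import Counter

# Detection patterns (constructed for this example; tune per jurisdiction).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # US SSN layout
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),   # NANP layout
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),          # ISO date, possible DOB
}
# Payment-card candidates: 13-19 digits with optional spaces/dashes, not
# adjacent to other digits. A candidate is only labelled after it passes
# the Luhn check, which rejects most order numbers and reference IDs.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample records (invented values, nobody's real data).
RECORDS = [
    {"id": 1, "email": "a.person@example.com",
     "notes": "called 555-123-4567 re: card 4111 1111 1111 1111"},
    {"id": 2, "email": "n/a",
     "notes": "ssn 123-45-6789 on file; order ref 1234-5678-9012-3456"},
    {"id": 3, "email": "b.person@example.org",
     "notes": "dob 1975-03-14"},
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value) -> list:
    """Return the sorted list of PII labels found in one field value."""
    text = str(value)
    labels = {name for name, rx in PATTERNS.items() if rx.search(text)}
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            labels.add("payment_card")
    return sorted(labels)


def scan(records) -> dict:
    """Build a field-level inventory: {field name: {label: count}}."""
    inventory = {}
    for rec in records:
        for field, value in rec.items():
            for label in classify_value(value):
                inventory.setdefault(field, Counter())[label] += 1
    return {field: dict(counts) for field, counts in inventory.items()}


if __name__ == "__main__":
    for field, counts in scan(RECORDS).items():
        print(f"{field}: {counts}")
```

The free-text `notes` column is the interesting one: it carries a phone number, a card number and an SSN that no schema declares, which is the usual reason estate-wide discovery finds PII the data owners did not know they held. The Luhn check is what keeps the 16-digit order reference in record 2 out of the inventory.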
To find out more about Imperva Data Privacy solutions and how, among other things, you can automate subject right request responses, delete PII on demand and prove regulatory compliance to auditors, download our Tool Kit today.