Phil Dunkelberger, CEO at Nok Nok Labs
Get ready for global tug-of-war on data privacy regulations. The global regulatory environment will become more challenging as regulators and global governments continue to strive to implement better data privacy protection – as was done with GDPR. While this is great progress, we’re going to see these governments counter to gain more access to information. So essentially the message will be to not lose citizen data, but that you need to share with the government.
BeyondTrust’s Morey Haber, Chief Technology Officer, and Brian Chappell, Senior Director, Enterprise & Solutions Architecture
Evolving Definitions of Privacy – The millennial generation will share almost anything on the Internet. Social media has proven that almost anything goes regardless of its perceived sensitivity. This implies that nearly an entire generation has a lower sensitivity to private data and that a “who cares” attitude for sensitive information is beginning its own movement. In addition, as we become numb to data exposure, the public dumping of health records and voter registration information, expect some pushback from the youngest voting group regarding the data being exposed due to a hack. If most sensitive personal data is public (like name, email, address, birthday, etc.) and only the most important information protected (social security number, bank records, credit cards), the value is diminished for anything already being exposed today and the “who cares” movement has begun. Expect data classification to evolve based on the youngest users, and what we consider private today will not be private, or of concern, tomorrow.
Nina Bryant, director, FTI Technology
Regulators will cooperate for GDPR enforcement. “It’s very likely that this will happen more in future actions, particularly in industries like healthcare, pharma and financial services where regulators are already extremely active. We expect to see increasing cooperation between multiple regulators, federal agencies and EU data protection authorities to investigate and enforce data privacy principles.”
Roger Grimes, Data Driven Defense Evangelist, KnowBe4
National Privacy Law Is Created And We Will Hate It. With the EU’s GDPR passed and California creating a US-like-version of GDPR that applies to any company doing business in their state or with their citizens; and on top of the recent debacles by multiple big US firms that haven’t done such a great job at protecting consumers’ private information, expect a national privacy law to be created and passed by Congress. And if history is any guide (see the CAN-SPAM Act, etc.) the law will be mostly crafted by the very entities that it’s supposed to protect us against. It will contain multiple clauses which essentially make it easier for corporations to take and use private information, with even fewer penalties and consistency than what California is trying to build.
Jackson Shaw, VP of Product Management at One Identity
GDPR-like regulation will catch like wildfire across the globe — but the U.S. will continue to hold out…for now. In 2019, GDPR will pass its first anniversary, which in the mind of the EU will have been plenty of time for organizations to protect citizen data. A breach will occur to a global brand and the EU will make an example of that company. Following by example, governmental legislators from around the globe will take notice of the new privacy “gold standard” that is GDPR and enact laws similar in nature. In fact, we’re already starting to see this happen in countries like China, Singapore and Australia. Despite the recent rally cry for federal data privacy from Apple’s Tim Cook, the one exception will be the pro-business, anti-regulation United States — at least, for now. What businesses need to start to think about in the meantime are three main pillars of GDPR: defining what is personal data, identifying what must be done to protect that data, and outlining what organizations should do in the event of a breach of that data.
Jake Olcott, VP of Government Affairs at BitSight
Cybersecurity performance becomes central to the discussion around security and data privacy regulation in the U.S. In the wake of the implementation of the GDPR in Europe, similar legislation will be considered by the U.S. Congress and other government bodies across the globe. As part of the process, the policymaking community will begin exploring cybersecurity performance data to determine how to track and measure the success of such a regulatory initiative.
Julian Dunn, director of product marketing, Chef Software
2019 will be the year of increased regulation and government scrutiny around security and data privacy. The ongoing drumbeat of ever-more serious security breaches, coupled with both Facebook and Google making the news for willful disregard of consumers’ private data, will collide in 2019. Politically, we can expect a Democratic-controlled House to attempt to pass one or more legislative bills to address these concerns, particularly as we can (unfortunately) expect at least several extremely serious security breaches in 2019. While this legislation may not actually clear a Republican-controlled Senate, data privacy and security will be a political issue through 2019 and even be a major issue in the 2020 election — potentially even becoming a substantial plank in a broader “anti-tech” platform by US presidential candidates.
Kristina Bergman, CEO, Integris Software
The Data Protection Continuum: Privacy and security will start to be seen as a Data Protection Continuum, with privacy telling you “what” is important and “why,” and security telling you “how” to protect it. In reaction to harsher regulations, the default approach is to lock all data down, making it unusable. Privacy adds precision and purpose to security controls, giving companies a scalpel instead of a sledgehammer to protect their most important assets – customer and employee data.