Navigating Privacy Regulation and Surveillance Capitalism: Strategies for Security Leaders

In early April 2024, U.S. Senators Cathy McMorris Rodgers (R-WA) and Maria Cantwell (D-WA) proposed the American Privacy Rights Act.

The proposal “sets clear, national data privacy rights and protections for Americans, eliminates the existing patchwork of state comprehensive data privacy laws.”

If passed, it gives individuals control over their personal data, where it goes, and who can sell it.

Additionally, it provides people the ability to sue any organizations that violate data protection rights.

We recently talked about the rise of surveillance capitalism - the widespread collection and commodification of personal data by corporations - with renowned security expert Bruce Schneier, and discussed some strategies security leaders can use right now to prepare for future rules and regulations designed to reign it in.

Strategies Discussed:

• Emphasize transparency and rights: Provide users with rights to access, correct, and delete their data.
• Minimize unnecessary data collection: Only ask for what is absolutely necessary to provide your products and services.
• Enforcement mechanisms: Regularly evaluate data collection practices and protocols to make sure your organization is following existing privacy and data mandates based on your region and industry.
• Invest in employee training: Provide training programs to employees on data collection and privacy best practices and cybersecurity awareness.
• Engage with partners and peers: Participate in relevant forums, conferences and working groups to learn what best practices, insights and resources others in your industry are using to help them navigate data privacy challenges.

Meet Bruce at RSA

Discuss more strategies and ideas when you meet Bruce at RSAC 2024 in San Francisco.

He will be at the Gutsy booth for a one-hour free book signing of his best-selling book, "A Hacker’s Mind."

WHAT: Author book signing at RSAC featuring Bruce Schneier

WHEN: Tuesday, May 7, 2024

3:30 - 4:30 pm PST

WHERE: Booth #360

Moscone Center South Expo Hall

747 Howard Street

San Francisco, CA

Supplies are limited.

RSVP highly recommended

Related Resources:

1) [Whitepaper] Navigating a New Security Governance Reality: A CISO's Guide to Cybersecurity Disclosure & Compliance

2) [Article] When Investing in Security Processes is a Solid Governance Strategy

3) [Article/Video] What is Process Mining?

4) [Article/Video] Redefining Security Governance with Process Mining

The full transcript:

Bruce

You know, we're living in the age of surveillance capitalism that we are being spied on, you know, not just by our browsers, but by everything and the Internet of Things is an Internet of sensors. And that data is collected and used for our benefit and also for the benefit of the companies collecting them. I bought a car last year. You cannot buy a car. It doesn't spy on you even if you try. You tell the dealer “can you turn this stuff off” and they don’t even know what you're talking about. Let alone be able to know what is happening at all levels of society. And I mean, I'll blame the lack of any regulation about surveillance and privacy, which is why this is happening. And that really is where we are today, because all of these products are computers. So the fact that they are computers means they are producing the surveillance data and it is being collected because there are no rules against collecting it. And any company wants the two sided market. Right. They want to sell you the TV, then also sell your data to somebody else. So they're not going to leave it on the floor because if they do, I mean, they're going to lose market share to a less ethical TV company that will do that. So it's a race to the bottom and this is where we are.

John

You talked earlier about the EU really being more of the, you know, the leader in terms of protecting those rights. Do you see that this is something that there's any real hope in the near term of changing the US.

Bruce

In the U.S. near-term requires an act of Congress, and Congress has shown no will to embed privacy into our rights. So we're not going to see privacy regulation at that level. And without that, it's again, a race to the bottom.

John

What are some of the few most important principles that you would say would be important in an effective privacy regulation to protect consumers in these kinds of situations?

Bruce

You know, a lot of countries do have privacy commissioners. United States is I don't think they're unique in the industrial world, but they're close to unique as a country without privacy laws and a privacy commissioner. And, you know, when you're looking at data, it's transparency about what's happening to it. It's rights to know who's collecting your data, rights to see it, maybe correct it, rights of deletion. You famously have the right to be forgotten which is that I mean it's a series of rights that you have about your data. The U.S., we really think of it as property and data that you and I generate together is property that each of us have. If you think about our privacy laws created when physical proximity was a decent proxy for importance, right? So my privacy rights are about search of my person, my home, my car, because that's where the important stuff was. Nowadays, the important stuff is in some cloud somewhere. It's on Google servers, it's on Apple servers, it's on Microsoft servers. I mean, that's where it is. But our laws don't reflect that.

John

What advice or observations do you have for CISOs when you think about the risks that using such devices creates in the organization?

Bruce

In a sense, it doesn't matter, because that's where you using. You're using the consumer devices because that's what's available. I mean, the military had this problem 20 years ago and they finally realize we're just buying off the shelf things because that's what there is. So you have to figure out how to make that work. Now, you're not alone. I mean, there are products and services that deal with IoT devices in the organization. There are Discovery services and security and patch updating, sort of making sure they all work. But you can't change this. You know, if you tell your employees they can't use their own phones, they're going to quit. They don't want your phone. They've got a phone, especially as you get younger. I mean, like we might be used to carrying two phones, one for work and one for personal, but, you know, that's going away. So we have no choice here but to make this work.