Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
September 2014 
Data Protection Heat Index 
SURVEY REPORT 
Sponsored by Cisco Systems
© 2014 Cloud Security Alliance - All Rights Reserved. 2 
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 
© 2014 ...
© 2014 Cloud Security Alliance - All Rights Reserved. 3 
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 
Acknowl...
© 2014 Cloud Security Alliance - All Rights Reserved. 4 
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 
Table o...
© 2014 Cloud Security Alliance - All Rights Reserved. 5 
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 
Executi...
© 2014 Cloud Security Alliance - All Rights Reserved. 6 
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 
Survey ...
© 2014 Cloud Security Alliance - All Rights Reserved. 7 
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 
Privacy...
© 2014 Cloud Security Alliance - All Rights Reserved. 8 
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 
Survey ...
© 2014 Cloud Security Alliance - All Rights Reserved. 9 
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 
“The US...
© 2014 Cloud Security Alliance - All Rights Reserved. 10 
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 
How wo...
© 2014 Cloud Security Alliance - All Rights Reserved. 11 
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 
User C...
© 2014 Cloud Security Alliance - All Rights Reserved. 12 
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 
Legisl...
© 2014 Cloud Security Alliance - All Rights Reserved. 13 
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 
Privac...
© 2014 Cloud Security Alliance - All Rights Reserved. 14 
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 
PURPOS...
© 2014 Cloud Security Alliance - All Rights Reserved. 15 
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 
OPENNE...
© 2014 Cloud Security Alliance - All Rights Reserved. 16 
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 
Summar...
Upcoming SlideShare
Loading in …5
×

Data Protection Heat Index Survey Report – Sep 2014

4,656 views

Published on

The 2014 Cloud Security Alliance surveyed a select group of global data privacy experts with the intention to measure attitudes towards data protection areas that tie into technology solutions which enable the exchange of information across the cloud. The survey data will be incorporated into a Data Protection Heat Index that Cisco is building to inspire global interest and cooperation in aligning cloud, Internet of Things (IoT) and big data solutions to the data sensitivities of the regions in which they are being built to operate in.

The survey is structured in four parts and the findings are surprising and indicative of a positive role that privacy and data protection principles can play in the development of cloud, IoT and big data solutions.

Cisco’s Data Protection Heat Index is a valuable tool in employing a Privacy by Design approach. The Privacy by Design framework is the gold standard in privacy protection, offering the user the ability to build in privacy right from the outset, surpassing global legislated requirements for privacy, and representing a significant “raising of the bar” in terms of privacy protection.

Published in: Technology

Comments are closed

  • Be the first to comment

  • Be the first to like this

Data Protection Heat Index Survey Report – Sep 2014

  1. 1. September 2014 Data Protection Heat Index SURVEY REPORT Sponsored by Cisco Systems
  2. 2. © 2014 Cloud Security Alliance - All Rights Reserved. 2 DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 © 2014 Cloud Security Alliance – All Rights Reserved All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “Data Protection Heat Index Survey Report” at https://cloudsecurityalliance.org/research/surveys/, subject to the following: (a) the Document may be used solely for your personal, informational, non-commercial use; (b) the Document may not be modified or altered in any way; (c) the Document may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Document as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance “Data Protection Heat Index Survey Report” (2014).
  3. 3. © 2014 Cloud Security Alliance - All Rights Reserved. 3 DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 Acknowledgements (In alphabetical order) Special Thanks Dan Blum, Chief Security and Privacy Architect for Respect Network; Former Burton Group and Gartner Analyst Mary Beth Borgwing, President, Cyber and Risk Practice Advisen Daniele Catteddu, Managing Director for CSA EMEA Dr. Ann Cavoukian, Executive Director for Ryerson University Institute for Privacy and Big Data; Former Information and Privacy Commissioner of Ontario, Canada Michele Drgon, CEO for DataProbity Frank Guanco, Project Manager for CSA Renee Guttman, VP Office of the CISO/Accuvant; Former Fortune 500 CISO; Ponemon Fellow Raj Samani, VP, CTO for McAfee; Chief Innovation Officer for CSA EMEA Luciano (J.R.) Santos, Global Research Director for CSA Managing Editor/Researcher Evelyn DeSouza, Compliance and Data Privacy Leader for Cisco John Yeoh, Senior Research Analyst for CSA Design/Editing Tabitha Alterman, Copyeditor Kendall Cline Scoboria, Graphic Designer for Shea Media Evan Scoboria, Co-Founder for Shea Media, Webmaster for CSA
  4. 4. © 2014 Cloud Security Alliance - All Rights Reserved. 4 DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 Table of Contents Acknowledgements.................................................................................................................................................3 Executive Overview.................................................................................................................................................5 Survey Overview .....................................................................................................................................................6 Findings Summary ...............................................................................................................................................6 Survey Results ........................................................................................................................................................8 Data Residency/Sovereignty.................................................................................................................................8 Lawful Interception .............................................................................................................................................9 User Consent .................................................................................................................................................... 11 Privacy Principles............................................................................................................................................... 13 Summary.............................................................................................................................................................. 16
  5. 5. © 2014 Cloud Security Alliance - All Rights Reserved. 5 DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 Executive Overview The ways in which different countries or regions approach privacy can be diverse and varying, which is why the Data Protection Heat Index was developed by the Cloud Security Alliance (CSA). The collaboration brought individuals together from various corners of the globe to form focus groups and provide information about their regions’ laws and practices surrounding personal information. Survey participants provided answers regarding the regulation of data, the geographical area their data protection laws govern, governmental practices, the role of consent, and security standards. By discovering areas of alignment and deviation with regard to global data protection laws and practices, as depicted by the Data Protection Heat Index, organizations can drive innovation within the context of new technologies such as cloud computing, the Internet of Things, and big data. It is essential that organizations designing the smarter technologies of the future adopt a privacy protection standard that reaches above and beyond regional differences. The Privacy by Design framework is the gold standard in privacy protection, offering the user the ability to build in privacy right from the outset, surpassing global legislated requirements for privacy, and representing a significant “raising of the bar” in terms of privacy protection. In 2010, regulators from around the world gathered at the annual assembly of International Data Protection Authorities and Privacy Commissioners in Jerusalem, Israel, and unanimously passed a Landmark Resolution recognizing Privacy by Design as an essential component of fundamental privacy protection. By building in privacy at the time of design, manufacturers and vendors can engineer much more effective solutions, better meet regulatory compliance standards and save time and money versus having to retrofit solutions or experience the negative reputation that can be caused by data breaches. The Data Protection Heat Index is a valuable tool in employing a Privacy by Design approach. There is a need for global cooperation and discussion around standards – work – one that places the user at the center of any data protection regime. The Organisation for Economic Co-operation and Development (OECD) Fair Information Practice Principles (FIPPs) have done so for decades, having been reaffirmed during a review of the principles in July 2013. Some have suggested that the OECD FIPPs, which most privacy laws are based upon, should be revised to loosen the individual’s control over their personal information. However, while the world is changing due to the growth of big data and ubiquitous computing, individuals still have the right to a basic expectation of how their personal data will be used by companies and governments. It is important to realize that as technologies advance, and the amount of personal information available for storage and analysis grows to unprecedented levels, it is now more than ever that we must preserve and build upon the privacy principles we currently rely on. It is my hope that one day every country will have some form of legislated requirement for Privacy by Design. Until then, I hope you will find the Data Protection Heat Index useful, and that you will take the opportunity to learn about Privacy by Design (www.privacybydesign.ca). Best Regards, Dr. Ann Cavoukian Executive Director, Ryerson University Institute for Privacy and Big Data Former Information and Privacy Commissioner of Ontario, Canada I'm very taken by Privacy by Design, which has 7 foundational privacy principles. The positive sum principle can help steer us towards greater harmonization of data privacy implementations. Dan Blum, Chief Security and Privacy Architect for Respect Network; Former Burton Group and Gartner Analyst “
  6. 6. © 2014 Cloud Security Alliance - All Rights Reserved. 6 DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 Survey Overview The Cloud Security Alliance surveyed a select group of global data privacy experts with the intention to measure attitudes towards data protection areas that tie into technology solutions which enable the exchange of information across the cloud. Survey respondents from across North America, Asia-Pacific and the European Union were categorized according to their professional areas: privacy/legal, CISO/InfoSec and developer/architect. We specifically hand-selected 40 of the most influential thought leaders based on their titles and day-to-day roles:  Privacy commissioners play a pivotal role in advising about and setting data privacy standards, as well as enforcing regulations within their respective jurisdictions. Privacy and legal counselors are responsible for advising business leaders on emerging and required changes to privacy standards, and the legal and ethical impact of such standards on their businesses.  CISOs and InfoSec leaders are instrumental in architecting data protection capabilities into new IT solutions.  Developers and architects are moving rapidly on architecting new and innovative capabilities for cloud, IoT and big data solutions. Findings Summary The survey was structured in four parts and the findings were both pleasantly surprising and indicative of a positive role that privacy and data protection principles can play in the development of cloud, IoT and big data solutions. Data Residency and Sovereignty Respondents identified “personal data” and Personally Identifiable Information (PII) as the data that is required to remain resident in most countries. It was interesting to note that responses to the question how do their country’s definition of data’s residency/sovereignty compare with other regions were split evenly among the three response types of Open, Restricted, and Unknown. Lawful Interception Responses indicated a universal interpretation of the concept of lawful interception. The question on the criticality of privacy to employee trust drew a surprising 25% of responses showing “neutral” to “low importance.” User Consent Of particular note is that 73% of respondents indicated that there should be a call for a global consumer bill of rights and furthermore saw the United Nations as fostering that. Beyond data protection regulations, understanding the expectations of privacy is an important component in maintaining trust and assurance in the digital age. The work done to develop a data protection heat map is a strong indicator as to those expectations, and should be an important component in the provision of digital services. “ Raj Samani, VP, CTO for McAfee EMEA; Chief Innovation Officer for Cloud Security Alliance
  7. 7. © 2014 Cloud Security Alliance - All Rights Reserved. 7 DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 Privacy Principles In this section, we surveyed whether OECD privacy principles would facilitate the trend or cause room for tension with cloud, IoT and big data. The responses were surprisingly in favor of facilitating the trend. This trend seems indicative of a shared interest to bake-in emerging privacy principles into new solutions versus trying to retrofit solutions post-build to accommodate privacy.
  8. 8. © 2014 Cloud Security Alliance - All Rights Reserved. 8 DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 Survey Results Data Residency/Sovereignty Increasingly regulated data is bound to remain within specified geographic bounds. What types of data cannot traverse geographic boundaries in your region? Personal data and Personally Identifiable Information (PII) were the prevailing themes for these responses. RESPONSE SAMPLING “The transfer of personal data to a foreign State is prohibited whenever it may endanger public security or Tunisia's vital interests. (Article 50 Organic Act N°2004-63 of July 27th 2004 on the protection of personal data)” “There is no limitation on data traversing geographic boundaries in my region. However, national law imposes that if sensitive data are transferred outside EU space, in countries that are not compliant with EU data protection regulations, then data controllers must notify the competent national authority for this process.” “In Hong Kong, cross-border transfer of personal data is covered by Section 33 of the Personal Data (Privacy) Ordinance ("PDPO"), which restricts transfer to jurisdictions with similar protections (similar to EU law). However, this is currently not operative. Effectively there is currently no cross-border restriction in operation.” “U.S. doesn't really restrict the flow of PII across boundaries. There are restrictions for "arms" information (ITAR).” How does your country’s definition of data residency/data sovereignty compare with other regions? These responses were divided evenly. Most responses from the European Union showed alignment to legal frameworks, whereas respondents predominantly in the United States did not always know how definitions compare. Also, one-third of responses indicated that data sovereignty was defined in a more restrictive manner compared to other regions. RESPONSE SAMPLING Open “US regulations allow transference of specific data types with specific security measures such as encryption for data in motion, at rest and in use. EU standards and ASIA PAC are more stringent as they do not allow specific data types to transit externally-hence in such and in my opinion the regulation boundaries OUTCONUS are much stricter.”
  9. 9. © 2014 Cloud Security Alliance - All Rights Reserved. 9 DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 “The USA imposes few specific restrictions as compared with Europe. As such we are very sensitive to Safe Harbor provisions.” Restricted “Based on the legal framework of directive 95/46/EC as many European Countries.” “…most of the US operations are considerably less sensitive to privacy data than Europe and more sensitive than what we see in APAC or Latin America.” “In my country the crucial element is the location of the data controller, regardless of nationality or country of origin of the data subject. If the data controller is located outside EU space, then data subject is not protected by EU regulation. Thus, it is possibly important to set data residency criteria in order to enhance the protection offered to the data subject.” Lawful Interception What does lawful interception mean to you? Responses indicated a fairly universal interpretation of lawful interception. RESPONSE SAMPLING “Lawful interference is interference by a public authority or its agency in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others” “The right to access data through country-specific laws if the needs arises, i.e. data needs to be made available for a cybercrime investigation.” “Lawful interception means that under certain circumstances and by following strictly defined procedures the secrecy of communication no longer applies and the identity of the data subject (ex. an IP holder) can be revealed.”
  10. 10. © 2014 Cloud Security Alliance - All Rights Reserved. 10 DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 How would you rate your country’s processes to obtain information for the purposes of criminal and terrorist investigation for the following elements? Ratings of efficiency for countries' processes to obtain information for this section were expected to be average and above. However, on the spectrum for Transparency and Accountability, a majority of the responses were on the poor to fair side. Briefly describe the process your country uses to obtain information for the purposes of criminal and terrorist investigation? Most responses were focused on legal means of obtaining information. RESPONSE SAMPLING “Legally this needs a warrant or a subpoena, but blanket data capture is not ruled out. Many public examples exist.” “See The Police and Criminal Evidence Act 1984 codes of practice (which regulate police powers and protect public rights), and recent revisions.” “The US has a strong infrastructure of legal processes, both public and secret to obtain evidence for investigations. However, there are significant concerns about government entities exceeding or bypassing these established controls.” “Only the judicial authorities are competent for obtaining information for the purposes of criminal and terrorist investigation. To my knowledge this happens when special conditions apply, namely when a serious crime is identified.” “Governed by Part VI of the Criminal Code of Canada (Invasion of Privacy)” “Hong Kong Police, Department of Immigration, and the Independent Commission Against Corruption are key agencies. As Hong Kong does not have sovereign state status, foreign affairs, intelligence and military are all external to HK and in the control of the PRC.” Rate the importance of the following statement: “Privacy is critical to employee trust.” Surprisingly, there were close to a quarter of respondents across the United States, Europe and Asia who were neutral or who did not see privacy as critical to employee trust.
  11. 11. © 2014 Cloud Security Alliance - All Rights Reserved. 11 DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 User Consent Data protection involves more than just legal frameworks. The responses in this section are indicative of growing end user sensitivities towards data protection and a growing awareness of the benefits and role that a universal set of principles could enable. Should there be a call for a consumer privacy bill of rights that would be global in nature as opposed to regional? The responses are indicative of a growing and strong interest in harmonizing privacy laws toward a universal set of principles. What role should the United Nations play in fostering universal rights for consumers? Many respondents felt that the United Nations could play a pivotal role in fostering a consumer bill of rights. RESPONSE SAMPLING “The role of the United Nations is essential in promoting a universal charter to establish rules that states must draw inspiration for their internal regulations to protect consumers.” “The UN General Assembly could pass a principled resolution (not a prescriptive one) with broad consensus, perhaps just to endorse existing FIPPs. It would be great if the UNGA could adopt Privacy by Design as well, which I'm told 35 national privacy commissioners have accepted already as an international standard.” RESPONSE SAMPLING: YES “Global guidelines would be helpful in harmonizing a wide range of similar privacy laws around the world. However, on its own, they would have little enforceable effect.” RESPONSE SAMPLING: NO “This steps over the sovereign rights of individual nation states.”
  12. 12. © 2014 Cloud Security Alliance - All Rights Reserved. 12 DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 Legislators are currently analyzing the implications of big data on privacy. What are your recommendations to legislators on this issue and why? RESPONSE SAMPLING “For the U.S., pass world-class privacy legislation akin to Canada's or Europe's.” “Pass legislation introducing more controls on intelligence gathering and separate the "offensive" cybersecurity defense functions from the "defensive" ones into different organizations with different missions.” “The EU rules related to automated processing and database registration will help provide an initial extension to existing laws in this area that the US could emulate to a degree.” What would you recommend to company executives as their role in ensuring the integrity of their processes? RESPONSE SAMPLING “Establish principle of organization-wide respect for people's privacy for the benefit of the brand.” “A risk-based approach must be taken for both the organization and its employees. Processes and procedures must exist and it makes sense to utilize and refine them in a life cycle manner.” “Privacy-by-design is very important. It is very hard to add privacy as an after-thought. Companies that respect the privacy of their customers will succeed better in the longer-term.” “ Mary Beth Borgwing, President, Cyber and Risk Practice Advisen Privacy to me is very similar to ethics and very connected in my world. There are always going to be very ethical people who will do their utmost to protect individuals and organizations while unethical people may try to take shortcuts with privacy. It's also an education process. Ultimately, the C-suite has to own privacy and actually build it holistically into their processes, InfoSec programs, and the products and services they offer. As a consumer, how do you feel that your data is frequently used for marketing purposes without your expressed consent? For example, you shop on a vendor’s website and then start to see advertisements.
  13. 13. © 2014 Cloud Security Alliance - All Rights Reserved. 13 DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 Privacy Principles As developers work on building out cloud, IoT and big data solutions, indicate below which of the OECD privacy principlesi you see as areas that will help facilitate this trend versus those that could make room for tension. In this section, we examined each of the OECD principles and looked at how they facilitated trends or were an enabler versus caused room for tension or impeded development. DATA COLLECTION LIMITATION PRINCIPLE: Collect data by lawful means only DATA QUALITY PRINCIPLE: Personal data should be relevant to the purposes for which it is being used and should be accurate, complete and kept up-to-date “ Michele Drgon, CEO for DataProbity The OECD privacy principles catalyzed the creation of privacy frameworks and subsequent legislation globally. The privacy principles provide a common language for these concepts to be built into data privacy legislation. Now, what people care about has evolved: untraceability, unlinkability, minimization, anonymity have become additional key points of focus […] The Data Quality principle has really become Data Minimization and Data Quality and it is going to be a vital driver for Big Data and IoT.
  14. 14. © 2014 Cloud Security Alliance - All Rights Reserved. 14 DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 PURPOSE SPECIFICATION: The purposes for which personal data is collected should be specified at the time of data collection and the subsequent use limited to the fulfillment of those purposes USE LIMITATION PRINCIPLE: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified SECURITY SAFEGUARDS PRINCIPLE: Personal data should be protected by reasonable security safeguards against such risk as loss or unauthorized access, destruction, use, modification or disclosure of data
  15. 15. © 2014 Cloud Security Alliance - All Rights Reserved. 15 DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 OPENNESS PRINCIPLE: There should be a general policy of openness about developments, practices and policies with respect to personal data INDIVIDUAL PARTICIPATION PRINCIPLE: An individual should have the right: a) to obtain from a data controller, b) to have communicated data relating to him/her… ACCOUNTABILITY PRINCIPLE: A data controller should be accountable for complying with measures which give effect to the principles stated above
  16. 16. © 2014 Cloud Security Alliance - All Rights Reserved. 16 DATA PROTECTION HEAT INDEX SURVEY Report, September 2014 Summary Privacy can be viewed as a maze of complicated regulations and guidance, or also examined from the standpoint of important underlying principles. The benefit of paying greater focus to these underlying principles is highlighted in several of our survey responses. Responses in the Data Residency/Data Sovereignty section indicated that privacy experts had similar opinions around the regulation of personal data and PII, and there were universal interpretations on the concept of lawful interception. The overwhelmingly favorable response for a Global Bill of Consumer Rights further highlights the opportunity to focus on common principles. Responses to the OECD principles as they could facilitate or cause tension for cloud, IoT and big data are significantly in favor of privacy principles as a business enabler. These findings highlight the very significant opportunity for global co-operation between CISOs and InfoSec professionals, privacy leaders and developers and architects to build privacy principles into new and emerging solutions. i OECD Privacy Principles: http://oecdprivacy.org/#participation “ Renee Guttman, VP Office of the CISO/Accuvant; Former Fortune 500 CISO; Ponemon Fellow The time has come where it is no longer optional as to whether companies adopt privacy principles in their products and services. Companies need to adhere to privacy principles, especially “purpose” and “use limitation,” in order to avoid developing applications that are considered invasive by individuals who use them. To be successful, privacy can't be bolted on after a system has been launched. Privacy needs to be incorporated when the system is designed. That said, companies will likely be required to retrofit existing systems, a fact which is both underappreciated and under-resourced. “ Dan Blum, Chief Security and Privacy Architect for Respect Network; Former Burton Group and Gartner Analyst If developers and privacy professionals approach building in privacy from the standpoint that they want to do the right thing, they are going to find increased opportunities to innovate and develop solutions in a positive manner. They will relieve themselves of many compliance obligations, reporting and potential legal issues. Respecting privacy is generally good for business.

×