American companies beware… if your software fails to protect consumer privacy, you will feel it in your bottom line. That was the message coming from the panelists at the MIT Enterprise Forum, “Privacy and Security by Design,” in San Diego on Wednesday, January 15, 2020.
“For years, enterprise software developers have been following a detrimental pattern of producing minimum viable products (MVP) to support demand from corporate sales divisions, only to remediate security issues after a quarterly or annual audit, or worse, after a consumer complaint or a breach,” notes CTO consultant Emad Georgy. “This is the kind of activity that will not be tolerated by the strict security and privacy laws that have been in place in Europe for years and are now being implemented in the U.S.”
During the MIT panel discussion featuring cybersecurity, privacy, and technology experts, Georgy urged that it is time to break the pattern.
“The age of remediation is over,” he asserted. “How is it possible that, in the year 2020, enterprise companies are putting out software that is incapable of deleting customer data upon request?”
He suggests the problem is complicated, but not impossible to fix. “Executives, including CEOs, CFOs, CIOs, and CTOs, must all recognize the critical importance of moving privacy and security features upstream in the development process,” he stated. “And start incentivizing this rather than rewarding only on velocity of deliverables. A good tech team, with the proper resources, can produce safe, effective software at a rapid pace.”
“Privacy and Security are both essential in this new era of consumer awareness,” said panel moderator Kathleen Glass, VP of Marketing for 2B Advice. “Privacy and Security are not synonymous, but equally important to developing applications and IoT solutions in this new decade.”
Georgy also had a message for IT and product development teams. “Senior developers, as much as compliance or security officers, need to be the company’s biggest privacy and security advocates,” he added. “They and their teams have a responsibility to embed protections as part of early product development and embrace a sense of collective ownership of privacy of consumer data. It cannot be an afterthought.”
State Data Privacy Laws Effective Jan 1: Complying and Unintended Consequences
California has two new laws that go into effect January 1: the California Consumer Privacy Act (CCPA) and SB 327, an IoT security law which mandates that manufacturers that sell or offer to sell a connected device in California equip the device with “reasonable security features.”
This makes California the first state to specifically regulate the security of connected devices, commonly referred to as Internet of Things (IoT) devices. The CCPA is one of the most comprehensive state privacy laws to go into effect since the EU enacted the General Data Protection Regulation (GDPR) in 2018.
In contrast to California’s data privacy laws, which protect only personal information, the new security law aims to protect both the IoT devices themselves and any information contained on them.
Given this focus on legislating privacy and security, we should be thinking ahead and addressing these principles during the design process. While SB 327 focuses on IoT specifically (this includes connected things such as connected cars, industrial devices, retail point-of-sale and medical devices, to name a few), privacy obligations can impact other products and apps as well, including social apps, media, and telecommunications. Across the board, these two new acts affect a wide range of products and services.