Written by Elizaveta Shesterneva and Ong Chin Ngee | Edited by Utsav Rakshit and Josh Lee
Recently, LawTech.Asia had the exclusive opportunity to interview Christopher Strand, the Chief Compliance Officer at IntSights. IntSights is a cybersecurity company with offices in the United States, Singapore, Japan, Israel and the Netherlands. Christopher shared with us his views on cyber threat intelligence, data privacy and various regulatory developments in this area.
What are your thoughts on the EU’s General Data Protection Regulation (“GDPR”) and the criticism that it has faced? Are there any amendments that you wish to see?
I have long been in the role of developing cyber security controls that include defining data protection. This role involves thinking about the way data protection regulations will develop, especially when it comes to the GDPR.
The GDPR often faces a lot of criticism because it was one of the biggest endeavours for a data protection law that had a large geographical scope. As the first legislation covering enforceable data privacy rules, I think it is natural for it to face a lot of criticism.
I would like to see more discussion around data security controls (i.e. controls that counteract, detect, minimise or avoid security risks to computer systems, data, or information sets). To elaborate, there are many sections in the GDPR that deal with defining data access. There are, however, many grey areas within those sections – in particular, on how organisations define security controls. As a cyber security professional, I believe that cyber security controls need to be tightly defined and should have a logical relation to how we measure liability in terms of using data.
When doing a data impact assessment, one needs to think about data access. However, the GDPR doesn’t necessarily define how you do that. There are no prescriptive controls inside the GDPR’s accompanying guidelines for organisations on how they can define cyber security controls and how such controls would be measured to determine if they are effective.
On the other hand, it is also not necessary for legislators to recommend a certain technology, as has often happened in the past. There ought to be a middle ground when it comes to defining what companies need to do in respect of having adequate technical security controls. There should be more prescriptions so that companies would be equipped with knowledge on what they should do during a critical time. A critical time is when there is a compelling event, possibly a data breach, that gives rise to a GDPR issue, like how the company should be monitoring for data access.
Currently, organisations have obligations, such as having to respond within 72 hours of the data breach and to provide all data associated with the data breach. However, there are no guidelines on how the organisation should monitor data access and access privileges. Hence, it is left up to individual companies to find the technology solutions they need to address the 72-hour response requirement.
What in your view is the future for the GDPR? How do you see the regulations evolving, and do you think more countries will choose to follow in the GDPR’s footsteps?
I think the trend will continue. The GDPR has formulated a baseline for data protection. Singapore’s Personal Data Protection Act (“PDPA”), like many other laws worldwide, bears similarities with the GDPR. I think this trend will continue, especially in light of the pandemic wherein businesses are seeking a solid baseline framework for data protection. As the GDPR has been around for two years or so, legislators from various countries may naturally turn to it as their first source of reference when deciding what they wish to include or exclude when formulating the data protection laws for their home country.
As one example, the California Consumer Protection Act, which was passed in 2018, contained provisions such as the terms of a risk assessment which are very similar to the GDPR. So, I think that other legislators may continue to follow GDPR’s footsteps as we have seen in the last couple of years. So, in my view, the GDPR as a model is here to stay, especially now when cybersecurity matters are becoming increasingly popular.
Do you think it is possible and advisable to create a single global data protection framework?
I would love to see that, as it would make things for the e-commerce business a lot easier. That being said, it would be a legislative nightmare to have a single global data protection framework shared amongst multiple jurisdictions. Therefore, from a legal perspective, I do not think it is possible for us to see a unified global framework, although we will see the foundational frameworks, as is the case now.
Coming back to the GDPR, I have already seen the effect it has had on the data protection frameworks of other countries. While a global data protection framework might not be doable, I believe regional data protection frameworks will gradually occur. For instance, a common framework may arise between areas that have frequent business transactions and dealings with each other. In the past, the USA and Europe had arrangements to share data with each other as well as shared protection guidelines within those frameworks. So in that sense we had something similar to a global data protection framework. However, if we take, for example, Canada, the USA and Mexico, we will see that the USA has different laws in every state, and they are different from those in Canada and Mexico. At the same time, geographical proximity as well as economic ties and other factors can drive the need for unified regulations. Businesses will push for a more structured and harmonized framework, and this may eventually result in unified data protection frameworks across various business regions across the globe.
What advice would you give to companies trying to strike a balance between maintaining consumers’ trust while providing their data to the government?
At IntSights, we deal with various types of businesses across the globe. These businesses often have different requirements depending on the type of particular data they are dealing with. They also have to walk a fine line when it comes to the different jurisdictional data privacy requirements. For instance, the government may determine that they be given access to a certain set of data by reason of that organisation being a data processor within their country. This has thus created a lot of friction between, say, China and other countries. The companies need to decide on the level of transparency they wish to include in their data protection policies, as well as their liability when it comes to utilizing this data in different jurisdictions.
From a data security perspective, this is known as your “business-as-usual” (or “BAUs”). For most data protection and data compliance requirements, a key requirement is conducting a data impact assessment. It can help measure the liability of the company concerning the use of a particular data set. However, companies must be mindful that consumers bear both a risk and a choice in how their data is used. This can in turn relate to the corporate BAUs. One of the first steps in developing a data security policy is to determine what your BAU is. Companies need to ask themselves: why are they using data, who has access to this data, how much data do they need, and do they need to collect that data in the first place? This is especially so in today’s global climate, where there is an increasing number of cross-border issues. Companies should also check whether their end-users have access to such data, as the more one grants access to data, the more channels of risk one creates to that data.
Could you elaborate more on how data privacy and cyber threat intelligence interact with each other?
While data protection and data privacy are separate concepts, both concern cybersecurity and assist us in moving towards a better data protection policy. I came to IntSights after a decade specializing in end-point security, so I have been spending a lot of time looking at providing cybersecurity protection policy for companies. Cyber intelligence is interesting to me because the first part of the equation, being the digital footprint, was always missing from the inspection of data security controls, and I believe that this is an element that businesses should evaluate more as threats continue to grow.
This is a very important concept in relation to cyber intelligence. It is a standpoint on how it relates to data privacy or information privacy as well as data protection. Cyber intelligence helps us to measure our digital footprint from a business perspective. It informs us of our liability and our exposure to data threats and enables us to leave no stone unturned when it comes to the different regulations and responsibilities of handling the data that we are using.
Featured Image Credit: IntSights