Great Expectations: Identifying Non-Secured Personal Data for CCPA

Published On: September 7, 2020Categories: Blog

“In a word, I was too cowardly to do what I knew to be right, as I had been too cowardly to avoid doing what I knew to be wrong.”Charles Dickens

When privacy practitioners championed the use of the first generation and now outdated ‘Mapping Sold as Discovery’ technologies, they were assured that this system-based approach of being told which systems to analyze to reveal personal data was enough. This is common of technologies that existed before the market understood what privacy regulators and consumers would expect.

The first tranche of technologies set these low expectations, and to some extent, was adopted by the uneducated privacy marketplace. Inadvertently, it seems the users are being deceived about the real risks of adopting a technology not built for personal data discovery from a security perspective. Security has always been about Zero Trust – ‘tell me what I don’t know.’ Zero Trust is simply not possible in the system-based ‘Mapping Sold as Discovery’ technologies.

However, with increased fines for unsecured personal data breaches, whether it is being stored or in transit, the regulators’ expectations have grown. Consequently, these expectations have led to heightened expectations by customers as well. Customers and regulators expect organizations to not only be in control of data they know about but also data they don’t. A system based technology will always be a system based technology, in the same way, that an amoeba will always be an amoeba. Sure, it will evolve over time, but who has millennia to wait?

Users of these outdated ‘Mapping Sold as Discovery‘ privacy technologies should challenge their vendors to discover all instances of unsecured personal data in their entire network. This should now be a minimum expectation of any privacy technology that boasts personal data discovery. Imagine you were an adopter of one of these early technologies. While you may have extended political capital in supporting a particular product, you may need to rethink and ask your vendor some difficult questions.

(Hint: If your vendor is not continually monitoring flows of personal data in the entire network and cross-checking that with storage and sharing in real-time data lineage of all personal data – not just sampling, then you’re in for a surprise).

As my father always said; Don’t be afraid. Be brave.

Kick them out.