Data Privacy Week 2024: The Definitive Roundup of Expert Quotes
Solutions Review editors sourced this definitive roundup of expert quotes on Data Privacy Week 2024 from Insight Jam, its new community of enterprise tech experts.
It’s Data Privacy Week 2024! For Data Privacy Week 2024, it’s essential to spotlight the evolving landscape of digital rights and personal data protection. This year’s theme underscores the critical balance between leveraging technology for advancement and ensuring the confidentiality and integrity of individual data. As we navigate through waves of technological innovation, from AI-driven analytics to IoT proliferation, the question of how to protect personal information while fostering progress becomes increasingly complex.
This roundup features insights from leading experts who dissect the nuances of data privacy today. They explore the challenges we face in safeguarding digital identities, the emerging threats to our online spaces, and the innovative strategies being developed to secure personal information against unauthorized access.
Their perspectives shed light on the importance of proactive measures, the role of legislation, and the individual’s part in maintaining their data privacy.
Note: Data Privacy Week 2024 quotes are listed in the order we received them.
Data Privacy Week 2024: Expert Insights
Sam Gupta, Founder and CEO at ElevatIQ
“Technologies such as Palantir are already changing the game of data privacy, especially with government organizations where individual-centric privacy matters. Visibility of this magnitude wasn’t possible before due to technology limitations. Watch as other companies follow suit, creating a culture of transparency for consumers becoming a new norm, driving competitive advantage. This is likely to impact industries where transparency matters, such as healthcare, financial services, and insurance. Also, AI-consumption reporting is likely to evolve, where companies might use consumers’ data for their LLMs, creating demand for newer data privacy technologies.”
Joseph Harisson, CEO at IT Companies Network
“Data Privacy Week 2024 emphasizes the important intersection of technology and ethics in our digital world. Key industry experts assert that data privacy has transformed from a mere compliance requirement to a fundamental human right, essential for gaining consumer trust and serving as a competitive differentiator in the business landscape. My experiences and insights, as shared in my book ‘Top 25 IT KPI Metrics You Should Be Tracking As a Business Owner,’ align with these views, highlighting the importance of treating data privacy as a continuous journey. This week serves as a reminder for all of us in the tech industry to persistently balance innovation with the imperative to protect individual privacy, shaping a future where data safeguarding is an integral part of our digital culture.”
Raja Mukerji, Co-Founder & Chief Scientist at ExtraHop
“A key focus this Data Privacy Week should be on generative AI. As a new approach gaining attention across enterprises, concerns about data security and privacy have run rampant. Most enterprises are eager to take advantage of generative AI, however, circumstances like employees uploading sensitive corporate data and IP, the opacity of criteria used to train the model, and lack of governance and regulations introduce new challenges.
During this time of development, enterprises should focus on ways to make generative AI work for their specific needs and protocols. Visibility into AI tools is critical, and enterprises should have solutions in place that monitor how they’re being both trained and used while educating employees on best practices for safe and ethical use. Investing in systems and processes that grant you this visibility and training will help position generative AI as an aid for productivity in the workplace, and help mitigate data privacy concerns. Eventually, enterprises will be able to take advantage of the opportunity to build their own unique AI tools to better serve their employees, customers, and processes, in a provably secure and repeatable manner.”
Dave Russell, VP of Enterprise Strategy at Veeam
“Cyber threats like ransomware play a critical role in organizations’ ability to keep their data safe. Knowing how public attacks have gotten and considering consumer demands for better transparency into business security measures, there’s generally more awareness around ransomware in 2024. New research supports the idea that ransomware continues to be a ‘when’ not ‘if’ scenario, with 76 percent of organizations attacked at least once in the past year, and 26 percent attacked at least four times during that time. Data recovery should be a key focus around Data Privacy Week 2024, knowing that it’s still a major concern as only 13 percent of organizations say they can successfully recover during a disaster recovery situation. In 2024, the overall mindfulness of cyber preparedness will take precedence.”
James Dyer, Threat Intelligence Lead at Egress
“With this year’s theme of ‘Take Control of Your Data,’ Data Privacy Week holds a mirror to how much information we share about ourselves online. Cybercriminals use open-source intelligence (OSINT) to create plausible backstories in seconds, usually utilizing social media profiles to gather information about a victim’s career, hobbies, and habits. With valuable personal insights, threat actors will then ask chatbots to write the most persuasive messages, and even use AI software to help create payloads and speed up delivery.
To take control of your data, my first tip would be to hack yourself; no, that doesn’t mean launching ransomware on your own device! Deploying basic OSINT techniques is a simple way to find out exactly how much information is online about yourself. Research your name, common usernames, and even pictures for an overview of how much is already out there at a hacker’s fingertips.
Depending on what you find, you may need to review what you’re posting on social media. A simple solve would be to make as much of your profile private, withholding the attacker’s ammo during their data scrapes. With the rise of deepfakes, videos posted on social media can be used to clone a user’s voice, so depriving threat actors of this valuable resource is crucial.
Two other easy steps to better your data privacy are to limit the amount of email newsletters you sign up to and terminate or deactivate old and unused social media profiles to give attackers fewer opportunities. Narrowing the amount of information readily available on the internet and minimizing the possible attack routes will make it tougher for cybercriminals to take control of your data.”
Petr Nemeth, CEO at Dataddo
As a result of the evolution of AI and changing global standards, data privacy will be more important in 2024 than it’s ever been.
“The increasing use of AI systems is putting four types of risk in the spotlight:
- Risk of personal identification (intentional and unintentional)
- Risk of poor decision-making
- Risk of non-transparency (due to inability to explain decisions)
- Risk of violating privacy regulations and/or best practices
New data privacy moves by international and national entities will also force a modified approach to data management:
- More stringent regulations (GDPR for Europe – fines getting bigger and bigger; in the USA, more states enacting privacy laws)
- For digital marketers: Google’s sunsetting of third-party cookies for enhanced consumer privacy will make first- and zero-party data all the more important
Makers of AI systems, as well as organizations that need to stay compliant, will have to pay a lot more attention to how data is collected and processed (e.g., via stricter governance policies), and employ new tooling and technologies to help offset growing privacy risk (e.g., data integration tools capable of masking/hashing sensitive data, or detecting/excluding personal identifiable information). Digital marketers will need to resort to alternative methods of targeting prospects online, like server-side tracking and offline conversion imports.”
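The masking/hashing and PII-detection tooling the quote above mentions, shown as an added example (not Dataddo’s code or any product from this roundup): records are minimised per declared purpose, direct identifiers are replaced with keyed pseudonyms, and PII found in free text is detected and redacted. Field names, purposes, the key and the sample records are all constructed for illustration.

```python
"""Added example (not Dataddo's code, nor any tool from the roundup): the two
controls named in Petr Nemeth's quote, masking/hashing sensitive fields and
detecting/excluding personal data, applied per declared processing purpose.
Field names, purposes and the sample records are constructed for illustration.
"""
import hashlib
import hmac
import re
from typing import Any

# Per-purpose field policy (constructed). A field absent from the purpose's
# policy is dropped entirely: data minimisation by default.
#   keep   - forward as-is
#   hash   - replace with a keyed pseudonym (stable, so records still join)
#   redact - keep the text but blank out anything that looks like PII
POLICY: dict[str, dict[str, str]] = {
    "analytics": {"user_id": "hash", "country": "keep", "plan": "keep", "notes": "redact"},
    "support": {"user_id": "keep", "email": "keep", "country": "keep", "notes": "keep"},
}

# Conservative detectors for PII in free text. Not exhaustive; tune per data set.
# Order matters: an IPv4 address also satisfies the phone pattern, and digits
# inside an email address would too, so the more specific patterns run first.
PII_PATTERNS: dict[str, re.Pattern[str]] = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}


def pseudonymise(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. A plain SHA-256 of an email or phone number is
    reversible by hashing a list of candidate values; the secret key prevents
    that, so the key must be stored apart from the pseudonymised output."""
    normalised = value.strip().lower().encode()
    return "pseud_" + hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def scrub(text: str) -> tuple[str, dict[str, int]]:
    """Replace each PII-looking substring with a typed placeholder and count
    hits per kind. Each pattern runs on the already-scrubbed text, so an IPv4
    address is not counted a second time as a phone number."""
    counts: dict[str, int] = {}
    for kind, pattern in PII_PATTERNS.items():
        text, n = pattern.subn(f"<{kind}>", text)
        if n:
            counts[kind] = n
    return text, counts


def minimise(record: dict[str, Any], purpose: str, key: bytes) -> dict[str, Any]:
    """Apply the purpose's policy to one record; unknown purposes are refused."""
    if purpose not in POLICY:
        raise ValueError(f"no policy for purpose {purpose!r}")
    out: dict[str, Any] = {}
    for field, action in POLICY[purpose].items():
        if field not in record:
            continue
        value = record[field]
        if action == "hash":
            out[field] = pseudonymise(str(value), key)
        elif action == "redact" and isinstance(value, str):
            out[field] = scrub(value)[0]
        else:
            out[field] = value
    return out


# Constructed sample input: raw records as a source system might emit them.
SAMPLE_RECORDS = [
    {"user_id": "u-1001", "email": "Alice@Example.com", "country": "DE", "plan": "pro",
     "ssn": "000-00-0000", "notes": "Call back on +49 30 1234567 or alice@example.com"},
    {"user_id": "u-1002", "email": "bob@example.net", "country": "US", "plan": "free",
     "notes": "Logged in from 203.0.113.7"},
]


def run_demo(purpose: str = "analytics", key: bytes = b"demo-key-change-me") -> list[dict[str, Any]]:
    """Minimise every sample record for the given purpose (key is a placeholder)."""
    return [minimise(r, purpose, key) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```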
James Fisher, Chief Strategy Officer at Qlik
“We are squarely in the middle of an AI boom, with Generative AI promising to take us into a new era of productivity and prosperity. However, despite its vast potential, there remains a lot of trepidation around the technology – particularly around how to use it responsibly. For example, there are risks around violation of data privacy and individual consent when it comes to the data that AI algorithms are trained on.
Trust in GenAI – and the data powering it – is key for the technology to be embraced by enterprises. With the risk of misinformation, the use of deepfakes and more, it will take hard work to build this trust. One way to do this is through improving the data that AI is fed – because AI is only as good as its data.
We are seeing steps in the right direction here through a push for better governance, origin, and lineage of data to power AI. At an enterprise level, businesses must look to test the validity of their data and get robust data governance in place. Then, it will be possible to use AI to generate more trustworthy and actionable insights down the line.”
Sophie Stalla-Bourdillon, Senior Privacy Counsel & Legal Engineer at Immuta
“Privacy is now a top concern for individuals, while organizations still struggle to implement effective data protection safeguards when engaging in data analytics and AI practices. We’ve seen US states such as California passing their own privacy laws and drafting detailed regulations on cybersecurity audits, risk assessments, and automated decision-making, making privacy by design in practice a must-do to be able to effectively respond to the demands of augmented privacy regulatory frameworks. At the global level, it’s becoming obvious that attempting to redirect data movements from one location to another to try to avoid data protection obligations is not a viable strategy for a variety of reasons. By reviving core, but often denigrated, data protection principles, such as purpose limitation and data minimization, with the recent take-off of purpose-based access control, new paradigms such as zero trust architecture and data mesh will help data teams to enhance transparency and accountability when building data architectures and organizational processes and to produce quality insights.”
Omri Weinberg, Co-Founder and CRO at DoControl
“An often-overlooked aspect of data security, especially in SaaS environments, is the insider threat posed by employees. Collaboration through these platforms, while boosting productivity, can inadvertently lead to the exposure of sensitive information. It’s crucial for organizations to educate their teams on the risks of data sharing and implement robust controls to mitigate accidental breaches. Ensuring data privacy is a collective effort, where every employee’s awareness and vigilance are key.”
Gopi Ramamoorthy, Head of Security & Governance, Risk and Compliance Engineering at Symmetry Systems
“For individuals, data privacy should start with zero trust. It is highly recommended not to share personally identifiable information (PII) with any organization or any website unless required. If you are providing PII to a required site, always use caution to ensure the website that you are on is correct, legitimate and secure. There are many fake sites that collect personal data. Additionally, posting on social media and reacting to social media posts should be done with no sharing of personal information, including sensitive information like home address, travel, family plans and related information.
For organizations, GDPR Articles 4, 5 and 6 can be referred to for guidance to make decisions on what personal data to collect and why. These three articles define the means and purpose of data collection and the processing principles. Other privacy regulations have similar articles that provide guidance on the basis for PII collection. Once data collection and purpose are decided, adequate data security needs to be carefully planned. Securing PII starts with Privacy by Design (PbD). The core principle of Privacy by Design is based on least privilege and a need-to-know basis. Organizations should have clearly defined and strict access controls around PII based on regulations, policies and procedures. Also, organizations should implement adequate logging and monitoring controls. For many tasks such as data discovery, data classification, data access controls, etc., the latest technologies can be used for effective security, automation and scaling.”
Eric Schwake, Director of Cybersecurity Strategy at Salt Security
“Data Privacy Week allows organizations of all sizes to reflect on their critical data and assess ways to ensure its safety and security. Customers and internal stakeholders trust organizations with their data, but the digital transformation has exposed it to more significant threats. As APIs are now touching this data more than ever, it’s essential to understand how they utilize it and promptly identify any potential risks. When considering data privacy, it’s crucial to consider the people, processes, and policies involved.
- Understand your APIs: Have processes in place to understand APIs used in your environment, including what data they access. Knowing this will allow you to apply policy governance rules to APIs across your organization.
- Embrace Access Control: Implement strong authentication and authorization protocols to ensure only authorized applications and users can access data. Use multi-factor authentication, API keys, and granular access controls.
- Encryption is Everything: Encrypt data at rest and in transit, rendering it useless to any unauthorized eyes that might intercept it.
- Vulnerability Vigilance: Regularly scan your APIs for vulnerabilities and patch them promptly. Proactive monitoring is vital to staying ahead of evolving threats.
- Transparency Matters: Open communication is vital. Clearly document your API usage policies and data privacy practices. Let users know what data you collect, why, and how they can control its use.
These steps allow organizations to build a robust data privacy ecosystem where APIs become guardians, not vulnerabilities. Commit to securing these digital gateways and ensuring data travels safely in the online world this Data Privacy Week.”
Patrick Harr, CEO at SlashNext
“One of the biggest gaps in security postures today is how personal and corporate data is protected in the age of the hybrid and remote workforce. These blind spots are becoming more readily apparent as organizations and individuals adopt new channels for personal messaging, communications, and collaboration. Targeted phishing attacks in collaboration tools are becoming more common because the likelihood of success is higher than email phishing attacks. Users are not expecting phishing attacks in Teams or SharePoint, and these attacks are often too sophisticated for a user to determine the communication is malicious. It’s also far less common for organizations to have security protections in place around these types of tools compared to email security solutions. And when a phishing attack succeeds, the cybercriminals capture private data, personal information, company data, or they may even install malware directly onto the device to facilitate ongoing attacks.
In 2023 especially, the introduction of Generative AI technologies like ChatGPT has been a game changer for cybercriminals, particularly in relation to cyberattacks launched through common messaging apps including email and SMS text messaging. These new AI tools have helped attackers to deliver fast moving cyber threats, and have ultimately rendered email security that relies on threat feeds, URL rewriting and block lists ineffective, putting organizations’ private data at high risk. In fact, SlashNext’s latest State of Phishing report revealed a 1,265 percent increase in phishing emails since the launch of ChatGPT in November 2022.
The best defense for an organization to protect against phishing and ensure the safety of both its corporate data as well as employees’ personal data is to always be one step ahead of the attackers. It’s crucial for cyber security protection to leverage AI to successfully battle cyber threats that use AI technology. You have to fight AI with AI.”
Philip George, Executive Technical Strategist at Merlin Cyber
“Year after year, Data Privacy Week invokes calls for better data protection practices, regulations and standards, and encourages individuals to be more conscious of how they share and protect their own personal data online. These are all important parts of the data privacy conversation, but this year a much stronger emphasis needs to be placed on post-quantum cryptography (PQC) and what organizations must be doing now in order to ensure data remains protected in the post-quantum future. Today’s data encryption standards will be ineffective against advanced decryption techniques fueled by cryptographically relevant quantum computers. Although commercial quantum computers exist today, they have yet to achieve the projected computational scale necessary for cryptographic relevancy. However, this reality may change quickly, considering the continued investment by nation states and the private sector alike. Coupled with the growing application of ML/AI in the areas of research and development, the potential for more breakthrough developments in quantum computing remains high. This means the chances of any of the aforementioned entities reaching quantum cryptographic relevancy are improving day by day.
NIST is expected to publish its first set of PQC standards this year, which will serve as an important step toward providing organizations with quantum resistant cryptography solutions. Security leaders and data-owners should follow NIST’s guidance and begin their internal preparations today. Primarily, this should entail establishing an integrated quantum planning and implementation team and mapping out cryptographic dependencies by conducting a full system cryptographic inventory. After conducting this inventory, security teams can then implement a risk-driven modernization plan that starts with business-critical and protected data (by law) systems.
These activities must happen in 2024, because threat actors are in fact already targeting encrypted data, by taking a ‘steal and store now to decrypt later’ approach. Quantum computing-based attacks will become a reality in the near future, and we cannot wait until cryptographic relevancy is achieved to begin what may become the largest cryptographic migration in modern history/the history of computing.”
Nick Edwards, VP of Product Management at Menlo Security
“The explosion of Generative AI use following the launch of ChatGPT in November 2022 has opened a world of new risks and data privacy concerns. Companies must be aware of how these tools can potentially compromise or expose sensitive data. By nature, they pose a significant security risk, especially when employees inadvertently input corporate data into the platforms. When data is entered within these models, that data is used to further train the model to be more accurate. In May 2023, a group of Samsung engineers input proprietary source code into ChatGPT to see if the code for a new capability could be made more efficient. Because of the model’s self-training ability, the Samsung source code could now be used to formulate a response request from other users outside of Samsung. In response, Samsung banned ChatGPT. Our own team of researchers at Menlo Security found more than 10,000 incidents of file uploads into generative AI platforms including ChatGPT, Microsoft Bing, and Google Bard, and 3,400 instances of blocked ‘copy and paste’ attempts by employees due to company policies around the circulation of sensitive information.
To prevent data leakage similar to the one described previously, employees should be trained in how to use these platforms securely. Organizations need to prioritize data security tools that prevent information from being shared with Generative AI platforms in the first place. While data loss protection (DLP) tools are useful, organizations need a layered approach that could include, for example, limiting what can be pasted into input fields, restricting character counts or blocking known code.
Another data privacy concern was uncovered last week, when OpenAI launched the GPT store, which allows OpenAI subscribers to create their own custom versions of ChatGPT. As exciting as this is for developers and the general public, this introduces new third-party risk since these distinct ‘GPTs’ don’t have the same levels of security and data privacy that ChatGPT does. As generative AI capabilities expand into third-party territory, users are facing muddy waters on where their data is going. Securing access to generative AI tools is just one of the topics covered in Menlo’s State of Browser Security Report, launched this week, which talks to the wider landscape of evasive threats targeting users in the browser.”
Krishna Vishnubhotla, VP of Product Strategy at Zimperium
“The biggest risk to our private data lies in the mobile devices we use every day and the applications that are on them. In fact, the Zimperium 2023 Global Mobile Threat Report showed that 80 percent of phishing sites now either specifically target mobile devices or are built to function on both mobile devices and desktops, and that the average user is 6-10 times more likely to fall for an SMS phishing attack than an email-based one. As we know in today’s workplace, particularly following COVID, many of us are working from home (or working from anywhere). We have clearly seen employees working on personal mobile devices that are accessing all the same data that they were previously accessing via corporate devices. It’s the organization’s duty to protect the data that’s being accessed at all times, while at the same time ensuring privacy for the user on the personal device. Organizations must ensure that the device accessing its data is safe; the network it’s connecting from is safe and trusted; and the applications on the device are not hostile.”
Manu Singh, VP, Risk Engineering at Cowbell
“In today’s threat landscape, we are seeing the continued evolution and sophistication of cyberattack techniques and tactics, including bad actors circumventing multi-factor authentication (MFA) and accessing offline backup systems. What the industry previously considered ironclad defenses simply aren’t anymore. This Data Privacy Day, organizations should prioritize staying ahead of threats through:
- Conducting a risk assessment to identify the vulnerabilities within the organization, and actioning on the findings. A risk assessment shows organizations what their architecture looks like, their vulnerabilities, and more. Addressing issues identified in a risk assessment puts an organization in a better position to deal with cyber incidents. If you work with a cyber insurance provider, ask them for your organization’s risk assessment report and how they can help you improve your cyber hygiene.
- Upholding good cyber hygiene. While cybersecurity measures should be tailored to an organization based on its risk assessment, it’s important to follow basic best practices: adopt MFA, deploy an Endpoint Detection and Response (EDR) solution, keep up with patching, maintain good password hygiene by adopting a password manager, and have offline and tested backups/copies of all data.”
Darren Guccione, CEO and Co-Founder at Keeper Security
Attacks are changing, protecting yourself isn’t
“This Data Privacy Day, industry experts may warn about the new and novel ways attackers violate your privacy and breach your data. From the threats that come with generative AI to the rise of attacks targeting genealogy companies like 23andMe that hold highly sensitive personal information, it’s certainly clear the tools in a cybercriminal’s arsenal are growing more sophisticated. But the fundamental rules of protecting oneself in the digital landscape remain as relevant as ever. Basic cybersecurity measures, such as creating strong and unique passwords, enabling multi-factor authentication and keeping software up to date, are frequently overlooked. A recent study by Keeper found a quarter of IT leaders confessed that they even use their pet’s name as a password!
Take the following steps to proactively protect yourself in the evolving digital world:
- Use strong, unique passwords for every account
- Enable multi-factor authentication
- Regularly update software
- Employ strict privacy settings on apps and browsers
- Avoid oversharing on social media
- Back up your important data
Before finding yourself overwhelmed by all the ways cybercriminals can attack you, sit down and consider these basic cybersecurity measures and whether you are following them. Number one is critical, but difficult to achieve using just your memory, so consider using a password manager to safely and securely store and manage passwords. By taking these proactive steps, you can significantly strengthen your data privacy and reduce the risk of falling victim to both current and evolving cyber threats.”
John A. Smith, Founder and CSO at Conversant
“Cyberattacks are the top global business risk of 2024. Data Privacy Week provides organizations an opportunity to raise awareness about data privacy issues and associated security risks, educate individuals about protecting their personal information, and promote more secure organizational data practices.
In today’s digital age, most enterprises obtain personal and confidential data from their employees, customers, and stakeholders, making them vulnerable to a cybersecurity attack or data breach. All organizations have a responsibility to protect their data; many (such as law firms and healthcare institutions) have a fiduciary duty to protect sensitive information regarding clients. These businesses are built on trust, and in many cases lives and financial well-being depend on it; both can be easily and irreparably harmed if data is compromised. Organizations should consider the following to increase data privacy and security within their company:
- Adhere to regulations and compliance requirements: Enterprises should constantly review and be aware of data privacy regulations, such as GDPR, CCPA, or other regional laws.
- Understand that compliance isn’t enough: While security frameworks and mandatory compliance standards must be met, they in no way guarantee security; these frameworks and compliance standards should be viewed as a minimum floor. Threat actors are not limited to the guardrails within these frameworks, and threat actor behavior simply changes faster than the frameworks and standards can keep pace with. It’s essential to have a layered security program across people, process, product, and policy that protects the entire security estate with redundant controls.
- Measure your security controls against current threat actor behaviors: By implementing robust security protocols and conducting regular security assessments against current threat tactics, organizations will know where their vulnerabilities lie and how to protect them. Threat actors are exploiting things that make the users’ experience easier, such as Help Desks that provide easy access and few verification steps, self-service password tools, weak forms of MFA, etc. To keep up, companies must trade some levels of user convenience for more stringent controls.
- Know your limitations: Most organizations have gaps in security controls and orchestration because they lack access to breach intelligence—how threat actors are causing damage technically. It’s those very gaps that threat actors seek and prey upon. It’s important to seek expert assistance to gain breach context and act without delay. While addressing these gaps may require additional capital investments, it will be far less than the cost of a breach, its mitigation, and the long-term fallout.
- Change your paradigms: Systems are generally open by default and closed by exception. You should consider hardening systems by default and only opening access by exception (‘closed by default and open by exception’). This paradigm change is particularly true in the context of data stores, such as practice management, electronic medical records, e-discovery, HRMS, and document management systems. How data is protected, access controls are managed, and identity is orchestrated are critically important to the security of these systems. Cloud and SaaS are not inherently safe, because these systems are largely, by default, exposed to the public internet, and these applications are commonly not vetted with stringent security rigor.
- Most breaches follow the same high-level pattern: While security control selection and orchestration are important, ensuring a path to recovery from a mass destruction event (without paying a ransom) should be the prime directive. Organizations should assume a mass destruction event will occur, so that if it occurs, they can have confidence in their path to recovery.
Data privacy is not just a technical concern, but a crucial tenet of ethical business practices, regulatory compliance, and maintaining the trust of individuals who interact with your business. It has become an integral part of building a secure and resilient digital economy.”
Ratan Tipirneni, President & CEO at Tigera
“This Data Privacy Awareness Week, enterprises and small businesses alike should prioritize holistic cybersecurity. While Kubernetes adoption has taken off, most Kubernetes teams haven’t implemented adequate posture management controls. They continue to implement the minimal level of security mandated by compliance requirements. This bubble is about to burst. This will manifest as stolen data (data exfiltration) or ransomware. However, this can be easily prevented through effective posture management to ensure that the right egress controls and micro-segmentation are in place.”
Rick Hanson, President at Delinea
“The end of privacy as we know it might be closer than you think. The world is increasingly relying on more AI and machine learning technologies. This reliance could result in privacy becoming less and less of an option for individuals, as AI’s capabilities in surveillance and data processing become more sophisticated.
2023 marked a significant leap in the authenticity of deepfakes, blurring the lines between reality and digital fabrication, and that is not slowing down any time soon. Our digital identities, extending to digital versions of our DNA, can be replicated to create digital versions of ourselves, which can lead to questioning who actually owns the rights to our online personas.
Unfortunately, advancements in AI technologies are evolving more swiftly than current regulations can keep pace with. In 2024, we can expect stricter data protection requirements across more countries and regions. But until these regulations evolve and can keep pace, it is important to reduce our risk and protect our privacy however possible.
One of the best ways to do this is to continuously check each application, including what data is being collected and processed, and how it is being secured. Use a password manager or password vault to securely store credentials, and leverage multi-factor authentication (MFA) to ensure credentials don’t get exploited by forcing whoever the user is to prove their identity beyond just a username and password. In the event that a data privacy breach does occur, it is also important to have a cyber insurance policy in place to ensure you’ll have the means to continue to operate and recover.”
Michael Brown, Vice President of Technology at Auvik
“The evident tension between employee monitoring and personal privacy makes it imperative for companies to find and maintain an appropriate balance that upholds critical visibility while respecting boundaries and adhering to data privacy laws.
With the continued expansion of remote and hybrid work, there is a heightened necessity for employers to keep a close eye on the way that employees are utilizing devices and applications in their daily routines. In addition to providing valuable information about the types of and ways in which technology is being used, employee monitoring ensures that installed applications are up-to-date, protects against known security vulnerabilities, and identifies potential productivity improvements. However, maintaining data privacy during this process is critical; when boundaries are overstepped and certain kinds of information are collected, this can feel invasive to employees and result in reduced morale as well as the potential violation of data privacy laws.
On one end of the spectrum, monitoring an employee’s every action provides deep visibility and potentially useful insights, but may violate an employee’s privacy. On the other hand, while a lack of monitoring protects the privacy of employee data, this choice could pose significant security and productivity risks for an organization. In most cases, neither extreme is the appropriate solution, and companies must identify an effective compromise that takes both visibility and privacy into account, allowing organizations to monitor their environments while ensuring that the privacy of certain personal employee data is respected.”
Gal Ringel, CEO and Co-Founder at Mine
- “With a new wave of AI set to revolutionize how we live and work, data privacy has never been more important than it is today. Ensuring companies use data to train and develop AI systems safely and transparently is reliant on all of us emphasizing how much we collectively value individual data rights and could very well be the defining question of whether society builds a healthy, trusting relationship with AI innovation.”
- “Over the past few years, the enthusiasm so many companies have had for data privacy software has grown immeasurably. There is still work to be done in spreading that enthusiasm to every company that handles personal identifiable information (PII), but it’s heartening to see data rights receiving the love and attention they deserve as the role data plays in business continues to soar.”
Shivajee Samdarshi, Chief Product Officer at Venafi
“Artificial intelligence is democratizing coding to a whole new level. Everyone can be a developer now, but this opens up a massive opportunity for malicious actors to take advantage of unauthorized code and use it as an attack vector within unaware organizations. This is fundamentally altering how we protect privacy and ensure the systems our lives depend upon are secure. The attack surface is expanding day by day, but organizations are often not adapting in real time.
This Data Privacy Week, it’s critical for organizations to bear in mind the detrimental impacts of unauthorized code. To combat this risk and reduce the attack surface, know what code your organization is using and deploying. Secure the code signing process and use trusted code signing certificates. The best offense is a good defense, especially when it comes to your code.”
Theresa Lanowitz, Head of Evangelism at AT&T Cybersecurity
“Edge computing is the next generation of computing and is all about data. A characteristic of edge computing says that the applications, workloads, and hosting are closer to where data is being generated and consumed. And, edge computing is about a near-real-time and digital-first experience based upon the collection of, processing of, and use of that data.
This data needs to be free of corruption to assist with decisions being made or suggested to the user, which means the data needs to be protected, trusted, and usable. In response, strong data lifecycle governance and management will be a continued requirement for edge computing use cases.
Such data security is something a security operations center (SOC) will begin to manage as part of its management of edge computing, while working to understand diverse and intentional endpoints, complete mapping of the attack surface, and ways to manage the fast-paced addition or subtraction of endpoints.”
Patrick Harding, Chief Product Architect at Ping Identity
“Privacy is really about choice, trust, and giving customers autonomy over how their data is managed. A disheartening 10 percent of consumers have full trust in organizations that manage their identity data – and it shouldn’t be that way. It’s up to organizations to ensure customers understand how data is collected and are given a clear opt-in or opt-out option to feel secure and respected. This transparency and accountability go a long way in instilling brand loyalty, long-term trust, and a positive customer experience.
Ultimately, customers just want to know their data is being protected and not exploited. The majority (61 percent) of global consumers report that having privacy laws enacted to protect consumer data and knowing that the website vendor is complying with those regulations makes them feel more secure when sharing their information online.
Data Privacy Week serves as a great opportunity to underline the value of decentralized identity management, which improves data security and privacy, and empowers individuals with control of their data while reducing resource and compliance burdens for enterprises.”
Bjorn Andersson, Senior Director, Global Digital Innovation Marketing and Strategy at Hitachi Vantara
“Right now, technology is moving faster than regulations in many ways and across many regions globally. Governments are actually racing to keep up. For example, the European Union in December 2023 just reached a landmark agreement on its AI Act, but it’s not yet in effect. While the U.S. has laid out a risk framework in its October 2023 executive order on AI, there is no comprehensive law passed by Congress nor stringent regulation of the private sector on AI aside from critical infrastructure governance. As new compliance and regulation standards in the data management industry get codified, companies must ensure employees stay informed, adopt relevant policies, and deploy best-in-class security measures.
Global organizations navigating the nuances of diverse regulations across countries should seek guidance from legal experts. Teams can harness the power of generative AI and other kinds of AI tools to elevate organizational knowledge and awareness on data security and privacy and to implement the guardrails themselves.”
Larry Zorio, CISO at Mark43
“With 91 percent of first responders facing cybersecurity issues in the past year, it’s imperative that public safety agencies have cost-effective and data-driven protections in place. The intersection of data and technology has long been central to public safety, but the ascent of AI and other emerging technologies has revolutionized the sector. To counteract bad actors and evolving security threats, public safety agencies need robust internal security processes and strong external partnerships to effectively serve their communities, especially in crises.
Information security is pivotal for the confidentiality, integrity and availability of public safety data, systems and networks. Providing partners and government agencies with comprehensive security controls and reliable platforms — like their CAD and RMS — couldn’t be more important. In 2023, the global average cost of a data breach was $4.45 million, highlighting the urgency for agencies to adopt a strategic, risk-based approach to data protection in 2024 and beyond.”
Daniel Chechik, CISO at WalkMe
“The emergence of technologies like AI marks a new era of data protection in enterprise tech, defined by a need for constantly-evolving, modernized technology that adapts to security regulations. Alongside this, organizations have an increased responsibility to safeguard sensitive information. As AI-driven solutions are deployed, cybersecurity considerations and data safeguarding are top priorities to ensure that AI serves as an enabling factor for businesses without posing an outsized risk.
Business and government entities must adapt to this new “digital age,” all while ensuring employee trust and productivity. The global agreement to make AI ‘secure by design,’ for example, highlights the responsibility of large, small, public, private, government, and organizations of all types to prioritize and invest in the safe use of these new capabilities by putting proper measures in place to safeguard their organizations against thefts and data leaks. Without sacrificing the innovation, creativity, and productivity boosts promised by generative AI applications, organizations must pursue the right technology and employee education to create clear guidelines and guardrails that prioritize effective, data-driven protection.”
Erik Gaston, CIO at Tanium
“In an age when individuals produce almost 2MB of data every second, it is critical for companies to have proven, proactive and preventative security strategies in place to protect employee and customer data. It is also important to understand what data is coming in and out of the network and where it is being stored at all times.
Data breaches (both accidental and intentional), data mining, surveillance, and the potential misuse of personal data by corporations or governments all have the potential to expose personal information to unauthorized parties. To mitigate the risk, a few recommendations to achieve a proactive, preventative strategy – over one that solely relies on reactive data protection – include:
- Actively managing passwords, authentication, social media and installed software / settings on personal devices
- Choosing strong and unique passwords for all online accounts and updating them often
- Having multi-factor authentication as an extra layer of security
- Avoiding sharing ANY personal information online, especially on social media sites
- Keeping software up to date
- Understanding privacy settings on various devices and platforms and exercising your rights to control the collection and use of your data”
Geoffrey Mattson, CEO at Xage Security
“Data Privacy Week serves as a reminder of the symbiotic relationship between data security and the safeguarding of critical infrastructure. The threat landscape continues to evolve, leaving critical infrastructure increasingly reliant on interconnected systems, all of which can be breached. When it comes to critical infrastructure, the implications of a data breach stretch far past the digital realm, instead impacting real-world, everyday operations such as water systems, emergency services, government facilities, transportation systems, and more. Consider the thousands of electricity, oil and natural gas facilities that provide energy to people every day, suddenly shut down. These aren’t abstract scenarios—they directly impact the average citizen’s quality of life. Protecting critical infrastructure is a responsibility with the potential to preserve and save lives daily.”
Will LaSala, Field CTO at OneSpan
“In today’s online world, more data is being shared by users than ever before and has expanded to include intricate connections between individuals, organizations, and the vast web of the internet. Many users are not aware of how this data will be used. Technological advancements, such as AI, have led to freely available data that not only trains software but also becomes vulnerable to attackers exploiting application and security service vulnerabilities. Generative AI further complicates data security by generating content that closely mimics the original, often relying on common solutions based on private data. While AI can also serve as a tool to catch fraudulent data and secure it before it gets attacked, there needs to be more comprehensive measures to protect data from being readily available for AI to use. There is a shift towards individual management of data privacy, which has introduced a new era of distributed identity. Digital wallets, for example, allow users to control data access and duration in user-friendly ways. Organizations benefit from this by gaining insights into data ownership changes and building trust to offer enhanced services based on reliable data. This Data Privacy Week, responsible data handling is crucial. Navigating this expansive sea of data poses a constant challenge that has prompted regulations to encourage banks and other organizations to take data privacy seriously. Everyone has a responsibility to practice safe data handling.”
Cam Roberson, Vice President at Beachhead Solutions
“Complying with government agencies’ data privacy and cybersecurity requirements is getting more complicated this year. For many businesses, regulatory enforcement is quickly becoming the single biggest cybersecurity-related risk they face. Data privacy and security requirements and enforcement are expanding on just about every front—and the risks of non-compliance are real and accelerating. For example, the FTC Safeguards Rule now requires *any* business that transfers money to and from customers (and isn’t already under the purview of another regulator) to secure customer data effectively. This affects millions of previously unregulated businesses that are now subject to six-figure fines per violation, additional fines that can personally target business leaders, and risk to their business’s licensing. Organizations in or adjacent to the healthcare field subject to HIPAA need to be aware that HIPAA fines around data privacy have become more actionable. Regulators have shifted strategies, from massive seven-figure fines that were rarely enforced, to $35,000-$50,000 fines per violation that businesses are fully expected to pay. While the ubiquity of cyber insurance to protect businesses from these fines’ impact continues to be another key development to pay attention to, cyber insurance policies require the same security protections as major compliance mandates. There will continue to be less leniency for organizations that don’t have the encryption, data access controls, and other non-negotiable data privacy capabilities required of most cybersecurity compliance regulations.”
Viktoria Ruubel, Managing Director of Digital Identity at Veriff
“As consumers and employees, we have all seen or experienced biometric technology in action. Fingerprints or “selfies” have replaced passwords, granting access to our smartphones and other devices. In business settings, face scans can enable entry into controlled access areas or even the office. However, while these tools have made identity verification easier and reduced some of the friction of identification and authentication, there’s growing concern around biometric data and privacy – biometric data is unique to each individual and permanent, making it one of the most personal forms of identification available.
As concerns mount and amid an escalation of regulatory action, users need greater transparency around collecting and using biometric data. Careful considerations are required to properly reflect the use of biometric data in public-facing policy and the approach to gathering and employing data around user consent and data security.
Data Privacy Week is a time to facilitate open dialogue around these risks and how to address them to strike a better balance between protecting users’ privacy and demystifying their experience with technologies like biometrics. Organizations must be ready to balance user experience with effective security controls to ensure the highest levels of data privacy in all transactions.”
Steve Stone, Head at Rubrik Zero Labs
The most compromised data
“Breaches often compromise the holy trinity of sensitive data: personally identifiable information, financial records, and login credentials. As long as these lucrative data types remain decentralized across various clouds, endpoints and systems not properly monitored, they will continue to entice, and reward increasingly sophisticated attackers.”
Why it’s vulnerable
“Over 60 percent of sensitive data stored across disparate on-prem, cloud, and SaaS environments lacks unified security protocols. Cybercriminals can easily access the keys to deeply infiltrate the systems and exfiltrate the most valuable data undetected over longer periods.”
How to better protect it
“Reliance on prevention is simply ineffective. Organizations need cyber resilience – a combination of cyber posture and cyber recovery – to keep their business running without interruption, even in the midst of the inevitable cyberattack.”
Tim Wade, Deputy CTO at Vectra AI
“Customers and consumers alike are sharing more data than ever with organizations. This comes at a time when enterprises are shifting more applications, workloads, and data to hybrid and multi-cloud environments, and threat detection and response has become increasingly siloed and complex. Together, this underscores the crucial responsibility organizations have in safeguarding sensitive information and serves as a poignant reminder of the challenges involved in maintaining data privacy.
We’ve seen steady improvement on the part of the end user towards keeping their personal information secure and private. They deploy multi-factor authentication solutions, only use secure networks or VPNs, and are much more selective about which information they share with organizations, but exposure incidents still happen. As we strive to make the world a safer and fairer place, companies have a responsibility to their customers, partners, and end users to implement the right practices that will ensure their privacy and data are protected. In the upcoming year, businesses will face heightened expectations to demonstrate their commitment to implementing comprehensive measures aimed at safeguarding data.”
Reed Taussig, CEO at AuthenticID
“Inconsistent data privacy regulations are being legislated all over the world, and indeed, across all 50 states. While some of these regulations are ubiquitous, many of the requirements vary from country to country and state to state. Look at GDPR and the right to be forgotten, as an example. Fraudsters can legally require a site to delete all of their PII data, thus making it much more difficult to identify who those individuals are. Globally, fraudsters are winning. Fraud goes up year after year despite the billions of dollars invested in security. Data privacy is a double-edged sword; it protects good customers and people, but it also creates significant hurdles for security experts trying to keep a company’s assets safe.”
Stephen Franchetti, CIO at Samsara
Amidst emerging threats, increased regulation, and data privacy laws, organizations will lean on technology for management and protection.
“With a global focus on data privacy, organizations must leverage technology to identify and mitigate risks quickly and effectively. In 2024, leaders will invest in AI-driven security to monitor network behavior, detect anomalies, and protect against potential threats – all in real time. This proactive approach will allow organizations to enhance their ability to safeguard data and operations.
This technology, however, is only effective when coupled with a robust data strategy that leverages a zero-trust model. In the new year, more leaders will adopt this approach, which requires verification at every step of the data access and transfer process, significantly reducing the potential for breaches.”
Dan Benjamin, CEO and Co-Founder at Dig Security
“As organizations have moved to the cloud, their infrastructure has become increasingly fragmented. With multi-cloud and containerization becoming de-facto standards, this trend has intensified. Data storage and processing is dispersed, constantly changing, and handled by multiple vendors and dozens of tools.
To secure data, businesses found themselves investing in a broad range of tooling – including DLP for legacy systems; CSP-native solutions; compliance tools; and more. In many cases two separate tools with similar functionality are required due to incompatibility with a specific CSP or data store.
This trend is now reversing. Economic pressures and a growing consensus that licensing and management overhead have become untenable are leading organizations toward renewed consolidation. Businesses are now looking for a single pane of glass to provide unified policy and risk management across multi-cloud, hybrid, and on-premises environments. Security solutions are evolving accordingly – moving from point solutions that protect a specific data store toward more comprehensive platforms that protect the data itself, wherever it’s stored and in transit.”
Jim Liddle, Chief Innovation Officer at Nasuni
“This year’s Data Privacy Week is all about ensuring that organizations maximize their data intelligence with privacy best practices. A shocking number of companies store massive volumes of data simply because they don’t know what’s in it or whether they need it.
These questions must be asked to retain maximum privacy and quality: Is the data accurate and up-to-date? Is it properly classified and ‘searchable’? Is it compliant? Does it contain personal identifiable information (PII), protected health information (PHI), or other sensitive information? Is it available on-demand or archived?
Data Privacy Week serves as a reminder to organizations to answer these questions to ensure they meet data quality, privacy, security, access, and storage requirements. This must be assessed and completed before pursuing AI initiatives that may compound risk exposure without these foundational governance guardrails in place.”
Jackie McGuire, Senior Security Strategist at Cribl
Data as an Asset
“In many senses, data is the new oil. It’s a finite resource that needs to be mined and managed strategically, and its value is highly dependent on your ability to refine and manipulate it for specific applications. For this reason, we see 2024 as being a critical year in the transition of data from being 1s and 0s on a screen to an actual asset to be managed, tracked, and optimized within an enterprise.
If we look past data as the space it takes up and consider each data point (IP, port number, customer name, city name, temperature reading) as an asset in and of itself, it becomes clearer that the way we are mining and storing data is incredibly wasteful. The same data points are often collected repeatedly, stored more redundantly than necessary, and contain no single source of truth. With the increasing use of AI and machine learning, as well as more stringent regulatory requirements that both require you to hold some data longer, as well as delete some data sooner, it will become crucial that data is managed as an asset.
To accomplish this, the accurate identification and categorization of data will be essential. We see an entire industry dedicated to data identification developing over the next few years, and companies becoming increasingly more focused on what the sole source is for any piece of information. This will ensure changes to data propagate, unexpected output from data science models can be traced to the training source, and ensure that any data that a company no longer has the right or desire to hold is actually deleted.”
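The two quotes above (Nasuni's questions about whether stored data contains PII or PHI, and Cribl's point that identification and categorization of data is the prerequisite for managing it as an asset) both come down to one practical step: scanning what you hold and assigning it a handling tier. The following is an added example, not code from Nasuni, Cribl, or this article; the detector patterns, field-name hints, tier names and sample records are all constructed for illustration, and a production deployment would use a vetted classification library with locale-specific rules.

```python
"""Classify constructed sample records by the kinds of personal data they contain.

Added example: not code from Nasuni, Cribl, or the article. The detectors,
field names, tiers and sample records below are constructed for illustration.
"""
import re
from collections import Counter

# Pattern detectors for common PII types (constructed; real deployments would
# use a vetted classification library and locale-specific rules).
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),
}

# Field names that indicate protected health information (constructed list).
PHI_FIELD_HINTS = ("diagnosis", "medication", "icd", "patient")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs caught by the card regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_pii(text: str) -> set:
    """Return the set of PII type labels whose detector fires on the text."""
    found = set()
    for label, rx in DETECTORS.items():
        for m in rx.finditer(text):
            if label == "card_number":
                digits = re.sub(r"[ -]", "", m.group())
                if not luhn_ok(digits):
                    continue  # digit run that is not a plausible card number
            found.add(label)
    return found


def classify_record(record: dict) -> dict:
    """Return the PII/PHI types found in a record and the resulting handling tier."""
    types = set()
    for key, value in record.items():
        types |= detect_pii(str(value))
        if any(h in key.lower() for h in PHI_FIELD_HINTS):
            types.add("phi")
    # Tiering rule is a constructed policy: health, SSN and card data are
    # "restricted", any other PII is "confidential", everything else "internal".
    if "phi" in types or "us_ssn" in types or "card_number" in types:
        tier = "restricted"
    elif types:
        tier = "confidential"
    else:
        tier = "internal"
    return {"types": sorted(types), "tier": tier}


def inventory(records) -> dict:
    """Aggregate how many records fall in each tier and which PII types appear."""
    tiers = Counter()
    type_counts = Counter()
    for r in records:
        c = classify_record(r)
        tiers[c["tier"]] += 1
        type_counts.update(c["types"])
    return {"tiers": dict(tiers), "types": dict(type_counts)}


SAMPLE_RECORDS = [  # constructed sample data, not real personal information
    {"id": 1, "note": "Contact alice@example.com about renewal"},
    {"id": 2, "ssn": "123-45-6789", "name": "Example Person"},
    {"id": 3, "card": "4111 1111 1111 1111", "amount": "19.99"},
    {"id": 4, "patient_id": "P-0042", "diagnosis": "example"},
    {"id": 5, "temperature_c": "21.5", "city": "Example City"},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["id"], classify_record(r))
    print(inventory(SAMPLE_RECORDS))
```

The inventory output is what answers the "does it contain PII or PHI?" and "is it properly classified?" questions at scale: the tier drives retention and access policy, while the per-type counts show where duplicated personal data is accumulating across stores. The Luhn check matters because a bare digit-run pattern would flag order numbers and sensor readings as card data and bury the real findings.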
The SEC Shines a Spotlight on Systemic Risk
“2024 may very well become the year of dirty laundry, as a new SEC requirement that registered companies disclose material cybersecurity events within four business days lays bare just how interconnected and systemic risk in cybersecurity can be. In the few months since its passing, we have already seen several high-profile disclosures from Clorox, Johnson Controls, MGM, and Okta rile the securities markets and send teams scrambling. While breaches are nothing new, the level of disclosure the SEC is now requiring ensures that enterprises feel a level of financial pain as punishment for their security misdeeds. It also makes far more public the common threads among various breaches, be they threat actors or vendors.
The good news here is that the SEC and cyber risk providers will likely succeed where guidelines and best practices have failed; financial punishment and shareholder angst cause changes in businesses’ security investment and behavior – fast. The reason we have seatbelt laws is because of the auto insurance industry, and security incident disclosures will likely have the same impact. As much as it shouldn’t be the case, hitting companies in the wallet is typically the best way to influence behavior, and in 2024, we think the SEC will do just that.”
Alex Tray, Cybersecurity Consultant at Nakivo
Data as an Asset
“As data privacy concerns continue to grow, there will likely be an increased demand for secure data backup solutions. Organizations will seek robust backup strategies to safeguard sensitive information and ensure quick recovery in the event of data breaches or ransomware attacks. Data backup solutions are expected to integrate more privacy-centric features, such as encryption mechanisms, access controls, and audit trails to enhance the overall security and privacy of backed-up data.”
Adam Ferrari, SVP, Engineering at Starburst
“Navigating the intricate landscape of data privacy regulations lacks a one-size-fits-all solution. Each company’s risk exposure is shaped uniquely by consumer interactions, information structure, geographic presence, and other variables. Despite this complexity, companies need to collect data for operational efficiency and innovation. In the realm of data analytics and compliance, the concept of data sovereignty is significant. We advise prioritizing data localization strategies aligned with regional regulations. Storing data on local servers and complying with specific laws, such as GDPR in the EU, enhances consumer data protection. This not only reduces non-compliance risks but also builds consumer trust in data-driven innovations by safeguarding their personal information according to stringent data protection rules.”
Cassius Rhue, Vice President of Customer Experience at SIOS Technology
“For organizations maintaining high availability of crucial applications and databases, with a 99.99 percent accessibility target, enhanced security measures are essential for operational success. Key to the success of these robust security measures is ensuring their integration with high availability (HA) and disaster recovery (DR) solutions and their storage. Addressing malicious threats, without also addressing unforeseen factors like natural disasters, system failures and human errors can be disruptive to critical business operations. A well-designed security architecture that integrates with HA and DR plans ensures the swift restoration of critical systems, without compromising security or data and application availability.”
Tim Golden, Founder & CEO at Compliance Risk
“With dozens of data privacy rulings and pieces of legislation already on the books and more in the pipeline, it is going to get harder for SMBs to comply with the dizzying array of state and federal requirements. The U.S. is long overdue for a single, comprehensive data privacy rule. We could learn a lot from the EU’s GDPR.”
Liat Hayun, CEO at Eureka Security
“As we enter 2024, it is important to note that safeguarding organizational data can no longer mean restricting its use. As AI and LLM models add to the size, scope and types of data usage, organizations should focus on leveraging these emerging technologies to use their data for increased productivity, and accept some of the risk that goes along with this adoption – but must also consider ways to reduce it. With more data being stored and used, reducing data exposure will become the main focus for reducing this risk. Organizations should assess who and what has access to their data, when and how this access is used, identify anomalous behavior, suspicious access and the impact it may have on their data security.”
Andrea Malagodi, CIO at Sonar
“Data privacy today is turning into an old challenge with “new clothes” thanks to the AI-provided solutions now available to employees (the upload of data to websites). The reality is, mostly due to lack of education, that “Convenience beats Security” — malicious actors would typically rely on this to provide conversion websites (JSON to CSV as an example) and use these sites to collect data for possible attacks. The new AI sites also ask you to upload or grant access to content, which may even be worse, but not in that they service malicious intents. Any data that is shared is unlikely to have any privacy guarantees attached to it, and data shared is likely to be part of new training, as the AI services have an ever-increasing hunger for data.
Companies should develop a clear policy around Generative AI, educate employees, and ensure that the data classified at the highest tier stays safe from any sharing to AI services to help secure the data. Companies should also contract with providers that can create privacy protections around shared data. Gen AI is here to stay, so facing it fully and developing your strategy is key to the successful protection of your assets.”
Danny de Vreeze, VP IAM at Thales
“GDPR continues to set the standard for how data is stored and processed on a regional level, but 2024 will bring an increasing demand for this control in the U.S. and Canada. Enterprise organizations will m