Data De-Identification: Balancing Privacy, Efficacy & Cybersecurity

COMMENTARY. Global data privacy laws were created to address growing consumer concerns about individual privacy. These laws include several best practices for businesses about storing and using consumers' personal data so that the exposure of personally identifiable information is limited in case of a data breach. Several recent data breaches prove that consumer data continues to stay vulnerable. Why is it that such strict regulations have not been able to safeguard consumer data - beyond generating ad-hoc revenue by penalizing a few businesses that blatantly flout privacy concerns? The answer may lie in how companies need to do a delicate dance between consumer privacy protection, upholding their product's efficacy, and de-risking cyber breaches. Data De-Identification Weaknesses in the Digital World There are two primary laws guiding online privacy: the General Data Protection Regulation and the California Privacy Rights Act, although many countries and states have started to write their own. Among the various safeguard measures, data de-identification is a prime one. Both define data de-identification as the process of making PII anonymized in a way that any piece of secondary information, when associated with the personal data, cannot identify the individual. The industry unanimously agrees on some entities as personal data including a name, address, email address, and phone number. These laws neither explicitly list the attributes that are personal nor do they mention how and when to anonymize, beyond sharing a few best practices. Full anonymization of personal data and the data linked to it is useless to businesses in this ever-digital world. Every new technological breakthrough demands massive input of data sets - both personal and aggregated. Companies need to maintain non-anonymized data sets for their users to validate login attempts, prevent account takeovers, provide personalized recommendations, and more. A financial institution needs several key pieces of personal data to comply with know-your-customer rules; for example, an e-commerce provider needs its end user's delivery address. Such use cases cannot be fulfilled with completely de-identified data sets. Companies use a process known as pseudo-anonymization, an irreversible data hashing technique that involves converting personal data into a string of random characters that can't be reverse engineered. This technique has a serious flaw: Rehashing the same personal data yields the same string of random characters. In the event of a data breach, if the hacker gets access to a database of pseudo-anonymized personal data and the key used to pseudo-anonymize the personal data, they could infer the actual consumer data just by running multiple lists of breached personal data available in the Dark Web and matching the output by sheer brute force. What's worse: Individual device and browser metadata is almost always stored in raw format, making it easier for the hacker to run associations and get past fraud-detection systems. If the hacker gets access to a financial institution's database containing pseudo-anonymized personal phone numbers along with a range of browser and device attributes that are tied to the end user, the hacker can run possible phone number combinations through the same algorithm and match the output with the database. Using the phone number, the browser, and device attributes, an attacker can perform an account takeover attempt. Safeguarding Consumer Data in the Era of Pseudo-Anonymization Safeguarding personal data requires constant monitoring and threat mitigation against sophisticated hackers. On the data infrastructure side, privacy vaults can disassociate sensitive data from the business' core infrastructure. In case of a breach, sensitive data stays in a secluded vault. Using separate infrastructures for storing the key to the pseudo-anonymized data is also recommended to reduce breach impact. Other recommendations include rotating the key at an optimum interval. Once rotated, the key can unlock the personal data only until that time, reducing the volume of data at risk. Creating multiple keys is an additional defense technique. Beyond the one key used to unlock personal data, storing additional "Dummy" keys confuses hackers on which key to use. Each additional dummy key exponentially increases the time to unlock the data, thus buying additional time for the business to take mitigation steps. Anonymizing nonpersonal information, such as device and network data related to the consumer, also increases the complexity for the hacker since now they have more data to unlock with possibly higher cardinalities than the personal data itself.

This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 20:25:01 +0000


Cyber News related to Data De-Identification: Balancing Privacy, Efficacy & Cybersecurity

What is cloud load balancing? - Cloud load balancing is the process of distributing workloads across computing resources in a cloud computing environment and carefully balancing the network traffic accessing those resources. Cloud load balancing helps enterprises achieve ...
6 months ago Techtarget.com
How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
1 week ago Aws.amazon.com
Privacy Education for Students: A Vital Curriculum Component - Recognizing privacy as a fundamental right, educators are increasingly acknowledging the importance of integrating privacy education into the curriculum. This article explores the significance of privacy education for students and its role as a vital ...
9 months ago Securityzap.com
My Yearly Look Back, a Look Forward and a Warning - 2023 saw cybersecurity and privacy law arrive at a crossroads, especially with regard to the regulatory landscape. This is the time of year when it is traditional to look back at the past year and extrapolate forward to make predictions for the year ...
9 months ago Securityboulevard.com
Holistic Approach To Privacy and Security in Tech - In this article, I would like to explain how I tackle privacy and security issues that are specific for large scale web and mobile applications and Big Tech. First, let's outline some of the biggest challenges Big Tech companies deal with in terms of ...
10 months ago Feeds.dzone.com
Business Data Privacy Laws: Compliance and Beyond - Governments worldwide have implemented strict data privacy laws to protect individuals' information in the face of increasing cyber threats and data breaches. Let's dive into the world of business data privacy laws as we navigate the complexities of ...
8 months ago Securityzap.com
Privacy Isn't Dead. Far From It. - EFF is one of dozens, if not hundreds, of organizations that work to protect privacy. Millions of people read EFF's website each year, and tens of millions use the tools we've made, like Privacy Badger. Privacy is one of EFF's biggest concerns, and ...
7 months ago Eff.org
Data De-Identification: Balancing Privacy, Efficacy & Cybersecurity - COMMENTARY. Global data privacy laws were created to address growing consumer concerns about individual privacy. These laws include several best practices for businesses about storing and using consumers' personal data so that the exposure of ...
10 months ago Darkreading.com
Protecting Student Privacy Online - In the rapidly evolving world of online education, the protection of student privacy has emerged as a critical concern. This article delves into the privacy risks associated with online education and highlights the significance of complying with ...
9 months ago Securityzap.com
What CISOs Need to Know About Data Privacy in 2024 - While consumers continue to demand stronger personal data protections, companies are scrambling to keep track of an ever-evolving patchwork of applicable laws and regulations. In this environment, cybersecurity professionals need to understand the ...
9 months ago Cybersecurity-insiders.com
Enhancing Home Privacy with Technology: Your Digital Shield - In an ever-evolving world, technology has become increasingly integral to home privacy. Smart lock systems, video doorbells, motion sensors, security cameras, and automated privacy settings are some of the popular home privacy tech options available. ...
9 months ago Securityzap.com
Building a Privacy-Centric Organization with FireMon - As organizations increasingly rely on technology to streamline operations and connect with customers, the need for robust privacy measures has become more critical than ever. Here at FireMon, we play a pivotal role in building a privacy-centric ...
8 months ago Securityboulevard.com
Transcend enhances its privacy platform to address current and future compliance challenges - Transcend announced an expansion of its product suite-going even further to help the world's best brands manage complex privacy compliance challenges. Powering privacy for Fortune 100 companies, the global 2000s, and high-growth start-ups, Transcend ...
9 months ago Helpnetsecurity.com
Building a Sustainable Data Ecosystem - Finally, I outline future research and policy refinement directions, advocating for a collaborative and responsible approach to building a sustainable data ecosystem in generative AI. In recent years, generative AI has emerged as a transformative ...
6 months ago Feeds.dzone.com
Fortinet Contributes to World Economic Forum's Strategic Cybersecurity Talent Framework - Shining a light on the cybersecurity workforce challenge, the World Economic Forum recently published its Strategic Cybersecurity Talent Framework, which is intended to serve as a reference for public and private decision-makers concerned by the ...
4 months ago Feeds.fortinet.com
Unlocking the Secrets of Data Privacy - Data masking, or obfuscation involves hiding original data with random characters or data. Data masking is commonly used in software development and testing, where developers must work with realistic data sets without accessing sensitive information. ...
8 months ago Feeds.dzone.com
Privacy Badger Puts You in Control of Widgets - The latest version of Privacy Badger replaces embedded tweets with click-to-activate placeholders. This is part of Privacy Badger's widget replacement feature, where certain potentially useful widgets are blocked and then replaced with placeholders. ...
9 months ago Eff.org
Thought GDPR Compliance Was Hard? Buckle Up - COMMENTARY. Five years since the European Union's General Data Protection Regulation took effect, its fingerprints are everywhere: from proliferating privacy laws worldwide to the now-ubiquitous consent banners seen across websites of every kind. For ...
10 months ago Darkreading.com
Tech Privacy: Navigating the Age of Digital Surveillance - Users generate and share a significant amount of personal data with third-party companies, highlighting the importance of understanding data ownership and privacy. Technology offers benefits such as data encryption, two-factor authentication, and ...
10 months ago Securityzap.com
Student Cybersecurity Clubs: Fostering Online Safety - Student cybersecurity clubs are playing a crucial role in promoting online safety among students. Student cybersecurity clubs play a vital role in this regard, as they provide a platform for students to learn about the latest threats, share best ...
9 months ago Securityzap.com
Navigating the Digital Frontier: Insights from Leading Experts on Data Privacy Day - The roots of Data Privacy Day can be traced back to the European Data Protection Day, marking the historic signing of Convention 108 on January 28, 1981 - the first-ever international treaty addressing privacy and data protection. Fast forward to ...
8 months ago Cybersecurity-insiders.com
Navigating the Digital Frontier: Insights from Leading Experts on Data Privacy Day - The roots of Data Privacy Day can be traced back to the European Data Protection Day, marking the historic signing of Convention 108 on January 28, 1981 - the first-ever international treaty addressing privacy and data protection. Fast forward to ...
8 months ago Cybersecurity-insiders.com
Navigating the Digital Frontier: Insights from Leading Experts on Data Privacy Day - The roots of Data Privacy Day can be traced back to the European Data Protection Day, marking the historic signing of Convention 108 on January 28, 1981 - the first-ever international treaty addressing privacy and data protection. Fast forward to ...
8 months ago Cybersecurity-insiders.com
Navigating the Digital Frontier: Insights from Leading Experts on Data Privacy Day - The roots of Data Privacy Day can be traced back to the European Data Protection Day, marking the historic signing of Convention 108 on January 28, 1981 - the first-ever international treaty addressing privacy and data protection. Fast forward to ...
8 months ago Cybersecurity-insiders.com
Navigating the Digital Frontier: Insights from Leading Experts on Data Privacy Day - The roots of Data Privacy Day can be traced back to the European Data Protection Day, marking the historic signing of Convention 108 on January 28, 1981 - the first-ever international treaty addressing privacy and data protection. Fast forward to ...
8 months ago Cybersecurity-insiders.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)