Data privacy regulations such as General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) have been at the center of discussions surrounding the need for data privacy laws at a federal level and, as of February 2021, new state-specific regulations proposed by Washington, Virginia, Oklahoma and Minnesota present unique challenges for organizations conducting business in different states, particularly those without pre-existing data management strategies. In addition, organizations will need to understand the variations in these state regulations to assure compliance.

If the added consumer data privacy regulations aren’t enough, organizations are facing a rapid increase in ransomware, with a 40% uptick in cases compared to 2019. As more state-level policies are anticipated to be introduced ahead of a national data privacy policy, it's important for organizations to have the right strategies, policies, processes and technologies in place to ensure compliance while minimizing the impact of potential cyberattacks.

Here, Steve Grewal, Cohesity Federal CTO and former U.S. Department of Education CISO/CTO/CIO, shares his insights into how organizations can leverage modern data management strategies and technologies to ensure they are prepared to reduce the impact of ransomware attacks while being ready for audit and reporting processes to remain compliant with increasing state-by-state regulations.

Security: What is your background, and current role and responsibilities?

Grewal: I’m a veteran technology executive and have served in leadership roles for several federal agencies, including the U.S. General Services Administration (GSA) and the Department of Education (ED). At Cohesity, a leading data management company, I’m  vice president and CTO for Public Sector, responsible for all aspects of go-to-market including product management, thought leadership and marketing, business development, cybersecurity and compliance and customer success for Cohesity's presence in the federal markets. 

Security:  New state-specific regulations proposed by Washington, Virginia, Oklahoma and Minnesota present unique challenges for organizations conducting business in different states, particularly those without pre-existing data management strategies. Could you discuss some of these challenges?

Grewal: Data privacy regulations such as GDPR and CCPA have been at the center of discussions surrounding the need for data privacy laws at a federal level for some time. And, as of February 2021, new state-specific regulations proposed by Washington, Virginia, Oklahoma and Minnesota do, in fact, present an interesting set of challenges for organizations that are interested in doing business with entities that are in other states. The challenge will be striking a balance between doing what’s necessary in terms of data collection while also prioritizing compliance and security - so consumers feel comfortable sharing personal information when necessary and companies have a clear understanding of what practices to follow. These rules help ensure that people will feel safe using technology that requires personal information. Without these protections, companies that adopt unscrupulous data storage processes could undermine the sense of trust that supports most activity online today. In addition, organizations will need to understand the state level regulations to assure end-to-end compliance.

Security: In your opinion, why will organizations need to understand the variations in these state regulations? 

Grewal: Organizations will need to understand the variations in these state regulations because compliance is not a point-in-time exercise, it is an on-going process that requires organizations to take the utmost care in managing and protecting personal data. This means minimizing data volumes, reducing data fragmentation, and -- absent standardized policies in the US across all 50 states on personal data and privacy -- taking a proactive approach to ensure data is secure and protected. It’s imperative that organizations are good stewards of customer data. Failing to make compliance a key part of an overall data management strategy can severely damage trust and erode brand reputations.

Security: Why is it important for organizations to have the right strategies, policies, processes and technologies in place as more state-level policies are anticipated to be introduced?

Grewal: Organizations must have a detailed understanding of data jurisdictions and corresponding security challenges they may present. For example, in relation to specific data privacy regulations like CCPA, data may only be stored or transferred where the state has jurisdiction or an agreement is in place. To ensure compliance, organizations should look for security solutions that allow them to encrypt data, independent of where it's being hosted, while maintaining local control. Additionally, solutions that dynamically allow or deny access based on contextual factors like a user’s location, device type, or job function are very effective. For ease of management and financially efficient, consistent security, organizations should look for a single security platform that integrates all these capabilities into one offering.

Security: How can organizations leverage modern data management strategies and technologies to ensure they are prepared, not only to reduce the impact of cyberattacks, but for any auditing and reporting processes?

Grewal: To better address the challenges of data privacy regulations and customer concerns, organizations need to adopt a data-first mindset. This means prioritizing and investing in the management and protection of data in a manner that effectively balances the intrinsic business value of data with the needs and rights of customers and consumers. 

Consumers and customers expect to be informed of how their data is being used and protected, with complete auditing and reporting. This is a significant challenge for all organizations, and it will require greater collaboration between the individuals tasked with providing data security, privacy, and compliance to meet these expectations and enhanced regulations. Greater levels of collaboration, scrutiny, and the adoption of modern, next-generation data management technologies and strategies will be needed to better protect the data organizations have been entrusted with. If the added consumer data privacy regulations aren’t enough, organizations are facing a significant increase in ransomware attacks. As more state-level policies are anticipated to be introduced ahead of a national data privacy policy, it's important for organizations to have the right strategies, policies, processes and technologies in place to ensure compliance while minimizing the impact of potential cyber attacks.