New EU restrictions could force companies to change data transfer practices and adopt more advanced data encryption methods
Traditionally, privacy has taken the form of a policy document created, housed, and referenced by the offices of general counsel and compliance at most organizations. In the past decade however, largely driven by digital transformation and the digital economy, data has become the lifeblood of functionality and innovation ensuring things run smoothly, consumers are happy, new opportunities are uncovered, and progress accelerates. As a result, data has become a critical asset for companies and governments alike, as well as the primary target for nefarious actors and nation states.
Personally Identifiable Information (PII) is the top target for cybercriminals, according to the annual Cost of a Data Breach report by IBM and Ponemon Institute. The 2020 analysis found that customer data was by far the most commonly compromised type of record, with 80% of breached organizations saying that customer PII was affected. “While the average cost per lost or stolen record was $146 across all data breaches, those containing customer PII cost businesses $150 per compromised record,” said the report. In recent years, costly breaches and evolving data security concerns have made data protection a board-level agenda item.
How data is used, classified, and protected carries cultural differences and varying geo-political values around the world, making data privacy and security a multidimensional problem to solve. Data privacy is not a check-the-box compliance or security item. Rather it is a complex, business risk management issue that has both legal and operational elements woven throughout its fabric.
Multinationals Face Unique Challenges
Multinationals face difficult and unique compliance challenges to successfully meet the ongoing waves of government regulations for data privacy and security. The most sweeping and aggressive regulation, the European Union’s General Data Protection Regulation (GDPR), went into full force in May 2018. Compliance with GDPR requires that each line of business, compliance team, IT staff and security operations center reach alignment on new operating procedures and corresponding changes to IT infrastructure, applications, and security.
The problem is not limited to the requirements of GDPR. Beyond GDPR there are also the Payment Card Industry (PCI) standards, the Health Insurance Portability and Accountability Act (HIPAA), the California Data Privacy Act (CCPA) and much more. Multinationals are uniquely affected by these compliance regulations. While regulations like GDPR originate locally within the EU, the scope of their impact is global: every business that uses, processes or controls data for European citizens and residents must meet all of the requirements. For some, the impact and expense of GDPR compliance can be overwhelming, and the financial cost of failing to comply can be even greater.
Things get even more complicated with the July 2020 ruling from the EU’s top court that the EU-U.S. Privacy Shield was unlawful. The 2016 agreement enabled trans-Atlantic commercial data transfers, but the court said U.S. government surveillance posed a threat to privacy and there was no sufficient redress in the American legal system for Europeans. In response to the ruling, the EU’s executive body has prepared draft guidelines specifying how companies can transfer data to countries outside of the bloc. The new clause tightens requirements for companies moving data to business partners or subsidiaries abroad.
The vast global supply chain and the many third-party organizations that a multinational company exchanges data with present a multitude of technical, legal, risk and compliance challenges. Privacy experts predict that companies will likely turn to new and more advanced data encryption methods to comply with the recent EU restrictions.
In the Dec. 3 blog post, A Solution to Schrems II and the Security of Transatlantic Data Flows, Sebastien Cano of Thales takes a closer look at the recent EU guidelines for data protection of personal data, calling for robust encryption of data in motion and strong key management to build a trusted security framework.
Data Privacy and Security in the Quantum Era
Q-Day, the day on which a quantum computer breaks the Public Key Encryption (PKE) that protects most of our digital world and the personal data critical to industry, is coming. Industry pundit and Cryptography Apocalypse book author Roger Grimes predicts 2021 will “likely see the first public acknowledgment of the quantum crypto break, where quantum computers are capable of breaking traditional public key crypto.”
While pundits debate the actual arrival time of a quantum computer, the quantum era is fast approaching and could arrive much sooner than anticipated. Certainly, any organization deploying a network infrastructure today should ensure it is quantum-safe now or risk its premature obsolescence. Waiting is nothing less than shortsighted and could have major long-term consequences on the organization including the loss of revenues, customer trust, critical data, and IP, as well as exposure to increased risks.
For existing infrastructure, the looming quantum threat coupled with data privacy and security regulations, should force companies to reexamine their data transfer practices, quantum-proof their communications infrastructure, and incorporate quantum-enhanced encryption into their technology stack today. There’s just too much at stake to wait.
Cyber-aware organizations should begin their quantum readiness journey by conducting a data protection inventory and quantum-risk assessment. Not all data is created equal. Different data types require different protection levels – or defense-in-depth countermeasures. Then evaluate and deploy practical and highly scalable quantum-safe technologies that are available today.
Quantum-Proofing Your Communications Infrastructure Starts by Making Your Network Encryptors Immediately Quantum-Resistant
As more and more organizations rely on a zero-trust security model and an encrypt-everything approach, they need options and a flexible, crypto-agile network that can ensure all data transmissions across the Internet or internal network are protected, secure, and compliant with local laws and regulations.
Phio Trusted Xchange (TX) from Quantum Xchange gives companies choice and an affordable, crypto-agile key infrastructure to easily upgrade defenses as the threat landscape evolves. It is the first key exchange to support quantum keys in any format (PQC, QKD, QRNG or a combination) – offering multinationals the strongest form of encryption available today. Using its patent-pending, out-of-band symmetric key delivery technology, Phio TX is uniquely capable of making existing, classical keys quantum-safe – delivering an immediate and far stronger cybersecurity posture to any network environment.
Phio TX used in combination with Thales High Speed Encryptors (HSE) arms customers with a powerful and dynamic enterprise security solution and the only key distribution system capable of making native encryption keys quantum-safe today. The joint solution addresses PKE vulnerabilities head-on with quantum-enhanced keys and quantum-safe out-of-band key delivery that can easily scale to meet the risk mitigation needs of the business at any time.
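As an added illustration of the general hybrid-key principle behind "making classical keys quantum-safe" (example code written for this page, not Quantum Xchange's or Thales' implementation or protocol): a link key derived with HKDF from both a classically negotiated key and an independently delivered out-of-band key stays secret unless an attacker recovers both inputs, and a mode tag in the KDF context keeps classical-only and hybrid keys from ever colliding. All key values, salts and identifiers below are constructed placeholders.

```python
import hmac
import hashlib
from typing import Optional

def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) built on HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # HKDF-Extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                      # HKDF-Expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _lv(data: bytes) -> bytes:
    """Length-prefix a field so concatenated inputs cannot be re-split ambiguously."""
    return len(data).to_bytes(2, "big") + data

def hybrid_link_key(classical_key: bytes, oob_key: Optional[bytes],
                    key_id: bytes, length: int = 32) -> bytes:
    """Derive a link key from a classically negotiated key and, when available,
    an out-of-band delivered symmetric key (e.g. QKD- or QRNG-sourced).
    Both secrets feed the KDF as input keying material, so the result stays
    unpredictable to anyone who knows only one of them.  The key identifier and
    mode are bound into 'info' so keys for different links or modes never collide.
    Hypothetical illustration of the hybrid-key idea, not any vendor's protocol."""
    mode = b"hybrid" if oob_key is not None else b"classical"
    ikm = _lv(classical_key) + _lv(oob_key or b"")
    info = b"hybrid-link-key|" + mode + b"|" + key_id
    return hkdf_sha256(b"example-salt-v1", ikm, info, length)

# Constructed demo values (placeholders, not real key material)
CLASSICAL = bytes(range(32))          # key agreed over the classical channel
OOB = bytes(32 * [0xA5])              # same key delivered out of band to both ends
KEY_ID = b"link-42"

def demo() -> dict:
    """Both encryptor endpoints derive identical keys; a party holding only the
    classical key derives something else entirely."""
    site_a = hybrid_link_key(CLASSICAL, OOB, KEY_ID)
    site_b = hybrid_link_key(CLASSICAL, OOB, KEY_ID)
    classical_only = hybrid_link_key(CLASSICAL, None, KEY_ID)
    return {"match": site_a == site_b,
            "differs_without_oob": site_a != classical_only,
            "key_len": len(site_a)}

if __name__ == "__main__":
    print(demo())
```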
With the market’s first quantum-safe HSE and a dynamic quantum-secure infrastructure in place, multinational organizations can easily increase their quantum-protection levels as the threat landscape evolves, cross-border data transfer regulatory practices intensify, and new risks associated with advances in computing and mathematics emerge.
To learn more about the joint solution, download Thales and Quantum Xchange: Delivering Quantum Safe, Data-in-Motion Security Without Compromise solution brief.