September 2014 Data Protection Heat Index SURVEY REPORT Sponsored by Cisco Systems

Data Protection Heat Index Survey Report – Sep 2014


DESCRIPTION

In 2014, the Cloud Security Alliance surveyed a select group of global data privacy experts to measure attitudes toward data protection areas that tie into technology solutions enabling the exchange of information across the cloud. The survey data will be incorporated into a Data Protection Heat Index that Cisco is building to inspire global interest and cooperation in aligning cloud, Internet of Things (IoT) and big data solutions to the data sensitivities of the regions in which they are being built to operate. The survey is structured in four parts, and the findings are surprising and indicative of a positive role that privacy and data protection principles can play in the development of cloud, IoT and big data solutions. Cisco’s Data Protection Heat Index is a valuable tool in employing a Privacy by Design approach. The Privacy by Design framework is the gold standard in privacy protection, offering the user the ability to build in privacy right from the outset, surpassing global legislated requirements for privacy, and representing a significant “raising of the bar” in terms of privacy protection.



DATA PROTECTION HEAT INDEX SURVEY Report, September 2014

© 2014 Cloud Security Alliance – All Rights Reserved

All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “Data Protection Heat Index Survey Report” at https://cloudsecurityalliance.org/research/surveys/, subject to the following: (a) the Document may be used solely for your personal, informational, non-commercial use; (b) the Document may not be modified or altered in any way; (c) the Document may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Document as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance “Data Protection Heat Index Survey Report” (2014).


Acknowledgements (In alphabetical order)

Special Thanks

Dan Blum, Chief Security and Privacy Architect for Respect Network; Former Burton Group and Gartner Analyst

Mary Beth Borgwing, President, Cyber and Risk Practice Advisen

Daniele Catteddu, Managing Director for CSA EMEA

Dr. Ann Cavoukian, Executive Director for Ryerson University Institute for Privacy and Big Data; Former Information and Privacy Commissioner of Ontario, Canada

Michele Drgon, CEO for DataProbity

Frank Guanco, Project Manager for CSA

Renee Guttman, VP Office of the CISO/Accuvant; Former Fortune 500 CISO; Ponemon Fellow

Raj Samani, VP, CTO for McAfee; Chief Innovation Officer for CSA EMEA

Luciano (J.R.) Santos, Global Research Director for CSA

Managing Editor/Researcher

Evelyn DeSouza, Compliance and Data Privacy Leader for Cisco

John Yeoh, Senior Research Analyst for CSA

Design/Editing

Tabitha Alterman, Copyeditor

Kendall Cline Scoboria, Graphic Designer for Shea Media

Evan Scoboria, Co-Founder for Shea Media, Webmaster for CSA


Table of Contents

Acknowledgements

Executive Overview

Survey Overview

  Findings Summary

Survey Results

  Data Residency/Sovereignty

  Lawful Interception

  User Consent

  Privacy Principles

Summary


Executive Overview

The ways in which different countries or regions approach privacy can be diverse and varying, which is why the Data Protection Heat Index was developed by the Cloud Security Alliance (CSA). The collaboration brought individuals together from various corners of the globe to form focus groups and provide information about their regions’ laws and practices surrounding personal information. Survey participants provided answers regarding the regulation of data, the geographical area their data protection laws govern, governmental practices, the role of consent, and security standards. By discovering areas of alignment and deviation with regard to global data protection laws and practices, as depicted by the Data Protection Heat Index, organizations can drive innovation within the context of new technologies such as cloud computing, the Internet of Things, and big data.

It is essential that organizations designing the smarter technologies of the future adopt a privacy protection standard that reaches above and beyond regional differences. The Privacy by Design framework is the gold standard in privacy protection, offering the user the ability to build in privacy right from the outset, surpassing global legislated requirements for privacy, and representing a significant “raising of the bar” in terms of privacy protection. In 2010, regulators from around the world gathered at the annual assembly of International Data Protection Authorities and Privacy Commissioners in Jerusalem, Israel, and unanimously passed a Landmark Resolution recognizing Privacy by Design as an essential component of fundamental privacy protection. By building in privacy at the time of design, manufacturers and vendors can engineer much more effective solutions, better meet regulatory compliance standards and save time and money versus having to retrofit solutions or experience the negative reputation that can be caused by data breaches.

The Data Protection Heat Index is a valuable tool in employing a Privacy by Design approach. There is a need for global cooperation and discussion around standards – work – one that places the user at the center of any data protection regime. The Organisation for Economic Co-operation and Development (OECD) Fair Information Practice Principles (FIPPs) have done so for decades, having been reaffirmed during a review of the principles in July 2013. Some have suggested that the OECD FIPPs, which most privacy laws are based upon, should be revised to loosen the individual’s control over their personal information. However, while the world is changing due to the growth of big data and ubiquitous computing, individuals still have the right to a basic expectation of how their personal data will be used by companies and governments.

It is important to realize that as technologies advance, and the amount of personal information available for storage and analysis grows to unprecedented levels, it is now more than ever that we must preserve and build upon the privacy principles we currently rely on. It is my hope that one day every country will have some form of legislated requirement for Privacy by Design. Until then, I hope you will find the Data Protection Heat Index useful, and that you will take the opportunity to learn about Privacy by Design (www.privacybydesign.ca).

Best Regards,

Dr. Ann Cavoukian

Executive Director, Ryerson University Institute for Privacy and Big Data

Former Information and Privacy Commissioner of Ontario, Canada

“I'm very taken by Privacy by Design, which has 7 foundational privacy principles. The positive sum principle can help steer us towards greater harmonization of data privacy implementations.”

Dan Blum, Chief Security and Privacy Architect for Respect Network; Former Burton Group and Gartner Analyst


Survey Overview

The Cloud Security Alliance surveyed a select group of global data privacy experts with the intention to measure attitudes towards data protection areas that tie into technology solutions which enable the exchange of information across the cloud.

Survey respondents from across North America, Asia-Pacific and the European Union were categorized according to their professional areas: privacy/legal, CISO/InfoSec and developer/architect. We specifically hand-selected 40 of the most influential thought leaders based on their titles and day-to-day roles:

Privacy commissioners play a pivotal role in advising about and setting data privacy standards, as well as enforcing regulations within their respective jurisdictions. Privacy and legal counselors are responsible for advising business leaders on emerging and required changes to privacy standards, and the legal and ethical impact of such standards on their businesses.

CISOs and InfoSec leaders are instrumental in architecting data protection capabilities into new IT solutions.

Developers and architects are moving rapidly on architecting new and innovative capabilities for cloud, IoT and big data solutions.

Findings Summary

The survey was structured in four parts and the findings were both pleasantly surprising and indicative of a positive role that privacy and data protection principles can play in the development of cloud, IoT and big data solutions.

Data Residency and Sovereignty

Respondents identified “personal data” and Personally Identifiable Information (PII) as the data that is required to remain resident in most countries. It was interesting to note that responses to the question of how their country’s definition of data residency/sovereignty compares with other regions were split evenly among the three response types of Open, Restricted, and Unknown.

Lawful Interception

Responses indicated a universal interpretation of the concept of lawful interception. The question on the criticality of privacy to employee trust drew a surprising 25% of responses showing “neutral” to “low importance.”

User Consent

Of particular note is that 73% of respondents indicated that there should be a call for a global consumer bill of rights and furthermore saw the United Nations as fostering that.

“Beyond data protection regulations, understanding the expectations of privacy is an important component in maintaining trust and assurance in the digital age. The work done to develop a data protection heat map is a strong indicator as to those expectations, and should be an important component in the provision of digital services.”

Raj Samani, VP, CTO for McAfee EMEA; Chief Innovation Officer for Cloud Security Alliance


Privacy Principles

In this section, we surveyed whether OECD privacy principles would facilitate the trend or cause room for tension with cloud, IoT and big data. The responses were surprisingly in favor of facilitating the trend. This trend seems indicative of a shared interest to bake emerging privacy principles into new solutions versus trying to retrofit solutions post-build to accommodate privacy.


Survey Results

Data Residency/Sovereignty

Increasingly regulated data is bound to remain within specified geographic bounds. What types of data cannot traverse geographic boundaries in your region?

Personal data and Personally Identifiable Information (PII) were the prevailing themes for these responses.

RESPONSE SAMPLING

“The transfer of personal data to a foreign State is prohibited whenever it may endanger public security or Tunisia's vital interests. (Article 50 Organic Act N°2004-63 of July 27th 2004 on the protection of personal data)”

“There is no limitation on data traversing geographic boundaries in my region. However, national law imposes that if sensitive data are transferred outside EU space, in countries that are not compliant with EU data protection regulations, then data controllers must notify the competent national authority for this process.”

“In Hong Kong, cross-border transfer of personal data is covered by Section 33 of the Personal Data (Privacy) Ordinance ("PDPO"), which restricts transfer to jurisdictions with similar protections (similar to EU law). However, this is currently not operative. Effectively there is currently no cross-border restriction in operation.”

“U.S. doesn't really restrict the flow of PII across boundaries. There are restrictions for "arms" information (ITAR).”

How does your country’s definition of data residency/data sovereignty compare with other regions?

These responses were divided evenly. Most responses from the European Union showed alignment to legal frameworks, whereas respondents predominantly in the United States did not always know how definitions compare. Also, one-third of responses indicated that data sovereignty was defined in a more restrictive manner compared to other regions.

RESPONSE SAMPLING

Open

“US regulations allow transference of specific data types with specific security measures such as encryption for data in motion, at rest and in use. EU standards and ASIA PAC are more stringent as they do not allow specific data types to transit externally-hence in such and in my opinion the regulation boundaries OUTCONUS are much stricter.”


“The USA imposes few specific restrictions as compared with Europe. As such we are very sensitive to Safe Harbor provisions.”

Restricted

“Based on the legal framework of directive 95/46/EC as many European Countries.”

“…most of the US operations are considerably less sensitive to privacy data than Europe and more sensitive than what we see in APAC or Latin America.”

“In my country the crucial element is the location of the data controller, regardless of nationality or country of origin of the data subject. If the data controller is located outside EU space, then data subject is not protected by EU regulation. Thus, it is possibly important to set data residency criteria in order to enhance the protection offered to the data subject.”

Lawful Interception

What does lawful interception mean to you?

Responses indicated a fairly universal interpretation of lawful interception.

RESPONSE SAMPLING

“Lawful interference is interference by a public authority or its agency in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”

“The right to access data through country-specific laws if the need arises, i.e. data needs to be made available for a cybercrime investigation.”

“Lawful interception means that under certain circumstances and by following strictly defined procedures the secrecy of communication no longer applies and the identity of the data subject (ex. an IP holder) can be revealed.”


How would you rate your country’s processes to obtain information for the purposes of criminal and terrorist investigation for the following elements?

Ratings of efficiency for countries' processes to obtain information for this section were expected to be average and above. However, on the spectrum for Transparency and Accountability, a majority of the responses were on the poor to fair side.

Briefly describe the process your country uses to obtain information for the purposes of criminal and terrorist investigation?

Most responses were focused on legal means of obtaining information.

RESPONSE SAMPLING

“Legally this needs a warrant or a subpoena, but blanket data capture is not ruled out. Many public examples exist.”

“See The Police and Criminal Evidence Act 1984 codes of practice (which regulate police powers and protect public rights), and recent revisions.”

“The US has a strong infrastructure of legal processes, both public and secret to obtain evidence for investigations. However, there are significant concerns about government entities exceeding or bypassing these established controls.”

“Only the judicial authorities are competent for obtaining information for the purposes of criminal and terrorist investigation. To my knowledge this happens when special conditions apply, namely when a serious crime is identified.”

“Governed by Part VI of the Criminal Code of Canada (Invasion of Privacy)”

“Hong Kong Police, Department of Immigration, and the Independent Commission Against Corruption are key agencies. As Hong Kong does not have sovereign state status, foreign affairs, intelligence and military are all external to HK and in the control of the PRC.”

Rate the importance of the following statement: “Privacy is critical to employee trust.”

Surprisingly, there were close to a quarter of respondents across the United States, Europe and Asia who were neutral or who did not see privacy as critical to employee trust.


User Consent

Data protection involves more than just legal frameworks. The responses in this section are indicative of growing end user sensitivities towards data protection and a growing awareness of the benefits and role that a universal set of principles could enable.

Should there be a call for a consumer privacy bill of rights that would be global in nature as opposed to regional?

The responses are indicative of a growing and strong interest in harmonizing privacy laws toward a universal set of principles.

What role should the United Nations play in fostering universal rights for consumers?

Many respondents felt that the United Nations could play a pivotal role in fostering a consumer bill of rights.

RESPONSE SAMPLING

“The role of the United Nations is essential in promoting a universal charter to establish rules that states must draw inspiration for their internal regulations to protect consumers.”

“The UN General Assembly could pass a principled resolution (not a prescriptive one) with broad consensus, perhaps just to endorse existing FIPPs. It would be great if the UNGA could adopt Privacy by Design as well, which I'm told 35 national privacy commissioners have accepted already as an international standard.”

RESPONSE SAMPLING: YES

“Global guidelines would be helpful in harmonizing a wide range of similar privacy laws around the world. However, on its own, they would have little enforceable effect.”

RESPONSE SAMPLING: NO

“This steps over the sovereign rights of individual nation states.”


Legislators are currently analyzing the implications of big data on privacy. What are your recommendations to legislators on this issue and why?

RESPONSE SAMPLING

“For the U.S., pass world-class privacy legislation akin to Canada's or Europe's.”

“Pass legislation introducing more controls on intelligence gathering and separate the "offensive" cybersecurity defense functions from the "defensive" ones into different organizations with different missions.”

“The EU rules related to automated processing and database registration will help provide an initial extension to existing laws in this area that the US could emulate to a degree.”

What would you recommend to company executives as their role in ensuring the integrity of their processes?

RESPONSE SAMPLING

“Establish principle of organization-wide respect for people's privacy for the benefit of the brand.”

“A risk-based approach must be taken for both the organization and its employees. Processes and procedures must exist and it makes sense to utilize and refine them in a life cycle manner.”

“Privacy-by-design is very important. It is very hard to add privacy as an after-thought. Companies that respect the privacy of their customers will succeed better in the longer-term.”

“Privacy to me is very similar to ethics and very connected in my world. There are always going to be very ethical people who will do their utmost to protect individuals and organizations while unethical people may try to take shortcuts with privacy. It's also an education process. Ultimately, the C-suite has to own privacy and actually build it holistically into their processes, InfoSec programs, and the products and services they offer.”

Mary Beth Borgwing, President, Cyber and Risk Practice Advisen

As a consumer, how do you feel that your data is frequently used for marketing purposes without your expressed consent? For example, you shop on a vendor’s website and then start to see advertisements.


Privacy Principles

As developers work on building out cloud, IoT and big data solutions, indicate below which of the OECD privacy principles [i] you see as areas that will help facilitate this trend versus those that could make room for tension.

In this section, we examined each of the OECD principles and looked at how they facilitated trends or were an enabler versus caused room for tension or impeded development.

DATA COLLECTION LIMITATION PRINCIPLE: Collect data by lawful means only

DATA QUALITY PRINCIPLE: Personal data should be relevant to the purposes for which it is being used and should be accurate, complete and kept up-to-date

“The OECD privacy principles catalyzed the creation of privacy frameworks and subsequent legislation globally. The privacy principles provide a common language for these concepts to be built into data privacy legislation. Now, what people care about has evolved: untraceability, unlinkability, minimization, anonymity have become additional key points of focus […] The Data Quality principle has really become Data Minimization and Data Quality and it is going to be a vital driver for Big Data and IoT.”

Michele Drgon, CEO for DataProbity


PURPOSE SPECIFICATION: The purposes for which personal data is collected should be specified at the time of data collection and the subsequent use limited to the fulfillment of those purposes

USE LIMITATION PRINCIPLE: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified

SECURITY SAFEGUARDS PRINCIPLE: Personal data should be protected by reasonable security safeguards against such risk as loss or unauthorized access, destruction, use, modification or disclosure of data


OPENNESS PRINCIPLE: There should be a general policy of openness about developments, practices and policies with respect to personal data

INDIVIDUAL PARTICIPATION PRINCIPLE: An individual should have the right: a) to obtain from a data controller, b) to have communicated data relating to him/her…

ACCOUNTABILITY PRINCIPLE: A data controller should be accountable for complying with measures which give effect to the principles stated above


Summary

Privacy can be viewed as a maze of complicated regulations and guidance, or also examined from the standpoint of important underlying principles. The benefit of paying greater focus to these underlying principles is highlighted in several of our survey responses. Responses in the Data Residency/Data Sovereignty section indicated that privacy experts had similar opinions around the regulation of personal data and PII, and there were universal interpretations on the concept of lawful interception. The overwhelmingly favorable response for a Global Bill of Consumer Rights further highlights the opportunity to focus on common principles. Responses to the OECD principles as they could facilitate or cause tension for cloud, IoT and big data are significantly in favor of privacy principles as a business enabler. These findings highlight the very significant opportunity for global co-operation between CISOs and InfoSec professionals, privacy leaders and developers and architects to build privacy principles into new and emerging solutions.

[i] OECD Privacy Principles: http://oecdprivacy.org/#participation

“The time has come where it is no longer optional as to whether companies adopt privacy principles in their products and services. Companies need to adhere to privacy principles, especially “purpose” and “use limitation,” in order to avoid developing applications that are considered invasive by individuals who use them. To be successful, privacy can't be bolted on after a system has been launched. Privacy needs to be incorporated when the system is designed. That said, companies will likely be required to retrofit existing systems, a fact which is both underappreciated and under-resourced.”

Renee Guttman, VP Office of the CISO/Accuvant; Former Fortune 500 CISO; Ponemon Fellow

“If developers and privacy professionals approach building in privacy from the standpoint that they want to do the right thing, they are going to find increased opportunities to innovate and develop solutions in a positive manner. They will relieve themselves of many compliance obligations, reporting and potential legal issues. Respecting privacy is generally good for business.”

Dan Blum, Chief Security and Privacy Architect for Respect Network; Former Burton Group and Gartner Analyst