Each month, we bring you some of the most compelling cloud and Salesforce security-related stories from the last four weeks. In this post, we discuss hybrid cloud security challenges, Vermont’s updated data breach law, Zoom’s new CISO, and more.
The Green Mountain State updated its data breach notification law to expand the definition of “personal information.” When combined with a person’s first and last name, “personal information” now encompasses:
- Identification information: Individual taxpayer ID number, passport number, military ID card number, and other government-assigned identification documents used for commercial transactions.
- Biometric data: Fingerprints, retina scans, iris images, and other unique measurements of the human body that identify or authenticate a consumer.
- Genetic information: Information gathered from DNA or blood tests, among others.
- Health records: Information recorded as part of wellness or health promotion programs for disease prevention, medical diagnoses or treatments, and health insurance policy numbers.
Along with the updated definition, the law now requires notification upon breach of login credentials such as usernames and email addresses when combined with a password or security question. If a breach is limited to login credentials and no other personally identifiable information (PII), then data collectors are only required to notify the Attorney General or Department of Finance if the data collector is regulated by the Department.
The changes went into effect on July 1, 2020.
With a hybrid cloud environment comes a host of challenges, particularly security hurdles that businesses are still struggling to overcome. The annual State of Hybrid Cloud Security report found the three most significant causes behind hybrid cloud security challenges are:
- Increased complexity and scale due to cloud adoption
- Lack of automation
- Overburdened security teams
As an unfortunate consequence of these challenges, the state of hybrid cloud security hasn’t improved year over year. But this doesn’t mean organizations are satisfied with the status quo; many businesses will seek solutions for alleviating concerns and enabling a smoother migration to the cloud. Solutions like user activity monitoring are likely to see an increase in demand, especially for mission-critical tools like Salesforce and Office 365.
Zoom, the video conferencing company, announced the hire of new Chief Information Security Officer Jason Lee. Lee comes to Zoom from Salesforce, where he was the Senior VP of security operations. Prior to Salesforce, he spent 15 years as a security executive at Microsoft.
The announcement came as Zoom approached the end of its 90-day period to develop a substantial privacy and security plan. CEO Eric Yuan has made efforts to address security and privacy concerns as the user base exploded due to co-workers, family, and friends needing a way to connect virtually as they remain at home during the COVID-19 pandemic.
“Zoom is on an incredible journey of growth and I am thrilled to bring my experience of running world-class security organizations to the company. Ensuring that customers trust our products is of the utmost importance and I look forward to working with the team to continue instilling security into the DNA of Zoom.”
– Jason Lee, CISO, Zoom
Tech giant Google recently announced changes to its privacy policies and retain less user data by default. The data privacy improvements will automatically delete activity and location history in both the web and app versions of Google after 18 months. This feature is only for new users, and existing users’ settings won’t be affected, though they will receive notice of the new default settings.
Google previously added controls for auto-deleting information like location history, search data, voice interactions, and YouTube activity after three or 18 months. The development team also simplified the process for switching in and out of incognito mode when using Search, Maps, and YouTube – users can long-press their profile picture icon to toggle.
Another improvement is that Google is making it easier for users to access their privacy and security controls. If a logged-in user searches for terms like “Google Privacy Checkup” or “Is my Google Account secure?” then Google automatically loads a tool to review and adjust settings.
In her recent article, Data Governance For 2020 And Beyond, Forrester VP and Principal Analyst Michele Goetz discusses how to create an effective governance strategy through frameworks and aligning the purpose, culture, and actions of business practices. 2020 has shaped data management in many ways, largely due to the coronavirus and new requirements for maintaining privacy and security during a pandemic.
This article offers a plan of action and other advice that can help organizations prioritize and realign efforts for effective governance throughout 2020 and beyond.
“Here is the truth: There is nothing simple or basic about data governance. Effective data governance grows out of data management maturity. It is why, to make progress, organizations are hiring chief data officers and activating strategic and unified data, analytics, and data governance competency centers. Data governance policies and procedures designed to herd your organization’s “data cats” require experience and expertise.”
– Michelle Goetz, VP and Principal Analyst, Forrester
Across Europe, countries like Germany, France, Italy, and Britain have been rolling out coronavirus contact-tracing apps to isolate new patients and prevent the spread of the virus. Contact-tracing apps work by alerting users who have been in contact with an infected person, alleviating the burden of tracking down and communicating with every individual who may have been in contact with a COVID-19 carrier.
While these apps are meant to help prevent a secondary wave of coronavirus infections, they’ve also raised concerns over data privacy since they utilize health information, cellphone data, credit card activity, location history, and other personal information to track possible interactions. To combat unwanted surveillance concerns, some countries have made use of contact-tracing apps optional, with the unfortunate side effect of reducing effectiveness. Citizens are concerned about the apps’ efficacy of and giving tech giants and the government even more power.
The question stands – what’s more important, individuals’ privacy or public health? Developers, lawmakers, and privacy and security professionals continue to work on striking the right balance.