September 2014
Data Protection Heat Index SURVEY REPORT
Sponsored by Cisco Systems
© 2014 Cloud Security Alliance - All Rights Reserved. 2
DATA PROTECTION HEAT INDEX SURVEY Report, September 2014
© 2014 Cloud Security Alliance – All Rights Reserved
All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security
Alliance “Data Protection Heat Index Survey Report” at https://cloudsecurityalliance.org/research/surveys/, subject to
the following: (a) the Document may be used solely for your personal, informational, non-commercial use; (b) the
Document may not be modified or altered in any way; (c) the Document may not be redistributed; and (d) the
trademark, copyright or other notices may not be removed. You may quote portions of the Document as permitted by
the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security
Alliance “Data Protection Heat Index Survey Report” (2014).
Acknowledgements (In alphabetical order)
Special Thanks
Dan Blum, Chief Security and Privacy Architect for Respect Network; Former Burton Group and Gartner Analyst
Mary Beth Borgwing, President, Cyber and Risk Practice Advisen
Daniele Catteddu, Managing Director for CSA EMEA
Dr. Ann Cavoukian, Executive Director for Ryerson University Institute for Privacy and Big Data; Former Information and Privacy Commissioner of Ontario, Canada
Michele Drgon, CEO for DataProbity
Frank Guanco, Project Manager for CSA
Renee Guttman, VP Office of the CISO/Accuvant; Former Fortune 500 CISO; Ponemon Fellow
Raj Samani, VP, CTO for McAfee; Chief Innovation Officer for CSA EMEA
Luciano (J.R.) Santos, Global Research Director for CSA
Managing Editor/Researcher
Evelyn DeSouza, Compliance and Data Privacy Leader for Cisco
John Yeoh, Senior Research Analyst for CSA
Design/Editing
Tabitha Alterman, Copyeditor
Kendall Cline Scoboria, Graphic Designer for Shea Media
Evan Scoboria, Co-Founder for Shea Media, Webmaster for CSA
Table of Contents
Acknowledgements
Executive Overview
Survey Overview
  Findings Summary
Survey Results
  Data Residency/Sovereignty
  Lawful Interception
  User Consent
  Privacy Principles
Summary
Executive Overview
The ways in which different countries or regions approach privacy can be diverse and varying, which is why the Data
Protection Heat Index was developed by the Cloud Security Alliance (CSA). The collaboration brought individuals
together from various corners of the globe to form focus groups and provide information about their regions’ laws and
practices surrounding personal information. Survey participants provided answers regarding the regulation of data, the
geographical area their data protection laws govern, governmental practices, the role of consent, and security
standards. By discovering areas of alignment and deviation with regard to global data protection laws and practices, as
depicted by the Data Protection Heat Index, organizations can drive innovation within the context of new technologies
such as cloud computing, the Internet of Things, and big data.
It is essential that organizations designing the smarter technologies of the
future adopt a privacy protection standard that reaches above and
beyond regional differences. The Privacy by Design framework is the gold
standard in privacy protection, offering the user the ability to build in
privacy right from the outset, surpassing global legislated requirements
for privacy, and representing a significant “raising of the bar” in terms of
privacy protection. In 2010, regulators from around the world gathered at
the annual assembly of International Data Protection Authorities and
Privacy Commissioners in Jerusalem, Israel, and unanimously passed a
Landmark Resolution recognizing Privacy by Design as an essential
component of fundamental privacy protection. By building in privacy at
the time of design, manufacturers and vendors can engineer much more
effective solutions, better meet regulatory compliance standards and save time and money versus having to retrofit
solutions or experience the negative reputation that can be caused by data breaches.
The Data Protection Heat Index is a valuable tool in employing a Privacy by Design approach. There is a need for global
cooperation and discussion around standards – work – one that places the user at the center of any data protection
regime. The Organisation for Economic Co-operation and Development (OECD) Fair Information Practice Principles
(FIPPs) have done so for decades, having been reaffirmed during a review of the principles in July 2013. Some have
suggested that the OECD FIPPs, which most privacy laws are based upon, should be revised to loosen the individual’s
control over their personal information. However, while the world is changing due to the growth of big data and
ubiquitous computing, individuals still have the right to a basic expectation of how their personal data will be used by
companies and governments.
It is important to realize that as technologies advance, and the amount of personal information available for storage and
analysis grows to unprecedented levels, it is now more than ever that we must preserve and build upon the privacy
principles we currently rely on. It is my hope that one day every country will have some form of legislated requirement
for Privacy by Design. Until then, I hope you will find the Data Protection Heat Index useful, and that you will take the
opportunity to learn about Privacy by Design (www.privacybydesign.ca).
Best Regards,
Dr. Ann Cavoukian
Executive Director, Ryerson University Institute for Privacy and Big Data
Former Information and Privacy Commissioner of Ontario, Canada
“I'm very taken by Privacy by Design, which has 7 foundational privacy principles. The positive sum principle can help steer us towards greater harmonization of data privacy implementations.”
Dan Blum, Chief Security and Privacy Architect for Respect Network; Former Burton Group and Gartner Analyst
Survey Overview
The Cloud Security Alliance surveyed a select group of global data privacy experts with the intention to measure
attitudes towards data protection areas that tie into technology solutions which enable the exchange of information
across the cloud.
Survey respondents from across North America, Asia-Pacific and the European Union were categorized according to
their professional areas: privacy/legal, CISO/InfoSec and developer/architect. We specifically hand-selected 40 of the
most influential thought leaders based on their titles and day-to-day roles:
Privacy commissioners play a pivotal role in advising about and setting data privacy standards, as well as enforcing regulations within their respective jurisdictions. Privacy and legal counselors are responsible for advising business leaders on emerging and required changes to privacy standards, and the legal and ethical impact of such standards on their businesses.
CISOs and InfoSec leaders are instrumental in architecting data protection capabilities into new IT solutions.
Developers and architects are moving rapidly on architecting new and innovative capabilities for cloud, IoT and big data solutions.
Findings Summary
The survey was structured in four parts and the findings were both pleasantly surprising and indicative of a positive role
that privacy and data protection principles can play in the development of cloud, IoT and big data solutions.
Data Residency and Sovereignty
Respondents identified “personal data” and Personally Identifiable
Information (PII) as the data that is required to remain resident in most
countries. It was interesting to note that responses to the question of how
their country’s definition of data residency/sovereignty compares with
other regions were split evenly among the three response types of Open,
Restricted, and Unknown.
Lawful Interception
Responses indicated a universal interpretation of the concept of lawful
interception. The question on the criticality of privacy to employee trust
drew a surprising 25% of responses showing “neutral” to “low
importance.”
User Consent
Of particular note is that 73% of respondents indicated that there should be a call for a global consumer bill of rights and
furthermore saw the United Nations as fostering that.
“Beyond data protection regulations, understanding the expectations of privacy is an important component in maintaining trust and assurance in the digital age. The work done to develop a data protection heat map is a strong indicator as to those expectations, and should be an important component in the provision of digital services.”
Raj Samani, VP, CTO for McAfee EMEA; Chief Innovation Officer for Cloud Security Alliance
Privacy Principles
In this section, we surveyed whether OECD privacy principles would facilitate the trend or cause room for tension with
cloud, IoT and big data. The responses were surprisingly in favor of facilitating the trend. This trend seems indicative of
a shared interest in baking emerging privacy principles into new solutions versus trying to retrofit solutions post-build
to accommodate privacy.
Survey Results
Data Residency/Sovereignty
Increasingly regulated data is bound to remain within specified geographic
bounds. What types of data cannot traverse geographic boundaries in your
region?
Personal data and Personally Identifiable Information (PII) were the prevailing themes for these responses.
RESPONSE SAMPLING
“The transfer of personal data to a foreign State is prohibited whenever it may endanger public security or Tunisia's vital
interests. (Article 50 Organic Act N°2004-63 of July 27th 2004 on the protection of personal data)”
“There is no limitation on data traversing geographic boundaries in my region. However, national law imposes that if
sensitive data are transferred outside EU space, in countries that are not compliant with EU data protection regulations,
then data controllers must notify the competent national authority for this process.”
“In Hong Kong, cross-border transfer of personal data is covered by Section 33 of the Personal Data (Privacy) Ordinance
("PDPO"), which restricts transfer to jurisdictions with similar protections (similar to EU law). However, this is currently
not operative. Effectively there is currently no cross-border restriction in operation.”
“U.S. doesn't really restrict the flow of PII across boundaries. There are restrictions for "arms" information (ITAR).”
How does your country’s definition of data residency/data sovereignty compare
with other regions?
These responses were divided evenly. Most responses from the
European Union showed alignment to legal frameworks, whereas
respondents predominantly in the United States did not always
know how definitions compare. Also, one-third of responses
indicated that data sovereignty was defined in a more restrictive
manner compared to other regions.
RESPONSE SAMPLING
Open
“US regulations allow transference of specific data types with
specific security measures such as encryption for data in motion, at
rest and in use. EU standards and ASIA PAC are more stringent as
they do not allow specific data types to transit externally-hence in
such and in my opinion the regulation boundaries OUTCONUS are
much stricter.”
“The USA imposes few specific restrictions as compared with Europe. As such we are very sensitive to Safe Harbor
provisions.”
Restricted
“Based on the legal framework of directive 95/46/EC as many European Countries.”
“…most of the US operations are considerably less sensitive to privacy data than Europe and more sensitive than what we
see in APAC or Latin America.”
“In my country the crucial element is the location of the data controller, regardless of nationality or country of origin of
the data subject. If the data controller is located outside EU space, then data subject is not protected by EU regulation.
Thus, it is possibly important to set data residency criteria in order to enhance the protection offered to the data subject.”
Lawful Interception
What does lawful interception mean to you?
Responses indicated a fairly universal interpretation of lawful interception.
RESPONSE SAMPLING
“Lawful interference is interference by a public authority or its agency in accordance with the law and is necessary in a
democratic society in the interests of national security, public safety or the economic well-being of the country, for the
prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of
others”
“The right to access data through country-specific laws if the need arises, i.e. data needs to be made available for a
cybercrime investigation.”
“Lawful interception means that under certain circumstances and by following strictly defined procedures the secrecy of
communication no longer applies and the identity of the data subject (ex. an IP holder) can be revealed.”
How would you rate your country’s processes to obtain information for the
purposes of criminal and terrorist investigation for the following elements?
Ratings of efficiency for countries' processes to obtain
information for this section were expected to be average
and above. However, on the spectrum for Transparency
and Accountability, a majority of the responses were on the
poor to fair side.
Briefly describe the process your
country uses to obtain information for
the purposes of criminal and terrorist
investigation?
Most responses were focused on legal means of obtaining
information.
RESPONSE SAMPLING
“Legally this needs a warrant or a subpoena, but blanket data capture is not ruled out. Many public examples exist.”
“See The Police and Criminal Evidence Act 1984 codes of practice (which regulate police powers and protect public
rights), and recent revisions.”
“The US has a strong infrastructure of legal processes, both public and secret to obtain evidence for investigations.
However, there are significant concerns about government entities exceeding or bypassing these established controls.”
“Only the judicial authorities are competent for obtaining information for the purposes of criminal and terrorist
investigation. To my knowledge this happens when special conditions apply, namely when a serious crime is identified.”
“Governed by Part VI of the Criminal Code of Canada (Invasion of Privacy)”
“Hong Kong Police, Department of Immigration, and the
Independent Commission Against Corruption are key agencies. As
Hong Kong does not have sovereign state status, foreign affairs,
intelligence and military are all external to HK and in the control
of the PRC.”
Rate the importance of the following
statement: “Privacy is critical to employee
trust.”
Surprisingly, there were close to a quarter of respondents across
the United States, Europe and Asia who were neutral or who did
not see privacy as critical to employee trust.
User Consent
Data protection involves more than just legal frameworks. The responses in this section are indicative of growing end
user sensitivities towards data protection and a growing awareness of the benefits and role that a universal set of
principles could enable.
Should there be a call for a consumer privacy bill of rights that would be global
in nature as opposed to regional?
The responses are indicative of a growing and strong interest in harmonizing privacy laws toward a universal set of
principles.
What role should the United Nations play in fostering universal rights for
consumers?
Many respondents felt that the United Nations could play a pivotal
role in fostering a consumer bill of rights.
RESPONSE SAMPLING
“The role of the United Nations is essential in promoting a universal
charter to establish rules that states must draw inspiration for their
internal regulations to protect consumers.”
“The UN General Assembly could pass a principled resolution (not a
prescriptive one) with broad consensus, perhaps just to endorse
existing FIPPs. It would be great if the UNGA could adopt Privacy by
Design as well, which I'm told 35 national privacy commissioners
have accepted already as an international standard.”
RESPONSE SAMPLING: YES
“Global guidelines would be helpful in harmonizing a wide range of similar privacy laws around the world. However, on its own, they would have little enforceable effect.”
RESPONSE SAMPLING: NO
“This steps over the sovereign rights of individual nation states.”
Legislators are currently analyzing the implications of big data on privacy. What
are your recommendations to legislators on this issue and why?
RESPONSE SAMPLING
“For the U.S., pass world-class privacy legislation akin to Canada's or Europe's.”
“Pass legislation introducing more controls on intelligence gathering and separate the "offensive" cybersecurity defense
functions from the "defensive" ones into different organizations with different missions.”
“The EU rules related to automated processing and database registration will help provide an initial extension to existing
laws in this area that the US could emulate to a degree.”
What would you recommend to company
executives as their role in ensuring the
integrity of their processes?
RESPONSE SAMPLING
“Establish principle of organization-wide respect for people's
privacy for the benefit of the brand.”
“A risk-based approach must be taken for both the organization
and its employees. Processes and procedures must exist and it
makes sense to utilize and refine them in a life cycle manner.”
“Privacy-by-design is very important. It is very hard to add privacy as an after-thought. Companies that respect the
privacy of their customers will succeed better in the longer-term.”
“Privacy to me is very similar to ethics and very connected in my world. There are always going to be very ethical people who will do their utmost to protect individuals and organizations while unethical people may try to take shortcuts with privacy. It's also an education process. Ultimately, the C-suite has to own privacy and actually build it holistically into their processes, InfoSec programs, and the products and services they offer.”
Mary Beth Borgwing, President, Cyber and Risk Practice Advisen
As a consumer, how do you feel that
your data is frequently used for
marketing purposes without your
expressed consent? For example,
you shop on a vendor’s website and
then start to see advertisements.
Privacy Principles
As developers work on building out cloud, IoT and big data solutions,
indicate below which of the OECD privacy principles [i] you see as areas
that will help facilitate this trend versus those that could make room for
tension.
In this section, we examined each of the OECD principles
and looked at whether it facilitated the trend (acted as an
enabler) or caused room for tension (impeded
development).
DATA COLLECTION LIMITATION PRINCIPLE: Collect data by lawful means only
DATA QUALITY PRINCIPLE: Personal data should be relevant to the purposes for which it is being used and should be accurate, complete and kept
up-to-date
“The OECD privacy principles catalyzed the creation of privacy frameworks and subsequent legislation globally. The privacy principles provide a common language for these concepts to be built into data privacy legislation. Now, what people care about has evolved: untraceability, unlinkability, minimization, anonymity have become additional key points of focus […] The Data Quality principle has really become Data Minimization and Data Quality and it is going to be a vital driver for Big Data and IoT.”
Michele Drgon, CEO for DataProbity
PURPOSE SPECIFICATION: The purposes for which personal data is collected should be specified at the time of data collection and the subsequent
use limited to the fulfillment of those purposes
USE LIMITATION PRINCIPLE: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified
SECURITY SAFEGUARDS PRINCIPLE: Personal data should be protected by reasonable security safeguards against such risk as loss or unauthorized access,
destruction, use, modification or disclosure of data
OPENNESS PRINCIPLE: There should be a general policy of openness about developments, practices and policies with respect to personal data
INDIVIDUAL PARTICIPATION PRINCIPLE: An individual should have the right: a) to obtain from a data controller, b) to have communicated data relating to him/her…
ACCOUNTABILITY PRINCIPLE: A data controller should be accountable for complying with measures which give effect to the principles stated above
Summary
Privacy can be viewed as a maze of complicated
regulations and guidance, or also examined from the
standpoint of important underlying principles. The
benefit of paying greater focus to these underlying
principles is highlighted in several of our survey
responses. Responses in the Data Residency/Data
Sovereignty section indicated that privacy experts had
similar opinions around the regulation of personal
data and PII, and there were universal interpretations
on the concept of lawful interception. The
overwhelmingly favorable response for a Global Bill of
Consumer Rights further highlights the opportunity to
focus on common principles. Responses to the OECD
principles as they could facilitate or cause tension for
cloud, IoT and big data are significantly in favor of
privacy principles as a business enabler. These
findings highlight the very significant opportunity for
global co-operation between CISOs and InfoSec
professionals, privacy leaders and developers and
architects to build privacy principles into new and
emerging solutions.
[i] OECD Privacy Principles: http://oecdprivacy.org/#participation
“The time has come where it is no longer optional as to whether companies adopt privacy principles in their products and services. Companies need to adhere to privacy principles, especially “purpose” and “use limitation,” in order to avoid developing applications that are considered invasive by individuals who use them. To be successful, privacy can't be bolted on after a system has been launched. Privacy needs to be incorporated when the system is designed. That said, companies will likely be required to retrofit existing systems, a fact which is both underappreciated and under-resourced.”
Renee Guttman, VP Office of the CISO/Accuvant; Former Fortune 500 CISO; Ponemon Fellow
“If developers and privacy professionals approach building in privacy from the standpoint that they want to do the right thing, they are going to find increased opportunities to innovate and develop solutions in a positive manner. They will relieve themselves of many compliance obligations, reporting and potential legal issues. Respecting privacy is generally good for business.”
Dan Blum, Chief Security and Privacy Architect for Respect Network; Former Burton Group and Gartner Analyst