Biden’s executive order to protect Americans’ personal data: A step in the right direction, but other factors must still be addressed

In late February, President Biden issued an executive order aimed at protecting Americans’ sensitive data from exploitation by countries of concern.

Under the executive order, the Justice Department (DoJ) will issue regulations that prevent Americans’ information, “including genomic data, biometric data, personal health data, geolocation data, financial data and certain kinds of personally identifiable information (PII),” from being sold to adversaries that may use it for nefarious purposes.

Every day, Americans’ data is legitimately sold and resold through data brokers. However, countries of concern have been able to purchase this data legally from U.S. information brokers and weaponize it to support blackmail, espionage and hacking efforts. Needless to say, if left unchecked, the consequences of the buying and selling of sensitive data can be serious.

The President’s EO comes at an opportune time: According to research from Rubrik Zero Labs, PII made up 38% of the reported data compromised in external organizations last year.

It’s an alarming trend that will only continue as organizations accumulate more sensitive data. That same report predicts that “the total volume of data a typical organization needs to secure will increase by almost 100 [back end terabytes] in the next year — and by 7x in the next five years.”

While it’s encouraging that steps are being taken to ensure the security of Americans’ data, other critical factors must also be taken into consideration.

A closer look at the EO: What’s missing?

Anytime an EO regarding cybersecurity is released, it’s crucial to examine it through the lens of the CIA Triad: confidentiality, integrity and availability.

In the context of the CIA Triad — a model used to guide organizations’ information security policies — confidentiality refers to rules that limit access to sensitive data; integrity refers to the validity and trustworthiness of said data; and availability addresses the fact that this data must still be accessible by authorized parties.

The new EO focuses heavily on the privacy and confidentiality of Americans’ sensitive data by raising awareness and putting key building blocks in place to help reduce the loss and misuse of this data. However, it is also important for organizations protecting sensitive data to address the equally significant pillars of integrity and availability.

In addition to being integral to sound decision-making, data integrity is crucial in today’s world because it serves as the foundation for building trustworthy artificial intelligence (AI) systems. As AI continues to proliferate and impact more facets of our lives, maintaining data integrity will become increasingly vital.

Availability is also a top concern. Many of the things we take for granted today are dependent on the high availability of our personal data — everything from e-commerce companies’ personalized suggestions that make shopping easier, to medical research that benefits people living with certain health conditions. Americans want access to their personal data, and they want that data to be private, unaltered and always available. With attacks on data increasing, data immutability and the ability to recover data at scale to a trusted, known-good state are crucial for national security and the protection of our economy.

We’re living in a data-driven world: The ways in which we can use data — specifically sensitive data — are growing rapidly, and AI will only continue to fuel this pattern. However, challenges will inevitably arise when privacy and national security risks are coupled with the nefarious use of data, especially bulk data.

The EO will address this by enacting regulations to balance the national security and privacy risks associated with the large-scale collection and misuse of Americans’ sensitive data, while simultaneously enabling the economic and societal advantages of organizations handling this data properly.

While this EO raises awareness of the criticality of data and the privacy concerns of exposing sensitive data, it is important not to lose sight of the crucial role that data security plays in data privacy. Organizations need to focus on data security in order to have sufficient controls in place to enforce and monitor data privacy. We have seen cyber threats evolve over time from espionage against government entities and the military, to bad actors going after commercial companies’ intellectual property and consumer data, including the sensitive information of American citizens.

The EO is undoubtedly a step in the right direction and has raised awareness of a critical issue. Organizations should also be proactive and focus on the data security, specifically the integrity and availability, of sensitive data.

Travis Rosiek is public sector chief technology officer at Rubrik.

Copyright © 2024 Federal News Network. All rights reserved.