In the past, data protection regulation has largely been concerned with preventing the theft of personal data. Security and security products have focused on preventing breaches — no breach effectively meant no failure of data protection compliance.
This has changed, first with the EU's GDPR, and second (from January 2020) with the California Consumer Privacy Act (CCPA). Both regulations elevate the rights of the data subject. Regulatory control is now as much about what companies do with personal data as about how they protect it from theft.
Proving user consent to the storage of personal data and letting the user revoke that consent, delivering on the user's right to know what data is kept and how it is used, and knowing and controlling where it is stored are all new regulatory requirements. Without tools designed for these requirements, many companies have been forced to repurpose existing ones: data classification and discovery tools to find data and track its location, and spreadsheets to handle consent records. If security has taught us one thing, it is that filling gaps with point products just leaves more gaps.
It is to fill this need for overarching privacy controls that a new firm, Securiti.ai, has emerged from stealth with $31 million in Series A funding (led by Mayfield and Navin Chaddha), a new privacy platform called Privaci.ai, and a desire to create and promote the concept of PrivacyOps. The firm sees PrivacyOps as important enough that the nascent DevSecOps could eventually evolve into DevSecPrivOps.
Based in San Jose, California, Securiti.ai was founded in 2018. Its president and CEO is Rehan Jalil, formerly president and CEO at Elastica and then SVP and GM of cloud security at Symantec.
The problem for corporations now, Jalil told SecurityWeek, is that “the user has the right to say to any global company, ‘give me my data, show me what data you have about me, delete my data, do not use it for that purpose, and so on.’ If you don’t comply, this is not just a guideline. Non-compliance could lead to a $7,500 fine for every violation under CCPA.” Google has already been fined 50 million euros by France's data protection authority for privacy process violations. Something like 500,000 companies are affected by CCPA, and even more by GDPR.
This is the purpose of Securiti.ai’s new privacy platform, Privaci.ai. It uses artificial intelligence to understand the nature and use of the personal data a company stores. It includes modules for finding data, fulfilling user requests, a portal for collecting data requests, a consent lifecycle manager, third-party privacy assessment and ratings, and privacy assessment for auditing compliance with privacy regulations.
The use of AI is important. The platform focuses on ‘privacy’ rather than on individual regulations, which are multiplying both in the U.S. and around the world. Privaci.ai does not rely on separate modules being developed for separate state regulations. Instead, the AI is used to teach the platform any new requirement. For example, if a new regulation in a different state (or country) started to classify pacemaker registration numbers as personal information, the AI would teach the platform how to recognize pacemaker data patterns and classify them as personal data. Such records could then be retrieved and tracked automatically, like any other personal data.
The data finder module finds personal data from hundreds of structured and unstructured sources, and also identifies the owner of that data.
The user request fulfillment module investigates the systems holding the data, and gathers relevant details into a report for review and approval.
The data request portal can be used to collect new user requests for information about or action on their personal data.
The consent lifecycle manager is used to collect user consent from the various sources from which it is provided, and centralizes the records into a single searchable location.
A third-party privacy assessment module can continuously assess third parties for privacy risk. A separate third-party privacy rating module rates third parties on their privacy risk based on publicly available information about their data collection and data handling practices, as well as their breach risk.
And a privacy assessment module, using all the information the platform knows about what and how personal data is stored, can continuously assess internal systems for compliance with privacy regulations.
The biggest single problem is that most companies do not know what personal data they hold, nor where it is located. Faced with a user demand, all of this data must be found. Done manually, this is heavy on manpower and time, which is why it requires automation. Using AI-based bots, these searches can be completed in a fraction of the time and at a fraction of the cost. The system can help in complying with user requests, and it can find user data the company did not know it held, in locations not sanctioned by the company or by privacy regulations.
A natural language interface built into the platform answers questions about various aspects of an organization’s privacy compliance, a person’s sensitive data, and personal information risks, and can assist in areas such as data request fulfillment. It helps less technical staff, such as the data protection or compliance officer and the legal team, take a more active role in ensuring that compliance is met.
“GDPR and CCPA are the tip of the iceberg with dozens of global privacy regulations in the works. We’re on a mission to make it easy for businesses to be responsible custodians of people’s data, comply with global privacy regulations and bolster their brands,” said Rehan Jalil.