Cyber Security Articles


What This Cyber Security Articles Page Is About

The goal of Journal of Cyber Policy is to provide commentary and stimulate conversations about important cyber security topics. Our parallel goal is to discuss cyber issues in plain English, liberating this critical subject from the exclusive realm of specialized engineers and hackers. Throughout, we try to talk about cyber security and related issues from the perspectives of public policy, national security, corporate policy and compliance.


Why Articles about Cyber Security Matter

We are living in an era where digital technology dominates so much of our lives. Digital risk naturally accompanies this reality. Smartphones, the IoT, the Internet and so forth make our lives easier, but they also expose us to threats. Some of these threats come from nation state actors. We believe Americans could be better-informed about these risks. And, while there’s certainly no lack of content online about cyberthreats, room still exists for cyber security articles that integrate the subject’s diverse themes of technology, politics and business.

For example, Russian disinformation and Chinese espionage are not new, but today’s digital landscape makes these familiar tactics deadly, in political terms. The Cold War was largely analog in nature, with offensive campaigns quite limited in scope and impact. While Cold War dynamics may survive today, they are having a radically different effect on American society and politics than anything that came before.

It can be tricky to tease out the differences between today and a generation ago. American politics and governance have always been messy, dishonest and idiotic, but there were at least some fact-based controls on it. This is no longer the case. Our enemies are exploiting this new reality. In some cases, they’ve created this new reality.

We see the impacts of these new measures, but leaders across the government and business sectors generally fail to understand the transformative nature of technology, e.g. Amazon is not just a bigger mail order store; the iPhone is not just a phone with fancy features, and so forth. These cognitive gaps lead to deficiencies in the perception of risk. They enable our leaders to underestimate our enemies and how they can win without firing a shot. We also tend to overestimate our defenses and resiliency.

The digitization of society, commerce and politics renders America defenseless in ways that we are only beginning to understand. Digital transformation is a double-edged sword: America’s rush to digitize its economy and society produces as much risk as it does benefit. For example, we have to manage the tensions between mobility and surveillance, between big data and privacy and so on.

The Topics We Cover in These Articles

We deal with a wide range of cyber security topics in these articles. Some discuss cyber election interference. Others look at geopolitical cyber risks, such as our recent series on Russian disinformation and “Active Measures.” We will frequently check in on the state of enterprise architecture and cloud computing, seeking expert insights into the best practices and new security technologies that are influencing security policies in these areas of information technology. We cover the gamut of security subjects: malware, phishing, identity and access management (IAM), privileged access management (PAM), zero trust, data security, application security, secure DevOps (DevSecOps), red-blue teaming, automation, Security Orchestration, Automation and Response (SOAR), threat monitoring, incident response, intrusion detection, encryption, key management and on and on. Our cyber security articles also look at compliance and at government cybersecurity frameworks and regulations like the NIST CSF, GDPR, CCPA and more.

Video, a Stealthy Source of Risk Exposure

In the classic espionage movie Three Days of the Condor, Robert Redford learns the name of Faye Dunaway’s character by eavesdropping on a cashier reciting her credit card information over the phone. Later, on the street, Redford calls out to Dunaway by name, pretending to know her and causing a moment of confusion that enables him to kidnap her. (Spoiler alert: It all works out in the end, so don’t worry.) This was a spear phishing attack circa 1975. The technique, however, is now available to malicious actors in an exponentially more powerful form—the scanning of surveillance video to glean personal information.

Video footage, produced by millions of Internet connected video cameras so ubiquitous that we no longer even notice, is creating risk exposure for businesses, governments and everyday people. It’s a security blind spot. Billions of hours of video reside in storage arrays, often with weak protections. The material contains a great deal of information that can be used for fraud, espionage or physical crime.

I spoke about this issue recently with Mathieu Gorge, CEO and founder of VigiTrust and author of the recent book The Cyber Elephant in the Boardroom. In his experience, the collection and storage of surveillance video tends to fall between areas of security responsibility in many organizations. The physical security or anti-fraud team may be tasked with operating the cameras and handling the resulting video files. This group tends not to have the expertise in data security needed to protect these sensitive digital assets. The cybersecurity team, in turn, may not even be aware of what’s going on with video. Or, they lack the time and resources to deal with it.

While surveillance videos may seem like the world’s most boring TV program, the reality is they often contain information that is valuable to malicious actors. High-definition cameras in stores, for example, which are trained on cash registers, record credit card numbers and PIN codes. They may also pick up images of driver’s licenses and other personally identifying details. In government offices, such as passport centers or motor vehicle departments, video cameras vacuum up myriad images and text details about people’s identities from birth certificates and other documents. This can lead to identity theft. Cameras in healthcare settings can record sensitive health information about patients.

Internet cameras can be hacked. Video file repositories can be penetrated, especially if they are not well defended. With automated, AI-driven content scanning, attackers can crawl through millions of hours of video and find valuable nuggets of information for use in fraud and worse. Backups are a particular problem, in Gorge’s experience. “Pay attention to storage,” he advised. “Where are you keeping your original and your copies? Do you have policies for deleting video after a set period of time? These are issues that need attention.”

According to Gorge, “Businesses may not realize it, but the video they record is covered by the same privacy regulations as their customer databases. A breach of personal information from a video is still a data breach.”

Physical risks can also arise from video. As Gorge put it, “If you have access to security camera footage, you can learn where the CEO parks her car, where her office is located, how many security guards the building has on duty and so forth. If you wanted to harm this person, security video gives you a lot of valuable details.” Critical infrastructure facilities like dams and nuclear power plants present comparable risks.

What can be done about video security? The answer, as Gorge sees it, is not complicated, but it could require some effort. The main cybersecurity organization should be made aware of video assets and their disposition. Video files need to be covered by an organization’s overall data security and cloud security policies and countermeasures. For example, default passwords should not be allowed on storage devices for surveillance video. Realizing these policy changes may require cross-team collaboration or changes in responsibility.

Video vulnerabilities represent a solvable problem. To deal with the issue, however, it is first necessary to understand that it exists. From there, it’s a matter of thinking through areas of risk exposure and applying countermeasures, most of which already exist elsewhere in the organization.


Responding to SolarWinds: A Talk with KnowBe4’s Rosa Smothers

The Biden administration faces an exquisite dilemma over the SolarWinds attack. As with most nation state cyberattacks on the United States government, it is impossible to prove who did it. US intelligence agencies appear certain that it was the work of Russian hackers, who likely carried out the attack with the knowledge and blessing, if not the direct instruction of Russian intelligence services. For sure, an attack of this sophistication and duration was no casual hacking effort done for laughs. It has to have been a work of serious state-sponsored sabotage.

The question, yet again, is what to do about it? As Politico and other outlets have noted, Biden faces few good options. The US is more vulnerable to digital disruption than Russia, so an overreaction invites an escalation in Russian cyberattacks that could destabilize the country. This could be disastrous. Other retaliatory options like “hacking back” risk revealing the USA’s (theoretically) secret knowledge of Russian networks and vulnerabilities—shutting off these avenues of espionage forever. So, what should be done?

A discussion of retaliation should begin with a different question, however: why did Russia feel it could carry off such a massive, brazen attack in the first place? That would be a good starting point for today’s response and future deterrence. For insights into this issue, I turned to Rosa Smothers, a former CIA analyst and technical intelligence officer who now serves as SVP of cyber operations at KnowBe4.

As Smothers explained, Putin was emboldened to permit such an audacious operation because he was minimally concerned about retribution by the previous administration. In her experience, as she put it, “The global scale of this intrusion lacked subtlety to say the least. When conducting espionage, the idea is to not make international headlines.” According to Smothers, the Biden administration requested an intelligence review of several alleged Russian actions early on. These included the SolarWinds hack and the targeting of American soldiers in Afghanistan. Based on that assessment, the administration can take advantage of an array of public and classified capabilities.

The past provides some examples of what may be in the works. For instance, in December 2016, in response to Russia’s meddling in US elections, President Obama issued an Executive Order that expelled 35 Russian diplomats and shuttered two Russian government-owned properties. Obama also sanctioned nine entities and individuals: the GRU and the FSB, four individual officers of the GRU and three companies that provided material support to the GRU’s cyber operations.

Biden may follow a similar path in responding to SolarWinds. The Treasury Department can designate additional companies and individual operatives associated with support to Putin’s government. The US can work with its allies to freeze the assets of the Russian government and of Putin’s oligarchs.

As Smothers suggests, “It is important that we take a global approach, because oligarchs’ billions are not limited to the United States. For instance, Oleg Deripaska was sanctioned by the Treasury Department, but maintains an ostentatious presence in London. And, there is so much Russian oligarch money in the Miami area that it is often referred to as the ‘Russian Riviera.’ The international community needs to hit them where it truly hurts—their bank accounts.”

She added, “The Intelligence Community (IC) provides several Concepts of Operations, or ‘conops,’ from which our leadership can select based upon the risk/gain analysis. Since the discovery of the SolarWinds operation, there has likely been a debate within the IC about how we should respond. I have been at the table when some DoD elements advocate for a very public cyberattack, while CIA and FBI recommend a more collection-oriented response.”

In her view, cyber operations against Russia’s networks should be targeted and focused to provide intelligence for US policy makers or as a means to deny, degrade and disrupt Russian capabilities. She warned, however, “Unless there is an immediate, kinetic threat to our national security, there should be no expectation of a headline-grabbing hack, but rather a methodical, ongoing operation. We do not want to disclose our network access or current tools and capabilities — the undetected cyber operation is the most effective.”


Data Risk Management and the SMB

Those of us who have worked in startups and small-to-midsized businesses (SMBs) sometimes gloat over our ability to be more agile than our elephantine Fortune 500 competitors. It may take a company like IBM a year to roll out a new software feature. A startup can do it in two days! We “move fast and break things,” as the credo goes.

That’s great, until you realize there’s a reason IBM takes a year to develop a feature. They know they have to support that feature in market for 10 years. They move slowly and don’t break things. Is that better? Maybe, maybe not. However, the sad truth is that the credo is incomplete. It should really say, “Move fast and break things, one of the broken things perhaps being the law itself.”

The tendency to create risk exposure is quite prevalent in the area of data privacy. Here, SMBs are bound by the same regulations as larger companies, but have fewer resources to cope with them. An SMB still has to comply with new data privacy laws like the California Consumer Privacy Act (CCPA).

The CCPA provides consumers in California with new privacy rights. As a result, it sets up new obligations for companies doing business in California. For example, a California consumer now has the right to know what personal identifying information (PII) a business is collecting about him or her, along with how that information is being used and if it is being shared. They are entitled to get a copy of the PII being held by a company. They can also demand that their private data be deleted.

Complying with CCPA is challenging, even for big companies. However, a large enterprise can deploy people and budget resources to deal with consumer data requests and related compliance matters. An SMB will likely struggle to comply, partly due to lack of people and budget, but also because SMBs tend to have fewer enforceable data management policies.

An SMB may not be aware that it has PII hidden away in unstructured data, such as PDF files, which may be strewn about among servers, backup volumes, cloud repositories and mobile devices. The SMB may also not realize that it is storing PII from third parties, such as mailing list providers. It’s a messy, risky situation, one that SMBs may not know how to confront—if they’re even cognizant that they have a problem.

A new generation of data privacy solutions is beginning to address these difficulties. Aparavi, for instance, uses automation and machine learning to discover PII wherever it’s hidden in an SMB’s infrastructure. The solution even has optical character recognition (OCR) capabilities that can spot PII on written forms.

“It can be something of a shock when managers start to see how much private data they’ve amassed without knowing,” explained Beth Winters, JD, who serves as Aparavi’s Solution Manager. “Yet, the law may be quite unforgiving of a company that cannot address itself to the legal requirements of the CCPA or comparable regulations. We enable our clients to know what they have, and be able to deliver data privacy on a cost effective basis.”

Automation is critical to making the process work, explained Gary Lyng, Aparavi’s Chief Marketing Officer. “Data never stops moving or changing,” he said. “From yesterday to today, your people could have copied files to laptops and then, without realizing it, you’ve lost track of someone’s PII. Compliance takes constant, automated discovery and classification of data. That’s what we do.”

Solutions like Aparavi’s are probably going to become indispensable for SMBs. Their business strategies rely on the “move fast” ethos, but the law is the law. Compliance is still mandatory, even if the SMB doesn’t think it has the resources to deal with the issue. And, laws like CCPA are early in their lifecycles. The legal environment appears on track to become a lot more restrictive and unforgiving. SMBs will need a coherent, practical data privacy compliance strategy moving forward.


Romance Scams Are On The Rise and Victims Need Support

From NordVPN:

Cyberbullying and Romance Scams were the most visited pages on Cybercrime Support Network’s recovery resource database, FraudSupport.org

Cybercriminals exploit emotions and stressful situations, mainly for financial gain. As a result, romance scams and cyberbullying are reported to be among the most common cybercrimes. The fact that victims do not always seek help makes the problem even worse.

According to Cybercrime Support Network, romance scams and cyberbullying are the most visited topics on FraudSupport.org. Meanwhile, the Federal Trade Commission reports that in 2019, approximately $201 million was lost to romance scams – almost 40% more than in 2018.

Kristin Judge, CEO and Founder of Cybercrime Support Network, notes that victims of the aforementioned crimes often remain silent. “Not only are these types of cybercrime common, but they can be very emotionally triggering. We understand that it can be difficult for victims of cybercrime to seek help. It’s important to remember that you are not alone.”


Romance scams are often long-term strategies, luring victims into believing they are in a long-distance relationship. The scammer will tell stories of personal financial hardships or medical emergencies. They hope that the victim will feel obligated or willing to help them financially. Scammers are searching for victims on dating sites and apps.


Emotionally Charged Messages are Red Flags

Cybercriminals use social engineering techniques that provoke an impulsive, emotional reaction. Judge says, “Cybercrime and online fraud can affect anyone, at any age, in any profession. If you receive a phone call, email, or text that uses urgent language like ‘act now!’ or ‘respond immediately,’ consider it a red flag.”

As Daniel Markuson, a digital privacy expert at NordVPN, notes, the best defense is to stay informed about the newest scams. “Scammers are always looking out for new ways to lure people into their traps. And yet, emotions and lack of awareness are the universal weakness. The increase in scams surrounding today’s social turbulence and lockdowns is just more proof that cybercriminals exploit people’s vulnerabilities.”

Markuson advises always double-checking the sender and never downloading or clicking on anything you are not sure about. Scammers can rush internet users into taking harmful actions by pretending to be friends, family members, or colleagues. If you or someone you know has been impacted by cybercrime, visit FraudSupport.org for free resources.


ABOUT NORDVPN

NordVPN is an advanced VPN service provider that is more security-oriented than most VPN services. It offers double VPN encryption, malware blocking and Onion Over VPN. The product is very user-friendly, offers one of the best prices on the market, has over 5,000 servers worldwide, and is P2P-friendly. One of the key features of NordVPN is its zero-log policy. For more information: nordvpn.com.


ABOUT CYBERCRIME SUPPORT NETWORK

Cybercrime Support Network (CSN) is a public-private, nonprofit collaboration created to give victims of cybercrime a voice. CSN supports individuals and small businesses in the face of cybercrime with FraudSupport.org, a recovery resource database for those affected by online fraud, and ScamSpotter.org, a website to help identify scams and stop fraudsters.

For more information, please visit: Cybercrimesupport.org

New Takes on the SolarWinds Hack(s)

The story of a major cyber attack follows an eccentric path. Riffing on the Kübler-Ross model, a cyber attack narrative usually lurches from anger (“OMG!”) to denial (“It wasn’t that bad”), bargaining (“We’ll fight back!”), depression (“We’re doomed!”) and finally, acceptance (“We got burned…”). The SolarWinds supply chain hack, however, which involved suspected Russian hackers penetrating numerous US government agencies, is so immense that it’s creating its own distinct cacophony of mixed messages. We don’t know the true extent of the damage, and will likely never know it. It’s hard even to be quite sure of what actually happened. Yet, we still need to figure out how to do better next time.

What can be done now to reduce the odds of an attack of this magnitude recurring in the future? In this disorienting moment, it’s helpful to seek the opinions of experienced people in the industry. Tom Kelly, president and CEO of the data privacy and breach firm IDX, was involved in briefing Congress on the attack. In his view, the SolarWinds hack demonstrated the devastating impact of a well-known risk factor. “The fact that a foreign intelligence service can set up a server on U.S. territory and appear to be an American-based entity, while carrying out an attack on the U.S. government, is a major national security problem,” he said. “If we want to avoid this kind of nightmare going forward, this would be a good place to start.”

Kelly also spoke to an issue that, while easy to identify, is hard to address: the imbalance between a given organization’s cyber defenses and the resources of a nation-state attacker. “It’s not a fair fight, even for the most well-resourced agency,” he noted. “It’s time for better public-private partnerships to bolster defenses at the levels of individual government agencies and American corporations.”

Gregory Bell, Co-founder and Chief Strategy Officer of Corelight, the Network Detection and Response (NDR) vendor, offered a different take on the situation. Based on his experience in network defense, his view is that preventive countermeasures are almost guaranteed to fail against such an advanced mode of attack. “If you’re relying on firewalls and access controls to prevent a state security agency, with a signed certificate in its hand, from taking over your enterprise management software, you’re in for a rude shock,” Bell shared.

A better approach, in his experience, is to monitor network traffic and collect system logs and other data, in order to catch an early glimpse of an attack unfolding. “It’s important to collect data from endpoints, network infrastructure, and external sources of intelligence,” he said. “If you combine this data with analytics and threat hunting, you stand a chance of detecting an attack as Mandiant did—so you can then respond on a timely basis. At a minimum, you’ll get a quick understanding of what we call the ‘blast radius’ of the attack. You’ll know what got infected, and how the event unfolded.”

Bell further noted that it may take months to figure out whether the SolarWinds hack included the implanting of as-yet undetected malware that could lurk for a long time. “But if you’re gathering real-time data, including network data, you’ll have the critical evidence you need in that case – since attacks like this do need to cross the network.”

The SolarWinds attack revealed many deficient security practices. As Katie Nickels, director of intelligence at Red Canary, put it, the attack “has emphasized the need for basic security measures like asset inventory and knowing your network, including having a concise list of all third-party providers being used. What we saw for the first week or two after the initial SolarWinds revelations was some organizations just trying to figure out whether they even use SolarWinds products. Every network has some type of dependency on third parties. It’s not realistic to expect that any network can be completely isolated from third party risk.”


The story of this attack has not yet been fully told. The work of preventing the next one must start now. What’s clear, despite all the confusion of the situation, is that traditional security models aren’t up to the job. New thinking is needed.


Consumer Privacy Tips from Invisibly

From Don Vaughn, Invisibly’s Head of Product, suggestions for consumers who want to keep their data private:

Get a VPN
In some cases, people and companies can spy on what websites you’re visiting, where you’re located, and your computer’s identification number. You can stop them by using a VPN (virtual private network), which protects your information and makes it look like you’re browsing using a computer somewhere else. We recommend ExpressVPN or Norton Secure VPN.

Use a private search engine
Google makes money by tracking you, collecting as much information as possible about you, and then selling your attention through ads based on that data. But you can still get great search results without being tracked and targeted by using a private search engine. We recommend using DuckDuckGo.

Tune up your privacy settings
We leave a data trail about us every time we use products like Facebook and Google. Most companies let us choose what should or should not be shared and others even let us choose what data should be deleted. 

You can manage your privacy settings through your Facebook settings page. From the settings page, if you click on “privacy”, you can limit who can find you via your phone number and email address and whether or not your profile shows up on search engines. Additionally, you can stop sharing your location with Facebook in your phone’s settings.

On Google, you can delete your activity on some associated Google apps by following these instructions. 

Have a Backup “Public” Email or Unsubscribe From Unwanted Emails
When you provide your email address to a company or service online, you often end up being bombarded with marketing emails and spam. While many services offer an opt-out checkbox for marketing emails, it’s easy to forget to do this every time we enter our email online.

Somewhere at the bottom of most marketing emails you have the ability to unsubscribe and stop receiving them. If you don’t want to deal with this, we suggest having a separate email address to use publicly on the web and keeping a more personal email address for private use. 

If you use a bulk unsubscribe email service, make sure you are using a safe one. Some free services could collect and sell your data. If you are willing to pay for such a service, Clean Email is safe and does not sell its users’ data.

Check Permissions 
Most apps and browser extensions have a list of permissions that you sign off on when you start using that service. Sometimes, permissions are required for a service to work (e.g., a GPS or maps app needs to access your location data to work). By double-checking the permissions an app has been granted, you can stop it from accessing data it does not need.

Similarly, if you have smart speakers at home such as a Google Home or Amazon Alexa, you can control whether they store any of your audio recordings and whether they send them to their servers. You can also control other privacy settings and permissions on these devices. Check out privacy controls for Amazon Alexa here and for Google Home here.



2021 Predictions for Identity and Access Management (IAM)

What does 2021 have in store for Identity and Access Management (IAM) and related security workloads like authentication? Industry experts weigh in:

What we know about digital identity will change

“Non-human identities will be just as important as human identities. While we often associate digital identity with a person, many other “things” will need identities from watches to wristbands, to supervisory control and data acquisition (SCADA) sensors and medical equipment, to even DevOps containers and Kubernetes resources. While the number of human identities may grow at a slow pace, the number of non-human identities will explode. For example, enterprises want to attach identities to machines, such as virtual machines, hosts or containers to control security, as well as spend on cloud compute. The ratio of humans, or developers, to machine identities is 200:1 and still growing.” – Mary Writz, VP of Product Management at ForgeRock



A Zero Trust framework is no longer optional for enterprises

“There’s no doubt that COVID-19 and the shift to remote work have accelerated Zero Trust adoption in the enterprise. In 2021 and the following years, implementing a Zero Trust approach will become essential to protecting every enterprise, regardless of industry. This is due to the increasing volume of cyberthreats that organizations and individuals face on a regular basis, and human error remains one of the top causes of security breaches. In fact, roughly one-quarter of all data breaches are caused by human error, with the average cost of $3.92 million for each breach, according to a report from the Ponemon Institute. As a result of this growing issue, the Zero Trust Model will become the new standard, in which all users, even those inside the organization’s enterprise network, must be authenticated and authorized before being able to access apps and data.” – Jasen Meece, CEO of Cloudentity


Active Directory and authentication attacks will continue to dominate ransomware and breach events

“In 2021, as attackers seek dominance in victim networks, attacks against Active Directory and authentication, like the SolarWinds attack, will continue to dominate major ransomware and breach events. In particular, healthcare and manufacturing attacks will continue to accelerate, given the large amount of legacy protocol use and gaps in visibility in critical infrastructure.” – Jason Crabtree, CEO and Co-Founder at QOMPLX


Identity is the new security perimeter

“Threat actors will continue to adapt their attack tactics to capitalize on employees working from outside the company’s physical office perimeter. As remote work continues, the utility of traditional controls like firewalls to protect corporate resources will be diminished as there is no longer a true physical perimeter and employees are now accessing business applications through various devices in various locations. Plus, many of the accounts employees use to get their work done are not fully within the control of the IT team. Instead, organizations will look to new ways of protecting the identity of the user, as well as the identity of the device. Identity will become the new security perimeter. In 2021, IT teams will have to implement a more robust identity and access management (IAM) strategy with solutions such as single sign-on (SSO), password management, and multifactor authentication (MFA) to support a secure digital dynamic workforce and to further enhance remote employees’ security.” – Gerald Beuchelt, Chief Information Security Officer, LogMeIn

2021 Cybersecurity Predictions for the Workplace

What does 2021 have in store for cybersecurity in the workplace? Industry experts weigh in:

Consequences from employees letting their guards down as work-from-home extends

“Many employees will continue to work remotely in 2021 to slow the spread of COVID-19 until a vaccine can be reliably distributed. Consequently, bad actors are no longer following these employees ‘through the door’ when looking to steal data. Instead, they will seek to take advantage of workers who have been remote since the start of the pandemic, as they may be more likely to be letting down their guard when it comes to following security protocols. This relaxation on security protocol — combined with threats that already exist in a rushed remote work environment — will result in data loss rates exceeding what we saw in 2020.” – James Carder, Chief Security Officer for LogRhythm


Securing remote work continues to be a pressing concern for IT departments

“Companies are still struggling to set up adequate processes and security protocols to foster a seamless work from home experience. In 2021, there will be a continued focus on providing a greater security level to remote employees. As work is no longer tied to a physical space, IT departments need to rethink their organization’s security beyond the physical perimeter. We will see IT departments continue to implement new processes and procedures to support a work-from-anywhere environment. Unfortunately, attackers will similarly find increasingly sophisticated ways to exploit the circumstances of this new reality. With this new shift in the business process, commensurate investment in cybersecurity is necessary.” – Andrew Sellers, Chief Technology Officer & Co-Founder, QOMPLX


The traditional office as we know it will disappear

“The pandemic-specific concept captured in the phrase ‘work-from-home’ will be replaced by the permanent concept of ‘work-from-anywhere’ by leveraging collaboration platforms and cloud-based applications. Remote collaboration platforms will become the ‘new normal’ and the traditional office as we’ve known it won’t come back soon.” – Devin Redmond, CEO and Cofounder, Theta Lake


New collaboration features will make security a headache

“Collaboration platforms will add new, dynamic features at a furious pace that will make it more difficult to monitor and configure security options. These platforms and APIs will be built to facilitate new activities, like sending and receiving payments, that will further increase the risky and regulated activities on those platforms – forcing companies to increase the security and compliance of their API and integration features.” – Devin Redmond, CEO and Cofounder, Theta Lake


Collaboration security will be a top priority for government

“Incumbent collaboration tools (Zoom, Teams, WebEx) are going to get dragged into conversations about privacy law and big tech, further pressuring them to stay on top of security and compliance capabilities. At least two regulatory agencies will make explicit statements about regulatory obligations to retain and supervise collaboration conversations. Additionally, collaboration tools will replace many call center interactions and force organizations to confront related compliance, privacy, and security risks.” – Devin Redmond, CEO and Cofounder, Theta Lake


Banking and FinTech Cybersecurity Predictions for 2021

What’s in store for cybersecurity in the banking and FinTech sectors for 2021? The experts weigh in:


Gen Z Will Lead the Shift to Open Banking

“In 2021, we will see significant international growth in the open banking industry as it democratizes financial services. In recent years, Europe has been the center of a new movement towards customer-centric banking using open banking to build new consumer banking apps, but open banking is gaining momentum in the U.S. as well with Venmo and SoFi. Now, Gen Z has grown up using open banking apps to manage their personal finances and transfer large amounts of money, rather than traditional banks. As a result, we will see an influx of software companies being founded with the purpose of creating a new method for digital-first consumers to do banking. To keep up with the growing demand for these easy-to-use digital banking solutions, banks have now embarked on the same journey by introducing similar types of mobile apps designed to make customers’ financial lives more productive and seamless.” – Jasen Meece, CEO of Cloudentity


More AI, machine learning, biometrics and fewer passwords

“A massive transformation is occurring across digital and mobile channels in how banks engage with their customers and use AI. Banks will combine machine learning with biometrics to provide new experiences, such as facial and fingerprint verification instead of passwords. One example we’re already seeing is banks leveraging machine learning to detect and read physical passports to allow for ID scanning. Customers use their smartphones to scan a government-issued ID and then take a selfie. The banks then leverage biometric facial comparison technologies with liveness detection to verify that ID is authentic and unaltered, confirming the individual’s identity.”


Digital banking standards will emerge to safeguard the use of payment platforms fueled by cutting-edge technologies such as AI, ML and Blockchain

“Technologies including artificial intelligence (AI), machine learning (ML) and Blockchain have been at the forefront of disrupting the banking industry for years. The pandemic has further exposed the holes in the banking industry as they rely heavily on dated legacy systems, leaving them vulnerable to fraud. This will be the year that banks will be forced to implement a standardized body of standardized regulations to regulate the emergence of technologies in digital payments.” – Eric Solis, CEO of MovoCash


Predictions 2021: Privacy and Compliance

What should we expect in the worlds of privacy and compliance in 2021? Industry experts weigh in:


More consumers will submit data subject access requests (DSARs)

“Now that the California Consumer Protection Act (CCPA) is in place, we will likely see an increase in customers submitting data subject access requests (DSARs). However, numbers will vary tremendously from company to company. Generally speaking, individuals either don’t know or don’t care that they can ask for this information until something brings it to their attention. For example, the publicity surrounding a ransomware attack might make them think, ‘I’m a customer of that company. I want to know what they’ve got on me!’” – Rick Hedeman, Sr. Director of Business Development at 1touch.io


More CCPA-type regulations

“The new US administration will continue the work done by the previous two administrations on privacy regulations and enforcement. This will start with ensuring higher security and transparency for anything related to voting but will be much wider. We can expect more CCPA-type regulations and stricter privacy regulations. What is still not clear is whether there will be an effort to bring a federal PII regulation to the US, such as GDPR in the EU. If so, any bill will most likely be met with initial pushback as it would mean that the stricter states may need to loosen mandates whilst less strict ones will need to increase PII controls and have a way to implement them.” – Mathieu Gorge, CEO of VigiTrust and author of the new book The Cyber-Elephant in the Boardroom


The biggest threat to personal privacy will be healthcare information

“Researchers are rushing to pool resources and data sets to tackle the pandemic, but this new era of openness comes with concerns around privacy, ownership and ethics. Now, you will be asked to share your medical status and contact information, not just with your doctors, but everywhere you go, from workplaces to gyms to restaurants. Your personal health information is being put in the hands of businesses that may not know how to safeguard it. In 2021, cybercriminals will capitalize on rapid U.S. telehealth adoption. Sharing this information will have major privacy implications that span beyond keeping medical data safe from cybercriminals to wider ethics issues and insurance implications.” – Joe Partlow, CTO of Reliaquest


More scrutiny from data protection authorities and more fines

“During the pandemic, privacy compliance became even more important due to the rapid rise in cybersecurity attacks targeting the remote workforce. As work from home continued in 2020, many news sources reported a significant increase in cybersecurity and ransomware attacks, including phishing campaigns to steal login credentials. As a general trend, data protection authorities have used their investigative and enforcement powers to issue an increasing number of fines in 2020 and I believe this will continue through 2021. The enactment of new privacy regulations, like California Consumer Privacy Act, which will begin in the second half of 2020, will only further fuel this. Data protection authorities are relying on companies to implement robust security protocols and educate their employees to protect consumer and personal data. Companies that fail to do so are vulnerable targets.” – Elizabeth Schweyen, Senior Manager, Global Privacy and Compliance at Druva

“Another factor that may lead to an increased number of fines is increased funding for data protection authorities and the expansion of their investigative and enforcement resources. Recent court cases in the EU have focused on appropriate methods of data transfers, highlighting the need for parties to enter into contractual arrangements that clearly detail each party’s obligations concerning data transfers outside the EU. Data protection authorities are scrutinizing these arrangements to ensure that consumer rights are adequately protected.” – Jung-Kyu McCann, General Counsel at Druva


New data regulations, like CPRA, must be enforced at the API level

“After CPRA passed in November 2020, many other states and countries may follow suit in implementing data and privacy laws to give consumers control of how their personal data is being used. However, enforcing regulations like GDPR, CCPA and CPRA needs to start at the API level. When it comes to managing consumer and employee identity, APIs are a key leg of the identity stool, dictating how the app handles user data, identity governance, and who has access to privileged data. It will be much simpler for companies to ensure they are compliant with these regulations if their APIs are updated or built from the ground up. On the flipside, if federal officials monitor and enforce these data laws at the API level, it will be evident which parts of the app’s code must be altered to comply and avoid large fines.” – Jasen Meece, CEO of Cloudentity


Consumers’ data confidentiality will be top priority

“As we look ahead to 2021, society will continue to reason about the importance of consumer privacy and countering the ‘echo chamber’ effect of social media as current data privacy protection and related regulations have not yet curbed the collection or use of personal data. With many Americans expressing initial concerns surrounding data collection, especially with the new tracking tools used for COVID-19, there will be continued conversations surrounding the government’s role in protecting consumers’ personal data. We will see more and more firms investing in solutions that include end-to-end encryption and user-controlled encryption to ensure consumers’ data confidentiality.” – Andrew Sellers, Chief Technology Officer & Co-Founder, QOMPLX