Data Protection Laws & Compliance As Drivers of WAF Adoption

WAFs are among the most common security controls used by organizations in both the public and private sectors to protect their web applications against common web exploits.

Driven by the extensive growth in attack volume against web applications, the global WAF market size is expected to reach $6.89 billion by 2024. What else is driving this growth across industries?

Driver of WAF adoption

In a research study by Computing, 62% of IT decision makers surveyed across various industries stated regulatory compliance as their primary reason for purchasing a WAF. With regulations introduced to protect consumer data, businesses and organizations are keen to adopt industry standards like PCI-DSS (Payment Card Industry Data Security Standard), given that the standard is a prerequisite for businesses that need to accept and process online credit card payments. Other notable drivers of WAF adoption identified in the study were:

  • 46% of respondents found that inherent vulnerabilities to application layer attacks had enabled them to present a compelling business case for a WAF.
  • 23% were driven by penetration testing that alerted them to serious vulnerabilities in their web applications.
  • 18% stated that there was simply no other cost-effective way of securing legacy applications.

Role of WAF in data protection laws


In the 1990s, there were only 20 data privacy laws worldwide. Now, there are over 100. In many cases, government regulations require the deployment of a WAF, either explicitly or implicitly.

WAFs by their very nature are designed to protect an organization’s core assets (i.e. web applications) and maintain data integrity. That’s why countries with mature cybersecurity markets tend to have data protection or data privacy laws in place to address data security.

One of the most well-known government laws contributing to WAF adoption is the GDPR (General Data Protection Regulation), the EU's regulation establishing data protection and privacy rights for all its citizens.

However, not all countries have highly developed laws like the GDPR. Many countries have data protection laws that are too general and might not provide enough guidance to assign any sort of accountability to companies that hold user data. In these cases, there is also no mention of deploying a WAF.

Saudi Arabia, for example, has privacy laws similar to those found in other countries, but its laws simply address privacy and data collection, with no mention of data security and no clause requiring that users be notified of data breaches.

Why compliance and protecting customer data matter

Besides a desire to avoid penalties or the suspension of their services, adhering to data protection laws and industry compliance standards also establishes trust among data owners. By demonstrating a commitment to data protection through compliance, organizations find that more users are willing to engage with their services. If an organization does not uphold these standards, users will be less willing to hand over their personal information, and the company's reputation may be on the line. Therefore, it makes sense that any company that processes, manages, and stores personal data must follow proper security practices to protect user data and notify users of any data breaches. Though not all data privacy laws explicitly require WAF adoption, deploying one is a practical way of meeting their data protection requirements. Take a look below at some of the laws around the world aimed at protecting user data.


Europe
  • EU: GDPR (General Data Protection Regulation)
  • UK: Data Protection Act 2018
  • Sweden: Data Protection Act (DPA)
  • France: French Data Protection Act 2 (FDPA)
  • Germany: Federal Data Protection Act 2017 (Bundesdatenschutzgesetz – BDSG)

North America
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
  • US: Privacy Act of 1974
  • US: Family Educational Rights and Privacy Act (FERPA)

Latin America
  • Brazil: Lei Geral de Proteção de Dados (LGPD)
  • Mexico: Federal Law on Protection of Personal Data Held by Individuals (LFPDPPP)
  • Argentina: Personal Data Protection Act 2000 (Law No. 25,326)


Middle East
  • Israel: Privacy Protection Law (5741-1981)

Africa
  • South Africa: Protection of Personal Information Act 2013 (POPIA)

Asia-Pacific
  • Singapore: The Personal Data Protection Act 2012
  • Hong Kong: Personal Data Privacy Ordinance Cap 486 (PDPO)
  • Australia: Privacy Act of 1988 and Telecommunications Act 1997
  • Malaysia: Personal Data Protection Act (PDPA)


Is there a famous data privacy law we missed? Drop us a line!

Check out Telstra Ventures’ Cybersecurity in 2020: Investment and New Legislation infographic for more key statistics.