Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Data Privacy and Cybersecurity Are Converging but the Road is Bumpy!

July 16, 2020

Security Boulevard had a great post on July 14 about the convergence of data privacy and cybersecurity.

Traditionally, lines between privacy and security have been distinct. A privacy officer (PO) handled an organization's privacy policies, procedures, and compliance as it related to local, state, and federal laws, while an information security officer (ISO) generally formulated policies and procedures to ensure data security and integrity.

New laws are forcing the two areas to converge, but it's not an easy process.

In a recent webinar on Privacy and Security hosted by Apptega, a cybersecurity and compliance company, only 23% of attendees indicated that privacy and security are managed separately by different departments.

Privacy was once an abstract concept, unlike security. Privacy meant different things to different companies, and laws in various states and countries have varied a lot. There were once few privacy laws, regulations, or penalties, but that day is gone. Privacy experts were responsible for drafting policies about data usage but had little control over the technical decisions made by security folks to protect collected information. Data protection was more regulated, and the penalties were more severe.

New data privacy laws have caused a move to converge privacy and data security.

Today, businesses are working hard to collect data about customers – and potential customers – while attackers are trying to steal that data. Is your data secure within your organization? Is it secure against outside attacks? Do other organizations, like third-party vendors and suppliers, have access to that info? Are they keeping it safe, too?

Globally, legal and privacy departments are moving away from being siloed from the more technical aspects (protecting collected, stored, and transmitted data), and information technology and cybersecurity professionals are becoming more in-tune with legal responsibilities and compliance and regulatory mandates.

The post goes on to give a history of data scandals and information about the EU's General Data Protection Regulation and its penalties. GDPR is the most far-reaching regulation directly influencing the convergence of data security and privacy regulations. Not only does it clearly define privacy requirements, but it also outlines technical and organizational requirements to protect private information. It requires controllers to adopt internal policies and implement specific data protection measures.

Here in the U.S., many states are now enacting stricter data privacy laws that include regulations about data security, similar to GDPR – the New York and California laws are discussed in some detail.

The NIST Privacy Framework is a free resource you can use to build your privacy program. It's not regulatory, but it can help you integrate your privacy practices with your cybersecurity protocols. And it's adaptable for organizations of all sizes. The post offers many specific pointers for using NIST standards.

ISO 27701 for Privacy Information Management Systems (PIMS) provides guidance on how you can create, implement, maintain, and improve your PIMS. Unlike the NIST Privacy Framework, which is a tool you can voluntarily use without certification, ISO 27701 certification can be used to demonstrate that your organization complies with GDPR regulations. You can also map ISO 27701 to the Health Insurance Portability and Accountability Act (HIPAA), CDPA, CCPA, and more.

Overall, this lengthy post provides an excellent roadmap for those who seek assistance in converging privacy and cybersecurity within their organization.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson