July 25, 2019
Information security and data privacy have merged into a new single discipline called data protection. This article discusses why an in-depth understanding of it is critical to your ability to meet security and privacy compliance obligations.
In recent years, a whole host of new laws mandating how sensitive information is collected, used, stored, shared, and disposed of has come into force. Here are a few critical questions these laws have raised:
- “If we’re ISO 27k certified, are we compliant with _____________?”
- “Do we need a data protection officer [DPO]?”
- “Can the CISO be the DPO?”
- “Can we perform our risk assessment internally and still be compliant?”
- “If our data is encrypted, is it still considered sensitive?”
- “If I remove someone’s name from a record, doesn’t that de-identify it?”
These questions are both security and privacy-related, and stem from compliance obligations driven by new laws. Moreover, security and privacy clauses in contracts are precipitating these same questions.
The Need for Data Protection
This isn’t an academic discussion. The incident involving personal data that Cambridge Analytica obtained from Facebook was widely reported as a security breach. It was not. Rather, Cambridge Analytica misused personal data that is obtained legally from Facebook.
Facebook missed multiple opportunities to correct this misuse. There was no “bad actor,” “state actor,” or other “hacker” (at least not as those terms are commonly used). Facebook was fined by the data protection authorities of the United Kingdom and Italy in 2018. On July 24, 2019, the company was fined $5B by the U.S. Federal Trade Commission (FTC), the largest fine for data protection violations in history.
The Facebook/Cambridge Analytica incident underscores the need for data protection, a discipline that unifies information security and data privacy. Data protection looks at data from a variety of angles with the goal of protecting it holistically.
It incorporates a determination of the downside exposure if that data is mishandled or lost, versus the cost of protecting it (i.e., it has been risk adjusted). Understanding and adopting data protection as an organizational discipline will greatly advance your compliance posture. It will also prevent intrusions from criminals and protect your intellectual property.
The Brief History of Data Regulation
In the United States, privacy and security developed on separate “tracks” over time, starting with restrictions on government use of personally identifiable information (PII). The Privacy Act of 1974 introduced cutting edge, if not revolutionary, privacy concepts.
- Prohibiting the creation of a secret database of PII;
- Granting individuals the right to review their government-collected PII
- Requiring consent of the subject individuals before releasing their PII to others.
Other laws followed, addressing particular sectors such as financial services (the Gramm-Leach-Bliley Act of 1999; protecting privacy) and healthcare (HIPAA’s Privacy Rule and Safeguards Rule, each issued in 2003).
There are several problems with this approach:
- It’s centric to an “industry,” ignoring personal information used in other contexts;
- It leaves gaps between the “privacy” and “security” perspectives; and
- There’s no single person that has the “big picture” of how effectively data is being protected.
Take, for example, the Bankruptcy Abuse Prevention and Consumer Protection Act of 2005. This federal law was brought into force specifically to protect personal information that would otherwise be exposed in a corporate bankruptcy. While it’s laudable that this law was passed, it exposed the problem of playing privacy and security “whack-a-mole.”
The European Union Approach to Data Protection
The European Union (EU) took a completely different tack. The first broadly-applicable law addressing data security and privacy was the EU’s Data Protection Directive, which was brought into force in 1995. The Directive directed EU member states to implement its principles into local law. Included among its obligations are the following:
- A threshold legal “basis” or justification for processing personal data;
- Rights of individuals to be informed of the processing of their personal data;
- Rights to make corrections to personal data or have it deleted;
- Rights to be informed when their personal data is shared with another party;
- Rights to be informed with personal data leaves the EU; and
- The necessity of using technical and organizational security measures to protect personal data.
Note that the Directive was not sectoral – it applied with equal force to all industries as well as non-profits and government agencies. While the Directive represented a sea change in protecting personal information, it did not wear well over time. Mobile devices, cloud computing, and social media confounded the Directive.
The Directive’s successor, the EU General Data Protection Regulation (GDPR), was designed to fix these deficiencies. Passed into law in 2016 with a May, 2018 compliance deadline, it expanded the discipline of data protection. Concepts such as Data Protection by Design and by Default and the Right to Erasure, known as the Right to be Forgotten, were added. These concepts, along with several others, were introduced to Americans while preparing for the deadline.
Data Protection Implications for U.S. Professionals
The GDPR was largely responsible for introducing data protection concepts to U.S. security and privacy professionals. Following almost immediately was the passage of the California Consumer Privacy Act of 2018 (CCPA). The Act copied many of the GDPR’s obligations and furthered the spread of data protection.
This introduction raises two questions:
- What “big picture” changes are needed at an organizational level to incorporate them and
- How do professionals use this discipline to address rapid changes in the regulatory landscape?
As to the first question, data protection implies the following changes at organizations:
- Close cooperation between IT/IT security and the legal department on an on-going basis;
- The establishment a formal data protection program with attendant performance metrics; and
- Board-level attention directed to the program.
As to the second, in Part 2 of this series, I will discuss how you can meet data protection obligations with data discovery and classification.
Information security and data privacy have merged into a new single discipline called data protection. It is critical to understand this merger in order to meet security and privacy compliance obligations.
See how Spirion can help you meet your compliance obligations with data protection. Download the CCPA whitepaper, How Spirion Advances Compliance with the California Consumer Privacy Act of 2018 (CCPA).