You Can’t Have (Data) Privacy Without Security

While I can do without unsolicited advertisements and whacked out political diatribes, I must admit I enjoy following the lives of my family and friends on social media. And as someone in the cybersecurity industry I do try to manage all the settings to protect my privacy, but it is all very complex and deep down I know whatever I do there will be mistakes, negligence or bad intent that can leave data exposed. If only the baby photos my nieces and nephews keep posting weren’t so darn adorable.

On the positive side, the business model of sharing and selling online consumer information to create new revenue streams, together with the highly publicized Facebook and Cambridge Analytica scandal, appears to have spurred a worldwide race to enact new data privacy laws. It certainly was the motivation for voters and quick legislation in California.

2018 brought us an alphabet soup of regulatory acronyms related to privacy as a fundamental human right. On May 25th the European Union (EU) General Data Protection Regulation (GDPR) went into effect, in June the state of California passed the California Consumer Privacy Act (CCPA) and in August Brazil signed the Lei Geral de Proteção de Dados (LGPD).

In terms of complexity, the GDPR consists of 173 recitals and 99 Articles over almost 100 pages. Many companies, now a year after it came into effect and three years after it was adopted, are still struggling to bring their processes into compliance. The LGPD and CCPA seem like light reading by comparison, and while the legislative momentum seems to be all about privacy rights, that doesn't mean data security has been pushed to the back burner. All three regulations address both the rights of the data subject (consumer) and the security of processing personal information.

Simply put, the rights of the consumer require that organizations obtain consent (or another lawful basis) before collecting, processing and retaining personal information, use it only for the purpose for which it was collected and keep it only for as long as it is needed. It's about data privacy, or the "authorized use" of personal information.

Security of processing, on the other hand, is about the technical safeguards that ensure a consumer's private data stays private. It's about data security, which is often defined as preventing "unauthorized access or misuse", as well as detecting, recovering from and giving notification of a breach when one does occur.

Being a Californian and a compliance nerd, I believe the breadth of California's data protection laws makes it easier to understand the requirements for both supporting privacy rights and securing data, with the ultimate understanding that you can't truly have data privacy without data security.

In 2003 it was mostly about data security. California enacted the first data protection law in the United States (US) that defined personal information, established requirements for data protection and required breach notification when unencrypted personal information was reasonably believed to have been acquired by an unauthorized person. The following year California's Online Privacy Protection Act took effect, requiring operators of commercial web sites and online services to post and adhere to a public privacy policy. As technology advanced over the years, the laws were updated to meet new threats and challenges. California became the guide for other states, and after 15 years, with Alabama passing legislation in 2018, every state in the union as well as the District of Columbia now has a breach notification law in place.

The CCPA defines additional rights pertaining to the privacy of personal data collected online for business purposes and builds upon existing California data security laws. Beginning January 1, 2020, the CCPA grants California consumers the right to request that a business disclose what personal information it collects, whether that information is sold or disclosed and to whom, and the right to say no to the sale of their personal information. In addition, they have the right to access the collected information, to request that it be deleted, to "opt out" of the sale of their personal data and to receive equal service and price even if they exercise their privacy rights.

The combination of California's data protection and consumer privacy laws is comparable to the articles in the GDPR and LGPD that cover the security and lawful processing of personal information, as well as breach notification and penalties.

In the US there is no parallel legislation to the GDPR or LGPD at the federal level, and all existing breach notification laws were enacted state by state. Looking at the current legislative calendars of several US states, it appears the CCPA may start the same state-by-state enactment of data privacy rights.

The question we need to ask is, will all citizens in the US wait another 15 years for individual states to pass privacy legislation, or is it finally time for action at the federal level?
