With the recent increase of global data privacy regulations and their ramifications on multinational organizations, it is crucial to examine the differences between data privacy and data security, why these nuances matter, and the impact they have on cybersecurity trends for not only organizations, but consumers.
Twenty years ago, data protection and information security were largely viewed as complementary activities. In today’s environment, data protection is rarely articulated without its privacy counterpart, and information security has transformed into “cybersecurity” to consider that data contains multiple threat factors.
Typically, cybersecurity is described as an intersection of three principles: confidentiality, integrity, and availability (CIA). If one of these core components is to fail or otherwise be wrongly configured, the resulting vulnerability could be a breach of information, commonly by means of unauthorized access, leakage, or wrongful deletion due to poor policy, risk management, or immature security practice.
Data privacy is often defined as the protection of sensitive data, typically referencing personally identifiable information (PII), such as a social security number, race, ethnicity, and age. Depending on the sector, regulation, or jurisdiction, the definition of which data is considered “sensitive” will vary and can expand beyond personal types of information to assets like trade secrets, intellectual property, or financial and operational data. The problem with this definition of data privacy is that the protection of this information is viewed more as a security attribute, lending to the longstanding proverb that you cannot have privacy without security.
If you reflect on the information trends since the turn of the last millennium, we experienced a shift to the cloud in the early 2000s, where organizations moved servers and other hardware assets to centralized vendors that maintain data center environments at scale. With this migration, the world’s first Software-as-a-Service (SaaS) companies came online at the height of the dot-com bubble.
The “as a service” business model placed a new dependence on service organizations when their customers outsourced critical elements of their supply chain for operational efficiencies or for the ability to scale quickly without having to gain expertise in an industry not core to their product. This reliance on third parties created increased security risks since more companies would now have access to the same information that was previously received, managed, and maintained all under the same roof.
The effect on consumers
Beginning in the 2010s, data breaches that affected consumers due to stolen credit card data, like those disclosed by Adobe, Target, and Home Depot all occurring within the same year, made data security a hot topic for consumers for the first time, causing boards and regulators to inquire about the controls in place to mitigate these threats. However, it was not until recently that consumers shifted that mindset to include data privacy, after public breaches exposed health and personal information at Anthem, Uber, Adult Friend Finder, and Marriott. These data breaches made headlines, and consumers began to ask, ‘what data are you storing for me, how do you plan to use this data, and how long will it be retained?’.
Lawmakers and regulators took notice of this shift to consumer protectionism and began to mandate public changes in normal business operations in lieu of federal privacy laws.
The effect on companies
With so many checkpoints to consider when engaging a new vendor, and the stakes for proper due diligence higher than ever, organizations began to turn to assessment firms for assurance around these security controls. Assistance is needed because companies are unable to audit every service provider that might interact with user or customer data. In the United States, an organization may request a System and Organization Controls (SOC) 2 report, an examination by a competent Certified Public Accountant (CPA) of their security controls based on set criteria. Or they may seek ISO 27001 certification, an accredited, point-in-time report on the conformity of their activities to requisite management processes and control objectives, establishing a baseline for what is considered a minimum state of security maturity.
Due to the shift in consumer focus on privacy considerations, globally recognized assurance programs have only recently been developed. In August 2019, the International Organization for Standardization (ISO) released the ISO 27701 standard – requirements and guidance for establishing a Privacy Information Management System (PIMS) for organizations that are controllers and/or processors of sensitive information like PII. While data privacy legislation had been around for several years through mechanisms like the EU-U.S. Privacy Shield and, more recently, the General Data Protection Regulation (GDPR), ISO 27701 is the first assurance program that organizations could certify demonstrating their commitment to privacy based on the legal context affecting their data subjects.
In the months following the release of ISO 27701, organizations such as Alibaba, Huawei, Microsoft, Accenture, Blackhawk Network, and OneTrust have certified to the new standard; however, these certified organizations plus a multitude of others looking to match the achievement have quickly realized that privacy hygiene requires different resources and in-house skill sets than were needed with their security program.
The challenges of incorporating data privacy
One of the top challenges security teams face when building a privacy program on top of their existing security management system is how to expand the enterprise risk assessment to include risks that threaten the protection of PII. They inherently gravitate towards thinking about this new taxonomy of risk in terms of the foundational CIA principles, but neglect to consider the rights of the data subject. As a result, they have been forced to merge security personnel with privacy personnel to complete this task, which now exposes a new problem – many organizations do not have privacy personnel.
Looking at some Fortune 500 organizations, job titles such as Chief Security Officer or Chief Information Security Officer (CISO) are far more commonplace than Chief Privacy Officer. Often, the privacy function of an organization is absorbed by General Counsel or outsourced to law firms kept on retainer. Early ISO 27701 certification plans at the largest processors of personal information in the world have been halted after discovering their security departments have little to no connection to their in-house privacy teams, if they exist at all. This results in a remediation only possible through a major shift in the organizational chart or hiring of competent personnel.
According to the International Information System Security Certification Consortium (ISC)² 2019 Cybersecurity Workforce Study, the unemployment rate among cybersecurity professionals is zero percent with an underemployment – meaning jobs are available but there is nobody to fill them – of approximately 500,000 professionals in the United States and over four million people worldwide. While an inherent skills gap is present due to the quick emergence of the industry and slow reaction by traditional education systems, the underemployment rate for competent personnel that understand data protection and data privacy – read: ‘workers skilled in both security and privacy’ – goes unreported, as the marriage of these two functions is still relatively new.