Until this point, privacy and cybersecurity have largely remained separate and distinct topics with only minimal overlap. That is about to change in a big way. Cybersecurity professionals must take steps today to prepare for tomorrow’s privacy requirements.
A global privacy perfect storm started in the European Union (EU) and is now set to take over the United States. A company’s ability to compete and thrive in the new era of educated, empowered, and privacy-aware consumers in the US will be tested soon.
The storm started earlier this year with the arrival of the EU’s General Data Protection Regulation (GDPR) in May. Although GDPR was passed in 2016, it gave businesses until May 25, 2018 to comply. Most of the attention surrounding GDPR was driven by the potentially large fines for non-compliance, ranging up to 20 million Euros ($24 Million USD) or 4% of the company’s worldwide annual revenue.
GDPR represents a new set of requirements to support the privacy rights of individuals. Many IT shops in the US have never dealt with these types of requirements before. For example, the ‘Accuracy’ guiding principle of GDPR states, “every reasonable step must be taken” to erase or rectify an individual’s data that is inaccurate or incomplete. It also specifies that individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days. Implementing processes to support these consumer rights may require completely new procedures for many US-based companies.
The overlap between privacy and cybersecurity is most evident in principle #6, ‘Integrity and Confidentiality.’ In this principle, GDPR states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”
The topic of personal privacy has been top of mind in the European Union since the 1990s; however, privacy has not been a priority for most US-based consumers or businesses. That all changed for the US in March, when Facebook admitted that Cambridge Analytica had collected personally identifiable information (PII) of up to 87 million Facebook users since 2014. This might have passed as a mere footnote in the history of privacy until it was revealed that this PII was used in an attempt to influence the outcome of the controversial US 2016 elections. The resulting public outcry from the Cambridge Analytica scandal likely accelerated the arrival of privacy regulation in the US by several years.
In response to the public outrage, Facebook apologized profusely and CEO Mark Zuckerberg was hauled in to testify in front of the Senate Judiciary and Commerce committees.
South Dakota Senator John Thune’s remarks during Zuckerberg’s testimony demonstrate the changing tide of privacy: “After more than a decade of promises to do better, how is today’s apology different and why should we trust Facebook to make the necessary changes to ensure user privacy and give people a clearer picture of your privacy policies?” Senator Thune continued: “In the past, many of my colleagues on both sides of the aisle have been willing to defer to tech companies’ efforts to regulate themselves. But this may be changing.” Senator Thune and his colleagues sent a clear message that the current status quo of privacy in the US was no longer acceptable.
The first major wave of US privacy legislation arrived when the State of California signed the California Consumer Privacy Act (CCPA, or AB 375) into law on June 28, 2018. CCPA establishes four basic privacy rights for California consumers, including the right to know what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold. It also grants consumers the right to “opt out” of allowing a business to sell their personal information. Companies need to start preparing today to support these consumer rights before the 2020 deadline.
So, what are the action items for cybersecurity professionals?
1. Design Privacy into Everything You Do
Implementing GDPR and CCPA privacy practices at the design stage is critical. GDPR refers to these concepts in Article 25 as “Data protection by design and by default.” These concepts require that any action a company undertakes to process personal data be performed with data protection and privacy in mind at every step. Reactive CIOs or CXOs will face retrofitting privacy into products, apps and processes, which will be substantially more complex and expensive.
2. Create a Culture of Privacy and Respect for Consumer Rights
Cybersecurity executives can and should become outspoken advocates of privacy and consumer rights. Nevertheless, the real power is in creating a culture where respect for privacy and the rights of your customers is paramount. In many businesses, this will require a significant culture change. Take steps today to begin effecting this change within your sphere of influence.
3. Demonstrate Your Commitment to Privacy and Cybersecurity with a SOC 2 Report
Interest in SOC 2 is skyrocketing. The American Institute of Certified Public Accountants (AICPA) created SOC 2 reports so that companies can demonstrate that sufficient security and privacy controls are in place. SOC 2 reports provide a high level of assurance because an independent CPA firm tests and reports on whether the controls are working. Leading companies that are not already producing a SOC 2 report are completing a SOC 2 Readiness Assessment to understand the necessary improvements. After implementing the required cyber and privacy controls, a company can produce a clean SOC 2 report.
Today’s consumers are becoming aware of their rights and increasingly willing to exercise them. Cybersecurity professionals must start now to prepare for the privacy-aware consumer and leverage privacy, trust and transparency to create a competitive advantage for the company.
About the Author
David Hartley is a Principal for UHY Advisors MO, Inc. where he focuses on delivering “Virtual CIO” technology consulting services to primarily middle market companies. He assists companies with everything from digital transformation and IT strategy to assessing cyber risks and implementing cybersecurity programs. David is a CPA and Certified Information Systems Auditor (CISA) with experience in technology, consulting, audit and C-suite business leadership roles. Prior to joining UHY in 2015, David was VP & Chief Information Officer at Arch Coal, Inc., responsible for leading technology at the company from 2009 to 2015.