Data Privacy and Security: it takes two to tango.

  • Stephen M. Dye
  • Aug 29, 2024
  • 6 min read

In my cyber career, I have had the privilege of serving as the Virtual Chief Information Security Officer (vCISO) for prominent organizations such as Virgin Voyages, CRISPR, and LATTICE, amongst others. In these roles, the cyber security programs I created for protecting Personally Identifiable Information (PII), Protected Health Information (PHI), and other sensitive data were paramount.


It was not just a cybersecurity obligation; data privacy demanded it as well. I have often collaborated closely with Chief Privacy Officers and legal teams to ensure their privacy objectives were met. This collaboration was essential in developing comprehensive strategies that not only secured our data but also respected and safeguarded the privacy rights of individuals. Our joint efforts ensured that we stayed ahead of evolving threats while complying with stringent privacy regulations. This article is based on my experiences, which showed me how Cyber and Privacy would often tango, but we would also sometimes find ourselves with a different dancing partner.


How Privacy and Cybersecurity Intersect and Diverge

Today, privacy and cybersecurity are often discussed in tandem, yet they encompass distinct areas within the broader realm of information protection. Understanding their interrelationship and differences is crucial for effectively managing and securing sensitive data. Privacy and cybersecurity are inherently connected, both aiming to protect sensitive information from unauthorized access and misuse. Here is how they fit together:

Shared Goals: Both privacy and cybersecurity strive to safeguard information. Privacy focuses on the protection of personal data, ensuring that it is collected, processed, and stored in a manner that respects individual rights and meets all governing laws. Cybersecurity, on the other hand, aims to defend all types of data from malicious threats and breaches.

Collaborative Efforts: In many organizations, privacy officers and cybersecurity teams work closely together. Collaborative projects and shared responsibilities ensure that both privacy and security measures are aligned to provide comprehensive protection. This constructive collaboration helps in anticipating threats and implementing proactive strategies, all aimed at keeping sensitive information away from prying eyes and prospective new owners.

Trust Building: A strong relationship between privacy and cybersecurity enhances trust among stakeholders. Customers and clients are more likely to trust an organization that demonstrates a commitment to both protecting their data and ensuring privacy.

Distinct Areas of Focus

Privacy is concerned with the appropriate handling, processing, and sharing of personal information in compliance with legal and ethical standards. It addresses questions of who has the right to access and control personal data, ensuring that individuals’ data is used transparently and with consent. Cyber, however, focuses on protecting data from external threats such as hackers, malware, and other cyberattacks, and also covers insider threats, awareness training, and security policy implementation. Understanding these distinctions is essential for developing comprehensive strategies that safeguard both the integrity and confidentiality of sensitive information.

Privacy and Data Handling

Privacy is concerned with how data is collected, processed, stored, and shared. It ensures that data practices comply with regulations like GDPR and the California Consumer Privacy Act (CCPA). Technical aspects include:

Data Minimization: Limiting the collection of personal data to what is strictly necessary for the intended purpose. Implementing data discovery and classification tools to identify and label data, minimizing unnecessary data collection.

Anonymization and Pseudonymization: Using techniques to anonymize or pseudonymize personal data, reducing the risk of re-identification. This involves using algorithms for hashing, encryption, and tokenization to mask sensitive information while preserving data utility for analysis.

Data Encryption: Applying robust encryption methods such as AES-256 to protect personal data both at rest and in transit. This satisfies both cyber and privacy needs, ensuring that even if data is intercepted or accessed without authorization, it remains unreadable and secure.

Data Masking: Implementing dynamic data masking techniques to hide sensitive information in real-time while allowing authorized users to access necessary data. This helps protect data in development, testing, and production environments.

Access Control: Utilizing advanced access control mechanisms like Attribute-Based Access Control (ABAC) and Policy-Based Access Control (PBAC) to enforce strict data access policies based on user attributes, roles, and contextual information.

Logging and Monitoring: Implementing comprehensive logging and monitoring solutions to track access and modifications to personal data. Using Security Information and Event Management (SIEM) systems to analyze logs and detect potential privacy breaches in real-time.

Data Retention and Deletion Policies: Establishing clear data retention and deletion policies to ensure that personal data is only kept for as long as necessary. Automating data lifecycle management to comply with these policies and reduce the risk of retaining unnecessary data.
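An added example (not from the original article) of the pseudonymization and masking items above: it tokenizes an email address with a keyed HMAC so records stay joinable for analysis, masks a card number for display, and checks that an unkeyed hash, unlike the keyed token, can be matched by anyone holding a list of known emails. The record fields, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample records; the emails, card numbers and key are made up.
RECORDS = [
    {"email": "alice@example.com", "card": "4111111111111111", "plan": "gold"},
    {"email": "bob@example.com", "card": "5500000000000004", "plan": "free"},
    {"email": "alice@example.com", "card": "4111111111111111", "plan": "gold"},
]
DEMO_KEY = b"demo-key-only"  # assumption: a real key would come from a KMS or vault


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256: deterministic, but anyone can recompute it."""
    return hashlib.sha256(value.lower().encode()).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token: stable for joins, not recomputable without the key."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()


def mask_card(card: str) -> str:
    """Simple display mask: keep only the last four digits."""
    digits = [c for c in card if c.isdigit()]
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


def protect(record: dict, key: bytes) -> dict:
    """Return a copy suitable for analytics: email tokenized, card masked."""
    return {
        "user_token": pseudonymize(record["email"], key),
        "card": mask_card(record["card"]),
        "plan": record["plan"],
    }


def recomputable_without_key(token: str, known_emails: list[str]) -> bool:
    """Re-identification check: does the token equal an unkeyed hash of a known value?"""
    return any(hmac.compare_digest(token, unkeyed_hash(e)) for e in known_emails)


if __name__ == "__main__":
    for row in (protect(r, DEMO_KEY) for r in RECORDS):
        print(row)
```

The keyed token still lets analysts count or join by user, while the key itself becomes the asset to protect and rotate.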

Individual Rights

Privacy policies and practices are designed to protect the rights of individuals, providing transparency about data use, and offering mechanisms for individuals to control their information. Privacy is intricately linked to individual rights, serving as a shield against the intrusive reach of data collection and processing. At its core, it empowers individuals with the authority to determine how their personal information is utilized, stored, and shared. This fundamental concept enshrines several key rights for individuals, some of which are listed here:

Right to Control: Individuals have the right to control their personal data, including the ability to access, modify, and delete it as they see fit. This control extends to how organizations and third parties use their data.

Right to Consent: Data subjects must provide informed consent before their personal information can be collected or processed. This ensures that individuals are aware of how their data will be used and have the opportunity to opt out if desired.

Right to Transparency: Individuals have the right to know what personal data is being collected about them, how it will be used, and who will have access to it. Transparency promotes trust between individuals and organizations and enables informed decision-making.

Data Subject Access Requests (DSARs): Implementing processes to manage DSARs efficiently, allowing individuals to access, correct, or delete their personal data. Utilizing automated DSAR management platforms to streamline request processing and ensure timely responses.



Impact Assessments

Privacy impact assessments evaluate the potential risks to personal data and ensure that privacy considerations are integrated into new projects and technologies. Techniques include:

Risk Assessment Frameworks: Utilizing frameworks such as the NIST Privacy Framework, GDPR, CCPA, and the Health Insurance Portability and Accountability Act (HIPAA) to systematically assess and manage privacy risks. Conducting regular privacy risk assessments using these frameworks to identify and mitigate risk.

Automated Tools: Leveraging automated tools to conduct impact assessments and monitor compliance with privacy regulations. Using privacy management software that integrates with data processing systems to continuously monitor and assess privacy risks.


Cybersecurity

Cyber by default checks a lot of boxes for its privacy dance partner, but must go it alone in other aspects:

Threat Mitigation: Cybersecurity focuses on protecting data from external threats such as hackers, malware, and other cyberattacks. It involves implementing firewalls, encryption, intrusion detection systems, anti-virus, endpoint detection, and other defensive measures. Technical measures include:

Intrusion Detection and Prevention Systems (IDPS): Deploying IDPS to detect and prevent unauthorized access and malicious activities.

Endpoint Security: Using endpoint detection and response (EDR) and endpoint protection platforms (EPP) to secure devices against threats.

Incident Response: Cybersecurity teams are responsible for detecting, responding to, and recovering from security incidents. This includes developing and executing incident response plans and employing Incident Response Teams to manage security breaches effectively.

Security Log Management: Security logs typically include details such as timestamps, event types, user identities, IP addresses, and actions taken. Utilizing solutions to aggregate and scrutinize event logs and Indicators of Compromise (IOCs) from diverse sources. These platforms serve as a vital defense mechanism, swiftly identifying anomalous activities and potential security breaches in real-time.

Infrastructure Security: Cybersecurity extends to securing the infrastructure, including networks, servers, and devices, ensuring that the entire IT environment is protected against vulnerabilities. Key practices include:

  • Network Segmentation: Segmenting networks to limit the spread of potential threats and protect critical assets.

  • Patch Management: Regularly updating and patching software and hardware to address vulnerabilities.

Convergence and Future Trends

As technology evolves, the convergence of privacy, cybersecurity, and other disciplines like AI and data governance becomes increasingly apparent. Many organizations are adopting unified strategies that integrate privacy and cybersecurity practices. This comprehensive approach ensures that data is protected from multiple angles, reducing the risk of breaches, and enhancing compliance.

Emerging regulations are beginning to treat all data with the same level of importance as personal information, emphasizing the need for transparency and impact assessments for all types of data. With the advent of AI and automation, we are presented with both opportunity and challenge for privacy and cybersecurity. While AI can enhance threat detection and response, it also raises new privacy concerns that need to be addressed through ethical AI practices and robust data governance.

Conclusion

Privacy and cybersecurity are two essential components of a comprehensive data protection strategy. While they have distinct areas of focus, their goals are closely aligned, and their collaboration is vital for building trust and ensuring the security of sensitive information.

By understanding and integrating these disciplines, organizations can better navigate the complexities of the digital landscape and safeguard their data against evolving threats. Sometimes they do the tango, sometimes privacy is doing the electric slide while Cyber (and from personal experience) is occupied doing a frenetic, frantic Irish jig.


Stephen Dye is the Principal at Uplift Cyber, a cyber security consulting practice, dedicated to ransomware protection advisory, uplifting the cyber security of businesses, and software assurance.

 
 
 



Copyright 2024 Uplift Cyber
