Date: 23 March 2023
Europe took the lead on emphasising the importance of data security and protection of sensitive information by bringing the General Data Protection Regulation GDPR into effect in 2018. The US is now catching up fast with State Privacy Laws going into effect in five states in 2023.
These new data protection laws compel organisations to protect personal and sensitive data. But privacy of personal data and confidential information can only be ensured when effective cybersecurity is in place.
Privacy Laws make general statements about the need for “appropriate” cybersecurity safeguards and processing of personal data. However, they do not specifically dictate technical requirements and/or security solutions.
The onus remains on businesses to put security measures in place that not only keep their network security and critical infrastructure protected, but also keep any information collected safe. This also necessitates building strong cyber incident response capabilities which can help mitigate the damage that ransomware attacks and cyber attacks can cause.
There are five main areas organisations need to focus on as they strive to bolster cybersecurity capabilities, improve their protection of customer privacy and thereby comply with the new laws.
These are:
1. Data Breaches
2. Privacy by Design
3. Data Subject Rights
4. Third-Party Risk Assessment
5. Regulatory Readiness
1. Data Breaches
Data breaches occur when information is taken from an organisation without authorization by the owner. Breaches –like the theft of user data-- are often highlighted in the media and have profound financial, reputational, and legal consequences. GDPR and state data privacy laws require organisations to report data breaches promptly, sometimes within 72 hours. The only way to comply is when organisations have effective cybersecurity incident response measures in place to detect, prevent, and respond to data breaches. Otherwise, breaches can go unnoticed and unreported for months or more.
Effective measures can include access controls, encryption, intrusion detection, and incident response plans. It is important to regularly refresh incident response plans, policies and procedures to ensure they are fit for purpose and relevant. In case, you need help with creating new incident response documents or want an external professional review, consider enlisting the help of cost-effective Virtual Cybersecurity Assistants.
They can also help you rehearse your incident response plans and ransomware response checklists with professionally-conducted Cyber Tabletop Exercises. They help to make sure all stakeholders understand their roles and responsibilities in the immediate aftermath of a security incident.
Organisations must also conduct periodic vulnerability scanning and risk assessments to identify and address potential cybersecurity risks.
Penalties for failing to comply with breach notification requirements can be massive. Under GDPR, organisations can be fined up to four percent of their annual global sales for failing to report data breaches promptly. For big companies that can result in eye-popping fines ranging into the hundreds of millions of dollars. US penalties are less daunting, but still steep.
It’s almost impossible to prevent the most sophisticated attacks – such as those from nation states. However, it is possible to control the damage from these advanced security risks.
Another interesting thing to note is that data that isn’t there in the first place cannot be breached. That realisation is causing organisations to minimise the personal data they collect and hold, which is one of the goals of privacy laws in the first place.
It is significant to note here what personal data includes. As per the GDPR, “‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
2. Privacy by Design
US data privacy laws and the GDPR require the implementation of “privacy by design” principles. That means that privacy and security must be built into products, services, and processes from the ground up rather than added later. Companies must assess cybersecurity risks and put in place effective safeguards to protect personal data throughout its lifecycle.
Key ‘privacy by design’ principles include implementing access controls, encryption, and data minimization techniques to limit the risk of unauthorised access or disclosure. Organisations should also consider the security implications of new technologies, such as artificial intelligence and wearable devices and apply sufficient controls to protect the personal data that these new technologies generate.
Privacy by design also requires organisations to conduct regular Privacy Impact Assessments (PIAs) to identify and mitigate privacy risks associated with their products, services, or processes. PIAs can help organisations identify possible cybersecurity risks and implement safeguards to protect personal data.
3. Data Subject Rights
Privacy laws give individuals specific rights over their personal data, such as the right to access, correct, or even delete their data. This means that organisations must implement appropriate cybersecurity measures to ensure that these rights can be exercised securely and that the existence of these rights does not introduce new attack vectors.
Many organisations do a shockingly poor job of tracking what information they have about their customers and other individuals. For example, a bank may have information dating back years or decades in systems no current employees know about. These could include personal data –like income-- on people who applied for loans long ago at a smaller bank that was acquired, even if those individuals never became customers! That information could be costly if breached.
Every business must conduct information discovery exercises to identify what data they have and where they have it. It can be a daunting task, but automated cybersecurity tools are becoming available to help. Once the information is catalogued, you need to implement access controls to ensure that only authorised individuals can access that data. They must also implement encryption to protect personal data when it is stored, transmitted, or processed. One must also look into introducing procedures to verify the identity of individuals who request access to their personal data.
4. Third-Party Risk Assessment
Both the GDPR and US data privacy laws require organisations to ensure that their third-party service providers comply with the laws’ privacy and security requirements. This means that organisations must implement effective cybersecurity measures to manage third-party risks and ensure that personal data is protected when shared.
Effective third-party risk assessment can include conducting due diligence and vulnerability scanning on third-party service providers, implementing contractual obligations to ensure compliance with applicable privacy and security requirements, and conducting regular audits to ensure compliance.
5. Regulatory Readiness
Privacy laws provide regulatory authorities with significant enforcement powers, including the ability to impose substantial fines for non-compliance. This means that organisations must demonstrate compliance with applicable privacy and security requirements and be prepared for regulatory audits and investigations. 
Organisations must implement cybersecurity measures to protect personal data, maintain appropriate documentation to demonstrate compliance, and have robust procedures in place to respond to regulatory audits and investigations. What’s “appropriate” for one organisation, data type or time period may be insufficient or an overkill for another.
One example of how the definition of “appropriate” changes over time is encryption. Not long ago, 32-bit encryption was sufficient. But as computers have become more powerful it is now possible to use a consumer-grade PC to break this level of encryption by brute force. The current standard, AES-256 is considered virtually unbreakable. But as computational technology advances, organisations will need to continue to adjust and evolve.
Final Thoughts
There is no privacy without cybersecurity. Every business, government body and organisation must implement appropriate and stringent cybersecurity measures to comply with the GDPR and state privacy laws or risk severe consequences.
About the Author: Matthew T. Carr
Matthew is the Co-Founder and Head of Research & Technology at Atumcell, which provides cyber security software and services for private equity firms and their portfolio companies. Matthew is an award-winning cyber security researcher, inventor and penetration tester who’s been called upon by national intelligence services and companies of all sizes to solve thorny security and privacy problems. He held senior positions in security at IKEA, IBM and SecureLink and is the inventor of patent-pending innovations to stop Stuxnet-style attacks on industrial systems.
ABOUT ATUMCELL: The Atumcell scanner is a cloud-based tool for cyber risk assessment.
Atumcell analyses your publicly facing assets, information security practices and emerging threats in the context of your specific IT infrastructure or investment portfolio.
