Cohesive Governance of Cybersecurity and Data Privacy: A Value Proposition for Businesses
Happy Cybersecurity Awareness Month! To some, privacy and cybersecurity are viewed as layers of the same cake. And to others, two completely independent verticals. The reality exists somewhere in between these two competing views. With the convergence of laws and new regulations emerging in the data privacy and security space, the overlap between privacy and cybersecurity is growing. There is also an increasing hint of tension in how to govern data privacy and cybersecurity to ensure a cohesive, continued alignment.
With tight budgets and brand reputation on the line, organizations worldwide are grappling with how to prioritize cybersecurity and privacy, ideally under one plan of action. So where should companies focus: cybersecurity, privacy, or both?
Some businesses may prioritize the more “established” field, cybersecurity. Companies in all industries have implemented internal policies around cybersecurity for decades - dating back to the 1980s and the passage of the Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Privacy Act (ECPA) - then refined those policies following the passage of more recent national cybersecurity laws such as the Federal Information Security Management Act (FISMA) of 2002 and the Cybersecurity Information Sharing Act (CISA) of 2015.
On the privacy side, historically laws and regulations have been much more industry-specific, such as the Health Insurance Portability and Accountability Act (HIPAA) established in 1996, the Children’s Online Privacy Protection Act (COPPA) established in 1998, and the Family Educational Rights and Privacy Act in the early 2000s. These regulations led certain companies within specific industry verticals to shift and update internal data privacy practices to ensure compliance, but it also left vast ecosystems - businesses, service providers, and vendors outside of those specific industries that still process large swaths of consumer data - stagnant and noncommittal.
But now, all of that is changing.
Several states have included cybersecurity provisions within their data privacy laws. For example, the California Consumer Privacy Act (CCPA) requires that businesses extend data breach laws to create a private right of action for unauthorized access, theft, or disclosure of certain non-encrypted and non-redacted personal information, take a risk-based approach to cybersecurity, and enact reasonable security measures to protect personal data.
Other states like New York, Massachusetts, and Maryland have similar provisions. New state consumer privacy laws sprinkled across Colorado, Connecticut, Virginia, Iowa, and Utah focus on practices like conducting a risk assessment, acknowledging a duty of care, and establishing data retention policies that have been embedded in good faith cybersecurity practices for decades.
The desire for proactivity in the face of having to pay attention to several potentially inconsistent state laws leads many businesses to look at transregional data privacy frameworks. This rationale becomes even more important when global laws like the EU General Data Protection Regulation (GDPR) are thrown into the mix.
GDPR specifically requires that organizations have proper technical and organizational measures like specific policies, processes, and procedures to protect the personal data they process.
Meanwhile, the FTC’s 2023 Privacy and Data Security Update blends the worlds of privacy and security, with enforcement actions across children’s privacy, AI, geolocation data privacy, and health privacy.
As the FTC notes, “through 2023, the FTC has brought 97 privacy cases and 169 Telemarketing Sales Rule and CAN-SPAM cases since 1999, as well as 89 data security cases. In addition to its law enforcement work, the agency also has engaged in rulemaking and policy work to push companies to bolster privacy protections for consumers and implement safeguards to secure consumer data.”
Companies need to proactively prioritize both data privacy and cybersecurity and many are hoping they can do so in parallel. Is there a bridge that connects the two worlds?
Demonstrating Accountability Across Privacy & Security with Soft Law
With the growth in new technologies and the pacing problem that persists with passing laws that appropriately reflect new data practices in the fields of cybersecurity and privacy, businesses are looking for answers to questions that hard law and enforcement actions cannot solve, leave gaps in, or perhaps remain silent about, such as the lack of a comprehensive data privacy law in the United States.
“Soft law” efforts, such as guidance through clear frameworks, certifications, and industry-wide standards, can help fill those gaps.
In cybersecurity, the ISO 27001, NIST Cybersecurity Framework, and SOC 2 are recognized industry standards that focus on managing information security risks that have been refined through years of state cybersecurity laws, enforcement actions, and guidelines developed by standard-setting bodies and frameworks.
And the ISO extension ISO 27701, an add-on to 27001, signals the privacy component of an established standard in the cybersecurity world. The extension creates alignment across compliance requirements with EU’s GDPR, California’s CCPA, and statutory data privacy requirements.
However, while a recognized cybersecurity certification such as ISO 27001 may serve as an excellent starting point to enact some of the measures needed to reduce the risk of a breach, companies may find the resources and bandwidth necessary to fulfill the certification a challenge, or perhaps even a “stretch” goal. Therefore, we suggest that the ISO certification need not be the only bar companies set for themselves.
Companies should not feel limited to an all-or-nothing, high-stakes certification. Rather, a middle ground exists: the Global Cross Border Privacy Rules (CBPR) certification. To fully ensure compliance with both the privacy and information security requirements of GDPR and other privacy and security standards, the CBPR certification can complement completion of rigorous certifications like the ISO standards.
Global CBPR, on the data privacy side, is one of multiple international data transfer certifications that carries industry-wide recognition and soft-law enforcement through the U.S. Department of Commerce’s oversight and coregulatory model of governance with its accountability partners, including BBB National Programs.
The Global CBPR, which includes the Privacy Recognition for Processors (PRP) program, is an international data transfer consumer privacy framework that focuses on data privacy and security practices meeting some common requirements and goals of the ISO certifications and expectations of the cybersecurity community. The nations that are committed to the Global CBPR, which span the globe, are dialed into enforcing the requirements, creating an incentive for the companies and the certifying bodies to hold companies to a high standard, because if they don’t, they could be hit with enforcement action.
The Global CBPR certification is aimed at data controllers with a robust set of principles focused on consumer transparency, notice, choice, and preventing harm. The PRP certification is centered on data service providers/processors and rests on two major principles: security safeguards and accountability. The PRP certification asks questions ranging from the applicant’s ability to describe physical, technical, and administrative safeguards used to protect personal information to explaining the measures taken by the organization to detect, prevent, and respond to attacks or other security failures.
So, despite cybersecurity and privacy seeming to have differing certifications and assessment criteria, you will be hard pressed to find privacy frameworks that do not have some components of cybersecurity and vice versa. For example, the ISO extension ISO 27701, an add-on to 27001, signals the privacy component of an established standard in the cybersecurity world. The extension creates alignment across compliance requirements with EU’s GDPR, California’s CCPA, and statutory data privacy requirements. These requirements are a part of some of the leading privacy laws globally.
By adding a privacy extension to a cybersecurity certification, the industry is signaling a shift from siloing to embracing synergy.
Reconciling the Differences Across Cybersecurity and Privacy
As noted, new privacy frameworks like the Global CBPR/PRP may be the way to tie the threads between the cybersecurity and privacy fields: the data security practices within the PRP certification seek to meet some of the common requirements and goals of the ISO certifications and expectations of the cybersecurity community.
The PRP certification embodies the rationale that good privacy and good cybersecurity enjoy an interdependent relationship. Both fields go hand in hand and sit on two sides of the same coin with the same overarching goal: demonstrating clear, accountable practices regarding your data.
The Path Forward
Compliance with the law is a minimum requirement. A sustained effort to remain proactive on cybersecurity and data privacy compliance is a best practice.
If industries want to work toward long-term accountability and be viewed favorably by both consumers and regulators, data-driven companies should move away from the proverbial compliance as a box-checking exercise and instead treat it with the same level of scrutiny they give to the retrospective after a data breach. Privacy and cybersecurity practitioners need to look holistically at industry-recognized certifications and frameworks, which can potentially fulfill a two-for-one.
It is important now more than ever that cybersecurity and privacy be looked at through a lens of symbiosis. It has long been accepted that good privacy is underpinned by good cybersecurity, but it is time that we accept that good cybersecurity should be underpinned by good privacy. As the world becomes more digitized, with the implementation of AI in every sector, organizations and practitioners alike are tasked with keeping pace with each new development. Good cybersecurity and good privacy predicate proactivity, the thing that often escapes us until it is too late.
It is imperative that cybersecurity practitioners look to data privacy frameworks not only to make their cybersecurity programs more robust, but also to reiterate their commitment to good privacy hygiene. Such an approach fosters consumer trust and proactively protects their businesses, making cybersecurity and privacy two sides of the same coin, the coin of the realm.
Contact us at globalprivacy@bbbnp.org to get started.