Data protection & the beginning cyber era

Himanshu Vohra
Nov 20, 2020

Cybersecurity is attracting more attention than ever — not just in headlines, but among policymakers, industry leaders, academics, and the public. Successful cyberattacks are becoming more frequent and threatening as adversaries become more determined, more sophisticated, and more likely to be connected with a nation-state. No one and nothing seems safe. As we all know, the WannaCry ransomware attack left its mark on more than 100 countries. Presidential elections in many countries have been the subject of major attacks, followed by strategically timed disclosures.

The increasing attention to cybersecurity is the result of society’s growing reliance on digital systems to manage crucial infrastructures, such as automobiles, utilities, handheld devices, etc. But such attention raises important issues for personal privacy and the data protection tools we use to protect it.

In 2010, for example, the U.S. and Israel reportedly cooperated in the development and use of Stuxnet, a software program that destroyed centrifuges critical to Iran’s nuclear weapons program by interfering with their control systems. Hackers used cyberattacks to temporarily shutter three power distribution companies in western Ukraine and operations at a Venezuelan oil unloading facility. In 2014, cyberattacks on a German iron plant caused widespread damage. In 2015, thieves stole $81 million by exploiting weak security at the Central Bank of Bangladesh to persuade the network that controls international transfers of money between banks to transfer the money from the Federal Reserve Bank of New York to the thieves’ accounts. The following year, the Mirai botnet exploited vulnerabilities in Internet of Things devices to overwhelm the Dyn domain server, causing major Internet platforms and services to be unavailable in the U.S. and Europe. Enterprising security researchers have hacked insulin pumps, drones in flight, and cars on the road.

The relationship between security and data privacy has always been intricate. Privacy depends absolutely on security. No obligation to provide privacy, whether entered into voluntarily or compelled by law, will be meaningful if the data to be protected are accessed or stolen by unauthorized third parties. As a result, all modern data protection principles include an obligation to protect security as well. For example, the influential Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted by the Committee of Ministers of the Organization for Economic Cooperation and Development (OECD) in 1980, included the Security Safeguards Principle as one of the eight foundational principles of data protection: ‘Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.’ This principle was retained in the 2013 revision of the Guidelines (the OECD Privacy Framework) and supplemented by additional security-related language covering data breaches. Security has also been recognized in every significant codification of data protection law since then, including the EU Data Protection Directive, the U.S. Federal Trade Commission’s fair information practice principles, the APEC Privacy Framework, and the EU General Data Protection Regulation.

Data privacy and cybersecurity are often advanced by common tools, such as encryption, data minimization, and limits on collecting, retaining, and transferring personal data. In short, what is good for privacy is often good for security as well.

Role of increasing cybersecurity

  1. By drawing attention to the challenges of information governance broadly, the growing focus on cybersecurity may lead to increased funding and other resources for privacy work as well. This is especially true because security is so integral to privacy and public acceptance of new security measures often depends, at least in part, on the degree to which those measures protect privacy.
  2. Enhanced attention to information security, and especially the sense of urgency with which these threats must be addressed, may lead not only to more attention being given to privacy as well but also to greater insistence that data protection tools, like cybersecurity tools, adapt and change more readily to the challenges of the 21st century. Data protection law has rarely been thought nimble; pressure to deal with cybersecurity may help change that.
  3. The importance of technological skills for cybersecurity professionals may intensify the movement towards more data protection professionals trained in technologies as well. At the same time, the broader range of disciplines traditionally applied to privacy may help facilitate a much-needed expansion of cybersecurity competencies. After all, the vast majority of successful cyberattacks involve human or institutional failures, so greater attention to human and institutional behavior, training, incentives, and risk management, already being applied to privacy, is key to enhancing cybersecurity.
  4. The human rights foundations of data protection law could benefit efforts to improve cybersecurity as well. For years, many institutions calculated the ‘cost’ of information security breaches only in terms of the losses suffered by the institution. A greater understanding that information security, as a component of data protection, is not just a financial obligation, but a human rights obligation might contribute to a broader accounting of the harms that may be caused by breaches and the range of parties who may be injured.

Civilization urgently needs better protection for cybersecurity, far better than we have seen to date, but it also needs better data protection. The significance of the possible effects on data protection — both positive and negative — of the increased attention being paid to cybersecurity suggests that privacy professionals in government, industry, civil society, and academia should, at a minimum, be paying close attention to the emergence of cybersecurity. Even better would be to think constructively and proactively about how to take advantage of this important development to ensure that people everywhere enjoy strong, effective protection for their privacy and for the security of their data.

