The convergence of cybersecurity and data privacy

Across industries, privacy and cybersecurity are no longer two separate conversations, and that combined conversation is happening more and more often. While cyberattacks frequently make splashy headlines, the privacy violations that accompany these intrusions are not as widely acknowledged or reported. In part, that’s because most people don’t understand what privacy is, why it’s important, and how it’s tied to security.

At its most basic level, privacy has historically been defined as the right to be left alone. As businesses and societies become increasingly digital, the concept of data privacy has come to mean control of how personal information is used by businesses that collect it. As personal information is passed from user to business to third parties, the ensuing mix of data can be so muddy that it can be challenging to determine who owns the data and how it should be treated, much less who is accountable for protecting it.  

Historically, much of the governance around how personal information must be safeguarded has been from a technical perspective, driven by the need to maintain the confidentiality, integrity, and availability of information systems. Today, it’s imperative to add another dimension: data privacy laws. These include the California Privacy Rights Act (CPRA), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, and the Utah Consumer Privacy Act (UCPA), as well as dozens of other proposed laws under consideration in U.S. statehouses. In the EU, compliance with the General Data Protection Regulation (GDPR) requires a slew of technically advanced processes and technologies to safeguard citizen data. 

But in the coming years, increased emphasis will be put on privacy and security maturity as a business differentiator, not just a cost center. Organizations must keep in mind that once data is collected and resides on an enterprise system, a connection between data privacy and cybersecurity is formed. After that, it is the business that is held accountable for designing cybersecurity controls and programs that protect personal information from theft, unauthorized access, and damage, and ultimately for keeping the trust of its users.

Taking steps to safeguard personal data

Given the potential fallout of data privacy infractions, one would expect that most businesses would have an up-to-date data privacy policy in place. But many do not. 

One explanation is that many organizations don’t understand the purpose and components of data privacy. In part, that’s because privacy tends to be heavy on “legalese,” whereas cybersecurity is a more practical and tactical discipline that has been practiced for years.

To safeguard information, businesses must first understand what data is in their ecosystem. Data should be protected by security controls designed to limit access to information and make sure employees do not misuse personal data or systems in ways that could result in breaches. Businesses must also safeguard consumer data from theft or tampering by external actors. 

Beyond that first step, businesses can understand and protect personal data by taking the following steps: 

  • Understand your critical business processes.
  • Map the data use and data flow across the different organizational units.
  • Design and implement an effective data governance program. 
  • Classify data to identify and understand all information in your environment.
  • Create policies for data collection, storage, use, sharing, and sale.
  • Use proper access controls to limit access to data.
  • Review and verify the security and privacy controls of third parties that have access to your data, applications, and networks.
  • Create and test an incident response plan.
  • Disclose how your organization uses personal information.
  • Develop easy-to-understand privacy guidelines to inform the organization on how information in your ecosystem should be treated. 
  • Know the regulatory requirements in the jurisdictions in which your company operates.
  • Appoint a chief information security officer (CISO) or a chief data officer (CDO) to oversee security and privacy.

Keep it simple

Privacy as a program should not be simply legalese posted on your company website. It should be practical, tactical, and transparent, making it easy for both employees and consumers to understand. Ultimately, a unified information security and data privacy program will help businesses weigh the cost of collecting and using personal data with the advantages it delivers, and craft their best path forward in using and protecting it.


Bhavesh Vadhani, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy 


Deborah Nitka, Senior Manager, Cybersecurity, Technology Risk, and Privacy



This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP nor its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining from acting, in reliance on the information contained in this publication or for any decision based on it.