The convergence of cybersecurity and data privacy
Across industries, privacy and cybersecurity are no longer two separate conversations, and that combined conversation is happening more often. While cyberattacks frequently make splashy headlines, the privacy violations that accompany these intrusions are not as widely acknowledged or reported. In part, that’s because most people don’t understand what privacy is, why it’s important, and how it’s tied to security.
At its most basic level, privacy has historically been defined as the right to be left alone. As businesses and societies become increasingly digital, data privacy has come to mean control over how personal information is used by the businesses that collect it. As personal information passes from user to business to third parties, the resulting mix of data can be so muddy that it is hard to determine who owns the data and how it should be treated, much less who is accountable for protecting it.
Historically, much of the governance around how personal information must be safeguarded has been approached from a technical perspective, driven by the need to maintain the confidentiality, integrity, and availability of information systems. Today, another dimension must be added: data privacy law. In the U.S., this includes the California Privacy Rights Act (CPRA), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, and the Utah Consumer Privacy Act (UCPA), as well as dozens of other proposed laws under consideration in state legislatures. In the EU, compliance with the General Data Protection Regulation (GDPR) requires a range of technically demanding processes and technologies to safeguard the personal data of individuals in the EU.
In the coming years, privacy and security maturity will increasingly be treated as a business differentiator, not just a cost center. Organizations must keep in mind that once data is collected and resides on an enterprise system, data privacy and cybersecurity are linked: from that point on, the business is accountable for designing the cybersecurity controls and programs that protect personal information from theft, unauthorized access, and damage, and ultimately for keeping the trust of its users.
Part of the problem is that many organizations don’t understand the purpose and components of data privacy. Privacy tends to be heavy on “legalese,” whereas cybersecurity is a more practical, tactical discipline that has been practiced for years.
To safeguard information, businesses must first understand what data is in their ecosystem. That data should be protected by security controls that limit access to it and ensure employees do not misuse personal data or systems in ways that could lead to breaches. Businesses must also safeguard consumer data from theft or tampering by external actors.
Beyond that first step, businesses can understand and protect personal data by taking the following steps:
- Understand your critical business processes.
- Map the data use and data flow across the different organizational units.
- Design and implement an effective data governance program.
- Classify data to identify and understand all information in your environment.
- Create policies for data collection, storage, use, sharing, and sale.
- Use proper access controls to limit access to data.
- Review and verify the security and privacy controls of third parties that have access to your data, applications, and networks.
- Create and test an incident response plan.
- Disclose how your organization uses personal information.
- Develop easy-to-understand privacy guidelines to inform the organization on how information in your ecosystem should be treated.
- Know the regulatory requirements in the jurisdictions in which your company operates.
- Appoint a chief information security officer (CISO) or a chief data officer (CDO) to oversee security and privacy.