CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
View full biography
The convergence of cybersecurity and data privacy
Across industries, discussions surrounding privacy and cybersecurity are no longer two separate conversations, and the frequency of that conversation is only increasing. While cyberattacks frequently make splashy headlines, privacy violations that accompany these intrusions are not as widely acknowledged or reported. In part, that’s because most people don’t understand what privacy is, why it’s important, and how it’s tied to security.
At its most basic level, privacy has historically been defined as the right to be left alone. As businesses and societies become increasingly digital, the concept of data privacy has come to mean control of how personal information is used by businesses that collect it. As personal information is passed from user to business to third parties, the ensuing mix of data can be so muddy that it can be challenging to determine who owns the data and how it should be treated, much less who is accountable for protecting it.
Historically, much of the governance around how personal information must be safeguarded has been from a technical perspective, driven by the need to maintain the confidentiality, integrity, and availability of information systems. Today, it’s imperative to add another dimension: data privacy laws. These include the California Privacy Rights Act (CPRA), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, and the Utah Consumer Privacy Act (UCPA), as well as dozens of other proposed laws under consideration in U.S. statehouses. In the EU, compliance with the General Data Protection Regulation (GDPR) requires a slew of technically advanced processes and technologies to safeguard citizen data.
But in the coming years, an increased emphasis will be put on privacy and security maturity as a business differentiator – not just a cost center. Organizations must keep in mind that once data is collected and resides on an enterprise system, a connection between data privacy and cybersecurity is formed. After that, it is the business who is held accountable for designing cybersecurity controls and programs that protect personal information from theft, unauthorized access, and damage, and ultimately keeping the trust of the users.
Given the potential fallout of data privacy infractions, one would expect that most businesses would have an up-to-date data privacy policy in place. But many do not.
One explanation is that many organizations don’t understand the purpose and components of data privacy. In part, that’s because privacy tends to be heavy on “legalese,” whereas cybersecurity is a more practical and tactical discipline that has been practiced for years.
To safeguard information, businesses must first understand what data is in their ecosystem. Data should be protected by security controls designed to limit access to information and make sure employees do not misuse personal data or systems in ways that could result in breaches. Businesses must also safeguard consumer data from theft or tampering by external actors.
Beyond that first step, businesses can understand and protect personal data by taking the following steps:
- Understand your critical business processes.
- Map the data use and data flow across the different organizational units.
- Design and implement an effective data governance program.
- Classify data to identify and understand all information in your environment.
- Create policies for data collection, storage, use, sharing, and sale.
- Use proper access controls to limit access to data.
- Review and verify the security and privacy controls of third parties that have access to your data, applications, and networks.
- Create and test an incident response plan.
- Disclose how your organization uses personal information.
- Develop easy-to-understand privacy guidelines to inform the organization on how information in your ecosystem should be treated.
- Know the regulatory requirements in the jurisdictions in which your company operates.
- Appoint a chief information security officer (CISO) or a chief data officer (CDO) to oversee security and privacy.
Privacy as a program should not be simply legalese posted on your company website. It should be practical, tactical, and transparent, making it easy for both employees and consumers to understand. Ultimately, a unified information security and data privacy program will help businesses weigh the cost of collecting and using personal data with the advantages it delivers, and craft their best path forward in using and protecting it.
Bhavesh Vadhani, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
703.847.4418
Deborah Nitka, Senior Manager, Cybersecurity, Technology Risk, and Privacy
646.762.3372
Related services
This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
Related Insights
-
InsightNew SEC cybersecurity guidelines: Next steps for public companiesBhavesh Vadhani, Scott CorzineNew rules require public companies to elevate their cybersecurity risk management and disclosure practices. Read key changes, deadlines, and action items.
-
InsightFederal agencies face complex cyber compliance – but relief is underwayBhavesh Vadhani, Bill Hughes, Adonye ChamberlainWith a new national cybersecurity strategy expected to create a baseline cybersecurity standard, read how to get a head start in the meantime.
-
InsightPractical Infrastructure: A blueprint for program management successRoman CastilloVideo series explores program management guidance for state, local, trial agency execs and administrators.
-
InsightToday’s boards need cyber expertise more than everCyber risk is fundamentally unlike every other risk that companies face, and boards should add expertise accordingly. Read why – and how to get started.
-
InsightZero Trust 2.0: Strengthening security for a shifting threat landscapeAdonye Chamberlain, Bhavesh Vadhani, Bill HughesA new federal maturity model offers insights for entities of all kinds looking to protect their users, devices, and networks. Learn more.