Develop Best Practices for IT Security and Privacy Laws
IT security professionals are responsible for the detection, prevention, and resolution of security issues. The growing body of domestic state and international privacy legislation, already in effect or soon to be, complicates security operations for all types of organizations. The security professional must know more about the many legislative efforts and the organization’s responsibilities when conforming to the security and privacy laws. This knowledge will also lead to developing and following best practices.
Privacy Laws in the U.S.
There are no broadly applicable U.S. national privacy laws that cover all businesses and other organizations. Instead, regulations are promulgated by individual states, such as the California Consumer Privacy Act (CCPA), which is further discussed in this related No Jitter post.
The absence of a national law adds to the complexity of the regulatory environment, and the laws that do exist create obligations for contracts with vendors. Enforcement has been sporadic so far but is expected to increase soon. Most of the litigation has focused on data breaches. Privacy advocates, consumers, and regulators are concerned about big data collection, retention, and distribution, the use of artificial intelligence (AI), and the unregulated use of personal data.
International Privacy Laws
There are separate privacy and security regulations related to data, in force and proposed, in foreign countries, such as the European Union’s (EU) General Data Protection Regulation discussed in this related No Jitter post. The U.K., having left the EU, will probably have its own set of regulations soon. These foreign regulations are generally tougher than the pending and in-place U.S. state-based regulations, and they focus more on protecting individual privacy. Since they’re relatively new, their application and enforcement still need work, so expect changes to occur. A surprise to many US-based businesses is that international regulations apply to them even though they don’t have offices in foreign countries.
Which Laws Apply?
Most businesses face challenges when trying to determine which laws apply to them. A law can apply directly or through service provider relationships such as cloud-based services or contracts. Issues the security professional should address are:
- Does the law apply to my business?
- What does the law impact in my business?
- Who is the law designed to protect?
- My business has lots of data; which of it is covered by the law?
- Who has the rights to the data?
- How is the law enforced?
- What happens when there is confusion about who is and who is not covered by the law?
- Who can help resolve these issues?
Security Professional Impact
Complying with the laws and demonstrating adherence is the responsibility of the security professional. Overall compliance is driven by the security controls implemented, and when it comes to litigation, security professionals may be required to collect, retrieve, analyze, and evaluate the data. When creating products, they should prioritize privacy by design rather than include it as an add-on. If the business is facing a merger or acquisition, then the transaction should be evaluated for the combined company’s security posture. It’s becoming common for a business to have relationships with service providers that are affected by security issues, and the professional has to evaluate those relationships and determine the risks involved.
Privacy Law and the Future
Privacy and data security laws are works in progress. However, their development and passage are accelerating. The types of personal data are also growing, for example, tracking individuals in regard to COVID-19 infections. If and when a federal regulation finally passes, will the federal law add to, diminish, or conflict with the state laws?
Security professionals must work together, since this isn’t a single-business issue. This cooperation will offer appropriate business strategies and adequate protection. The privacy issues are daunting, but producing effective partnerships between security, privacy, and legal colleagues provides businesses with the required background, information, and support.
For more information on the topic, visit the International Association of Privacy Professionals and The American Bar Association websites. The Future of Privacy Forum is another great resource for discussions on data privacy issues, and Cybercrime Magazine has a list of cybersecurity industry associations posted on their site.