The Conundrum
I’ve noticed an interesting conundrum: cybersecurity programs operating without consulting a privacy attorney.
When I first realized that cybersecurity was being implemented without consulting a privacy attorney, I thought, “how?” and “why?” How would you know which data requires cybersecurity if you don’t know which data is entitled to privacy? Why would you spend money on a cybersecurity program that might not help you avoid legal liability and fines?
A privacy law determines what needs to be protected. Cybersecurity is how to protect it.
Privacy Law & Cybersecurity Work Together
From trade secrets to personal identifying information, we look to the law to understand which types of data are entitled to privacy. Some laws even dictate how we achieve privacy by mandating security measures such as encryption. The laws might also impose duties and obligations on companies that handle data. Failure to comply with privacy laws can cost companies a lot of money in the form of penalties, fines, expensive lawsuits, and crippling damage to reputation. Without a proper assessment of privacy law, a cybersecurity program might not include the security measures that would reduce legal liability or allow the company to meet its legal obligations. Cybersecurity without data privacy is an expensive shot in the dark. I can only assume that when companies pursue cybersecurity without understanding data privacy laws, they do so out of ignorance or misunderstanding, not intentionally.
Rather than randomly applying cybersecurity measures, companies should narrow the focus of their cybersecurity programs by tailoring them around potential legal liability. Of course, it is crucial to implement general cybersecurity to protect the company’s network from malicious attacks and intrusions, but it is also important to understand that some types of data require additional security, procedures for destruction, processes for obtaining appropriate consent and access, and other requirements depending on the applicable privacy laws. Such requirements should be addressed in a comprehensive cybersecurity program.
Consider basic home security. We put locks on the outward facing doors and windows to protect ourselves and our belongings. Many of us even install alarm systems. We put locks on bathroom doors to protect privacy. But do we put locks on all doors? For some reason, we do not put locks on closet doors. It is another door, yet not deserving of a lock because of the general understanding about how closets are used and the expectations of privacy and security within a closet. Of course, you could add a lock to your closet door. Nothing is stopping you. You could add locks to every single door and cabinet in the house. But this would be unnecessary and inconvenient. Could you imagine having to unlock a cabinet door to get a cup for water? Even though it is possible, we simply do not need locks on every door and cabinet.
Unlike the common sense we share about home security and physical privacy, cybersecurity and data privacy are less intuitive. The good news is that rather than relying on common intuition, we have privacy laws to guide us in determining which doors in the cyber world require locks, so that we are not wasting resources by installing locks that are unnecessary and inconvenient.
Having a cybersecurity program without considering privacy law might not only be a waste of money, but it could also miss the target and leave your company exposed to legal liability.