The last time zvelo wrote on the topic of the privacy vs security debate was back in 2019, almost a year and a half after the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) were enacted. At that time, the legislation was heavily focused on reining in corporate abuse of data collection, sharing, and usage practices. Barely six months later, a global pandemic brought on a radical transformation of the digital environment. The sudden shift to work from home and online school moved digital exchanges from secured networks to residential networks, and drove a proliferation of cloud-based platforms and services that allowed sensitive data to be shared with third parties like cloud service providers, data aggregators, and other technology-related intermediaries.
Organizations scrambling to enable overnight access to data outside of their secure network environments had few options to ensure data security as part of the equation. Unfortunately, threat actors were quick to capitalize on the opportunity and wasted no time exploiting the vulnerabilities. In addition to the predictable onslaught of Covid-19 related scams, threat actors adopted increasingly more aggressive attack methods that ranged from supply chain attacks like SolarWinds and Apache Log4j, to ransomware attacks on critical infrastructure like the Colonial Pipeline attack, to sophisticated spear-phishing and business email compromise, and more. As threat actors have increasingly targeted strategic systems and critical infrastructure industries, data security and data privacy are once again at the forefront of global discussions as cybersecurity failures are among the top 10 global risks (2021 World Economic Forum Report).
From the Digital Services Act (DSA) in the EU, to US states like California, Virginia, and Colorado, data privacy legislation continues to advance with the aim of giving consumers greater access to, and control over, how organizations collect, store, and use their personal data. As laws continue to evolve and increase the complexity of data privacy regulations, there is substantial confusion among business owners and cybersecurity professionals regarding their data security obligations — especially where ‘reasonable security procedures and practices’ are not clearly defined.
While the data privacy laws are intended to protect sensitive data, the patchwork legislation amplifies the challenges that IT and security professionals face when it comes to data security. In most cases, achieving privacy means implementing tools that prevent or preclude security. To achieve security and protection against threats, the trade-off for the user is sacrificing privacy. By its very nature, privacy entails eliminating the ability for a user’s web surfing, email, texting, social media, and app activity to be monitored. Security requires such activities to be monitored and inspected to provide protection against cyber threats.
Social media is a great example of the data privacy vs data security paradox. An article presented in Bloomberg Law’s 2022 Privacy & Data Security Outlook explains the dilemma social media platforms face in trying to shield children from harmful content without violating their privacy by analyzing information about them that can approximate their age. Social media platforms do have minimum age requirements that end users must meet to create accounts; however, those are effectively useless because there is no way to verify the accuracy of an end user’s age. So while social media platforms have the visibility needed to comply with data privacy regulations, they are restricted in their ability to make use of it.
Unlike social media platforms, the majority of organizations face a visibility challenge. Security professionals have always faced challenges with securing data that lives on end users’ hard drives or in other out-of-sight compliance tools. The expansion of hybrid and cloud platforms to accommodate a remote global workforce intensifies the problem because the data is just too spread out to get a comprehensive view of the attack surface. Poor data visibility makes both data security and data privacy infinitely more burdensome for security professionals and end users alike. As IT and security professionals continue to adapt to evolving data compliance regulations, end users will persist in creating workarounds to avoid what they perceive to be mere inconveniences that get in the way of fulfilling the objectives of their roles.
By 2025, humanity’s collective data is projected to reach 180 zettabytes — the number 180 followed by 21 zeros. This data includes everything from streaming video and dating apps to healthcare databases to critical infrastructure like energy, food & agriculture, healthcare, and financial services. The imperative to protect both organizations and consumers from cybercrime is predicted to increase global spending on cybersecurity products and services to $1.75 trillion USD cumulatively over the period of 2021 to 2025. Yet despite all the regulatory changes and budget increases, predictions have the cost of cybercrime reaching $10.5 trillion USD by 2025. The reality is that we operate in a world in which 95% of cybersecurity issues can be traced to human error, and where insider threats (intentional or accidental) represent 43% of all breaches.
The value of data and the cost to protect data are increasing simultaneously, making it nearly impossible to protect data by just layering on more security. Instead, IT and infosec teams must think proactively and creatively about how to approach the privacy vs security issues in a way that strikes a balance between both sides, based on assessing the risks for the types of data involved. At the same time, as users, we all have to accept greater accountability when it comes to the trade-offs of privacy vs security — especially in today’s hybrid work environment. The sacrifices we make in favor of convenience, like reusing passwords, avoiding MFA, and all the other shortcuts we find to get around security policies, are increasingly putting the data we are fighting to protect at greater risk.
Resources on Data Privacy Legislation:
To learn more about the different privacy laws, we have included the links below as helpful resources.
- General Data Protection Regulation (GDPR)
- Digital Services Act (DSA)
- California Privacy Rights Act (CPRA)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- The Lewis Brisbois law firm offers an interactive map with more detailed information on the different data privacy laws in North America, Brazil, Europe, and Australia.