Today, society tends to try to make everything as simplified as possible for everyone. New applications and websites are popping up by the hour with services for everything from website design to dog walking. We are sprinting face-first into as much convenience as we can afford. This convenience, if not slowed down to fully understand the impacts of all these changes, however, could lead us into a very painful brick wall. In this post-covid era of dodgy ethics, limited regulations, a lack of transparency in Ai development, the growing movement towards “Everything-as-a-Service” at what seems like terminal velocity. As such, the continued monetization (and weaponization) of data poses a uniquely great risk to individuals, households, and businesses that mainstream society is not equipped to deal with.
Protecting your data is not just about understanding network security or cyber hygiene, it is about understanding how privacy rights protect your data and how the two must be aligned to conform to the laws of the land. The hard truth is that mainstream society must wake up to the fact that cyber, privacy, and law all come from the same conceptual logic and are therefore inseparably linked. You cannot understand one of these concepts effectively without understanding them all.
Let’s first look at defining the three concepts separately.
In cyber, we’re referring to the practice of protecting systems, networks and data from digital attacks, unauthorized access, and damage. In privacy, we are working to control and protect personal data from unauthorized collection, use and disclosure. At the core of both of those concepts, the law provides the frameworks which play a crucial role in regulating and enforcing both cybersecurity and privacy standards. Legal mandates and regulations define rights, responsibilities, and penalties which enable enforcement actions related to data protection and information security.
You might be wondering how these concepts relate to each other in applied practice, so let’s explore that too.
First and foremost, cyber is a means of ensuring privacy. At its very core, that is the entire point of cybersecurity. Many of the drivers of why organizations build and implement cyber programs derive from the need to safeguard personal and proprietary data from exploit and unauthorized access. It stands to logic then that strong cybersecurity practices enable compliance with privacy laws and regulations. The same logic also works in reverse.
Privacy regulations will often require organizations to implement specific cybersecurity measures and standards to protect customer data. The scale and seriousness of competition of business in today’s open market means it is also equally critical to protect intellectual property and corporate “secrets” information. Compliance with applicable your jurisdiction’s privacy laws is what necessitates the investment in robust cybersecurity programs and protocols. It is easy to make a business case to your board to make such investments when it comes clear that legal mandates will predicate the need to do so. Legal frameworks are at the very core of cyber and privacy governance.
Many laws and regulations, such as the EU’s GDPR (General Data Protection Regulation) or California’s CCPA (California Consumer Privacy Act) and even Quebec’s recent implementation of Law 25, address both privacy and cybersecurity considerations in attaining compliance. These laws and regulations provide tangible requirements for data protection, breach disclosure notifications, and security standards. They are vital to enabling the continued growth of our global digital economies while protecting consumers from threats and risks that are so cutting edge, most are not even aware of the dangers that exposure of their data brings. Data breaches or other cybersecurity control failures can result in costly legal liabilities, fines, and penalties to organizations that can be imposed for years and decades after an incident. Laws help us define what even constitutes PII (Personally Identifiable Information) or sensitive information.
Protection is not provided in a vacuum either, as law also grants individual consumers more control over their data, therefore impacting how that data is managed by businesses. Sometimes, cybersecurity measures can be overly comprehensive, such as when employers attempt to monitor employee activity under the justification of security reasons that are more ambiguous than valid. The law often strikes that balance to protect individuals from even their own employers in cases like this, as seen with mandates such as the Ontario Electronic Monitoring Policy (part of the Working for Workers Act, 2022), which ensures employers keep monitoring practices within the boundaries of legislated standards.
What this really exemplifies for mainstream society is the need to embrace education around all three of these concepts to even maintain the integrity of their own personal data in their day to day lives. In both cybersecurity and the law, the knowledge needed to conduct the business vastly differs from the ability to do it in practice--though many may argue the contrary. With technology now becoming part of our everyday business and world, it now forces us all to take real world responsibility for the protection of our own data. Whether you work in a technical or non-technical role or field, you must live with the implications of surrendering your data in exchange for the use of one of the endless numbers of digital services out there today.
We must acknowledge that self-learning does not come without challenges. Work, family, friends, life stresses are all blockers from having the time and headspace to really dig into these concepts and their applications into our own lives. All three concepts are complex, and there is a learning curve that matches the complexity of the material for every concept, but that is no excuse. We must, as a society, embrace learning about the cyber-privacy-legal dynamic. Our evolving roles in society mean that we learn the principles of these concepts and live by them, and it is everyone’s responsibility to seek out and acquire this knowledge. Be it due to money or time, lawyers and security experts will not do it for us.
Ultimately, the ability to best protect yourself and your family’s data rests solely on you.
About the author: George Y. Al-Koura, CD, is CISO at Ruby Life Ltd. and Principal Security Advisor for Ceiba Law