Strong cybersecurity programs tightly control financial assets, but more and more, it’s information that’s the target of various bad actors around the world. A lot of this data falls into the privacy realm and under the protection of privacy laws. As new laws like the EU’s General Data Protection Regulation (GDPR) expand these protections, they’re colliding with equally important but often-conflicting national security and crime-fighting interests, according to Lawrence Dietz, founder of DataPrivacyLaw.com.
In his 2018 CyberCrime Symposium session, Dietz outlined the growing challenges faced by government intelligence and law enforcement agencies charged with protecting citizens and their private information, as well as the tensions between regulators and the parties — both bad and good — that want that information.
“The ability to monetize personal information, particularly personally identifiable information (PII) and protected health information (PHI), has become more profitable to many than actual money,” said Dietz, who, as an attorney, cybersecurity expert, and retired Army colonel, enjoys a unique view of the escalating conflict. “An awful lot of organizations and individuals want this information.” These include intelligence community (IC) and law enforcement bodies, legitimate private- and public-sector organizations, and nation states and cybercriminals of every flavor. This wide span complicates privacy rights, as it’s not always clear whether a party is a privacy protector, violator, or both.
As the EU’s work to turn its Data Protection Directive into weaponized legislation testifies, privacy concerns have escalated in lockstep with a long succession of successful attacks that targeted sensitive personal data. If worries weren’t already high, they skyrocketed when social media’s role in influencing the 2016 Presidential election came to light. As the burden for safeguarding personal information shifts from citizens to data collectors, IC and law enforcement agencies, in particular, must strike a balance between national security and individual privacy mandates.
Privacy laws such as the GDPR only work for law-abiding people and organizations, said Dietz, whose credentials include a master's degree in European Union Law. They’re not going to deter those he categorizes as “dirt bags and baguettes,” which include cybercriminals, cyber-spies, and groups that specialize in “dis-information” dissemination and cyber-influence activities. They may not deter intelligence agencies or law enforcement entities, which, in the US, can be federal, state, local, or tribal.
With its expanded territorial scope, the GDPR protects EU citizens, wherever they are, and anyone who is in the EU, regardless of citizenship. Further, US companies with EU operations must comply, but even those with no EU presence could face penalties.
“The EU’s Data Protection Authorities are funded by the fines they collect, so they’re incented to collect them,” said Dietz. If their privacy practices raise any suspicion, “American companies, especially those with significant assets, will draw the attention of EU government regulators.”
Broadly, US government agencies group people whose data they collect based on citizenship and location, said Dietz, who used the Foreign Intelligence Surveillance Act (FISA) processes to illustrate. Beyond US citizens, these regulations cover the data of “non-US persons,” whom they further segment based on whether they are located inside or outside the country or its territories.
Secrets of the Trade
The crowded field of cyber-actors will continue to go after any information that gives them advantage, whether it’s economic, political, or social, said Dietz. Key targets for CISOs and CPOs to consider include any PII or PHI their organization collects on B2C consumers, B2B customers, or citizens, as well as sensitive internal information.
Privacy legislation forces organizations to better protect this personal data, but they can’t forget their own trade secrets, said Dietz. These don’t have to be the secret formula for some market-dominating product. Dietz pointed to the high-profile case involving Korn Ferry and a departed recruiter charged with illegally accessing the firm’s executive database and copying it for his own use. Charged in 2008, the executive was successfully prosecuted for violating the Computer Fraud and Abuse Act (CFAA) and European Economic Area (EEA) Agreement, and in 2018, after exhausting appeals, finally began serving a prison sentence.
“That list was proven to be a trade secret because it had economic value and its owner took significant steps to protect it,” said Dietz. Trade secret litigation, he added, jumped 30% in 2018 thanks to the new federal Defend Trade Secrets Act (DTSA).
Organizations should regularly review their security controls for anything — data, methods, formulas — they keep secret because it gives them marketplace advantage. Further, Dietz said, they must ensure all employees understand what’s protected as a trade secret.
Privacy-compromising breaches will continue to trend upward, driving government bodies to respond with new privacy legislation — laws that expand regulatory scope and mete out punishment in line with breach and violator size. “Aside from the legal consequences, there are reputation consequences,” said Dietz. “Reputation management is a very important byproduct of these breaches.”
This is the third in our series of posts presenting key takeaways from our 2018 CyberCrime Symposium, held November 1-2, 2018. The program — “The Future of Privacy and Security” — featured an incredible line-up of speakers. If you couldn’t get a seat at the event or want a refresher on various sessions, this is a not-to-be-missed series!