The importance of privacy in your cybersecurity strategy
Keeping confidential information secure has always been the job of the cybersecurity team in larger organizations or, for SMBs, of the IT department. That task has always had its own challenges, but digital transformation has added a new one: the exposure of personal data, better known as Personally Identifiable Information (PII).
Numerous data breaches made headlines in the last few years. For many people they were just news items among others, until things started hitting close to home. Some of the breaches exposed information that could be used to identify individuals, ranging from the well-known email and password combination to more sensitive data such as full name, date of birth, social security number and home address.
"Once the data breach occurs, all that information becomes available for sale on the Dark Web or sometimes on platforms that are easily accessible to anybody with malicious intent."
At this point, attackers have all the ingredients they need for fraud and identity theft.
Privacy implies the obligation to obtain the user's formal consent and to state the purpose for which the data is collected. This is an area where the IT team will need to follow guidance from the legal team to ensure the company complies with the legislation in force. The company will also need to perform its due diligence in determining how it would notify the affected individuals should an incident involving their data occur.
Once again, the legal team will lead this initiative to ensure a lawful resolution and proper communication.
Some companies believe that privacy should not be part of their security objectives because they do not collect any personal information from customers. This overlooks the employees' PII collected by HR as part of the hiring and employment process!
The recent rise of privacy regulations has been a refreshing trend to witness, considering how much personal data is requested and processed by businesses. Here is a quick recap of some of them, which are either brand new or recently updated:
The General Data Protection Regulation (GDPR) for the European Union and its citizens
The California Consumer Privacy Act (CCPA) for California
The New York Privacy Act (under development)
Bill C-11, the Digital Charter Implementation Act, 2020, the proposed Canadian federal privacy law (under development)
Bill 64, the provincial privacy law for Quebec (under development)
For a long time, privacy was deemed solely a legal matter. However, digital transformation has quickly brought technology to the forefront of that battle. ESI, alongside your legal team, can assist you on multiple fronts: advising on the management of your confidential data, helping you comply with privacy regulations, or assessing your privacy controls.
Aziz Touré
Cybersecurity Specialist – ESI Technologies