Protect business value, stay compliant with global regulations, and meet stakeholder demands with this privacy how-to.

Privacy, Regulations, and Cybersecurity: The Essential Business Guide is your guide to understanding what "privacy" really means in a corporate environment: how privacy is different from cybersecurity, why privacy is essential for your business, and how to build privacy protections into your overall cybersecurity plan. First, author Chris Moschovitis walks you through our evolving definitions of privacy, from the ancient world all the way to the General Data Protection Regulation (GDPR). He then explains, in friendly, accessible language, how to orient your preexisting cybersecurity program toward privacy, and how to make sure your systems are compliant with current regulations. This book, a sequel to Moschovitis' well-received Cybersecurity Program Development for Business, explains which regulations apply in which regions, how they relate to the end goal of privacy, and how to build privacy into both new and existing cybersecurity programs. Keeping up with swiftly changing technology and business landscapes is no easy task. Moschovitis provides down-to-earth, actionable advice on how to avoid dangerous privacy leaks and protect your valuable data assets.

* Learn how to design your cybersecurity program with privacy in mind
* Apply lessons from the GDPR and other landmark laws
* Remain compliant and even get ahead of the curve, as privacy grows from a buzzword to a business must
* Learn how to protect what's of value to your company and your stakeholders, regardless of business size or industry
* Understand privacy regulations from a business standpoint, including which regulations apply and what they require
* Think through what privacy protections will mean in the post-COVID environment

Whether you're new to cybersecurity or already have the fundamentals, this book will help you design and build a privacy-centric, regulation-compliant cybersecurity program.
Page count: 616
Year of publication: 2021
COVER
TITLE PAGE
COPYRIGHT
FOREWORD
PREFACE
ABOUT THE AUTHOR
ACKNOWLEDGMENTS
PART ONE: Privacy
CHAPTER 1: Understanding Privacy
CHAPTER 2: A (Very) Brief History of Privacy
The Legal Case for Privacy (the Big Print)
Slouching toward Privacy
Debating Privacy in the US
Confidentiality vs. Privacy
CHAPTER 3: The Legal Case for Privacy (the Finer Print)
International Privacy Legislation
PART TWO: Regulations
CHAPTER 4: Introduction to Regulations
Preparing to Take Charge
Creating Your Privacy Profile
Know before You Go: Using the Regulations Section
One Last Thing before We Go!
CHAPTER 5: North American Regulations
United States
Federal Regulations
State Regulations
California
Maine
Amendment to the Nevada Privacy of Information Collected on the Internet from Consumers Act via SB 220
Data Protection in the United States: Conclusions
Canada
Mexico
CHAPTER 6: European Regulations
Non-EU Member European Countries
Russia
Switzerland
Coming Soon to a European Union Near You!
CHAPTER 7: Asia-Pacific Regulations
China
India
Japan
Australia
CHAPTER 8: African Regulations
Economic Community of West African States
Nigeria
South Africa
Egypt
CHAPTER 9: South American Regulations
Brazil
Argentina
Colombia
PART THREE: Privacy and Cybersecurity
CHAPTER 10: Introduction to Cybersecurity
Everything You Always Wanted to Know About Tech (But Were Afraid to Ask Your Kids)
In the Beginning
…
Key Definitions
Note
CHAPTER 11: A Cybersecurity Primer
Cybersecurity Defined
Confidentiality
Integrity
Availability
Safety
Measuring Cybersecurity's Success
Ensuring and Preserving
Cybersecurity Controls and Defense in Depth
Defense in Depth
The Threats
Threat Agents
Key Trends Influencing Threat Agents
The Nature of Hackers
Attack Process
Types of Attacks
A Brief Cyberglossary
CHAPTER 12: Privacy-Centric Cybersecurity Program Overview
What's the Point of It All?
Vision and Mission Statements
Culture and Strategy
Off to See the Wizard
What Does Organizational IT Typically Look Like?
What's at Risk?
Threat Assessment
At the Club House Turn!
Mitigating Risk
Incident Response Planning
CHAPTER 13: Privacy by Design Overview
The Case for Frameworks
CHAPTER 14: Cover Your Assets!
Asset Classification
Asset Metadata
A Fleeting Glimpse into the Other Side
Business Impact Analysis
One Spreadsheet to Rule Them All
CHAPTER 15: Threat Assessment
Types of Threats
Internal Threats
External Threats
Threat Rankings
Threat Intelligence
Threat Modeling
CHAPTER 16: Vulnerabilities
Who's Who in Vulnerabilities Tracking
Vulnerabilities: Mapping and Remediation
Vulnerability Testing
CHAPTER 17: Environments
On-Premises Computing Environments
Private Cloud Computing Environments
Public Cloud Computing Environments
Hybrid Cloud Computing Environments
Cloud Security Questions
The Internet of Things (IoT)
Distributed Workforces
CHAPTER 18: Controls
Preventative Controls
Detective Controls
Corrective Controls
Compensatory Controls
Defense in Depth
Privacy and Cybersecurity Controls
People, Technology, and Operations
Communications
Policies, Standards, Procedures, and Guidelines
Putting It All Together
CHAPTER 19: Incident Response
Incident Response Planning: Not Just a Good Idea—It's the Law!
Incident-Response Plan Phases
Preparing Your Incident-Response Plan
Identifying Incidents
Containing Incidents
Treating Incidents
Incident Recovery
Post-Incident Review
Do It All Over Again!
CHAPTER 20: Welcome to the Future! Now, Go Home!
Social Transformation
Technology Transformation
Business Transformation
The Story of ACME
Final Words
BIBLIOGRAPHY
History, Case Law, and Legal Analysis
Legislation, Regulation, and Analysis
Information Technology, Design, and Privacy
Threat and Incident Reports
Future Trends
Selected Bibliography from
Cybersecurity Program Development for Business: The Essential Planning Guide
(Wiley 2018)
INDEX
END USER LICENSE AGREEMENT
Chapter 2
Table 2.1 Milestones in the Evolution of Privacy Law
Table 2.2 Privacy vs. Confidentiality
Chapter 5
Table 5.1 Federal Regulations Affecting Personal Identifiable Information
Chapter 11
Table 11.1 Privacy vs. Confidentiality
Chapter 14
Table 14.1 PII Life Stage Value (Sample)
Table 14.2 Business Impact Analysis Table (Sample)
Table 14.3 Business Impact Analysis Table for Finance (Sample)
Table 14.4 Business Impact Analysis Table for an Accounting Application (Samp...
Table 14.5 Business Impact Analysis Table for an Accounting Application (Sample)...
Table 14.6 Impact/Criticality Systems Spreadsheet (Sample)
Table 14.7 Systems/Criticality Spreadsheet (Sample)
Chapter 15
Table 15.1 Threat Agents and Motives
Table 15.2 ENISA Threat Landscape
Chapter 18
Table 18.1 2020 NIST Special Publication 800-53, Rev. 5, Collaboration Index ...
Table 18.2 2020 NIST Special Publication 800-53, Rev. 5, Security and Privacy...
Table 18.3 2013 NIST Special Publication 800-53, Rev. 4, Summary of Privacy C...
Chapter 5
Figure 5.1 The IAPP's State Comprehensive Privacy Law Comparison (as of Octo...
Figure 5.2 State-by-State Comprehensive Privacy Law Comparison
Chapter 6
Figure 6.1 Does GDPR Apply to Your Business?
Chapter 11
Figure 11.1 Cybersecurity Domain Map
Chapter 13
Figure 13.1 Cybersecurity and Privacy Risk Relationships
Figure 13.2 Cybersecurity and Privacy Functions Mapping
Figure 13.3 Cybersecurity and Privacy Program Boundaries
Chapter 18
Figure 18.1 Cybersecurity and Privacy Program Boundaries
Chris Moschovitis
Copyright © 2021 by Chris Moschovitis. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Cataloging-in-Publication Data is Available:
ISBN 9781119658740 (hardback); ISBN 9781119660118 (ePub); ISBN 9781119660149 (ePDF)
Cover image: © Yuichiro Chino / Getty Images, © dem10 / Getty Images. Cover design: Wiley
You will never do anything in this world without courage.
It is the greatest quality of the mind, next to honor.
—Aristotle
Businesses today are faced with increasing demands for privacy protections, ever-more complex regulations, and ongoing cybersecurity challenges that place heavy demands on scarce resources. During these difficult times it is important that we have the courage to proactively deal with these imperatives. This book is an essential tool for any business executive who needs to orchestrate the “handshake” between privacy, security, and ongoing regulations. Oh yes, and courage.
A few years ago, I returned to one of my passions—security—when I took over as the leader of a business in the eastern US. These last three years have been challenging but exciting, and I have seen an unprecedented level of interest by business executives in privacy and security. I have made more board presentations and been in more meetings with the C-suite on these topics in the last three years than the ten years before that combined. When I was appointed to the board of ISACA (Information Systems Audit and Control Association), I was thrilled at the opportunity to make significant change in the security profession. But I expected too much too soon, and the board's message after my first presentation was clear: “We need more research on the concept of information security management and how security is viewed by executives before we make any investments.”
It was early in the new millennium, and security was becoming a topic of conversation in the executive suite. Even though the first CISO had been appointed at Citi in 1995, the body of knowledge for security was defined by technical and product-specific certifications with no frameworks to support organizations, and privacy regulations such as GDPR were still just a distant thought.
At that time, I had made my recommendation to the board of ISACA to drive the setting of a “common body of knowledge” for the future CISO. I had a strong belief that there was wider acceptance of the role and its importance in protecting the organization.
Maybe it was a turning point, but several events came together early in the new millennium to reinforce this belief. “I LOVE YOU” infected millions of computers, followed by the first criminal conviction of a hacker, the widespread disruption caused by denial-of-service attacks on Microsoft systems (and Bill Gates's decree that Microsoft products would embed security as part of the product), and a series of other high-profile hacks. This was exacerbated by the financial collapse of Enron and its impact on the trust in the US economic system. Regulation followed with the Sarbanes-Oxley Act and many others around the globe. It was a new world, and the continued regulation around security and privacy gained momentum.
That year I became chairman of the board of ISACA, and the new body of knowledge accompanied by a certification (CISM) was launched. The founding group was made up of four dedicated CISOs, and the certification is still the standard for security management professionals.
Which brings me back to my good friend Chris, with whom I have formed a terrific bond over mutual interests. Fine food and wine and a connection as first-generation Greeks cemented our friendship. Recently, we discussed and debated many topics, including the need for those executives who understand security risks to transform that knowledge into action around privacy and security around regulation.
I have found Chris's intellectual curiosity and sense of humor to be both compelling and engaging. These traits are a perfect vehicle to take the reader on this journey, from the fundamentals of privacy to the ongoing regulatory pressures and how companies can be better prepared at the executive level to tackle these changes.
Chris is able to interpret complex principles and distill them into a natural flow, where the reader is taken on a journey. In Homer's Odyssey, Circe warned Odysseus of the impending perils so that he would be prepared. Likewise, Chris's book prepares the executive to be aware of the perils and opportunities ahead and provides a roadmap on how to act with courage as security and privacy regulations continue to proliferate.
Be prepared and do the right thing and not just because of regulation—do it for your customers, employees, shareholders, and everyone who places trust in you and your company. Use the step-by-step approach from this book, so you and your company can be ready for whatever challenges the future might hold.
It is time to act, and with this guide in hand, you are well on your journey.
Marios Damianides
Cyber Security Leader, Ernst & Young LLP
Chair of the Board, ISACA (2003–2005)
“What? I've been working like this all my life! Now, you're telling me that I have to be GDP…umm…GD-whatever compliant?”
My friend and client, an immigration attorney from way back when “immigration” was not a dirty word, was angry. Her practice had been very successful over the years, dealing with all sorts of immigration issues across continents. The problem is that she is doing business with citizens of the European Union (EU). Worse, she has a partner in Athens, Greece, an EU-member country.
Fabulous! She must comply with the General Data Protection Regulation of the EU, better known by its acronym, GDPR. For those of you blissfully unaware of GDPR, it is a law passed by the European Union in 2016. It has far-reaching consequences to businesses worldwide, including yours!
If you are a businessperson who, like my friend, has no idea where to begin with GDPR, then this book is for you! It is the sequel to Cybersecurity Program Development for Business: The Essential Planning Guide (Wiley, 2018), and just like that book, this one is designed with you, a businessperson, in mind. In Cybersecurity, my goal was to give you enough information so that you wouldn't be at the mercy of experts talking over your head and around your business when it came to cybersecurity. In its introduction, I wrote:
What if there was a book that put the whole cybersecurity thing into perspective, using simple, direct language? What if there were sections and chapters explaining what is going on, what the risks are, and what all the technobabble really means? And, what if the book had a step-by-step, actionable approach on what you can do about all this? A book that aggregated the current best practices, put them in perspective, injected my experience and my own point of view, and how I applied all this across all our clients?
All the while poking a little fun at ourselves, too?
The goal, approach, and style remain the same—only this time, the aim is to transform your hard-earned cybersecurity awareness into one that is privacy-centric and regulation-aware. If you're one of the many businesspeople out there who are new to all this, just starting to confront the new cyberwar realities, concerned about your and your business's privacy, and worried that some regulation will descend to levy God knows what kind of fine, then you're in luck!
This book will guide you through all this step-by-step, section-by-section: privacy, regulations, and cybersecurity. We'll work through the basics together, as well as reviewing case studies and examples of best practices across different industries and different size companies.
Just like in the first book, which I will be referencing frequently, especially in Part Three, we need a case-study disclaimer: The case studies and examples presented throughout both books are aggregated from my own work and from the work of many colleagues who were gracious enough to share their experiences. As you would expect, all names, industries, and geographies have been changed to protect the anonymity of these clients. In some of the cases, multiple problems were combined into one. In others, many assignments were broken out into a single one. The goal has been to distill the essential lesson from each case while protecting the identity and respecting the privacy and confidentiality of every client.
There is a fundamental difference, though, between the first book and this one. The first book dealt strictly with the practical and pragmatic design of a cybersecurity program with the goal of protecting your business. This book synthesizes two distinct, diverse, and complex segments into a privacy-first and regulation-focused cybersecurity program. If you already have a cybersecurity program in place, then this book will help you hone what's already there into a privacy-centric and regulation-compliant cybersecurity program.
If you don't have a cybersecurity program in place, then…where have you been?
Nevertheless, I am glad you're with us now! This is your opportunity to start building a cybersecurity program from the bottom up that, from inception, will be privacy- and regulation-compliant-focused.
One more thing before we dive right in: Just as it is important to understand what this book is, and who it is for, it is equally important to know what it is not. This is especially true since we will be dealing with topics that are at once scholarly, legal, and technical in nature. This book is not intended to be an academic analysis, a legal brief, or a technical how-to manual, although it will borrow and reflect work from all these disciplines. If you're looking for the latest scholarly book on privacy, an in-depth legal treatment of the California Consumer Privacy Act, or how to configure your firewall, this book is not for you!
This book is intended as a practical, pragmatic, and actionable business guide for people across industries and business sizes who need to understand what all this talk about privacy really means, what the effect of all these laws and regulations is, and how to put it all together in a cybersecurity program to protect what's of value to them.
It relies heavily on the outstanding work of numerous scholars, lawyers, and information technology and cybersecurity professionals, without whom it would not have been possible to write it. You will find a detailed bibliography of sources at the end of the book, and I urge you to use it and dig deeper as you see fit.
For me, each one of these topics, and especially privacy, represents a fascinating area of study. Privacy and cybersecurity force us to confront questions of how we as people manage difficult, complex concepts and how we translate those concepts into actionable laws and ways of doing business.
I was born in Athens, Greece. After high school, I chose to come to the United States to study physics and computer science. I did that at the State University of New York, the College at Brockport, in upstate New York. My years at Brockport were formative to me as a person, a scientist, and as a professional. Words for the gratitude and respect I have for the dedicated faculty that shaped my life can easily fill a couple of books, but that is for another time.
After graduating with my bachelor's degree in science, I became an instructor of computer science and a computer systems manager at the Stratford School in Rochester, New York. Following brief graduate work stints at the Rochester Institute of Technology and the University of Rochester, I moved to New York City to serve as the director of academic computing at Pratt Institute. There, under the direction of the vice president of information technology (there were no “chief information officers” back then), I was responsible for the building and management of four computing centers of excellence, each focusing on a specific discipline (art, architecture, engineering, and information science). From there, I was recruited to be the vice president of information technology at the O'Connor Group, a real estate manager and developer in New York City. Then, in the middle of the Reagan Recession, I decided that there was no better time than the present to start my own company, which I did in 1989.
I have been running my own firm ever since, surrounded by partners and colleagues who teach me more and more every single day, and together we deliver a broad spectrum of IT consulting services. I have been privileged to partner with great clients, to engage in fantastic projects of business and technology transformation, and to collaborate with teams that push boundaries and develop incredible business solutions. I lived through the amazing advances in computer science that are now the stuff of lore: I was there during BitNet, sending email messages and watching the message hop from node to node. I was amazed at formatting the first 10 MB hard disks of IBM's new personal computer. I've fed endless floppies in and out of the first Macs. I've built muscles carrying the Compaq “Portable,” which was nicknamed “luggable” for good reason. I've carried pagers and cell phones the size of suitcases. I subscribed to CompuServe and AOL and still have a working Hayes 14.4 modem.
Throughout it all, I have always been fascinated by security, privacy, and the protection of data. Even before “cybersecurity” was a word, I insisted that the sites we designed and managed implemented business-appropriate computer security and disaster recovery. Maybe it was because George Whelan, a partner of mine at the time, was a computer virus collector (he still has them). Maybe, because I remain culturally Greek, naturally cautious and private. Whatever the reason, I always asked, “What happens if ‘this’ gets out?” or “How fast can we be back up and running?” Any of my consultants will tell you that even now, the first thing they are taught when they start working for me is that “not checking the backup is a career-ending mistake.”
Following decades as a practitioner of both IT governance and cybersecurity management, I decided to make it official and joined the Information Systems Audit and Control Association (ISACA), an independent, nonprofit, global association that was founded in 1969, engaging in “The development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.” Joining ISACA was one of the smartest things I ever did. Through ISACA, I got certified in three areas: first in cybersecurity, becoming a Certified Information Security Manager (CISM), then in IT governance, becoming Certified in Governance of Enterprise IT (CGEIT), and finally as a Certified Data Privacy Solutions Engineer (CDPSE).
Not one to stand still, and always fascinated by the beauty in complexity, I decided in 2018 to study privacy and its implications for our society, business, and systems. I subsequently joined the International Association of Privacy Professionals (IAPP). Just like ISACA, the IAPP is an incredible community of privacy experts who have dedicated their lives to the study and implementation of sound privacy principles. I found a welcome home there and endless resources to help me in my journey that has led me here, to this book, which I am humbled to share with you.
I am privileged to be able to continue my journey, running my firm tmg-emedia, inc., and to be surrounded by incredible professionals, clients, and friends that teach me the value of hard work, dedication, and love every day.
Every book is a labor of love. This one is no different. After I finished my first baby, Cybersecurity Program Development for Business: The Essential Planning Guide, I knew I wanted to write a second, one specifically focused on Privacy. The initial idea was unformed but persistent. Privacy intrigued me. The “P” word was used practically daily; legislators were passing laws pretending to preserve it while businesspeople were at a loss about what to do with it.
I was clear from the beginning that I did not want to write a scholarly treatment on privacy. Better-equipped scholars of many stripes have produced, and continue to produce, great works on the subject. My approach was to be similar to the first book: What do we need to know on privacy so that we can be informed as citizens and enabled as professionals? More to a pragmatic point, how does all this privacy legislation affect our capacity to design and deliver an effective cybersecurity program?
To answer all these questions, I came up with the format for this book. It would have three distinct parts: one on privacy; one on regulations, worldwide; and one on privacy-centric cybersecurity program development. The latter would be based on the previous book but enhanced by our understanding of privacy, not just as a concept but as a set of concrete regulatory requirements. The result is in your hands!
Books are never solitary efforts. Yes, the image of the writer toiling away at her desk day-in, day-out is true, but the author brings a universe of people to paper. Same with me. Over the course of 31-plus years in the information technology industry, I have had the privilege to meet hundreds of professionals, experts, partners, clients, and vendors who have shaped my thinking, formed my experiences, and honed my expertise. Their influence is reflected in the pages that follow. They wrote the book with me.
From my original partner in the business, George Whelan, who religiously collected and kept live computer viruses on floppy disks, to instructors such as Jay Ranade, who has forgotten more than I'll ever know, to clients who partnered with me and staff who tirelessly worked to solve problems, I owe each one a debt of gratitude that no acknowledgment can do justice.
Still, I must start somewhere, and the right place to start is with an apology for my omissions. They are entirely my own.
Next, I want to acknowledge a debt of gratitude to my clients, my true partners to success. Every day, I am honored and privileged to be your ally and to contribute to your goals. I am constantly humbled by all the things that you teach me every day. I would be remiss if I didn't single out the Hoffman family, Andrew, Mark, and Steve, who have been loyal supporters and mentors since I started the firm 31 years ago; the founding partners at Allegaert Berger and Vogel, Chris, David, and Michael, for their trust in me, their loyalty, and wise counsel through thick and thin; the amazing team at Kapitus for teaching me and my team how to jump onto a rushing freight train; and to Vigdis Eriksen at Eriksen Translations for her trust in us and for her feedback that makes us better every day!
In the same breath, I want to thank my own partners and associates, whose incredible expertise, loyalty, dedication, skills, empathy, and personal engagement make my and our clients' success possible. They are, alphabetically: Anna Murray, Atsushi Tatsuoka, Danielle Chianese, Doel Rodriguez, Frank Murray, Greg Andrews, James Rich, Justin Schroeder, Leon Tchekmedyian, Pedro Garrett, Thomas Hussey, Tyler Raineri, and Yeimy Morel. Thank you for the privilege of working with you, for all you do, day and night, and for allowing me to shut my door and write, write, write! You made this possible!
Whenever there is a book, there is an editor and a publisher. I have been the luckiest of authors to have the best in both. First, my eternal gratitude to the one-and-only, walk-on-water-on-her-bad-days, amazing Hilary Poole, my editor, coauthor, and friend of countless years and just as many books. Hilary, you are amazing! I absolutely refuse to go next to a keyboard unless I am reassured that you'll edit the outcome. Thank you!
Deepest thanks to everyone at John Wiley & Sons, one of the most professional and exceptional publishers in the world, and especially to my executive editor, Sheck Cho, captain and commander extraordinaire and Susan Cerra, the project's managing editor! This book is as much yours as it is mine, and I am grateful for all your help, guidance, and support.
To all the privacy, cybersecurity, and governance professionals around the world, working tirelessly in the field, in academia, in research institutions, in government agencies, and in militaries, this book pales in comparison to your achievements every day. I cannot emphasize this enough: Without your endless efforts in breaking new ground, expanding and enhancing our scientific understanding, and guiding us through the maze, we would be lost. All your works represent the lighthouses that help us navigate, and if I aspire to anything, it is for this book to aid in reflecting your light, interpreting your guidance, and adding wind to the sails.
To the many international organizations that help all practitioners learn, hone, and apply their craft, as well as develop the frameworks we depend on, my gratitude for your ongoing contributions, tireless curation, and unending support. I must particularly single out CERT, ENISA, IAPP, ISACA, (ISC)2, ISECOM, ISO, ISSA, NIST, NSA, OECD, OWASP, and SANS, with my apologies for omitting the many other deserving organizations worldwide. My specific thanks to IAPP and ISACA for their continuous support and endless resources. The ISACA New York chapter remains a home away from home for me and countless professionals in the New York metro area.
To the many friends who supported me in so many ways, through encouragement, advice, and love: Jeanne Frank, I know you're watching from Heaven! You were right about the book! Alex and Mari, Richie and Charlene, Sherryl, Sotos, Dimitris and Koralia, and last but not least, Madina, my princess Indira, and my prince Kamron: I don't know what I did to deserve any of you, but I can't imagine life without you! Thank you!
Finally, to Anna Murray, a name that keeps on repeating in these acknowledgments but from where I sit, not enough! You are the most brilliant, expert, capable, tenacious, fierce, loving, accepting, and giving person, amazing professional, and talented writer I know! Every day I thank my lucky stars that brought you to my life as my partner in the business and my partner in life. You are, and always will be, the brightest star in the dark of night, guiding me home. Thank you!
What man art thou that, thus bescreened in night, so stumblest on my counsel?
—William Shakespeare, Romeo and Juliet
Bene vixit, bene qui latuit.
—Ovid, Tristia
In case your Latin is rusty, Ovid's quote above translates to: “To live well is to live concealed.” My interpretation is different: “To live well is to live in privacy.”
But let's not get ahead of ourselves here. What, exactly, is privacy? What does it mean? What do we understand when we describe something as “private”?
Do we mean secret? Is something private also secret? Certainly, the reverse is not true: we can have many secrets that are not private! They may be secrets of others, secret negotiations, secret deals, and so on.
Do we mean personal? Is it data coupled with our personhood? If so, is all personal data private? What about our name? Are there degrees of privacy?
Defining privacy has puzzled minds far greater than mine, and the definitions for privacy have been just as grand and diverse. Let's start with our perennial friends at Merriam-Webster. They define privacy as:
1 a: the quality or state of being apart from company or observation: SECLUSION
  b: freedom from unauthorized intrusion
2 a: SECRECY
  b: a private matter: SECRET
3 archaic: a place of seclusion
The Oxford English Dictionary, on the other hand, defines privacy as:
1 A state in which one is not observed or disturbed by other people.
1.1 The state of being free from public attention.
And, one of my favorites, Wiktionary's definition, covers all the bases, albeit sometimes cyclically:
The state of being secluded from the presence, sight, or knowledge of others.
Freedom from unwanted or undue disturbance of one's private life.
Freedom from damaging publicity, public scrutiny, surveillance, and disclosure of personal information, usually by a government or a private organization.
(obsolete) A place of seclusion.
(obsolete, law) A relationship between parties seen as being a result of their mutual interest or participation in a given transaction, contract, etc.; Privity.
(obsolete) Secrecy.
(obsolete) A private matter; a secret.
Not to be left out, of course, is the legal definition of privacy. Black's Law Dictionary defines privacy as:
The right that determines the nonintervention of secret surveillance and the protection of an individual's information. It is split into 4 categories:
Physical: An imposition whereby another individual is restricted from experiencing an individual or a situation;
Decisional: The imposition of a restriction that is exclusive to an entity;
Informational: The prevention of searching for unknown information; and
Dispositional: The prevention of attempts made to get to know the state of mind of an individual.
It's worthwhile to pay attention to those four categories: physical, decisional, informational, and dispositional. We'll be returning to those in more detail when we take on the meanings of privacy for your business.
It's not that I have something to hide,
I have nothing I want you to see.
—Amanda Seyfried
Definitions of privacy have evolved over time, and our understanding of the concept is constantly changing. Therefore, it would be naive to assume that Privacy with a capital P can be rendered via a legal definition, complex or not, or a dictionary entry.
Privacy has been, and remains, the subject of rigorous academic study. Anthropology, sociology, psychology, history, and other disciplines have been looking into the concept and developing their own definitions and models to describe Privacy.
It is clearly out of scope for this book to get into details on the academic research on privacy or do a literature review. For our purposes a few drops from the ocean will suffice.
The two giants in privacy research are considered to be Alan Westin (1929–2013), professor of public law and government at Columbia University, and Irwin Altman (b. 1930), professor and chairman of the Psychology Department of the University of Utah, now emeritus.
Westin's book Privacy and Freedom (1968) is considered to be the foundational text on the subject. Westin defines privacy as follows:
Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.
Westin goes on to describe four states of privacy, and four functions or purposes of privacy. He defines the privacy states as solitude, intimacy, anonymity, and reserve, and the purposes as personal autonomy, emotional release, self-evaluation, and limited and protected communication.
Westin's position is that privacy operates at three levels: the individual, the group, and the organization. He also constrains his theory of privacy as applicable to western societies only. In 2002, Westin proposed what's known as the Westin segmentation, classifying the public into three groups: the privacy fundamentalists, who place a premium on privacy and make up about 25 percent of the population; the privacy unconcerned, who couldn't care less about privacy and make up about 20 percent of the population; and the privacy pragmatists, the remaining 55 percent, who are aware of the trade-off between privacy and external offerings.
For his part, Altman outlined his privacy regulation theory in The Environment and Social Behavior (1975). Put very simply, privacy regulation theory has to do with the fact that people have different privacy standards at different times and in different contexts. For example, your definition of what constitutes “private information” in your relationship with your spouse is clearly different from the one in your relationship with your children, and it's different again with your boss and yet again with your coworkers.
According to Altman, this phenomenon is due to “the selective control of access to the self,” which has five properties:
Temporal dynamic process of interpersonal boundaries (feelings about privacy change based on context);
Desired and actual levels of privacy (what we hope for and what we get can differ);
Non-monotonic function of privacy (what constitutes the “optimal” amount can increase or decrease);
Bi-directional nature of privacy (privacy involves both “inputs” and “outputs”); and
Bi-level nature of privacy (individual privacy is different from group).
Altman went on to describe additional features of privacy, including units of privacy, its dialectic nature, and desired versus achieved privacy.
Altman and Westin share a view of privacy as a very dynamic state with multiple inputs and outputs—essentially a system in a constant state of rebalancing, depending on the environment. Their work has spurred both vigorous academic debates and hundreds of researchers moving the field forward by expanding on these theories, adding and elaborating on the privacy features, as well as driving a lot of experimental work all over the world. The majority of results from this research to date seem to validate Westin and Altman, building on their solid foundational work.
Also of note is Nancy Marshall's work, for instance her article “Privacy and Environment” (1972). Marshall developed the Privacy Preference Scale, the first of its kind, based on her identification of six privacy states: intimacy, solitude, anonymity, reserve, seclusion, and not neighboring. Communication studies scholar Virginia Kupritz helped introduce objective environmental measurements of privacy, further expanding Altman's work by reorganizing it and introducing additional psychological and cognitive variables. Kupritz also did significant research on the effect of architecture on privacy.
Most recently, Tobias Dienlin, a scholar in communications science and media psychology at the University of Hohenheim, has proposed a Privacy Process Model that attempts to integrate all major work on privacy into one cohesive model. It integrates the work of Westin, Altman, and numerous others, and differentiates between “factual privacy context and subjective privacy perceptions,” a distinction that Dienlin posits as important both online and offline. His model has four privacy dimensions—informational, social, psychological, and physical—that he argues are equally applicable to both physical and digital worlds.
As you would expect, these debates and work on privacy are far from over. For that matter, they may never be over. Not only does technology continue to evolve, but so do we, across cultures and geographies. The end result is a constantly changing landscape in which we must navigate carefully, constantly challenging our values and protecting what we think, at the time, is near and dear to our identity as people, community members, and value-creating citizens.
The right to be let alone is indeed the beginning of all freedom.
—William O. Douglas
(Dissenting opinion, Public Utilities Commission v. Pollak [1952])
Having a grasp on the concept of privacy is useful, but it's not enough for our purposes. We will soon have to confront regulations governing privacy that directly impact the way we do business. It is paramount that we understand not only privacy as a concept but privacy in context.
In other words, how did we get here?
Since time immemorial, all cultures, all over the world, have had some understanding of privacy as a concept. Some codified it into laws, while others integrated it with religious beliefs. There is substantial scholarship on the subject, and you'll find selected entries in the bibliography to kick off your in-depth review. For our purposes here, a few snippets will suffice to give us a sense of history and scope.
The ancient Greeks, borrowing from the Egyptians, venerated the God of Silence and Secrets, Harpokrates. He is usually pictured as a mischievous little boy with his finger to his lips as if he is saying “Shhh!” (You've got to start somewhere, I guess!) But the Greeks, being geometry-savvy, didn't just include a secretive god in their pantheon. They also designed their living spaces by placing what we would consider window openings in such a way as to limit the view of an outside observer peering in.
The ancient Chinese, meanwhile, had—and still have—a very different and complex understanding of privacy. In broad terms, the word for privacy, yin-si, is a composite of two meanings: yin for “hidden” and si for “not for public disclosure.” As such, yin-si was meant to describe the concept of privacy, but in a negative light—the term carries the sense of a shameful secret.
According to scholars of ancient Chinese culture, the Chinese were more focused on the governance of the state, and on protecting the governance structure, than on protecting the individual. This was ultimately codified in a collection of morality-driven laws governing behavior across many levels, eventually compiled by none other than Confucius. In his Analects, he wrote, “Do not watch what is improper. Do not listen to what is improper. Do not speak nor act improperly.” He also wrote that gossip and hearsay were improper and urged everyone to double-check their Internet sources before forwarding their mother-in-law's conspiracy theory emails. (Yes, Gladys! We did land on the moon, the earth is not flat, and vaccines do save lives! Move on! Let it go!)
As tempting as it is to go through each ancient empire one by one (Egyptians, Babylonians, Greeks, Assyrians, Persians …), I'll spare you the individual details and focus on the one thing they had in common with regard to privacy: they didn't have any! Certainly not as we understand—or struggle to understand—privacy today.
Until the Middle Ages, privacy was not particularly possible. Most houses had one room. Most common spaces were open. To be sure, some cultures more than others took some steps to preserve what we today would identify as privacy, but in general, it was a time of communal living with little consideration of individual privacy.
I am not suggesting that this was necessarily by choice. But it was the reality for the vast masses of people, all over the world. To be sure, one would expect that they would rather have their own individual rooms, and so forth, but that was not possible, mostly for socioeconomic reasons. For that matter, Clellan Ford and Frank Beach in their Patterns of Sexual Behavior (1951) demonstrated that pretty much universally and irrespective of culture, humans would prefer their intimate moments to be private—even if that means taking them outside. (I suppose this is the reverse of “get a room,” back when rooms were not an option!)
The ones who did “have a room,” as we got closer and closer to the Renaissance, were the rich, living in their castles and palaces. It's around this time that the notion of privacy starts getting some traction. In fact, the historian Peter Smith declared that “Privacy (is) the ultimate achievement of the Renaissance!” Interestingly, privacy was made possible by the intersection of technology (namely, Gutenberg's press) and the Catholic Church. It might seem counterintuitive, but a mandatory one-on-one confession between the individual and God (as decreed in the Great Council's declaration of 1215), was a dramatic departure from the communal way of enforcing morality. Then, once printed bibles became commonplace, the devout could study and contemplate in private isolation, further distancing themselves from the community. A dramatic shift was underway, one that would take a couple of centuries to take hold, away from the “community” and toward individual privacy.
The fun started in 1604 with England's attorney general Sir Edward Coke and his famous ruling in Semayne's Case. The ruling has become popularly known as “The Castle Doctrine,” because it starts with “… the house of every one is to him as his Castle and Fortress as well for defence against injury and violence, as for his repose.” But in fact Coke's writing is substantially more complex than just that notion. He went on to clarify the specifics of how this fortress is to be used and also set limits on how the authorities (at the time, the Sheriff) could gain access. Think warrants! A good start!
For the next two and a half centuries, the western world was busy doing everything from establishing the slave trade, to publishing the King James Bible, mourning the death of Shakespeare, completing the Taj Mahal, chopping off the head of Charles the First, developing calculus, establishing trade with China, printing the first daily newspaper, losing 30,000 souls in the Lisbon earthquake, signing the US Declaration of Independence, starting the French Revolution, painting portraits of Napoleon, watching Charles Babbage invent the first computer, reading Lincoln's Emancipation Proclamation, covering their ears when Nobel set off his first dynamite, and saying “cheese” to George Eastman's perfected Kodak box camera.
It is at this point that our review of privacy history takes on a different focus: privacy's legal status. I, personally, find all these foundational privacy law cases and opinions absolutely fascinating, and wanted to include them all here, exuberantly sharing them with you! But my editor reminded me that I also love eating raw sea urchins, which—like my choice of reading—may be an acquired taste.
Therefore, I have taken her wise advice and split the legal case section in two: the Big Print section (here), and the Fine Print section (Chapter 3). In the first section, we'll go over the legal review at a high level, discussing why and how these cases and opinions shaped our thinking and led to the regulations we all deal with today. In the Fine Print section that follows in Chapter 3, I will present more detailed excerpts of the opinions for those who want to revel in the original writing of these great legal minds.
With that in mind, let's begin!
If I were to pick the major milestones for privacy law evolution in the western world, I would select the ones enumerated in Table 2.1.
It is no surprise that privacy law is culture dependent. European cultures tend to reflect a stronger community identity, and their privacy laws reflect that difference. American culture, by contrast, tends toward the individualistic, and the development of its privacy laws reflects that.
A hugely significant moment was an 1890 article in the Harvard Law Review, “The Right to Privacy” by Samuel Warren and Louis Brandeis. Extensive quotes from the article are included in the Fine Print section; for now, a quick overview.
Warren and Brandeis were writing in the context of then-recent inventions of photography and audio-recording devices, which the authors claimed, “have invaded the sacred precincts of private and domestic life.” Warren and Brandeis wrote, “The press is overstepping in every direction the obvious bounds of propriety and of decency.” Their article was a defense of, as they called it, “the right to be let alone.”
“The Right to Privacy” was the first attempt at pulling together accepted US standards into some kind of coherent legal standing for privacy. The argument is essentially that a right to privacy, while not spelled out in the Constitution literally, nonetheless exists in common law. They cite the Fourth Amendment as a strong undergirding for the right, specifically, “to be secure in their persons, houses, papers and effects.” The article also cites the Fifth Amendment, which comes into play because, just as people shouldn't be forced to say things they don't want to, they should not be forced to share information, either.
Table 2.1 Milestones in the Evolution of Privacy Law

Year  Milestone
1888  Thomas M. Cooley, Justice and later Chief Justice of the Michigan Supreme Court, writes “A Treatise on the Law of Torts or the Wrongs Which Arise Independently of Contract.”
1890  Samuel D. Warren and Louis Brandeis publish “The Right to Privacy” in the Harvard Law Review.
1902  The antiprivacy judgment in Roberson v. The Rochester Folding Box Company gives rise to Sections 50 and 51 of New York State's Civil Rights Law.
1905  The Georgia Supreme Court unanimously accepts Warren and Brandeis in Pavesich v. New England Life Ins. Co.
1939  The American Law Institute's first revision of the Restatement of Torts to include privacy concepts.
1948  The Universal Declaration of Human Rights is adopted, including Article 12: The Right to Privacy.
1950  The European Convention on Human Rights is adopted, including Article 8, an expanded right to privacy.
1967  The Freedom of Information Act (FOIA) is enacted in the United States.
1977  The American Law Institute again revises the Restatement of Torts to include modern privacy concepts.
1980  The Organization for Economic Co-operation and Development (OECD) issues its first guidelines on data privacy protection.
1981  The Council of Europe adopts Treaty 108: Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.
1983  The Federal Constitutional Court of Germany (Bundesverfassungsgericht) strikes down the personally identifiable information component of the German census, marking a milestone in individual privacy rights.
1995  The European Data Protection Directive 95 is adopted, the predecessor to today's General Data Protection Regulation (GDPR).
2014  The European Union Court of Justice rules that EU law grants EU citizens “the right to be forgotten” from search engines.
2018  The European Union adopts the General Data Protection Regulation (GDPR).
2020  California passes the strictest privacy law in the United States, the California Consumer Protection Act (CCPA).
Today, “The Right to Privacy” is recognized as a foundational moment in American jurisprudence. But it certainly didn't start out that way! The New York Court of Appeals, for example, defied the arguments of Warren and Brandeis in its ruling for the defendant in Roberson v. The Rochester Folding Box Company. That case was brought when Ms. Roberson objected to her image being used by the defendant, without her permission, on flour packaging boxes.
On the other hand, in the case of Pavesich v. New England Life Ins. Co, the Georgia Supreme Court unanimously accepted Warren and Brandeis's pro-privacy arguments and found for the plaintiff. (As with the Warren/Brandeis article, you can find a lot more detail on the Georgia case in the Fine Print section.)
What's more, even though the New York Court of Appeals hadn't found Brandeis persuasive, some sense that he had a point must have begun to take root in the public consciousness. The Court's decision sparked such a strong public outcry on Ms. Roberson's behalf that the New York State Legislature passed a law (Sections 50 and 51 of New York State's Civil Rights Law, still on the books, albeit amended) prohibiting anyone from using images of individuals without their consent.
The law was the first to specifically enumerate privacy as a right.
Right of privacy. A person, firm or corporation that uses for advertising purposes, or for the purposes of trade, the name, portrait or picture of any living person without having first obtained the written consent of such person, or if a minor of his or her parent or guardian, is guilty of a misdemeanor.
You may have noticed that New York's courts had one response to Warren and Brandeis, while Georgia's courts had the opposite. This brings us to a key point: privacy legislation in the United States is initiated by the states and, as you would expect, reflects each state's own priorities. This makes for a hodge-podge of laws that companies doing business in multiple states have to follow, giving rise to substantial lobbying efforts in Washington for passage of a federal privacy law that can preempt the state ones. I suspect, and hope, that a federal law will be enacted, but for now… don't hold your breath!
But while the US legislature dithers, more cohesive, and far more protective/restrictive privacy laws continue to be enacted by the Europeans. The consequence, given the market size of the European Union, is that EU rules are—basically by default—setting the tone for all business, worldwide. After all, if you must comply with GDPR for Europe, you might as well comply with GDPR globally. It makes no sense to implement GDPR for only your European operations, while maintaining a separate data governance environment for your US operations. Too expensive to maintain, and it takes one mistake to have you found in violation of GDPR, so why risk it?
Mostly in the US, and to a lesser extent around the world, privacy legislation is fiercely debated. These debates have been going on since Warren and Brandeis, and they reflect ideological, cultural, and legal disagreements on what privacy is, and to what degree it requires protection.
For example, Professor Frederick Davis in his 1959 essay “What Do We Mean by ‘Right to Privacy'?” writes:
The concept of a right to privacy was never required in the first place, and that its whole history is an illustration of how well-meaning but impatient academicians can upset the normal development of law.
A few years later, Professor Harry Kalven, in his 1966 “Privacy in Tort Law—Were Warren and Brandeis Wrong?” wrote:
The lack of legal profile and the enormity of the counterprivilege converge to raise for me the question of whether privacy is really a viable tort remedy. The mountain, I suggest, has brought forth a pretty small mouse.
Finally, in 1983 Diane L. Zimmerman's “Requiem for a Heavyweight: A Farewell to Warren and Brandeis's Privacy Tort” in the Cornell Law Review concludes in part:
After ninety years of evolution, the common law private-facts tort has failed to become a usable and effective means of redress for plaintiffs. Nevertheless, it continues to spawn an ever-increasing amount of costly, time-consuming litigation and rare, unpredictable awards of damages. In addition, this “phantom tort” and the false hopes that it has generated may well have obscured analysis and impeded efforts to develop a more effective and carefully tailored body of privacy-protecting laws.
Many of the most troubling privacy questions today arise not from widespread publicizing of private information by the media, but from electronic eavesdropping, exchange of computerized information, and the development of data banks. Much of this information, which individuals supply as a necessary prerequisite to obtaining important benefits like credit, medical care, or insurance, can cause serious harm, even if circulated only to one or two unauthorized recipients. Privacy law might be more just and effective if it were to focus on identifying (preferably by statute) those exchanges of information that warrant protection at their point of origin, rather than continuing its current, capricious course of imposing liability only if the material is ultimately disseminated to the public at large.
Today, the debate is far from over, and it rages on worldwide. That said, there is no question that with the explosion of big data, artificial intelligence, increased data processing capacity, and a constant hunger for analysis, everyone from consumers to industry and from constituents to legislators recognizes the need to do “something.”
The what and how remain elusive.
We started this journey with the various definitions of privacy. We went on to get a feel for how privacy concepts and law evolved over time. As intellectually fascinating as all this has been, we need to get back to today's business reality! What does all this mean for us, exactly?
For one, we now know that the definition of privacy is—at best—elastic and will change over time. We know, as per Black's Law Dictionary, that it has multiple dimensions (let's review: the dimensions are physical, decisional, informational, and dispositional).
We need to synthesize what we know about privacy at the conceptual level, what we know our business needs to be, and what regulations we need to comply with, and from that conjure our own “business” definition of privacy, so that we can build our cybersecurity program around it. This definition must be a living definition of privacy—one we look at carefully and frequently, and one that we must be willing to modify as our society and laws change.
Let's start with what cybersecurity is. In my previous book on
