With the dawn of the General Data Protection Regulation (GDPR), and with more states adopting or strengthening existing privacy laws, the need for developing a strong risk management approach to privacy is crucial to organizations. Over the past 10 to 15 years, we have learned that organizations continue to approach compliance (e.g., Payment Card Industry Data Security Standard (PCI DSS compliance) using a “check-a-box” approach. The problem occurs when organizations ignore the basic risk management fundamentals and lull their organizations into a false sense of security.
As history has shown us, regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the PCI DSS, and the Federal Information Security Management Act (FISMA) have evolved and continue to be refined in response to the various breaches that have occurred. With the arrival of the GDPR and state privacy laws such as the Texas Health and Safety Code, the Nevada Security and Privacy Law, and the California Consumer Privacy Act of 2018 (CCPA), organizations must monitor the ever-changing regulatory landscape to achieve compliance with these laws without ignoring or neglecting the other areas that make up an overall information security program. The best way to achieve this goal is for organizations to adopt a privacy risk management strategy to identify, prioritize, and manage those risks, just as they would information security risks.
GDPR AND CCPA: WHY PRIVACY RISK MANAGEMENT IS MORE IMPORTANT THAN EVER
As part of this white paper, we will look at both the GDPR and CCPA privacy laws and how they impact companies and individuals.
GENERAL DATA PROTECTION REGULATION
In 2012, the European Union (E.U.) began writing a major update to the existing E.U. Data Protection Directive that was published in 1995. With this new regulation, the E.U. introduced the GDPR. The main intent of the GDPR is to provide a set of standardized data protection laws across all the member countries to make it easier for E.U. citizens to understand how their personal data is being used, and to raise any complaints, even if they are not in the country where the data is located. What makes complying with the GDPR exceptionally challenging to organizations is that they do not even need to have a physical presence in an E.U. country to be subject to the regulation. They only need to collect personal data from an E.U. resident. With a fine of up to 20 million euros (around $22.4 million as of July 22) or 4% of global revenues of an organization (whichever is greater) for violating a key article in the regulation, it is imperative that organizations realize that the protection of personal data is being taken seriously by the E.U. and that the penalties an organization can face due to a loss or misuse of this data can be financially crippling.
One important thing to note regarding the GDPR is that the regulation has been written in a way that does not specify everything about what constitutes personal data to prevent the law from becoming outdated if a new way of identifying people appears. Any data that identifies a person is considered personally identifiable information (PII). Examples of PII include traditional data elements such as names, identification and/or Social Security numbers, genders, as well as things like IP addresses and GPS location data. The GDPR also defines an additional category of PII, sensitive personal information, which covers data such as genetic information, political opinions and religious beliefs.
Over the course of 18 years assessing organizations, one of the areas of immaturity I have seen in all industry verticals is risk management, especially in communicating information security risks to stakeholders or leaders within the organization who are not information security literate so that they can effectively prioritize and manage those risks alongside managing risks that are not IT or security driven, such as market risk, financial risk, or credit risk. As privacy laws such as the GDPR and CCPA add privacy risks to the equation, developing a privacy risk management strategy to complement or integrate into a security risk management program is vital.
For an example of how privacy can be viewed through the prism of risk management we can look at Article 25 (Data Protection by Design and Default) and Article 32 (Security of Processing) of the GDPR. Each article begins with the following statement:
“TAKING INTO ACCOUNT THE STATE OF THE ART, THE COSTS OF IMPLEMENTATION AND THE NATURE, SCOPE, CONTEXT AND PURPOSES OF PROCESSING AS WELL AS THE RISK OF VARYING LIKELIHOOD AND SEVERITY FOR THE RIGHTS AND FREEDOMS OF NATURAL PERSONS, THE CONTROLLER AND THE PROCESSOR SHALL IMPLEMENT APPROPRIATE TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE A LEVEL OF SECURITY APPROPRIATE TO THE RISK, INCLUDING INTER ALIA AS APPROPRIATE…”
As you read further into each article, it becomes apparent that organizations must develop inherent knowledge of who has access to protected data, how is that data protected, and what data protection gaps exist. In addition, as security or privacy professionals, it is our duty to understand the likelihood and severity of risks that could result in a breach that would violate the rights of data subjects and lead to penalty enforcement.
CALIFORNIA CONSUMER PRIVACY ACT OF 2018
In 2018, the California state legislature passed, and Governor Jerry Brown signed into law, the CCPA, which amends Part 4 of Division 3 of the California Civil Code. The CCPA is intended to enhance the privacy rights and protections for California residents. The law goes into effect on January 1, 2020, and has many similarities to the GDPR.
THE LAW INTENDS TO PROVIDE CALIFORNIA RESIDENTS WITH RIGHTS TO:
- Know what personal data is being collected about them
- Know whether their PII is sold or disclosed and to whom
- Say no to the sale of PII
- Access their own PII
- Receive equal service and price, even if they exercise their privacy rights under the law
Under the sanctions and remedies section of the law, companies that experience data theft or a data security breach can be brought into civil class action lawsuits and pay damages between $100 and $750 per California resident and incident, or actual damages, whichever is greater, and any punitive damages the court finds appropriate. Also, companies face fines of up to $7,500 per each intentional violation and $2,500 per each unintentional violation. While these sanctions are not as severe as ones levied by the GDPR law, a small- or medium-sized organization could still be financially impacted should they experience a loss of data or suffer a breach that affects California residents.
As we see with both the GDPR and CCPA, understanding the cost, complexity to the organization, and benefits of addressing privacy gaps within an organization is a classic risk management issue. While there are some great techniques organizations can use to address risk management, such as setting up a steering committee, the first step should be choosing a framework to address privacy risks to integrate into an organization’s security risk management program, if one exists.
PRIVACY RISK MANAGEMENT FRAMEWORKS
As there are various frameworks that can be used to address security risk management, there are frameworks that have been developed for addressing privacy risk management. We look at three of those frameworks here.
GENERALLY ACCEPTED PRIVACY PRINCIPLES
Generally Accepted Privacy Principles (GAPP) is a privacy framework that was developed through a partnership between the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA). The goal of GAPP is focused on a single guiding privacy objective: that PII must be “collected, used, retained, and disclosed in compliance with the commitments in the entity’s privacy notice and with criteria set out in the GAPP issued by the AICPA/CICA.”
As we see, “security in privacy” is one of the core principles in GAPP, and as we investigate the supporting criteria, GAPP defines the requirement to protect personal information against both physical and logical unauthorized access. GAPP is recognized by the International Association of Privacy Professionals (IAPP) for use with both the GDPR and state privacy laws. This framework is the de facto framework used by Certified Public Accountant (CPA) firms and is a solid choice to use as a foundation for building a privacy risk management program.
IN SUPPORT OF THE FRAMEWORK’S PRIMARY OBJECTIVE, GAPP FOCUSES ON THE FOLLOWING 10 PRINCIPLES:
- Choice and consent
- Use, retention, and disposal
- Disclosures to third parties
- Security in privacy
- Monitoring and enforcement
The HITRUST alliance, formed in 2007, is collaboration between health care, technology, and information security leaders whose mission is to create a comprehensive framework that is prescriptive and certifiable for organizations. Until recently, its sole focus was on health care. However, with the release of version 9.1, the HITRUST Common Security Framework (CSF) added the GDPR to the framework. Version 9.2 added Singapore’s Personal Data Protection Act to the overall CSF. The CSF also covers all state privacy laws and provides the ability to conduct System and Organization Controls (SOC) 2 reporting through the CSF portal.
While the current version of the CSF is free to download, organizations who wish to certify against the CSF will need to purchase a subscription from the HITRUST alliance and contract with a CSF assessor to perform the CSF certification process. If an organization is willing to spend the money required to obtain certification, this is a comprehensive risk management framework that will encompass both information security and privacy needs.
NIST PRIVACY FRAMEWORK
The National Institute of Standards and Technology (NIST) will be releasing their Privacy Framework in October 2019, which is being designed to complement the NIST Cybersecurity Framework (CSF). The Privacy Framework will give organizations the ability to build a security and privacy risk management program using both frameworks together. The Privacy Framework will provide a common language for understanding, managing, and communicating privacy risk with internal and external stakeholders. Like the CSF, the Privacy Framework is made up of “The Core.” The Core consists of three elements: functions, categories, and subcategories.
The functions within the Privacy Framework break down as follows:
1. IDENTIFY > 2. PROTECT > 3. CONTROL > 4. INFORM > 5. RESPOND
As we see, functions 1, 2, and 5 correspond with the NIST CSF, while functions 3 and 4 focus on data privacy. This correspondence will allow organizations who have adopted the NIST CSF as their security risk management framework to now build out their privacy risk management framework with minimal re-engineering. While organizations can already utilize the NIST CSF and Risk Management Framework (RMF) (NIST Special Publication 800-37 Rev. 1) to address GDPR requirements, adoption of the Privacy Framework will provide organizations with a granular approach for data privacy.
With an increasing number of states enacting more stringent privacy laws, and other countries looking to enact personal data protection for their citizens, now is the time for organizations to take the steps necessary to build and implement a strong privacy risk management framework that will complement existing security risk management frameworks. Having a strong privacy risk management framework is a critical first step in an overall privacy program and is needed to provide maturity to an existing information security program.