The relationship between cybersecurity and privacy is complex. On the one hand, cybersecurity that protects data from intrusion, theft and misuse obviously is a significant privacy safeguard. On the other hand, cybersecurity measures that monitor access and use can implicate the collection of personal information and thus raises privacy concerns.
While adoption of cybersecurity defenses will serve to protect personal data - indeed, there can be no data privacy without sufficient security, including cybersecurity - some of the defense techniques may require the monitoring or collection of personal information, and thus implicate privacy concerns:
- First, there is network and system monitoring. Experts agree that in order to detect and defend against cyberattacks, organizations should be aware of how their information networks and IT systems are behaving. Such monitoring typically is focused on non-personal information such as malware indicators, bad IP addresses and network flow data. Of course, the more specifically one monitors, and potentially records, activity, the more potential there is that personal data will be part of the information reviewed and/or collected.
- The next issue is that of background checks. Not all cyberdefense measures involve cybertactics. Organizations frequently find it prudent to conduct background checks - at times quite extensive - on individuals with access to certain sensitive systems and data. By definition, background checks require the collection and use of personal information.
- A new aspect of data security arises from the bring-your-own-device phenomenon. An increasing number of organizations are allowing their workforce to use personally owned smart phones, PCs and other devices. The steps organizations take to secure such devices and the data that might be stored on them often involve access to personal data.
- Steps taken to strengthen supply chain and vendor security may also raise privacy issues. Security conscious enterprises understand that the weakest link in their organization may lie outside their formal control. Measures imposed on their vendors and suppliers may require those third parties to conduct background checks and share other information that has privacy implications.
- Information sharing with third parties and government agencies means that personal information may be shared. Finally, but importantly, experts agree that rapid and preferably automated cross-organizational sharing of cyberthreat information is essential to help detect and defend against cyberattacks. And given the recent passage of H.R. 624, the Cyber Intelligence Sharing and Protection Act [see House Handily Passes CISPA], there can be significant privacy issues raised by such sharing. While each of these areas of cybersecurity techniques raises privacy concerns, those concerns can be addressed responsibly.
Thoughtfully Limited Data Collection
Consistent with the well-known Fair Information Practice Principles, data collection should be thoughtfully limited; used only for the purpose of security or other carefully considered and approved purposes; retained only for as long as needed for security and other legitimate purposes; and shared only with those that need the data for security or other carefully considered and approved purposes, with accompanying limitations on their sharing, use and retention. These are concepts that privacy professionals in American business apply every day, and close collaboration between privacy professionals and security personnel at companies is essential to ensure that the security/privacy balance is correct and that Fair Information Practice Principles are applied to design privacy into cybersecurity programs.
Second, there should be transparency as to the cybersecurity measures that organizations, especially operators of critical infrastructure, increasingly are using. Transparency is fundamental to the Fair Information Practice Principles. When implemented, it reassures individuals that the processing of information that relates to them is not being done in secret, thus enabling them to pursue any recourse available if necessary.
As it relates to cybersecurity measures, transparency would include encouraging companies that are deploying network and systems monitoring to disclose their use of such measures, not in sufficient detail as to defeat their operations but in enough detail that individuals know about the systems monitoring the use of workplace technologies and the like. The more we inform and educate each other about how cybersecurity systems work, and how privacy considerations are addressed in their design and implementation, the more these measures are demystified.
Third, I endorse the development of voluntary codes of conduct for the privacy-sensitive deployment of cybersecurity measures and programs that are common enough to warrant such effort. Examples might include information-sharing codes of conduct, in which organizations that engage in information-sharing partnerships with each other and with governmental agencies develop and commit to adopting privacy-sensitive practices.
Another example is new work by the National Institute for Standards and Technology as mandated by the recently-issued executive order on improving critical infrastructure cybersecurity, to develop a voluntary cybersecurity framework that includes consideration of privacy [see Obama Issues Cybersecurity Executive Order]. As you know, NIST will be consulting with stakeholders in government and industry as it develops the framework.
Finally, the expectations, responsibilities and legal protections for privacy when data is shared with or requested by government need to be clear. Legislation that clarifies the rules surrounding information sharing is a valuable first step, and it is encouraging to see that the privacy issues associated with information sharing have been discussed and that language addressing these issues has been included in the legislation proposed in this Congress.
Further efforts by government and industry leaders, outside of new legislation, will also be useful to educate and enable stakeholders involved in these activities to design privacy into information sharing and related activities.
Harriet Pearson is a partner specializing in cybersecurity and privacy law at the law firm of Hogan Lovells. Pearson is the former chief privacy officer and security counsel at IBM. This blog was adapted from testimony she delivered on April 25 to the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.