Privacy Law
Guardians of Confidentiality: The Role of Privacy Professionals in Cybersecurity
by Brett Cook & Samantha Corsey
The three fundamental objectives of a security system are confidentiality, integrity, and availability. Privacy professionals play a key role in crafting effective security strategies. This article will concentrate specifically on the aspect of confidentiality within this triad.
Confidentiality involves protecting sensitive data, such as personal information and trade secrets, from unauthorized access. Without appropriate measures, this data is vulnerable to breaches that can lead to data loss, financial damage, and reputational harm. A privacy professional’s role in the context of confidentiality involves key partnerships with information security teams and IT stakeholders.
A key responsibility of the privacy team is to conduct Data Protection Impact Assessments (DPIAs). DPIAs are essential for new technologies or processes that manage personal information. They enhance the confidentiality aspect of a security program by identifying and mitigating potential risks associated with the processing of personal data. An effective DPIA includes: a) an explanation of the processing’s nature, scope, context, and purpose; b) an inventory of where data might be vulnerable to unauthorized access or disclosure; c) a verification that only data necessary for the intended business objective is collected, which reduces the amount of sensitive information that could potentially be exposed in a breach; and d) a detailed account of how compliance with the Fair Information Privacy Principles was ensured. Several key principles should be emphasized, including Authority, Purpose Specification, Integrity, Access, and Accountability, as they are particularly relevant to our topic. However, all principles should be taken into account when conducting DPIAs. Moreover, it’s crucial to also consider any issues associated with additional technologies such as Artificial Intelligence (AI) when applicable.
Privacy professionals are essential in safeguarding confidentiality during incident response and breach management by collaborating with information security teams to evaluate the effects on personal data, directing the communication plan with impacted parties and regulators, and devising strategies to avert subsequent breaches. Such incidents often involve sensitive populations, including children and the elderly. For instance, in March 2022, a significant cyber-attack compromised the personal information of over one million students in New York City public schools. Under New York legislation, there is an obligation to inform individuals when their personal data is unlawfully accessed. In this case, privacy experts joined forces with the New York City Department of Education to determine the affected parties, leading to notifications being sent out to a vast number of current and former students who were impacted by the attack.
Finally, privacy professionals are key in crafting and enforcing policies that uphold data confidentiality by setting user access controls, categorizing data, and outlining secure handling practices. A relevant example is the EU AI Act, which mandates accurate and secure AI systems and a robust cybersecurity network. Privacy professionals must stay informed on emerging regulations to guide organizations effectively. They can do so by participating in events such as the CLA Annual Privacy Summit and by active involvement in professional groups such as the ABA, IAPP, or FPF.
Brett Cook is Senior Privacy Counsel for Motorola Solutions, Inc. and serves as an Executive Committee Member for CLA’s Privacy Law Section.
Samantha Corsey is an Intellectual Property Project Assistant at Foley & Lardner, LLP.
The views expressed in this article are solely the personal opinions of the authors and do not reflect the views or opinions of their employers.