PRIVACY, REGULATIONS, AND CYBERSECURITY: THE ESSENTIAL BUSINESS GUIDE
Chris Moschovitis
Copyright © 2021 by Chris Moschovitis. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Cataloging-in-Publication Data is Available:
ISBN 9781119658740 (hardback)
ISBN 9781119660118 (ePub)
ISBN 9781119660149 (ePDF)
Cover image: © Yuichiro Chino/Getty Images, © dem10/Getty Images
Cover design: Wiley
FOREWORD
PREFACE
ABOUT THE AUTHOR
ACKNOWLEDGMENTS
PART ONE — Privacy
CHAPTER 1 Understanding Privacy
CHAPTER 2 A (Very) Brief History of Privacy
CHAPTER 3 The Legal Case for Privacy (the Finer Print)
PART TWO — Regulations
CHAPTER 4 Introduction to Regulations
CHAPTER 5 North American Regulations
CHAPTER 6 European Regulations
CHAPTER 7 Asia-Pacific Regulations
CHAPTER 8 African Regulations
CHAPTER 9 South American Regulations
PART THREE — Privacy and Cybersecurity
CHAPTER 10 Introduction to Cybersecurity
CHAPTER 11 A Cybersecurity Primer
CHAPTER 12 Privacy-Centric Cybersecurity Program Overview
CHAPTER 13 Privacy by Design Overview
CHAPTER 14 Cover Your Assets!
CHAPTER 15 Threat Assessment
CHAPTER 16 Vulnerabilities
CHAPTER 17 Environments
CHAPTER 18 Controls
CHAPTER 19 Incident Response
CHAPTER 20 Welcome to the Future! Now, Go Home!
BIBLIOGRAPHY
INDEX
FOREWORD
You will never do anything in this world without courage. It is the greatest quality of the mind, next to honor.
—Aristotle
Businesses today are faced with increasing demands for privacy protections, ever-more complex regulations, and ongoing cybersecurity challenges that place heavy demands on scarce resources. During these difficult times it is important that we have the courage to proactively deal with these imperatives. This book is an essential tool for any business executive who needs to orchestrate the “handshake” between privacy, security, and ongoing regulations. Oh yes, and courage.
A few years ago, I returned to one of my passions—security—when I took over as the leader of a business in the eastern US. These last three years have been challenging but exciting, and I have seen an unprecedented level of interest by business executives in privacy and security. I have made more board presentations and been in more meetings with the C-suite on these topics in the last three years than the ten years before that combined. When I was appointed to the board of the ISACA (Information Systems Audit and Controls Association), I was thrilled at the opportunity to make significant change in the security profession. But I expected too much too soon, and the board’s message after my first presentation was clear: “We need more research on the concept of information security management and how security is viewed by executives before we make any investments.”
It was early in the new millennium, and security was becoming a topic of conversation in the executive suite. Even though the first CISO had been appointed at Citi in 1995, the body of knowledge for security was defined by technical and product-specific certifications with no frameworks to support organizations, and privacy regulations such as GDPR were still just a distant thought.
At that time, I had made my recommendation to the board of the ISACA to drive the setting of a “common body of knowledge” of the future CISO. I had a strong belief that there was wider acceptance of the role and its importance in protecting the organization.
Maybe it was a turning point, but several events came together early in the new millennium to reinforce this belief. “ILOVEYOU” infected millions of computers, followed by the first criminal conviction of a hacker, the widespread disruption caused by denial-of-service attacks on Microsoft systems (and Bill Gates’s decree that Microsoft products would embed security as part of the product), and a series of other high-profile hacks. This was exacerbated by the financial collapse of Enron and its impact on the trust in the US economic system. Regulation followed with the Sarbanes-Oxley Act and many others around the globe. It was a new world, and the continued regulation around security and privacy gained momentum.
That year I became chairman of the board of ISACA, and the new body of knowledge accompanied by a certification (CISM) was launched. The founding group was made up of four dedicated CISOs, and the certification is still the standard for security management professionals.
Which brings me back to my good friend Chris, with whom I have formed a terrific bond over mutual interests. Fine food and wine and a connection as first-generation Greeks cemented our friendship. Recently, we discussed and debated many topics, including the need for those executives who understand security risks to transform that knowledge into action around privacy and security around regulation.
I have found Chris’s intellectual curiosity and sense of humor to be both compelling and engaging. These traits are a perfect vehicle to take the reader on this journey, from the fundamentals of privacy to the ongoing regulatory pressures and how companies can be better prepared at the executive level to tackle these changes.
Chris is able to interpret complex principles and distill them into a natural flow, where the reader is taken on a journey. In Homer’s Odyssey, Circe warned Odysseus of the impending perils so that he would be prepared. Likewise, Chris’s book prepares the executive to be aware of the perils and opportunities ahead and provides a roadmap on how to act with courage as security and privacy regulations continue to proliferate.
Be prepared and do the right thing and not just because of regulation—do it for your customers, employees, shareholders, and everyone who places trust in you and your company. Use the step-by-step approach from this book, so you and your company can be ready for whatever challenges the future might hold.
It is time to act, and with this guide in hand, you are well on your journey.
Marios Damianides
Cyber Security Leader, Ernst & Young LLP
Chair of the Board, ISACA (2003–2005)
PREFACE
“What? I’ve been working like this all my life! Now, you’re telling me that I have to be GDP … umm … GD-whatever compliant?”
My friend and client, an immigration attorney from way back when “immigration” was not a dirty word, was angry. Her practice had been very successful over the years, dealing with all sorts of immigration issues across continents. The problem is that she is doing business with citizens of the European Union (EU). Worse, she has a partner in Athens, Greece, an EU-member country.
Fabulous! She must comply with the General Data Protection Regulation of the EU, better known by its acronym, GDPR. For those of you blissfully unaware of GDPR, it is a law passed by the European Union in 2016. It has far-reaching consequences to businesses worldwide, including yours!
If you are a businessperson who, like my friend, has no idea where to begin with GDPR, then this book is for you! It is the sequel to Cybersecurity Program Development for Business: The Essential Planning Guide (Wiley, 2018), and just like that book, this one is designed with you, a businessperson, in mind. In Cybersecurity, my goal was to give you enough information so that you wouldn’t be at the mercy of experts talking over your head and around your business when it came to cybersecurity. In its introduction, I wrote:
What if there was a book that put the whole cybersecurity thing into perspective, using simple, direct language? What if there were sections and chapters explaining what is going on, what the risks are, and what all the technobabble really means? And, what if the book had a step-by-step, actionable approach on what you can do about all this? A book that aggregated the current best practices, put them in perspective, injected my experience and my own point of view, and how I applied all this across all our clients?
All the while poking a little fun at ourselves, too?
The goal, approach, and style remain the same—only this time, the aim is to transform your hard-earned cybersecurity awareness into one that is privacy-centric and regulation-aware. If you’re one of the many businesspeople out there who are new to all this, just starting to confront the new cyberwar realities, concerned about yours and your business’ privacy, and worried that some regulation will descend to levy God knows what kind of fine, then you’re in luck!
This book will guide you through all this step-by-step, section-by-section: privacy, regulations, and cybersecurity. We’ll work through the basics together, as well as reviewing case studies and examples of best practices across different industries and different size companies.
Just like in the first book, which I will be referencing frequently, especially in Part Three, we need a case-study disclaimer: The case studies and examples presented throughout both books are aggregated from my own work and from the work of many colleagues who were gracious enough to share their experiences. As you would expect, all names, industries, and geographies have been changed to protect the anonymity of these clients. In some of the cases, multiple problems were combined into one. In others, many assignments were broken out into a single one. The goal has been to distill the essential lesson from each case while protecting the identity and respecting the privacy and confidentiality of every client.
There is a fundamental difference, though, between the first book and this one. The first book dealt strictly with the practical and pragmatic design of a cybersecurity program with the goal of protecting your business. This book synthesizes two distinct, diverse, and complex segments into a privacy-first and regulation-focused cybersecurity program. If you already have a cybersecurity program in place, then this book will help you hone what’s already there into a privacy-centric and regulation-compliant cybersecurity program.
If you don’t have a cybersecurity program in place, then where have you been?
Nevertheless, I am glad you’re with us now! This is your opportunity to start building a cybersecurity program from the bottom up that, from inception, will be privacy- and regulation-compliant-focused.
One more thing before we dive right in: Just as it is important to understand what this book is, and who it is for, it is equally important to know what it is not. This is especially true since we will be dealing with topics that are at once scholarly, legal, and technical in nature. This book is not intended to be an academic analysis, a legal brief, or a technical how-to manual, although it will borrow and reflect work from all these disciplines.
If you’re looking for the latest scholarly book on privacy, an in-depth legal treatment of the California Consumer Privacy Act, or how to configure your firewall, this book is not for you!
This book is intended as a practical, pragmatic, and actionable business guide for people across industries and business sizes who need to understand what all this talk about privacy really means, what the effect of all these laws and regulations are, and how to put it all together in a cybersecurity program to protect what’s of value to them.
It relies heavily on the outstanding work of numerous scholars, lawyers, and information technology and cybersecurity professionals, without whom it would not have been possible to write it. You will find a detailed bibliography of sources at the end of the book, and I urge you to use it and dig deeper as you see fit.
For me, each one of these topics, and especially privacy, represent fascinating areas of study. Privacy and cybersecurity force us to confront questions of how we as people manage difficult, complex concepts and how we translate those concepts into actionable laws and ways of doing business.
ABOUT THE AUTHOR
I was born in Athens, Greece. After high school, I chose to come to the United States to study physics and computer science. I did that at the State University of New York, the College at Brockport, in upstate New York. My years at Brockport were formative to me as a person, a scientist, and as a professional. Words for the gratitude and respect I have for the dedicated faculty that shaped my life can easily fill a couple of books, but that is for another time.
After graduating with my bachelor’s degree in science, I became an instructor of computer science and a computer systems manager at the Stratford School in Rochester, New York. Following brief graduate work stints at the Rochester Institute of Technology and the University of Rochester, I moved to New York City to serve as the director of academic computing at Pratt Institute. There, under the direction of the vice president of information technology (there were no “chief information officers” back then), I was responsible for the building and management of four computing centers of excellence, each focusing on a specific discipline (art, architecture, engineering, and information science). From there, I was recruited to be the vice president of information technology at the O’Connor Group, a real estate manager and developer in New York City. Then, in the middle of the Reagan Recession, I decided that there was no better time than the present to start my own company, which I did in 1989.
I have been running my own firm ever since, surrounded by partners and colleagues who teach me more and more every single day, and together we deliver a broad spectrum of IT consulting services. I have been privileged to partner with great clients, to engage in fantastic projects of business and technology transformation, and to collaborate with teams that push boundaries and develop incredible business solutions. I lived through the amazing advances in computer science that are now the stuff of lore: I was there during BitNet, sending email messages and watching the message hop from node to node. I was amazed at formatting the first 10MB hard disks of IBM’s new personal computer. I’ve fed endless floppies in and out of the first Macs. I’ve built muscles carrying the Compaq “Portable,” which was nicknamed “luggable” for good reason. I’ve carried pagers and cell phones the size of suitcases. I subscribed to CompuServe and AOL and still have a working Hayes 14.4 modem.
Throughout it all, I have always been fascinated by security, privacy, and the protection of data. Even before “cybersecurity” was a word, I insisted that the sites we designed and managed implemented business-appropriate computer security and disaster recovery. Maybe it was because George Whelan, a partner of mine at the time, was a computer virus collector (he still has them). Maybe, because I remain culturally Greek, naturally cautious and private. Whatever the reason, I always asked, “What happens if ‘this’ gets out?” or “How fast can we be back up and running?” Any of my consultants will tell you that even now, the first thing they are taught when they start working for me is that “not checking the backup is a career-ending mistake.”
Following decades as a practitioner of both IT governance and cybersecurity management, I decided to make it official and joined Information Systems Audit and Control Association (ISACA), an independent, nonprofit, global association that was founded in 1969, engaging in “The development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.” Joining ISACA was one of the smartest things I ever did. Through ISACA, I got certified in three areas: First in cybersecurity, becoming a Certified Information Security Manager (CISM), then in IT governance, becoming Certified in Governance of Enterprise IT (CGEIT), and finally as a Certified Data Privacy Solutions Engineer (CDPSE).
Not one to stand still, and always fascinated by the beauty in complexity, I decided in 2018 to study privacy and its implications on our society, business, and systems. I subsequently joined the International Association of Privacy Professionals (IAPP). Just like ISACA, the IAPP is an incredible community of privacy experts that have dedicated their life to the study and implementation of sound privacy principles. I found a welcome home there and endless resources to help me in my journey that has led me here, to this book, that I am humbled to share with you.
I am privileged to be able to continue my journey, running my firm tmgemedia, inc., and to be surrounded by incredible professionals, clients, and friends that teach me the value of hard work, dedication, and love every day.
ACKNOWLEDGMENTS
Every book is a labor of love. This one is no different. After I finished my first baby, Cybersecurity Program Development for Business: The Essential Planning Guide, I knew I wanted to write a second, one specifically focused on Privacy. The initial idea was unformed but persistent. Privacy intrigued me. The “P” word was used practically daily; legislators were passing laws pretending to preserve it while businesspeople were at a loss about what to do with it.
I was clear from the beginning that I did not want to write a scholarly treatment on privacy. Better-equipped scholars of many stripes have produced, and continue to produce, great works on the subject. My approach was to be similar to the first book: What do we need to know on privacy so that we can be informed as citizens and enabled as professionals? More to a pragmatic point, how does all this privacy legislation affect our capacity to design and deliver an effective cybersecurity program?
To answer all these questions, I came up with the format for this book. It would have three distinct parts: one on privacy; one on regulations, worldwide; and one on privacy-centric cybersecurity program development. The latter would be based on the previous book but enhanced by our understanding of privacy, not just as a concept but as a set of concrete regulatory requirements. The result is in your hands!
Books are never solitary efforts. Yes, the image of the writer toiling away at her desk day-in, day-out is true, but the author brings a universe of people to paper. Same with me. Over the course of 31-plus years in the information technology industry, I have had the privilege to meet hundreds of professionals, experts, partners, clients, and vendors who have shaped my thinking, formed my experiences, and honed my expertise. Their influence is reflected in the pages that follow. They wrote the book with me.
From my original partner in the business, George Whelan, who religiously collected and kept live computer viruses on floppy disks, to instructors such as Jay Ranade, who has forgotten more than I’ll ever know, to clients who partnered with me and staff who tirelessly worked to solve problems, I owe each one a debt of gratitude that no acknowledgment can do justice.
Still, I must start somewhere, and the right place to start is with an apology for my omissions. They are entirely my own.
Next, I want to acknowledge a debt of gratitude to my clients, my true partners to success. Every day, I am honored and privileged to be your ally and to contribute to your goals. I am constantly humbled by all the things that you teach me every day. I would be remiss if I didn’t single out the Hoffman family, Andrew, Mark, and Steve, who have been loyal supporters and mentors since I started the firm 31 years ago; the founding partners at Allegaert Berger and Vogel, Chris, David, and Michael, for their trust in me, their loyalty, and wise counsel through thick and thin; the amazing team at Kapitus for teaching me and my team how to jump onto a rushing freight train; and to Vigdis Eriksen at Eriksen Translations for her trust in us and for her feedback that makes us better every day!
In the same breath, I want to thank my own partners and associates, whose incredible expertise, loyalty, dedication, skills, empathy, and personal engagement make my and our clients’ success possible. They are, alphabetically: Anna Murray, Atsushi Tatsuoka, Danielle Chianese, Doel Rodriguez, Frank Murray, Greg Andrews, James Rich, Justin Schroeder, Leon Tchekmedyian, Pedro Garrett, Thomas Hussey, Tyler Raineri, and Yeimy Morel. Thank you for the privilege of working with you, for all you do, day and night, and for allowing me to shut my door and write, write, write! You made this possible!
Whenever there is a book, there is an editor and a publisher. I have been the luckiest of authors to have the best in both. First, my eternal gratitude to the one-and-only, walk-on-water-on-her-bad-days, amazing Hilary Poole, my editor, coauthor, and friend of countless years and just as many books. Hilary, you are amazing! I absolutely refuse to go next to a keyboard unless I am reassured that you’ll edit the outcome. Thank you!
Deepest thanks to everyone at John Wiley & Sons, one of the most professional and exceptional publishers in the world, and especially to my executive editor, Sheck Cho, captain and commander extraordinaire, and Susan Cerra, the project’s managing editor! This book is as much yours as it is mine, and I am grateful for all your help, guidance, and support.
To all the privacy, cybersecurity, and governance professionals around the world, working tirelessly in the field, in academia, in research institutions, in government agencies, and militaries, this book pales in comparison to your achievements every day. I cannot emphasize this enough: Without your endless efforts in breaking new ground, expanding and enhancing our scientific understanding, and guiding us through the maze, we would be lost. All your works represent the lighthouses that help us navigate, and if I aspire to anything, it is for this book to aid in reflecting your light, interpreting your guidance, and adding wind to the sails.
To the many international organizations that help all practitioners learn, hone, and apply their craft, as well as develop the frameworks we depend on, my gratitude for your ongoing contributions, tireless curation, and unending support. I must particularly single out CERT, ENISA, IAPP, ISACA, (ISC)², ISECOM, ISO, ISSA, NIST, NSA, OECD, OWASP, and SANS, with my apologies for omitting the many other deserving organizations worldwide. My specific thanks to IAPP and ISACA for their continuous support and endless resources. The ISACA New York chapter remains a home away from home for me and countless professionals in the New York metro area.
To the many friends who supported me in so many ways, through encouragement, advice, and love: Jeanne Frank, I know you’re watching from Heaven! You were right about the book! Alex and Mari, Richie and Charlene, Sherryl, Sotos, Dimitris and Koralia, and last but not least, Madina, my princess Indira, and my prince Kamron: I don’t know what I did to deserve any of you, but I can’t imagine life without you! Thank you!
Finally, to Anna Murray, a name that keeps on repeating in these acknowledgments but from where I sit, not enough! You are the most brilliant, expert, capable, tenacious, fierce, loving, accepting, and giving person, amazing professional, and talented writer I know! Every day I thank my lucky stars that brought you to my life as my partner in the business and my partner in life. You are, and always will be, the brightest star in the dark of night, guiding me home. Thank you!
CHAPTER 1
Understanding Privacy
Bene vixit, bene qui latuit.
—Ovid, Tristia
In case your Latin is rusty, Ovid’s quote above translates to: “To live well is to live concealed.” My interpretation is different: “To live well is to live in privacy.”
But let’s not get ahead of ourselves here. What, exactly, is privacy? What does it mean? What do we understand when we describe something as “private”?
Do we mean secret? Is something private also secret? Certainly, the reverse is not true: we can have many secrets that are not private! They may be secrets of others, secret negotiations, secret deals, and so on.
Do we mean personal? Is it data coupled with our personhood? If so, is all personal data private? What about our name? Are there degrees of privacy?
Defining privacy has puzzled minds far greater than mine, and the definitions for privacy have been just as grand and diverse. Let’s start with our perennial friends at Merriam-Webster. They define privacy as:
1. a: the quality or state of being apart from company or observation: SECLUSION
   b: freedom from unauthorized intrusion
2. a: SECRECY
   b: a private matter: SECRET
3. archaic: a place of seclusion
The Oxford English Dictionary, on the other hand, defines privacy as:
1. A state in which one is not observed or disturbed by other people.
1.1 The state of being free from public attention.
And, one of my favorites, Wiktionary’s definition, covers all the bases, albeit sometimes cyclically:
1. The state of being secluded from the presence, sight, or knowledge of others.
2. Freedom from unwanted or undue disturbance of one’s private life.
3. Freedom from damaging publicity, public scrutiny, surveillance, and disclosure of personal information, usually by a government or a private organization.
4. (obsolete) A place of seclusion.
5. (obsolete, law) A relationship between parties seen as being a result of their mutual interest or participation in a given transaction, contract, etc.; Privity.
6. (obsolete) Secrecy.
7. (obsolete) A private matter; a secret.
Not to be left out, of course, is the legal definition of privacy. Black’s Law Dictionary defines privacy as:
The right that determines the nonintervention of secret surveillance and the protection of an individual’s information. It is split into 4 categories:
1. Physical: An imposition whereby another individual is restricted from experiencing an individual or a situation;
2. Decisional: The imposition of a restriction that is exclusive to an entity;
3. Informational: The prevention of searching for unknown information; and
4. Dispositional: The prevention of attempts made to get to know the state of mind of an individual.
It’s worthwhile to pay attention to those four categories: physical, decisional, informational, and dispositional. We’ll be returning to those in more detail when we take on the meanings of privacy for your business.
It’s not that I have something to hide, I have nothing I want you to see.
—Amanda Seyfried
Definitions of privacy have evolved over time, and our understanding of the concept is constantly changing. Therefore, it would be naive to assume that Privacy with a capital P can be rendered via a legal definition, complex or not, or a dictionary entry.
Privacy has been, and remains, the subject of rigorous academic study. Anthropology, sociology, psychology, history, and other disciplines have been looking into the concept and developing their own definitions and models to describe Privacy.
It is clearly out of scope for this book to get into details on the academic research on privacy or do a literature review. For our purposes a few drops from the ocean will suffice.
The two giants in privacy research are considered to be Alan Westin (1929–2013), professor of public law and government at Columbia University, and Irwin Altman (born 1930), professor and chairman of the Psychology Department of the University of Utah, now emeritus.
Westin’s book Privacy and Freedom (1967) is considered to be the foundational text on the subject. Westin defines privacy as follows:
Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.
Westin goes on to describe four states of privacy, and four functions or purposes of privacy. He defines the privacy states as solitude, intimacy, anonymity, and reserve, and the purposes as personal autonomy, emotional release, self-evaluation, and limited and protected communication.
Westin’s position is that privacy operates at three levels: the individual, the group, and the organizational level. He also constrains his theory of privacy as applicable to western societies only. In 2002, Westin proposed what’s known as the Westin segmentation, classifying the public into three groups: the privacy fundamentalists, who place a premium on privacy and make up about 25 percent of the population; the privacy unconcerned, who couldn’t care less about privacy and make up about 20 percent of the population; and the privacy pragmatists, the remaining 55 percent, who are aware of the trade-off between privacy and external offerings.
For his part, Altman outlined his privacy regulation theory in The Environment and Social Behavior (1975). Put very simply, privacy regulation theory has to do with the fact that people have different privacy standards at different times and in different contexts. For example, your definition of what constitutes “private information” in your relationship with your spouse is clearly different than in your relationship with your children, and it’s also different with your boss and yet again with your coworkers.
According to Altman, this phenomenon is due to “the selective control of access to the self,” which has five properties:
■ Temporal dynamic process of interpersonal boundaries (feelings about privacy change based on context);
■ Desired and actual levels of privacy (what we hope for and what we get can differ);
■ Non-monotonic function of privacy (what constitutes the “optimal” amount can increase or decrease);
■ Bi-directional nature of privacy (privacy involves both “inputs” and “outputs”); and
■ Bi-level nature of privacy (individual privacy is different from group).
Altman went on to describe additional features of privacy, including units of privacy, its dialectic nature, and desired versus achieved privacy.
Altman and Westin share a view of privacy as a very dynamic state with multiple inputs and outputs—essentially a system in a constant state of rebalancing, depending on the environment. Their work has spurred both vigorous academic debates and hundreds of researchers moving the field forward by expanding on these theories, adding and elaborating on the privacy features, as well as driving a lot of experimental work all over the world. The majority of results of this research to date seem to validate Westin and Altman, building on their solid foundational work.
Also of note is Nancy Marshall’s work, for instance her article “Privacy and Environment” (1972). Marshall developed the Privacy Preference Scale, the first of its kind, based on her identification of six privacy states: intimacy, solitude, anonymity, reserve, seclusion, and not neighboring. Communication studies scholar Virginia Kupritz helped introduce objective environmental measurements of privacy, further expanding Altman’s work by reorganizing it and introducing additional psychological and cognitive variables. Kupritz also did significant research on the architectural effect on privacy.
Most recently, Tobias Dienlin, a scholar in communication science and media psychology at the University of Hohenheim, has proposed a Privacy Process Model that attempts to integrate all major work on privacy into one cohesive model. It integrates the work of Westin, Altman, and numerous others, and differentiates between “factual privacy context and subjective privacy perceptions,” a distinction that Dienlin posits as important both online and offline. His model has four privacy dimensions—informational, social, psychological, and physical—that he argues are equally applicable to both physical and digital worlds.
As you would expect, these debates and work on privacy are far from over. For that matter, they may never be over. Not only does technology continue to evolve, but so do we, across cultures and geographies. The end result is a constantly changing landscape in which we must navigate carefully, constantly challenging our values and protecting what we think, at the time, is near and dear to our identity as people, community members, and value-creating citizens.
CHAPTER 2
A (Very) Brief History of Privacy
The right to be let alone is indeed the beginning of all freedom.
—William O. Douglas
(Dissenting opinion, Public Utilities Commission v. Pollak [1952])
Having a grasp on the concept of privacy is useful, but it’s not enough for our purposes. We will soon have to confront regulations governing privacy that directly impact the way we do business. It is paramount that we understand not only privacy as a concept but privacy in context. In other words, how did we get here?
Since time immemorial, all cultures, all over the world, have had some understanding of privacy as a concept. Some codified it into laws, while others integrated it with religious beliefs. There is substantial scholarship on the subject, and you’ll find selected entries in the bibliography to kick off your in-depth review. For our purposes here, a few snippets will suffice to give a sense of history and scope.
The ancient Greeks, borrowing from the Egyptians, venerated the God of Silence and Secrets, Harpokrates. He is usually pictured as a mischievous little boy with his finger to his lips as if he is saying “Shhh!” (You’ve got to start somewhere, I guess!) But the Greeks, being geometry savvy, didn’t just include a secretive god in their pantheon. They also designed their living spaces by placing what we would consider window openings in such a way that it would limit the view of an outside observer peering in.
The ancient Chinese, meanwhile, had—and still have—a very different and complex understanding of privacy. In broad terms, the word for privacy, yin-si, is a composite of two meanings: yin for “hidden” and si for “not for public disclosure.” As such, yin-si was meant to describe the concept of privacy, but in a negative light—the term carries the sense of a shameful secret.
According to scholars of ancient Chinese culture, the Chinese were more focused on the governance of the state, and on protecting the governance structure, than on protecting the individual. This was ultimately codified in a collection of morality-driven laws governing behavior across many levels, eventually compiled by none other than Confucius. In his Analects, he wrote, “Do not watch what is improper. Do not listen to what is improper. Do not speak nor act improperly.” He also wrote that gossip and hearsay were improper and urged everyone to double-check their Internet sources before forwarding their mother-in-law’s conspiracy theory emails. (Yes, Gladys! We did land on the moon, the earth is not flat, and vaccines do save lives! Move on! Let it go!)
As tempting as it is to go through each ancient empire one by one (Egyptian, Babylonian, Greek, Assyrian, Persian …), I’ll spare you the individual details and focus on the one thing they had in common with regard to privacy: they didn’t have any! Certainly not as we understand—or struggle to understand—privacy today.
Until the Middle Ages, privacy was not particularly possible. Most houses had one room. Most common spaces were open. To be sure, some cultures more than others took some steps to preserve what we today would identify as privacy, but in general, it was a time of communal living with little consideration of individual privacy.
I am not suggesting that this was necessarily by choice. But it was the reality for the vast masses of people, all over the world. To be sure, one would expect that they would rather have their own individual rooms, and so forth, but that was not possible, mostly for socioeconomic reasons. For that matter, Clellan Ford and Frank Beach in their Patterns of Sexual Behavior (1951) demonstrated that pretty much universally and irrespective of culture, humans would prefer their intimate moments to be private—even if that means taking them outside. (I suppose this is the reverse of “get a room,” back when rooms were not an option!)
The ones who did “have a room,” as we got closer and closer to the Renaissance, were the rich, living in their castles and palaces. It’s around this