PRIVACY, REGULATIONS, AND CYBERSECURITY
THE ESSENTIAL BUSINESS GUIDE
Chris Moschovitis

Copyright © 2021 by Chris Moschovitis. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data is Available:
ISBN 9781119658740 (hardback)
ISBN 9781119660118 (ePub)
ISBN 9781119660149 (ePDF)

Cover image: © Yuichiro Chino/Getty Images, © dem10/Getty Images
Cover design: Wiley
10 9 8 7 6 5 4 3 2 1
FOREWORD vii
PREFACE ix
ABOUT THE AUTHOR xiii
ACKNOWLEDGMENTS xv
PART ONE — Privacy 1
CHAPTER 1 Understanding Privacy 3
CHAPTER 2 A (Very) Brief History of Privacy 9
CHAPTER 3 The Legal Case for Privacy (the Finer Print) 21
PART TWO — Regulations 45
CHAPTER 4 Introduction to Regulations 47
CHAPTER 5 North American Regulations 57
CHAPTER 6 European Regulations 89
CHAPTER 7 Asia-Pacific Regulations 119
CHAPTER 8 African Regulations 145
CHAPTER 9 South American Regulations 161
PART THREE — Privacy and Cybersecurity 171
CHAPTER 10 Introduction to Cybersecurity 173
CHAPTER 11 A Cybersecurity Primer 181
CHAPTER 12 Privacy-Centric Cybersecurity Program Overview 205
CHAPTER 13 Privacy by Design Overview 221
CHAPTER 14 Cover Your Assets! 235
CHAPTER 15 Threat Assessment 261
CHAPTER 16 Vulnerabilities 275
CHAPTER 17 Environments 287
CHAPTER 18 Controls 301
CHAPTER 19 Incident Response 321
CHAPTER 20 Welcome to the Future! Now, Go Home! 341
BIBLIOGRAPHY 359
INDEX 377
FOREWORD

You will never do anything in this world without courage. It is the greatest quality of the mind, next to honor.
—Aristotle

Businesses today are faced with increasing demands for privacy protections, ever-more complex regulations, and ongoing cybersecurity challenges that place heavy demands on scarce resources. During these difficult times it is important that we have the courage to proactively deal with these imperatives. This book is an essential tool for any business executive who needs to orchestrate the “handshake” between privacy, security, and ongoing regulations. Oh yes, and courage.

A few years ago, I returned to one of my passions—security—when I took over as the leader of a business in the eastern US. These last three years have been challenging but exciting, and I have seen an unprecedented level of interest by business executives in privacy and security. I have made more board presentations and been in more meetings with the C-suite on these topics in the last three years than the ten years before that combined. When I was appointed to the board of the ISACA (Information Systems Audit and Controls Association), I was thrilled at the opportunity to make significant change in the security profession. But I expected too much too soon, and the board’s message after my first presentation was clear: “We need more research on the concept of information security management and how security is viewed by executives before we make any investments.”

It was early in the new millennium, and security was becoming a topic of conversation in the executive suite. Even though the first CISO had been appointed at Citi in 1995, the body of knowledge for security was defined by technical and product-specific certifications with no frameworks to support organizations, and privacy regulations such as GDPR were still just a distant thought.

At that time, I had made my recommendation to the board of the ISACA to drive the setting of “common body of knowledge” of the future CISO. I had a strong belief that there was wider acceptance of the role and its importance in protecting the organization.

Maybe it was a turning point, but several events came together early in the new millennium to reinforce this belief. “ILOVEYOU” infected millions of computers, followed by the first criminal conviction of a hacker, the widespread disruption caused by denial-of-service attacks on Microsoft systems (and Bill Gates’s decree that Microsoft products would embed security as part of the product), and a series of other high-profile hacks. This was exacerbated by the financial collapse of Enron and its impact on the trust in the US economic system. Regulation followed with the Sarbanes-Oxley Act and many others around the globe. It was a new world, and the continued regulation around security and privacy gained momentum.

That year I became chairman of the board of ISACA, and the new body of knowledge accompanied by a certification (CISM) was launched. The founding group was made up of four dedicated CISOs, and the certification is still the standard for security management professionals.

Which brings me back to my good friend Chris, with whom I have formed a terrific bond over mutual interests. Fine food and wine and a connection as first-generation Greeks cemented our friendship. Recently, we discussed and debated many topics, including the need for those executives who understand security risks to transform that knowledge into action around privacy and security around regulation.

I have found Chris’s intellectual curiosity and sense of humor to be both compelling and engaging. These traits are a perfect vehicle to take the reader on this journey, from the fundamentals of privacy to the ongoing regulatory pressures and how companies can be better prepared at the executive level to tackle these changes.

Chris is able to interpret complex principles and distill them into a natural flow, where the reader is taken on a journey. In Homer’s Odyssey, Circe warned Odysseus of the impending perils so that he would be prepared. Likewise, Chris’s book prepares the executive to be aware of the perils and opportunities ahead and provides a roadmap on how to act with courage as security and privacy regulations continue to proliferate.

Be prepared and do the right thing and not just because of regulation—do it for your customers, employees, shareholders, and everyone who places trust in you and your company. Use the step-by-step approach from this book, so you and your company can be ready for whatever challenges the future might hold.

It is time to act, and with this guide in hand, you are well on your journey.

Marios Damianides
Cyber Security Leader, Ernst & Young LLP
Chair of the Board, ISACA (2003–2005)
PREFACE

“What? I’ve been working like this all my life! Now, you’re telling me that I have to be GDP … umm … GD-whatever compliant?”

My friend and client, an immigration attorney from way back when “immigration” was not a dirty word, was angry. Her practice had been very successful over the years, dealing with all sorts of immigration issues across continents. The problem is that she is doing business with citizens of the European Union (EU). Worse, she has a partner in Athens, Greece, an EU-member country.

Fabulous! She must comply with the General Data Protection Regulation of the EU, better known by its acronym, GDPR. For those of you blissfully unaware of GDPR, it is a law passed by the European Union in 2016. It has far-reaching consequences to businesses worldwide, including yours!

If you are a businessperson who, like my friend, has no idea where to begin with GDPR, then this book is for you! It is the sequel to Cybersecurity Program Development for Business: The Essential Planning Guide (Wiley, 2018), and just like that book, this one is designed with you, a businessperson, in mind. In Cybersecurity, my goal was to give you enough information so that you wouldn’t be at the mercy of experts talking over your head and around your business when it came to cybersecurity. In its introduction, I wrote:

What if there was a book that put the whole cybersecurity thing into perspective, using simple, direct language? What if there were sections and chapters explaining what is going on, what the risks are, and what all the technobabble really means? And, what if the book had a step-by-step, actionable approach on what you can do about all this? A book that aggregated the current best practices, put them in perspective, injected my experience and my own point of view, and how I applied all this across all our clients?

All the while poking a little fun at ourselves, too?

The goal, approach, and style remain the same—only this time, the aim is to transform your hard-earned cybersecurity awareness into one that is privacy-centric and regulation-aware. If you’re one of the many businesspeople out there who are new to all this, just starting to confront the new cyberwar realities, concerned about yours and your business’ privacy, and worried that some regulation will descend to levy God knows what kind of fine, then you’re in luck!

This book will guide you through all this step-by-step, section-by-section: privacy, regulations, and cybersecurity. We’ll work through the basics together, as well as reviewing case studies and examples of best practices across different industries and different size companies.

Just like in the first book, which I will be referencing frequently, especially in Part Three, we need a case-study disclaimer: The case studies and examples presented throughout both books are aggregated from my own work and from the work of many colleagues who were gracious enough to share their experiences. As you would expect, all names, industries, and geographies have been changed to protect the anonymity of these clients. In some of the cases, multiple problems were combined into one. In others, many assignments were broken out into a single one. The goal has been to distill the essential lesson from each case while protecting the identity and respecting the privacy and confidentiality of every client.

There is a fundamental difference, though, between the first book and this one. The first book dealt strictly with the practical and pragmatic design of a cybersecurity program with the goal of protecting your business. This book synthesizes two distinct, diverse, and complex segments into a privacy-first and regulation-focused cybersecurity program. If you already have a cybersecurity program in place, then this book will help you hone what’s already there into a privacy-centric and regulation-compliant cybersecurity program.

If you don’t have a cybersecurity program in place, then where have you been?

Nevertheless, I am glad you’re with us now! This is your opportunity to start building a cybersecurity program from the bottom up that, from inception, will be privacy- and regulation-compliant-focused.

One more thing before we dive right in: Just as it is important to understand what this book is, and who it is for, it is equally important to know what it is not. This is especially true since we will be dealing with topics that are at once scholarly, legal, and technical in nature. This book is not intended to be an academic analysis, a legal brief, or a technical how-to manual, although it will borrow and reflect work from all these disciplines.

If you’re looking for the latest scholarly book on privacy, an in-depth legal treatment of the California Consumer Privacy Act, or how to configure your firewall, this book is not for you!

This book is intended as a practical, pragmatic, and actionable business guide for people across industries and business sizes who need to understand what all this talk about privacy really means, what the effect of all these laws and regulations are, and how to put it all together in a cybersecurity program to protect what’s of value to them.

It relies heavily on the outstanding work of numerous scholars, lawyers, and information technology and cybersecurity professionals, without whom it would not have been possible to write it. You will find a detailed bibliography of sources at the end of the book, and I urge you to use it and dig deeper as you see fit.

For me, each one of these topics, and especially privacy, represent fascinating areas of study. Privacy and cybersecurity force us to confront questions of how we as people manage difficult, complex concepts and how we translate those concepts into actionable laws and ways of doing business.
ABOUT THE AUTHOR

I was born in Athens, Greece. After high school, I chose to come to the United States to study physics and computer science. I did that at the State University of New York, the College at Brockport, in upstate New York. My years at Brockport were formative to me as a person, a scientist, and as a professional. Words for the gratitude and respect I have for the dedicated faculty that shaped my life can easily fill a couple of books, but that is for another time.

After graduating with my bachelor’s degree in science, I became an instructor of computer science and a computer systems manager at the Stratford School in Rochester, New York. Following brief graduate work stints at the Rochester Institute of Technology and the University of Rochester, I moved to New York City to serve as the director of academic computing at Pratt Institute. There, under the direction of the vice president of information technology (there were no “chief information officers” back then), I was responsible for the building and management of four computing centers of excellence, each focusing on a specific discipline (art, architecture, engineering, and information science). From there, I was recruited to be the vice president of information technology at the O’Connor Group, a real estate manager and developer in New York City. Then, in the middle of the Reagan Recession, I decided that there was no better time than the present to start my own company, which I did in 1989.

I have been running my own firm ever since, surrounded by partners and colleagues who teach me more and more every single day, and together we deliver a broad spectrum of IT consulting services. I have been privileged to partner with great clients, to engage in fantastic projects of business and technology transformation, and to collaborate with teams that push boundaries and develop incredible business solutions. I lived through the amazing advances in computer science that are now the stuff of lore: I was there during BitNet, sending email messages and watching the message hop from node to node. I was amazed at formatting the first 10 MB hard disks of IBM’s new personal computer. I’ve fed endless floppies in and out of the first Macs. I’ve built muscles carrying the Compaq “Portable,” which was nicknamed “luggable” for good reason. I’ve carried pagers and cell phones the size of suitcases. I subscribed to CompuServe and AOL and still have a working Hayes 14.4 modem.

Throughout it all, I have always been fascinated by security, privacy, and the protection of data. Even before “cybersecurity” was a word, I insisted that the sites we designed and managed implemented business-appropriate computer security and disaster recovery. Maybe it was because George Whelan, a partner of mine at the time, was a computer virus collector (he still has them). Maybe, because I remain culturally Greek, naturally cautious and private. Whatever the reason, I always asked, “What happens if ‘this’ gets out?” or “How fast can we be back up and running?” Any of my consultants will tell you that even now, the first thing they are taught when they start working for me is that “not checking the backup is a career-ending mistake.”
Following decades as a practitioner of both IT governance and cybersecurity management, I decided to make it official and joined Information Systems Audit and Control Association (ISACA), an independent, nonprofit, global association that was founded in 1969, engaging in “The development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.” Joining ISACA was one of the smartest things I ever did. Through ISACA, I got certified in three areas: First in cybersecurity, becoming a Certified Information Security Manager (CISM), then in IT governance, becoming Certified in Governance of Enterprise IT (CGEIT), and finally as a Certified Data Privacy Solutions Engineer (CDPSE).
Not one to stand still, and always fascinated by the beauty in complexity, I decided in 2018 to study privacy and its implications on our society, business, and systems. I subsequently joined the International Association of Privacy Professionals (IAPP). Just like ISACA, the IAPP is an incredible community of privacy experts that have dedicated their life to the study and implementation of sound privacy principles. I found a welcome home there and endless resources to help me in my journey that has led me here, to this book, that I am humbled to share with you.

I am privileged to be able to continue my journey, running my firm tmg-emedia, inc., and to be surrounded by incredible professionals, clients, and friends that teach me the value of hard work, dedication, and love every day.
ACKNOWLEDGMENTS

Every book is a labor of love. This one is no different. After I finished my first baby, Cybersecurity Program Development for Business: The Essential Planning Guide, I knew I wanted to write a second, one specifically focused on Privacy. The initial idea was unformed but persistent. Privacy intrigued me. The “P” word was used practically daily; legislators were passing laws pretending to preserve it while businesspeople were at a loss about what to do with it.

I was clear from the beginning that I did not want to write a scholarly treatment on privacy. Better-equipped scholars of many stripes have produced, and continue to produce, great works on the subject. My approach was to be similar to the first book: What do we need to know on privacy so that we can be informed as citizens and enabled as professionals? More to a pragmatic point, how does all this privacy legislation affect our capacity to design and deliver an effective cybersecurity program?

To answer all these questions, I came up with the format for this book. It would have three distinct parts: one on privacy; one on regulations, worldwide; and one on privacy-centric cybersecurity program development. The latter would be based on the previous book but enhanced by our understanding of privacy, not just as a concept but as a set of concrete regulatory requirements. The result is in your hands!

Books are never solitary efforts. Yes, the image of the writer toiling away at her desk day-in, day-out is true, but the author brings a universe of people to paper. Same with me. Over the course of 31-plus years in the information technology industry, I have had the privilege to meet hundreds of professionals, experts, partners, clients, and vendors who have shaped my thinking, formed my experiences, and honed my expertise. Their influence is reflected in the pages that follow. They wrote the book with me.

From my original partner in the business, George Whelan, who religiously collected and kept live computer viruses on floppy disks, to instructors such as Jay Ranade, who has forgotten more than I’ll ever know, to clients who partnered with me and staff who tirelessly worked to solve problems, I owe each one a debt of gratitude that no acknowledgment can do justice.

Still, I must start somewhere, and the right place to start is with an apology for my omissions. They are entirely my own.

Next, I want to acknowledge a debt of gratitude to my clients, my true partners to success. Every day, I am honored and privileged to be your ally and to contribute to your goals. I am constantly humbled by all the things that you teach me every day. I would be remiss if I didn’t single out the Hoffman family, Andrew, Mark, and Steve, who have been loyal supporters and mentors since I started the firm 31 years ago; the founding partners at Allegaert Berger and Vogel, Chris, David, and Michael, for their trust in me, their loyalty, and wise counsel through thick and thin; the amazing team at Kapitus for teaching me and my team how to jump onto a rushing freight train; and to Vigdis Eriksen at Eriksen Translations for her trust in us and for her feedback that makes us better every day!

In the same breath, I want to thank my own partners and associates, whose incredible expertise, loyalty, dedication, skills, empathy, and personal engagement make my and our clients’ success possible. They are, alphabetically: Anna Murray, Atsushi Tatsuoka, Danielle Chianese, Doel Rodriguez, Frank Murray, Greg Andrews, James Rich, Justin Schroeder, Leon Tchekmedyian, Pedro Garrett, Thomas Hussey, Tyler Raineri, and Yeimy Morel. Thank you for the privilege of working with you, for all you do, day and night, and for allowing me to shut my door and write, write, write! You made this possible!

Whenever there is a book, there is an editor and a publisher. I have been the luckiest of authors to have the best in both. First, my eternal gratitude to the one-and-only, walk-on-water-on-her-bad-days, amazing Hilary Poole, my editor, coauthor, and friend of countless years and just as many books. Hilary, you are amazing! I absolutely refuse to go next to a keyboard unless I am reassured that you’ll edit the outcome. Thank you!

Deepest thanks to everyone at John Wiley & Sons, one of the most professional and exceptional publishers in the world, and especially to my executive editor, Sheck Cho, captain and commander extraordinaire, and Susan Cerra, the project’s managing editor! This book is as much yours as it is mine, and I am grateful for all your help, guidance, and support.
To all the privacy, cybersecurity, and governance professionals around the world, working tirelessly in the field, in academia, in research institutions, in government agencies, and militaries, this book pales in comparison to your achievements every day. I cannot emphasize this enough: Without your endless efforts in breaking new ground, expanding and enhancing our scientific understanding, and guiding us through the maze, we would be lost. All your works represent the lighthouses that help us navigate, and if I aspire to anything, it is for this book to aid in reflecting your light, interpreting your guidance, and adding wind to the sails.
To the many international organizations that help all practitioners learn, hone, and apply their craft, as well as develop the frameworks we depend on, my gratitude for your ongoing contributions, tireless curation, and unending support. I must particularly single out CERT, ENISA, IAPP, ISACA, (ISC)2, ISECOM, ISO, ISSA, NIST, NSA, OECD, OWASP, and SANS, with my apologies for omitting the many other deserving organizations worldwide. My specific thanks to IAPP and ISACA for their continuous support and endless resources. The ISACA New York chapter remains a home away from home for me and countless professionals in the New York metro area.

To the many friends who supported me in so many ways, through encouragement, advice, and love: Jeanne Frank, I know you’re watching from Heaven! You were right about the book! Alex and Mari, Richie and Charlene, Sherryl, Sotos, Dimitris and Koralia, and last but not least, Madina, my princess Indira, and my prince Kamron: I don’t know what I did to deserve any of you, but I can’t imagine life without you! Thank you!

Finally, to Anna Murray, a name that keeps on repeating in these acknowledgments but from where I sit, not enough! You are the most brilliant, expert, capable, tenacious, fierce, loving, accepting, and giving person, amazing professional, and talented writer I know! Every day I thank my lucky stars that brought you to my life as my partner in the business and my partner in life. You are, and always will be, the brightest star in the dark of night, guiding me home. Thank you!
CHAPTER 1 Understanding Privacy

Bene vixit, bene qui latuit.
—Ovid, Tristia

In case your Latin is rusty, Ovid’s quote above translates to: “To live well is to live concealed.” My interpretation is different: “To live well is to live in privacy.”

But let’s not get ahead of ourselves here. What, exactly, is privacy? What does it mean? What do we understand when we describe something as “private”?

Do we mean secret? Is something private also secret? Certainly, the reverse is not true: we can have many secrets that are not private! They may be secrets of others, secret negotiations, secret deals, and so on.

Do we mean personal? Is it data coupled with our personhood? If so, is all personal data private? What about our name? Are there degrees of privacy?

Defining privacy has puzzled minds far greater than mine, and the definitions for privacy have been just as grand and diverse. Let’s start with our perennial friends at Merriam-Webster. They define privacy as:
1. a: the quality or state of being apart from company or observation: SECLUSION
   b: freedom from unauthorized intrusion
2. a: SECRECY
   b: a private matter: SECRET
3. archaic: a place of seclusion

The Oxford English Dictionary, on the other hand, defines privacy as:

1. A state in which one is not observed or disturbed by other people.
1.1 The state of being free from public attention.

And, one of my favorites, Wiktionary’s definition, covers all the bases, albeit sometimes cyclically:

1. The state of being secluded from the presence, sight, or knowledge of others.
2. Freedom from unwanted or undue disturbance of one’s private life.
3. Freedom from damaging publicity, public scrutiny, surveillance, and disclosure of personal information, usually by a government or a private organization.
4. (obsolete) A place of seclusion.
5. (obsolete, law) A relationship between parties seen as being a result of their mutual interest or participation in a given transaction, contract, etc.; Privity.
6. (obsolete) Secrecy.
7. (obsolete) A private matter; a secret.

Not to be left out, of course, is the legal definition of privacy. Black’s Law Dictionary defines privacy as:

The right that determines the nonintervention of secret surveillance and the protection of an individual’s information. It is split into 4 categories:

1. Physical: An imposition whereby another individual is restricted from experiencing an individual or a situation;
2. Decisional: The imposition of a restriction that is exclusive to an entity;
3. Informational: The prevention of searching for unknown information; and
4. Dispositional: The prevention of attempts made to get to know the state of mind of an individual.

It’s worthwhile to pay attention to those four categories: physical, decisional, informational, and dispositional. We’ll be returning to those in more detail when we take on the meanings of privacy for your business.

It’s not that I have something to hide, I have nothing I want you to see.
—Amanda Seyfried

Definitions of privacy have evolved over time, and our understanding of the concept is constantly changing. Therefore, it would be naive to assume that Privacy with a capital P can be rendered via a legal definition, complex or not, or a dictionary entry.

Privacy has been, and remains, the subject of rigorous academic study. Anthropology, sociology, psychology, history, and other disciplines have been looking into the concept and developing their own definitions and models to describe Privacy.

It is clearly out of scope for this book to get into details on the academic research on privacy or do a literature review. For our purposes a few drops from the ocean will suffice.

The two giants in privacy research are considered to be Alan Westin (1929–2013), professor of public law and government at Columbia University, and Irwin Altman (1930), professor and chairman of the Psychology Department of the University of Utah, now emeritus.

Westin’s book Privacy and Freedom (1968) is considered to be the foundational text on the subject. Westin defines privacy as follows:

Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.

Westin goes on to describe four states of privacy, and four functions or purposes of privacy. He defines the privacy states as solitude, intimacy, anonymity, and reserve, and the purposes as personal autonomy, emotional release, self-evaluation, and limited and protected communication.

Westin’s position is that privacy operates at three levels: The individual, the group, and the organizational level. He also constrains his theory of privacy as applicable to western societies only. In 2002, Westin proposed what’s known as the Westin segmentation, classifying the public into three groups: the privacy fundamentalists, who place a premium on privacy and make up about 25 percent of the population; the privacy unconcerned, who couldn’t care less about privacy and make up about 20 percent of the population; and the privacy pragmatists, the remaining 55 percent, who are aware of the trade-off between privacy and external offerings.

For his part, Altman outlined his privacy regulation theory in The Environment and Social Behavior (1975). Put very simply, privacy regulation theory has to do with the fact that people have different privacy standards at different times and in different contexts. For example, your definition of what constitutes “private information” in your relationship with your spouse is clearly different than in your relationship with your children, and it’s also different with your boss and yet again with your coworkers.

According to Altman, this phenomenon is due to “the selective control of access to the self,” which has five properties: