Data Privacy, EU, GDPR, Privacy, Privacy Directive, security

Privacy versus security – which is more important to the business?

An IT security guru published an article today (in comity I do not provide a link). No surprise there. What surprised me is that I thought he put in a very creditable effort to grasp the point about privacy. Unfortunately he still missed by a mile. Not his fault, he’s an IT guy. At least he tried.

I think we need to consider not only the marginally novel idea that privacy and security are distinct concepts (which most people are beginning to grasp), but also the definitely novel idea that they actually ought to be treated as distinct (which few people get). This is a management problem: management might consider getting a grip and stop dumping both privacy and security on IT as Cinderellas. IT, having a hammer, naturally thinks the universe consists of nails and acts accordingly – so privacy and security both suddenly become IT security issues. Not their concern (nor their fault) that in much data privacy law security is a minor, sometimes near-irrelevant component. Additionally, the phrase “data protection” is most unhelpful, confusing IT geeks and (too many) lawyers alike into thinking it’s all about protection of data, rather than protection of privacy.

To put this in perspective, look at the looming EU General Data Protection Regulation. Why not do a Mythbusters textual analysis of IT/data security within GDPR? I’ve actually done a quick scan-count of the number of Recitals and Articles (May 2014 draft) that deal with security (yes of course I know you’re all thinking either “he doesn’t get out much” or “how sad is that?”). Anyway, here are my un-audited figures:

– Out of circa 140 Recitals, one deals directly with security (plus 3 contain drive-by references)

– Out of circa 80 Articles, one deals directly with security (likewise 7 contain honorable mentions)

Those figures speak for themselves (even if I missed anything). So think of it at best as a duality: to put it in simple terms, security is what you do to try to keep the bad guys out; privacy is (*in part*) what you do as damage control – before the horse bolts rather than afterwards. Or, perhaps, think of it in terms of old-fashioned risk concepts. To put it in risk-speak, security is about minimizing probability, while privacy is about minimizing or, better, eliminating impact. That’s by no means the whole story about privacy, but at least it puts it side by side with security in context. (Edit: In fairness security is not a subset of privacy any more than privacy is a subset of security – thanks Tero!)

Sadly I have more bad news: sometimes only privacy is in play. It’s hardly surprising that data security often fails entirely to stop data privacy breaches. If you accept their status as distinct domains, this pretty much can be deduced a priori as a matter of logic. That’s why there are frequent data breach scenarios in which there is no conceivable connection to data security in the enterprise. For example the security risk of sold or “shared” data drops to zero once you’ve sold or “shared” it: the data is no longer behind your controls, so there is nothing left for your security to protect. Think about it. That’s the precise moment the business, by executing the same data transfer, has also maximized its data privacy risk.

Likewise we need to expand our risk assessments to cover private risk (civil liability to the people whose data it is) as well as public risk (the regulators). It doesn’t matter that you’re trying to cover off your public risk with BCRs, SCCs, the Orwellian bad-taste Safe Harbor joke, or whatever. You know, I know, everyone knows, you mostly do that stuff only to keep the regulators happy, or to get your customers thinking that the regulators are happy.

But what makes you think that navel-gazing / box-ticking will protect you from liability in tort? If third parties commit crimes or data breaches as a result of say a transfer, you still may have private risk to come back and bite you on your perfectly “compliant” posterior. And not just the torts your General Counsel will know. Common law torts (and occasionally statutory torts) applicable in any forum in which the local Courts will accept jurisdiction will do very nicely, thank you.

For example (one of many), take everyone’s latest favorite disaster du jour, the Lenovo-Superfish-Komodia fiasco. I might be contemplating my very own personal class action, starting with me as first plaintiff. Yes of course I know it’s already being litigated, but there may well be alternative or complementary litigation available to a desperate or cynical plaintiff such as myself. For instance, the ancient but recently redefined economic tort of “unlawful means conspiracy” might (or might not) fit like a glove. Again, this is just one example, but it’s a fun one for legal geeks. It may not matter that you acted in good faith. It may not matter that a third or fourth party did all the damage. It may not even matter that that was your best legal advice. You see, unlawful means conspiracy doesn’t use the ordinary meaning of “conspiracy”. Acting in concert to do something that (even unbeknownst to you and your lawyers) happens to be unlawful (as well as a necessary pre-requisite of the harm and some other factors) might just satisfy the judge, no matter how much you annoy her by throwing your Data Protection Seals (I’m looking at you, Redmond) or your BCRs or SCCs or a blizzard of DoC Unsafe Harbor registrations at her.

It’s primarily an English tort, you say? Sure (though it’s spreading a bit), but I myself bought my infected Lenovo machine (ok I cleaned it myself almost immediately, but that’s not the point of this parable) seven weeks ago in a bricks ‘n mortar English store. One solid strike. And I’m resident in England and Wales. Another strike. Lenovo might even have an office or agent here (I haven’t bothered to find out, the store has seductively deep pockets anyway so who cares who pays, but I imagine by now you’ve spotted a pattern). Yep, the English courts just might (or might not) accept jurisdiction and, more importantly, might (or might not) think that English law is the proper law to be applied to the tortfeasor. So wheel in the tort. Class action, anyone?

(for avoidance of doubt I’m not soliciting, I don’t do mass torts so please don’t write to me with one of those “I know my rights” plaintiff begging letters)

Interim inference for risk management: no matter how “perfect” your “probability” management, aka your security, it’s not working is it? (If you disagree, I respectfully suggest you’re having a Clint Eastwood moment: do you feel lucky?) So, as a last resort, why don’t we start focusing on “impact” management – non-reversible pseudonymization etc etc etc instead? Take privacy seriously at last? This is hardly rocket science, is it? Sure it impacts the bottom line value of your data sales to people, but (crunching one of the GDPR numbers) as much as say 1-5% of world-wide turnover?
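To make the “impact management” point concrete, here is an added example (my own illustration, not code from the original post) of what “non-reversible pseudonymization” does and does not buy you. It uses only the Python standard library (`hashlib`, `hmac`, `secrets`); the records and the adversary’s guess list are constructed sample data. It compares an unkeyed hash of an identifier, which anyone holding the shared dataset can reverse by guessing, with an HMAC-based pseudonym whose key stays with (or is destroyed by) the business, and shows that the moment the key travels with the data the impact is back where it started.

```python
"""Pseudonymisation as impact management: a constructed demonstration.

It compares what an adversary who later gets hold of a shared dataset can
recover from (1) an unkeyed hash of the identifier, (2) a keyed pseudonym
whose key stayed behind, and (3) a keyed pseudonym whose key leaked too.
Sample records and the guess list are constructed for this example.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List

# Constructed sample data: the sort of identifiers that get "shared".
RECORDS: List[dict] = [
    {"email": "alice@example.com", "purchases": 3},
    {"email": "bob@example.com", "purchases": 7},
    {"email": "carol@example.com", "purchases": 1},
]


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Not a secret function: anyone can recompute it."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Recomputing it requires the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[dict], pseudonym_fn: Callable[[str], str]) -> List[dict]:
    """Copy the records with the email replaced by pseudonym_fn(email)."""
    return [{"id": pseudonym_fn(r["email"]), "purchases": r["purchases"]} for r in records]


def reverse_by_guessing(pseudonyms: Iterable[str], candidates: Iterable[str],
                        pseudonym_fn: Callable[[str], str]) -> Dict[str, str]:
    """The adversary's move: recompute pseudonyms for guessed identifiers
    and match them against the dataset. Returns {pseudonym: identifier}."""
    table = {pseudonym_fn(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def demo() -> tuple:
    """Returns how many identifiers the adversary recovers in each scenario."""
    # Adversary's guess list: a few addresses, some right, some wrong.
    guesses = [r["email"] for r in RECORDS] + ["dave@example.com"]

    # 1. Unkeyed hash: the guess list recovers every identifier.
    weak = pseudonymise(RECORDS, plain_hash)
    weak_hits = reverse_by_guessing([r["id"] for r in weak], guesses, plain_hash)

    # 2. Keyed pseudonym, key kept (or destroyed) by the business: the
    #    adversary can only recompute with functions they have. An unkeyed
    #    hash, or HMAC under a key of their own, matches nothing.
    key = secrets.token_bytes(32)
    strong = pseudonymise(RECORDS, lambda e: keyed_pseudonym(e, key))
    ids = [r["id"] for r in strong]
    wrong_key = secrets.token_bytes(32)
    hits_without_key = reverse_by_guessing(ids, guesses, plain_hash)
    hits_wrong_key = reverse_by_guessing(ids, guesses, lambda e: keyed_pseudonym(e, wrong_key))

    # 3. Same dataset, but the key travelled with it: reversible again.
    hits_with_key = reverse_by_guessing(ids, guesses, lambda e: keyed_pseudonym(e, key))

    return len(weak_hits), len(hits_without_key) + len(hits_wrong_key), len(hits_with_key)


if __name__ == "__main__":
    print(demo())  # (3, 0, 3)
```

Two caveats a practitioner will want. First, the keyed variant only counts as “non-reversible” from the recipient’s side; as long as the key exists anywhere, someone can re-link the data, so the impact control is the key’s handling (keep it out of the transfer, or destroy it), not the HMAC itself. Second, the columns you leave in (here `purchases`; in real data, dates, postcodes, device identifiers) can still single people out by linkage with other datasets, so swapping the identifier is the start of impact reduction, not the end of it.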

One final point: don’t automatically assume your legal insurers will cover you for the next $10-100 million claim against you, especially for new subject matter. The satellite litigation between disappointed class action defendants and their insurers supplies some of the most entertaining case law around…

So: sound-bite answers to the title question of privacy v security? Both are important; they’re ontologically distinct; don’t confuse them.

(oh and chuck out all your “old-school” – I’m being polite – best-practice voodoo risk “assessments”, assuming they’re the ones that contain meaningless magic numbers calculated from other meaningless magic numbers using arbitrary methodologically unsound algorithms plucked out of somebody’s best-practice behind, and start focusing on quantifiable monetized impact risk – but I think that would be a topic for a hypothetical other time)

All feedback welcome (especially from “dislikers”, if you feel able to explain your position). Though I have some latitude from being in the IT camp as well, I sincerely apologize to anyone I inadvertently may have offended in anything said above.

Nothing said above is legal advice and it may not be relied upon by any person for any purpose whatsoever.

(First published here)
