While attending MPower 2018 a few weeks ago, I had the chance to sit down with Tom Gann, chief public policy officer and head of government relations with McAfee. Gann and I had begun an interesting conversation about privacy laws during a pre-conference reception, and I was thrilled to have a chance to continue the conversation. Data privacy issues have become a pet project of mine over the past year, ever since I began to learn and write more about GDPR, and here was my chance to talk to someone who sees data privacy regulations from both the security side and from the government relations side.
One thing I wanted to talk about was the intersection of privacy and security. Gann told me there is a misconception that privacy and security are in conflict with each other, and that’s not true. Privacy purists often think that cybersecurity tools track a lot of personal data and invade privacy.
That said, he continued, what we’re seeing is an evolution of the privacy community, driven by significant data breaches. Lots of PII has made its way into the Dark Web, thanks to some of the huge data breaches of the past few years, so much so that the price of Social Security numbers has dropped considerably. He added:
I think what the privacy community is seeing is that unless organizations are obligated to implement security, the fight to protect privacy won’t be won. That’s been a shift over the last five or so years.
What that means for the future is a much better relationship between the privacy community and the security industry, and this will spill over into rules and regulations. What we should strive for is a balanced outcome of federal laws that are designed to level the privacy playing field when it comes to consent but at the same time obligating organizations of all sizes to take privacy seriously.
GDPR is a good start, said Gann, because it provides a good roadmap on how to think from a privacy point of view. The NIST cybersecurity framework is designed to engineer in the steps needed to improve privacy. Those are policies that are building a foundation. It’s then up to the organization to implement security that can track data as it comes in and how it is used, and then build a security tool that meets both security and privacy obligations. Gann stated:
We think ultimately the shift will continue and there is an important evolution going on whereby security and privacy advocates can come together better.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba