The Rise of Cybersecurity and Its Impact On Data Protection
Editorial
Cybersecurity is attracting more attention than ever—not just in headlines, but among policymakers, industry leaders, academics, and the public. Successful cyberattacks are becoming more frequent and threatening as adversaries become more determined, more sophisticated, and more likely to be connected with a nation state. No one and nothing seems safe. The May WannaCry ransomware attack affected more than 300,000 computers in 150 countries. The presidential elections in France and the United States (U.S.) have been the subject of major attacks, followed by strategically timed disclosures. Yahoo, in the midst of its sale to Verizon, reported that information of approximately 1.5 billion user accounts had been stolen. In the United States (U.S.), the NSA and the CIA appear to be haemorrhaging top secret documents apparently stolen by insiders, while the U.S. Office of Personnel Management was unable to protect 21.5 million records on government employees and contractors holding security clearances.

Part of the escalating attention to cybersecurity is the result of society’s growing reliance on digital systems to control important infrastructure, such as cars, airplanes, utilities, supply chains, and industrial systems. In 2010, for example, the U.S. and Israel reportedly cooperated in the development and use of Stuxnet, a software program that destroyed centrifuges critical to Iran’s nuclear weapons program by interfering with their control systems. Hackers used cyberattacks to temporarily shutter three power distribution companies in western Ukraine and operations at a Venezuelan oil unloading facility. In 2014, cyberattacks on a German iron plant caused widespread damage. In 2015, thieves stole $81 million by exploiting weak security at the Central Bank of Bangladesh to persuade the network that controls international transfers of money between banks to transfer the money from the Federal Reserve Bank of New York to the thieves’ accounts. The following year, the Mirai botnet exploited vulnerabilities in the Internet of Things devices to overwhelm the Dyn domain server, causing major Internet platforms and services to be unavailable in the U.S. and Europe. Enterprising security researchers have hacked insulin pumps, drones in flight, and cars on the road.

It is no wonder that cybersecurity is attracting more attention, but such attention raises important issues for personal privacy and the data protection tools we use to protect it. The relationship between security and data privacy has always been complicated. Privacy depends absolutely on security. No obligation to provide privacy, whether entered into voluntarily or compelled by law, will be meaningful if the data to be protected are accessed or stolen by unauthorized third parties. As a result, all modern data protection principles include an obligation to protect security as well. For example, the influential 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted by the Committee of Ministers of the Organization for Economic Cooperation and Development (OECD) in 1980, included the Security Safeguards Principle as one of the eight foundational principles of data protection: ‘Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.’ This principle was retained in the 2013 revision of the Guidelines (the OECD Privacy Framework), and supplemented by additional security-related language covering data breaches. And security has been recognized in every significant codification of data protection law since then, including the EU Data Protection Directive, the U.S. Federal Trade Commission’s fair information practice principles, the APEC Privacy Framework, and the EU General Data Protection Regulation.
© The Author 2017. Published by Oxford University Press. All rights reserved. For Permissions, please email: journals.permissions@oup.com
International Data Privacy Law, 2017, Vol. 7, No. 2
Data privacy and cybersecurity are often advanced by common tools, such as encryption, data minimization, and limits on collecting, retaining, and transferring personal data. In short, what is good for privacy is often good for security as well.

But this is not always the case. Despite the foundational importance of information security for modern

diminishing the individual and human rights components of data protection law.

Many data protection professionals in industry and government have historically lacked training or experience in computer science or other technologies. Fortunately, this is beginning to change. However, pressure to focus more attention on cybersecurity is-

by breaches and the range of parties who may be injured.

Civilization needs better protection for cybersecurity—far better than we have seen to date–urgently, but it also needs better data protection. The significance of the possible effects on data protection—both positive and negative—of the increased attention being paid

should, at a minimum, be paying close attention to the emergence of cybersecurity. Even better would be to think constructively and proactively about how to take advantage of this important development to ensure that people everywhere enjoy strong, effective protections for their privacy and for the security of their data.