Cybersecurity Laws and Data Privacy in the 21st Century: How Legislation is Protecting Data Privacy Against the Digitization of Information

Image Credits: @danny144 on Unsplash (Unsplash License)


In the modern age, the spread of private information online and the increase in digitalization have become significant concerns for many consumers and suppliers. As individuals become more present online, they create a larger digital footprint. According to the Center for Development of Security Excellence, “A digital footprint is the unique trail of data pertaining to a user’s activities, actions, communications, and transactions on the internet.” Digital footprints include information on websites visited, emails or messages, information submitted in online forums, reviews or comments posted, and photos or status updates posted. Various organizations use users’ digital footprints to create online records and store information on customers and consumers, with the individual granting consent to share information with the organization. However, since 2008, it has been reported that over 3.8 billion records have been stolen from major organizations such as Yahoo, Target, and the U.S. Office of Personnel Management. That number alone is only the cumulative total of the top ten most significant data breaches. Data breaches, as reported by the organization TREND, “occur when a cybercriminal successfully infiltrates a data source and extracts sensitive information. This can be done physically by accessing a computer or network to steal local files or by bypassing network security remotely.” Additionally, as organizations develop more complex uses for personal data, there is an increase in third-party data sharing. “Third-party data is information collected by a provider across other companies’ websites, apps, registrations, etc. The provider gathers this data from several businesses with no direct relationship with the customer.” The danger with third-party data sharing is that consumers often have no idea what information is stolen and where it goes, as company providers who engage in third-party data sharing tend not to disclose that they do so.

The spread of private information poses many dangers. When cybercriminals access personal data and records, they can use that information to steal someone’s identity. IDX states, “Identity theft occurs when personal identifying information is used without consent. Criminals have found countless ways to use a person’s name, Social Security number, address, date of birth, medical insurance account, credit card information, bank account and bank information, driver’s license, and phone number for their own personal gain.” However, in addition to cybercriminal activity, consumers may also be wary of government use of personal information. In recent years, it has become widely known that the United States government uses information found in online personal records to surveil individuals. Some argue this is good, as digitalization allows the government to keep tabs on criminals and those breaking the law to keep our country safe. Yet, some argue that the government takes it too far and inserts itself too far into the private lives of citizens. Therefore, there is a national debate surrounding the issue of privacy versus security. The question is, where do we draw the line between the right to privacy and the issue of national security? The right to privacy was a founding idea of the country, as mentioned in the Constitution, specifically in the 4th Amendment. With technology rapidly advancing in the 20th century, attitudes towards privacy rights shifted. As individuals and organizations realized the government had access to private information, their concerns grew that it would gather unnecessary private information on citizens through internet databases. The government assured citizens that it was not collecting unnecessary information and was using databases to collect data on dangerous individuals. Yet, citizens argued that the legal right to privacy trumped possible security measures of government interest.
The question is, should we prioritize the rights or safety of our citizens? This debate is ongoing and is currently contemplated by constitutional scholars. Scholars argue that while personal privacy is often deemed less important than public safety, a lack of personal privacy becomes an issue of public safety. Regardless, digitalization has allowed cybercriminals and governments to access consumers’ private information for personal gain or surveillance, emphasizing the danger posed by data breaches, third-party sharing, and extensive digital footprints. 

Different countries approach data privacy through various types and means of legislation. The European Union has a piece of legislation called the General Data Protection Regulation (GDPR). It is one of the most comprehensive and vast pieces of legislation in the field of data regulation and data privacy. The GDPR is used to synchronize laws regarding data privacy throughout Europe. The GDPR is a unique piece of legislation for various reasons. For one, it has territorial reach, meaning that the legislation applies to organizations based in the EU and to all organizations that provide goods or services within the EU or to consumers based in the EU. Additionally, the GDPR outlines individuals’ explicit rights regarding data and data privacy. These rights include the right to access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, and rights in relation to automated decision-making and profiling. Yet, the United States has very different types of legislation regarding data privacy. While the EU approaches data privacy through legislation on a multi-national and national level, the United States uses sector-specific and state-level legislation to regulate data privacy. For example, the United States protects consumers’ data regarding healthcare through the Health Insurance Portability and Accountability Act (HIPAA). HIPAA guarantees the privacy of one’s medical information and records and applies to all entities involved in patient care and processing. While there is sector-specific legislation, there is also state-wide legislation, such as the CCPA. The CCPA grants individuals greater control over personal data that businesses might collect on them. Additionally, the CCPA, similar to the GDPR, outlines explicit rights that consumers have regarding data privacy, such as the right to know, the right to delete, the right to opt-out, and the right to non-discrimination.
Thus, while the United States and the European Union have implemented legislation to ensure greater data privacy, the means and methods of legislation have varied. 

Cybercrime, as well as legislation protecting against it, is rapidly evolving. Legislation such as the GDPR and HIPAA protects consumers by mandating data protection, legal responses to data breaches, and obligations post-breach. These mandates protect consumers by forcing businesses to implement safety measures. The legislation mentioned above, as well as similar legislation, gives businesses the incentive, even if it is a requirement, to engage in regular risk assessments, preventative safety measures, data encryption, access controls, and incident response plans. These are all measures that further data protection and ensure consumer privacy. The legislation requires businesses to prevent data breaches and protect data privacy and sets the standards for a business’s legal response to a data breach. Legislation requires organizations to take immediate action when data breaches occur. Legislation informs organizations and businesses about the timeframe within which they must notify individuals and government organizations about the breach. Legislation not only informs organizations and businesses about the reporting timeframe but enforces it through penalties, fines, and sometimes legal action. Following a data breach, the legislation outlines obligations organizations must follow. These obligations include notifying those affected, reporting the breach to legal entities, providing supportive services, investigating, and updating or improving security systems.

The digitalization of information has demonstrated both the conveniences provided to consumers and the risks regarding data privacy and security. The creation of the digital footprint and the arrival of increased cybercrime, along with surveillance practices by the government, highlight the importance of advanced data protection methods. Fortunately, laws like the GDPR and state-level or sector-specific legislation have been enacted that attempt to protect consumers’ personal data and ensure organizations implement safety measures to protect against data breaches. Yet, as the debate between consumer privacy and national security continues, the boundaries of such legal protections are continuously challenged. Our future and digital privacy rely on finding a balance between protecting individuals’ rights and information while ensuring security.