6.1 Key Concepts in Data Privacy and Data Security

The Importance of Enterprise Digital Data Privacy and Data Security

Data privacy and security play a critical role in our ever-expanding digital world. As businesses, governments, and other large enterprises transition to digital platforms, the amount of data created has exponentially increased. Historically, small companies and large enterprises have sought to contain their trade secrets, customer information, and intellectual property rights through training and other mitigating measures. In a nondigital landscape, access to sensitive information was often controlled through physical security, which is the protection of buildings, hardware, and assets. This included measures such as locked cabinets, secure rooms, and need-to-know restrictions, where only those with explicit permission could access certain data. Personnel were trained to handle information carefully, and physical controls were in place to ensure that unauthorized individuals couldn’t gain access. However, as technology has advanced, more data are now being stored electronically, transmitted via the internet, and accessed from the cloud. Thus data are now much more susceptible to breaches, accidental disclosures,and exploitation by bad actors. A bad actor is a person or entity who hacks or cracks into a computer or system with malicious intent. Data privacy involves ensuring the responsible use of personal information throughout the data life cycle, and it underpins the fundamental principles of ethical business practices. For example, a customer signs up for an online service, and their data are collected, stored, and used for account setup and personalized recommendations. After the service is canceled, the data are archived for compliance purposes and eventually deleted following retention policies.

It is no secret that unauthorized access to confidential data, often leading to the exposure of sensitive information, called a data breach, occurs often. However, what is staggering is the sheer number of user accounts that have been compromised as a result. For example, in April of 2024, billions of records from a background check service known as National Public Data (NPD) were exposed, affecting hundreds of millions of people. The exposed records contained sensitive items such as Social Security numbers, birth dates, and mailing addresses.³

In 2024, a data breach involving AT&T compromised approximately 100 million customer records, exposing sensitive personal information, including names, addresses, and Social Security numbers. This incident highlighted vulnerabilities in data storage and the growing challenges of securing customer information against increasingly sophisticated cyberattacks.

Another major breach in 2024 affected Change Healthcare, a service provider to UnitedHealth. A ransomware attack disrupted health-care operations nationwide, affecting claims processing and payments for weeks. It was revealed that sensitive medical data, such as diagnoses, test results, and treatments for a substantial proportion of Americans, had been stolen. The financial and operational fallout from this attack underscored the critical importance of cybersecurity in health care.

Information generation has not grown in a steady, linear fashion; rather, it has increased exponentially as companies have leveraged digital assets to maintain growth amid competition. For example, in the late 1970s, the internet was in its early stages of development. The World Wide Web became publicly available in 1991, and at that point, the internet was primarily text-based with limited multimedia content. As shown in Figure 6.2, the internet is remarkably different today from its original iteration.

Figure 6.2 The World Wide Web has seen many improvements and expansions since its first development in 1979. (credit: modification of work “History of online service” by “Viviensay”/Wikimedia Commons, CC0 1.0)

The volume of data has increased exponentially due to the digital evolution, with global internet traffic growing from 100 GB per day in 1992 to 150.7 TB per second by 2022,⁴ driven by vast amounts of content generated and shared across various platforms. These figures highlight the explosion of data generation and consumption over the past few decades, an explosion that’s been driven by technological advancements and the digitization of various aspects of life. The challenge today lies not only in managing the volume of this data, but also in harnessing it effectively and ethically. In other words, it is a complex challenge that underscores the importance of data privacy and security.

Data privacy and security are no longer mere IT issues. Rather, they form an essential aspect of an enterprise’s strategic planning. Today, businesses are expected to be stewards of the data they hold, protecting information from breaches and ensuring its appropriate use. As a result, enterprises are investing significantly in data security measures and privacy protocols to safeguard customer data (and thereby maintain trust) and to comply with increasingly stringent regulations. Security breaches can result in massive financial and reputational damage. Thus, the need for robust data privacy measures is critical.

Consider the cases of Solar Winds and MGM Resorts. Solar Winds is a company that develops software to manage and control computer networks. It was targeted in 2020 in an attack that affected thousands of organizations globally and highlighted how vulnerable even the most sophisticated, well-protected networks are.^5,6 In 2023, MGM Resorts in Las Vegas, Nevada, was one victim of a ransomware attack that caused significant outages of systems such as door locks, key card readers, and other hotel amenities. The damage from the attack cost MGM over $100 million in lost revenue and was executed through BlackCat operators who used social engineering techniques to gain access to critical systems.⁷ These attacks underscore that data privacy is integral to maintaining consumer trust and the smooth operation of critical infrastructure, and in extreme cases could be a national security concern.

Finally, it is essential to acknowledge the international dimensions of data privacy. In an interconnected world where enterprises often operate across borders, understanding the nuances in privacy regulations and practices in different regions is key because the location of the source of the data takes precedence over the customer’s citizenship location. Whether it’s the more consumer-centric privacy model of the EU’s General Data Protection Regulation (GDPR), the sector-specific approach in the United States, or the diverse and evolving landscape of data privacy regulations in Asia and Australia, businesses need to be equipped to navigate these varying landscapes while upholding their commitment to data privacy and security.

Risks and Consequences of Unprotected Personal Data and Sensitive Information

Unprotected personal data and sensitive information pose a variety of risks, with far-reaching consequences that extend beyond the digital realm. Cyber threats such as data breaches and identity theft—which is the act of stealing someone’s information and assuming their identity—represent some of the most immediate risks of unprotected personal data. Sometimes bad actors may wait for months or years before exploiting the breached data to prevent suspicion that the data have been breached.

In 2024, IBM’s annual Cost of a Data Breach report revealed that the global average cost of a data breach has reached $4.88 million, marking a 10 percent increase from the previous year. This underscores the growing financial impact of data breaches on organizations worldwide.⁸ Beyond the financial loss, a data breach can also result in a severe loss of customer trust, tarnishing the organization’s reputation. This may take years to rebuild and could lead to a long-term decrease in the company’s market value.

One of the most striking examples of this is the Equifax breach in 2017, which exposed the personal information, including Social Security numbers, of nearly 147 million people. In its aftermath, the company faced hundreds of millions of dollars in legal fees and reparations, and the value of its stock fell by more than 30 percent.⁹ As of 2024, Equifax has had to pay over $425 million to users affected by the breach and has invested in over $1.6 billion to improve security and technology.¹⁰

How Enterprise Security and Risk Policies Impact Data Privacy

Enterprise security and risk policies are fundamental in shaping an organization’s approach to data privacy. To ensure the effectiveness of these policies, organizations often turn to established frameworks such as those recommended by the Information Systems Audit and Control Association (ISACA), where white papers and research articles offer valuable insights into best practices. The MIS Quarterly Executive (MISQE), Journal of Management Information Systems (JMIS), Communications of the ACM (CACM), Journal of the Association for Information Systems (JAIS), and Communications of the AIS (CAIS) serve as reputable sources of the latest advancements in the science of privacy. While Privacy by Design and privacy engineering are closely related, they focus on different, albeit complementary, goals. Privacy by Design aims to integrate privacy considerations into the design and operation of IT systems, business practices, and networked infrastructure right from the outset.

Privacy by Design and Privacy Engineering

To make these principles actionable, standards such as the ISO/IEC 27701 for privacy information management, and frameworks such as Privacy by Design (PbD) by Ann Cavoukian¹⁴ are invaluable. Cavoukian characterized this Privacy by Design approach as proactive more so than reactive; it anticipates privacy invasion events before they occur. These tools allow businesses to convert abstract, principles-based legal mandates into implementable technical privacy controls compatible with existing security measures. The Privacy by Design model employs seven principles, such as being proactive and embedding privacy, into the design (Figure 6.3). By adhering to such standards, organizations can mitigate risks and foster trust, which is particularly vital in an age where data breaches and cyberattacks are increasingly sophisticated and damaging.

Figure 6.3 There are seven foundational principles of Privacy by Design. (attribution: Copyright Rice University, OpenStax, under CC BY 4.0 license)

Considering all these threats, several national and international organizations, corporations, and governments have taken measures to promote data protection and integrity. Through features such as app tracking transparency and clear privacy labels on the App Store, Apple provides users with greater visibility and control over how their data are used, although the overall architecture of their system remains relatively closed compared with more open platforms.

Data scientists suggest that data are providing an endless stream of new digital capital. However, organizations that fail to take data privacy and security seriously may lose their competitive edge as well as customer trust, and/or face regulatory action. Tackling the massive scale and complexity of data management requires the implementation of robust, risk-based frameworks.

An emerging field in this context is privacy engineering, which is fundamentally about incorporating privacy principles directly into the design and development of IT systems, networks, and business practices. By making privacy an integral part of the design and development process rather than an afterthought, enterprises can effectively mitigate risks and better protect user data. Some examples of privacy engineering include:

• Google’s Differential Privacy: This practice allows Google to leverage the ability to learn from aggregate data while ensuring that returned search results and map addresses do not permit anyone to learn about a particular individual. Google has used this with Google Maps to help show the busy times at restaurants and other locations without divulging the location history data of users.
• Apple’s Privacy Labels: Apple has developed Privacy Labels for its App Store. These labels provide simple, straightforward summaries of an app’s privacy practices, and they are written in plain language, letting consumers know what data an app collects and whether the data are linked to them or used to track them.
• Microsoft’s Data Loss Prevention (DLP): Microsoft developed a data loss prevention solution to prevent sensitive information from leaking out of the organization. This solution identifies sensitive information across several platforms, such as Exchange Online, SharePoint, OneDrive for Business, and Microsoft Teams. This measure ensures that data are not inadvertently shared with the wrong groups. While DLP does well with implementing controls that prevent data loss, it does not focus on physical security.

On the other hand, privacy engineering refers to the technical and operational aspects of implementing privacy principles in systems and services. Its goal is to operationalize the concepts of Privacy by Design through specific methodologies, tools, and technologies. Privacy engineering focuses on developing practical solutions and practices that protect individuals’ privacy and meet regulatory requirements. This includes creating data protection features, ensuring secure data processing, and developing privacy-preserving technologies. While Privacy by Design sets the framework and objectives for privacy, privacy engineering focuses on actual implementation of those objectives in the real world. Like Privacy by Design, privacy engineering focuses more on the technical aspects of implementing data protection controls. One example of a social media company that uses this idea is Snapchat, which limits the amount of time a message can be viewed once it is sent.

Careers in IS

Data Privacy and Security Career Options

With its ever-evolving challenges and emerging practices, the area of data privacy and security offers many exciting opportunities. Those seeking to work in this field may consider these roles, for example:

• Privacy analyst/privacy consultant: A specialist who assesses and advises organizations on complying with data protection laws and regulations. They analyze privacy policies, conduct privacy impact assessments, and recommend strategies to protect personal data.
• Chief privacy officer (CPO): A high-level executive responsible for an organization’s data privacy policies and procedures. The CPO ensures compliance with privacy laws, oversees data protection strategies, and manages privacy risks.
• Cybersecurity analyst: A professional who focuses on protecting an organization’s computer systems and networks. They monitor breaches, investigate security incidents, and implement security measures to safeguard sensitive data.
• Information security manager: A role responsible for overseeing and managing an organization’s information security program. They develop and implement policies and procedures to protect data from unauthorized access, disclosure, alteration, and destruction.
• Compliance officer: A role that involves ensuring an organization meets external regulatory requirements and internal policies, especially concerning data protection and privacy laws.
• Data protection lawyer: A legal professional specializing in data protection and privacy law. They advise clients on compliance with data protection regulations, represent in case of data breaches, and help draft privacy policies.

Data Privacy Regulations and Standards

Data privacy regulations and standards have become increasingly important in today’s data-driven world. With vast quantities of personal data being collected and processed daily, these regulations ensure the safeguarding of personal information and provide a standardized approach for businesses to manage data privacy. Across the globe, nations are developing regulations to address this ever-evolving need. For example, the Personal Data Protection Act (PDPA) in Singapore strives to protect personal data across the economy by serving as a complement to sector-specific legislative and regulatory frameworks.¹⁷ Meanwhile, in Brazil, the Lei Geral de Proteção de Dados (LGPD) came into effect in August 2020, aligning the country more closely with the global trend toward stricter data privacy regulations.¹⁸ The General Data Protection Regulation (GDPR) is a comprehensive data protection law in the European Union that sets guidelines for the collection and processing of personal information of individuals within the EU.¹⁹ The GDPR represents a major shift in data privacy regulations. It has introduced several significant changes, including stricter requirements for consent, which is the explicit permission given by an individual for the collection, processing, and use of their personal information. Additionally, the GDPR expanded data subject rights (such as the right to be forgotten, the right to data portability, and the right to object to processing), and steeper penalties for noncompliance, up to 4 percent of an organization’s global annual turnover or 20 million euros, whichever is higher.²⁰

In a similar manner, the California Consumer Privacy Act (CCPA), a law that increases privacy rights and consumer protection for residents of California, has set a benchmark for data privacy in the United States²¹ (Table 6.1). While it only applies to businesses that meet certain criteria (such as having gross annual revenues over $25 million), the CCPA is influencing data practices beyond California. It is likely to inspire similar legislation in other states, or potentially at the federal level.²² Under the CCPA, businesses must disclose what data they collect, sell, or share, and consumers can opt out of the sale of their data, request deletion of their data, or access the data that businesses have collected about them.

However, it’s not just regulatory compliance that organizations need to consider. Industry standards also play a crucial role in shaping how businesses protect personal data. For instance, the International Organization for Standardization (ISO) has introduced ISO/IEC 27701, an extension to ISO/IEC 27001, the international standard for information security management systems. ISO/IEC 27701 provides guidance on how to manage privacy information, essentially translating privacy principles from regulations like the GDPR into actionable controls. This involves not only technical measures, but also administrative ones, such as defining roles and responsibilities, maintaining records of processing activities, and ensuring proper data breach response procedures.²³ By adopting ISO/IEC 27701, organizations can demonstrate their commitment to privacy, reassure customers and stakeholders, and potentially gain a competitive advantage.

Businesses will also need to consider other relevant regulations in their respective jurisdictions. For instance, in Canada, businesses must comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), which establishes basic rules for the use, collection, and disclosure of personal information by private sector organizations during commercial activities. Similarly, in Australia, the Privacy Act 1988 mandates how personal information is to be handled.

Moving forward, as data privacy issues continue to rise in prominence, we can expect further evolution in both legislation and industry standards. Companies will need to stay vigilant and adaptive, not just to avoid penalties, but also to earn and maintain their customers’ trust and loyalty. This is particularly true in an era where data privacy is increasingly seen as a differentiator and a competitive advantage. Trust in how businesses handle personal data can significantly impact their brand reputation, customer relationships, and, ultimately, their bottom line.

The landscape of data privacy is becoming increasingly complex, and staying abreast of these regulations and standards is crucial for businesses.