
Privacy Regulations vs. Security Standards ─ Which One to Follow

Today's era of real-time, uninterrupted computing demands assurance that data remains protected at rest, in transit, and in use, for individuals and industries alike.

Here the term data covers a user's biometric and demographic data, IoT/OT device configuration data, IT infrastructure configuration data, information-system data, and any data required to carry out operations with the help of information technology.

Figure 1: Biometric Data protection

Security Frameworks and Standards

The ISO/IEC 27001:2013 information security standard certifies an organization's information security management system against the standard's requirements. The IEC 62443 cybersecurity framework provides a maturity framework for securing industrial automation and control systems. The National Institute of Standards and Technology (NIST) SP 800-53 Revision 5 and Control Objectives for Information Technologies (COBIT) are governance frameworks. The security framework published by the Center for Internet Security (CIS Top 20) is designed to protect infrastructure, applications, and data by implementing a selected group of prioritized controls.

Laws and Regulations

The California Consumer Privacy Act (CCPA), enacted on June 28, 2018; the California Privacy Rights Act of 2020 (CPRA); the Personal Information Protection and Electronic Documents Act (PIPEDA), enacted on January 1, 2001; the US Health Insurance Portability and Accountability Act (HIPAA), enacted on August 21, 1996; and the General Data Protection Regulation (GDPR), enacted on May 25, 2018, protect users' privacy-related data in their applicable regions. These laws and regulations, however, are continuously evolving.

Of Africa's 54 countries, 61% have data protection and privacy legislation[1]; of the 35 countries in the Americas, 74% do; of the 60 countries in the Asia-Pacific region, 56%; of Europe's 45 countries, 98%; and of the 46 least developed countries, 48%. Globally, 71% of countries have such legislation, 9% have draft legislation, and 15% have no legislation regarding data privacy.

Problem Statement

The question arises: with a plethora of cybersecurity standards, frameworks, and regulations, which one should we follow? Is it the adoption of a security standard or framework, or adherence to legal and regulatory requirements, that provides a path to data protection and privacy? What do the laws demand regarding how users' biometric and demographic data must be handled?

When an individual becomes a citizen of a country, how does a service provider know which regulations to adhere to? Which authentication document is required to establish the user's identity? Does a passport suffice, and what if the citizen does not have a passport? Do all countries issue citizen IDs that can be verified in real time? Which data is personal, and which is sensitive? How is this distinction made across multiple regulations? In which geographical location should the data be stored? How should it be protected? Which regulations apply? And so on.

When a service provider operates globally, delivering products or services to citizens of different countries, ensuring adherence to the data protection and privacy requirements of each of those countries becomes very difficult.

Definitions, Boundaries, and Interpretations

The boundaries and interpretations of the terms defined under the various regulations and security standards differ in each case. Purpose of data collection, data processor, minimization, lawfulness, fairness, transparency, pseudonymization, anonymization, controller, processor, right to be forgotten, right to withdraw consent, penalty, and supervision: all of these terms have different boundaries and are interpreted differently. The underlying security technology used to protect the data may be brought under one umbrella, but the regulatory compliance requirements will still vary.

Personal Data & Sensitive Personal Data

Name, address, citizen ID, and government-issued identification cards are interpreted as personal data across regulations. However, many other attributes through which a user can be identified, and their interpretation, vary from country to country.

Figure 2: Personal Data and Sensitive Personal Data

Under GDPR, personal data is any information that uniquely identifies a person. Under CCPA, by contrast, personal information does not include publicly available information that is issued by the government, such as professional licenses and public real estate/property records.

How should data be identified and segregated according to the different regulations? How is this data secured in transit and at rest? How is it processed, by whom, and in which country? These are a few of the immediate questions.

Biometric Data

The GDPR[2] defines biometric data as personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data.

The CCPA[3], on the other hand, defines "biometric information" as an individual's physiological, biological, or behavioral characteristics, including an individual's deoxyribonucleic acid (DNA), that can be used, alone or in combination with each other or with other identifying data, to establish an individual's identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template such as a faceprint, minutiae template, or voiceprint can be extracted, as well as keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

The Biometric Information Privacy Act ("BIPA") of Illinois ensures that individuals remain in control of their biometric data and prohibits private companies from collecting it unless the individual consents, having been informed of the purpose and the length of time for which the data will be collected, stored, and used.

Portland's ordinance outlaws the use of facial recognition[4] not only by government agencies but also by private businesses, making Portland's ban the strictest of its kind. California, San Francisco, Oakland, and Boston have all passed legislation banning government agencies from using facial recognition.

These are a few examples of privacy-related laws that show how personal data, sensitive personal data, their processing by government or private agencies, and the associated rights are defined and interpreted differently in different jurisdictions.

Data Exchange Between Countries’ Geographical Boundaries

Cross-border data processing is becoming an integral part of the supply chain. The citizen resides in one country, the product is customized to specification in a different geographical location, and it is dispatched to and consumed in yet another.

A cloud service provider replicates data to a disaster recovery site at a different location, and data archival is handled the same way, as per the contract terms. A list of countries has been identified to which personal data can flow from the EU without any further safeguards being necessary.

Data Breaches

When dealing with cross-border data processing and data exchange for service delivery among multiple countries, adequate provisions must be made to ensure that data breaches are managed and responded to as required by the regulations and expected by the users.

Fast-Evolving Rules and Regulations

Globally, countries are adopting and updating their privacy laws to protect citizens' biometric and demographic data. Organizations that fail to protect users' data can attract heavy financial penalties and lose goodwill. There is no global rule of thumb for understanding and mitigating the technical and regulatory compliance risks that arise from collecting, processing, and storing citizens' demographic and biometric data.

Wrapping up

Each law has specific technical and regulatory requirements that must be adhered to. Given the complexity of the prevailing laws, carry out a data privacy and security assessment, supported by a threat model, that provides a yardstick for defining the cybersecurity roadmap. A suitable framework or standard can then be adopted gradually at the organizational level to ensure that all privacy and security controls are implemented as per industry standards and are effective.

eInfochips helps companies design, develop, and manage secure connected products across the device, connectivity, and application layers using diverse cybersecurity platform services and tool stacks. Our expertise spans strategic assessments and transformations, turnkey implementations, and managed security operations. To know more about our services, please reach out to our experts today.

References:
1. https://unctad.org/page/data-protection-and-privacy-legislation-worldwide
2. https://gdpr.eu/
3. https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
4. https://www.cnet.com/news/portland-passes-the-toughest-ban-on-facial-recognition-in-the-us/


Vimal Purohit

Vimal is working as Technical Manager - IoT Cybersecurity at eInfochips. He has 20+ years of experience as a cybersecurity professional. His expertise includes security architecture, PKI and key management, threat modeling, Zero Trust solutioning, and biometric data protection (PII/SPI) for IoT devices, embedded devices, access control systems, and cloud.
