1 00:00:00,350 --> 00:00:02,260 Legal Requirements. 2 00:00:02,260 --> 00:00:03,910 In this lesson, we're going to talk about 3 00:00:03,910 --> 00:00:06,960 some of the legal requirements around privacy. 4 00:00:06,960 --> 00:00:10,320 Now, any type of information or asset needs to consider 5 00:00:10,320 --> 00:00:13,470 how a compromise of that information can threaten 6 00:00:13,470 --> 00:00:16,970 the three core security attributes of the CIA triad: 7 00:00:16,970 --> 00:00:20,140 confidentiality, integrity, and availability. 8 00:00:20,140 --> 00:00:22,030 And I mention this a lot in my courses, 9 00:00:22,030 --> 00:00:23,480 but if you're thinking about CIA, 10 00:00:23,480 --> 00:00:25,300 I like to think about confidentiality 11 00:00:25,300 --> 00:00:27,110 usually has to do with encryption, 12 00:00:27,110 --> 00:00:29,970 integrity usually has to do something with hashing, 13 00:00:29,970 --> 00:00:31,900 and availability usually has to do 14 00:00:31,900 --> 00:00:33,290 something with redundancy. 15 00:00:33,290 --> 00:00:35,730 And so if you keep those three key words in mind, 16 00:00:35,730 --> 00:00:37,480 it'll help you figure out what the right answer is 17 00:00:37,480 --> 00:00:39,140 when you're dealing with CIA triad 18 00:00:39,140 --> 00:00:41,110 and things associated with it. 19 00:00:41,110 --> 00:00:43,130 Now, what we're going to really focus on in this lesson 20 00:00:43,130 --> 00:00:46,270 is the difference between privacy and security. 21 00:00:46,270 --> 00:00:48,320 Now, when we talk about security controls, 22 00:00:48,320 --> 00:00:50,890 there is that focus on CIA attributes 23 00:00:50,890 --> 00:00:52,450 of the processing system. 24 00:00:52,450 --> 00:00:54,870 So if I say this data is encrypted, 25 00:00:54,870 --> 00:00:56,520 well, that is a security control. 26 00:00:56,520 --> 00:00:58,040 That's confidentiality. 27 00:00:58,040 --> 00:00:59,790 If I say this data has been hashed 28 00:00:59,790 --> 00:01:01,360 so I have a digital fingerprint of it, 29 00:01:01,360 --> 00:01:03,480 that tells me we have integrity of it, 30 00:01:03,480 --> 00:01:04,530 but that's all security, 31 00:01:04,530 --> 00:01:07,730 that doesn't tell me whether or not that data is private, 32 00:01:07,730 --> 00:01:09,710 if it's being kept private from other people. 33 00:01:09,710 --> 00:01:11,450 And so that's something we have to think about. 34 00:01:11,450 --> 00:01:13,180 When we talk about privacy, 35 00:01:13,180 --> 00:01:15,630 we're really talking about a data governance requirement 36 00:01:15,630 --> 00:01:17,750 that arises when you're collecting and processing 37 00:01:17,750 --> 00:01:21,230 personal data to ensure the rights of the subject's data. 38 00:01:21,230 --> 00:01:22,840 So if I collect information from you 39 00:01:22,840 --> 00:01:24,040 when you sign up for my course, 40 00:01:24,040 --> 00:01:25,990 I get your name, your email, 41 00:01:25,990 --> 00:01:27,810 maybe your credit card information, 42 00:01:27,810 --> 00:01:30,230 I have to keep that information private. 43 00:01:30,230 --> 00:01:32,290 It doesn't necessarily mean that I have to have it encrypted 44 00:01:32,290 --> 00:01:34,640 in my database, although we do that, 45 00:01:34,640 --> 00:01:37,010 we just have to make sure that nobody else can get that data 46 00:01:37,010 --> 00:01:39,680 who doesn't have a need to know inside our organization. 47 00:01:39,680 --> 00:01:41,570 That's the idea of privacy. 48 00:01:41,570 --> 00:01:43,240 Now, one of the things that I think is unique 49 00:01:43,240 --> 00:01:46,120 is the way privacy is seen across the globe. 50 00:01:46,120 --> 00:01:48,170 Depending on where you are and where you live, 51 00:01:48,170 --> 00:01:50,870 privacy is either a bigger or less deal to you. 52 00:01:50,870 --> 00:01:52,820 For instance, when you go to a website 53 00:01:52,820 --> 00:01:54,450 and you look at the privacy policy, 54 00:01:54,450 --> 00:01:57,020 do you actually read through all of the pages of legalese 55 00:01:57,020 --> 00:01:58,560 to figure out what they're saying they can do 56 00:01:58,560 --> 00:02:00,100 with your private information? 57 00:02:00,100 --> 00:02:03,650 Most people don't, but if you're in some place like Europe, 58 00:02:03,650 --> 00:02:05,970 they take privacy much more seriously, 59 00:02:05,970 --> 00:02:08,240 and they have things like the right to be forgotten 60 00:02:08,240 --> 00:02:10,740 and they have GDPR which says that you have to write 61 00:02:10,740 --> 00:02:12,660 your privacy policy in a very clear 62 00:02:12,660 --> 00:02:14,140 and easy to understand method, 63 00:02:14,140 --> 00:02:16,390 not legalese like we do here in the States. 64 00:02:16,390 --> 00:02:18,840 So even just the difference between European countries 65 00:02:18,840 --> 00:02:20,650 and the United States has a big difference 66 00:02:20,650 --> 00:02:22,520 in the way we view privacy. 67 00:02:22,520 --> 00:02:24,320 Now, because of the cultural differences 68 00:02:24,320 --> 00:02:26,280 and the cultural pressure that's been applied, 69 00:02:26,280 --> 00:02:28,920 there are different legal requirements in different areas. 70 00:02:28,920 --> 00:02:30,500 There are legal requirements that will affect 71 00:02:30,500 --> 00:02:32,230 your corporate governance and policies 72 00:02:32,230 --> 00:02:35,310 in regards to privacy of your user's data. 73 00:02:35,310 --> 00:02:37,550 As a company that works worldwide with people, 74 00:02:37,550 --> 00:02:39,400 we have students all over the world, 75 00:02:39,400 --> 00:02:40,720 we have to be aware of that 76 00:02:40,720 --> 00:02:42,970 and so we keep in mind what the legal requirements are 77 00:02:42,970 --> 00:02:45,270 in the different areas we're operating in. 78 00:02:45,270 --> 00:02:46,760 Now, one of the biggest requirements 79 00:02:46,760 --> 00:02:47,900 and one of the best requirements 80 00:02:47,900 --> 00:02:50,590 in terms of privacy is GDPR. 81 00:02:50,590 --> 00:02:53,150 This is the General Data Protection Regulation. 82 00:02:53,150 --> 00:02:54,620 And this says that personal data 83 00:02:54,620 --> 00:02:57,240 cannot be collected, processed, or retained 84 00:02:57,240 --> 00:02:59,870 without the individual's informed consent. 85 00:02:59,870 --> 00:03:01,970 Now, when I talk about informed consent, 86 00:03:01,970 --> 00:03:04,740 this means that the data must be collected and processed 87 00:03:04,740 --> 00:03:06,300 only for the stated purpose 88 00:03:06,300 --> 00:03:09,550 and that purpose must be clearly described to the user 89 00:03:09,550 --> 00:03:12,010 in plain language, not legalese. 90 00:03:12,010 --> 00:03:13,560 So if you go to a website and they say 91 00:03:13,560 --> 00:03:15,870 give us your name, your email, and your home address 92 00:03:15,870 --> 00:03:17,670 so that we can sell you this product 93 00:03:17,670 --> 00:03:19,260 and then deliver it to your house, 94 00:03:19,260 --> 00:03:20,710 that's the stated purpose. 95 00:03:20,710 --> 00:03:23,050 That doesn't mean that they can now send you mailers 96 00:03:23,050 --> 00:03:25,410 every single week to your home address 97 00:03:25,410 --> 00:03:26,980 to try and get you to buy more stuff 98 00:03:26,980 --> 00:03:29,050 unless that was part of their privacy policy 99 00:03:29,050 --> 00:03:30,280 that you accepted. 100 00:03:30,280 --> 00:03:33,020 So GDPR says they have to be up front with this. 101 00:03:33,020 --> 00:03:35,530 Now, GDPR also provides the right for a user 102 00:03:35,530 --> 00:03:38,140 to withdraw consent at any time. 103 00:03:38,140 --> 00:03:40,340 It also gives them the ability to inspect, amend, 104 00:03:40,340 --> 00:03:42,410 or erase data that's held about them. 105 00:03:42,410 --> 00:03:44,910 We like to call this the right to be forgotten. 106 00:03:44,910 --> 00:03:47,770 If you're a resident and citizen of the European Union, 107 00:03:47,770 --> 00:03:50,700 you can call up the company or fill out their form and say, 108 00:03:50,700 --> 00:03:53,350 I want you to forget everything you've ever known about me 109 00:03:53,350 --> 00:03:55,020 and they have to go into their database 110 00:03:55,020 --> 00:03:56,530 and scrub you out of it. 111 00:03:56,530 --> 00:03:58,050 That is part of that law. 112 00:03:58,050 --> 00:03:59,330 It gives you a lot of protections 113 00:03:59,330 --> 00:04:01,010 if you're a European citizen. 114 00:04:01,010 --> 00:04:02,680 Now, if you're an American citizen, 115 00:04:02,680 --> 00:04:04,000 we don't have that right. 116 00:04:04,000 --> 00:04:05,780 So if I'm sitting in Maryland 117 00:04:05,780 --> 00:04:08,440 and I want to be forgotten, I can't do it. 118 00:04:08,440 --> 00:04:09,390 That's just not something 119 00:04:09,390 --> 00:04:10,610 that the companies have to do for me. 120 00:04:10,610 --> 00:04:12,020 I can request they do that, 121 00:04:12,020 --> 00:04:14,410 but they are not by law required to do it. 122 00:04:14,410 --> 00:04:15,800 So there are different protections 123 00:04:15,800 --> 00:04:17,310 depending on where you live in the world. 124 00:04:17,310 --> 00:04:19,330 And as a company operating in different areas, 125 00:04:19,330 --> 00:04:21,170 you need to be aware of this. 126 00:04:21,170 --> 00:04:23,540 Now, what happens if you have a data breach? 127 00:04:23,540 --> 00:04:26,070 Well, this depends again where you are 128 00:04:26,070 --> 00:04:27,800 and what laws you fall under. 129 00:04:27,800 --> 00:04:29,890 For instance, if you deal with GDPR, 130 00:04:29,890 --> 00:04:31,430 you have responsibilities. 131 00:04:31,430 --> 00:04:34,290 Within 72 hours, if you're doing business within Europe, 132 00:04:34,290 --> 00:04:36,810 you have to notify the regulators and the users 133 00:04:36,810 --> 00:04:38,350 that you had a data breach. 134 00:04:38,350 --> 00:04:41,190 So once again, this is an area where the European citizens 135 00:04:41,190 --> 00:04:43,450 have better rights than the Americans do 136 00:04:43,450 --> 00:04:45,340 based on the laws that are in each of those countries 137 00:04:45,340 --> 00:04:47,020 at the time of this filming. 138 00:04:47,020 --> 00:04:49,270 Now, let me give you a quick word of warning. 139 00:04:49,270 --> 00:04:51,950 Data breaches can happen both accidentally 140 00:04:51,950 --> 00:04:53,890 and through malicious interference. 141 00:04:53,890 --> 00:04:55,440 Just because you had a data breach 142 00:04:55,440 --> 00:04:57,430 doesn't mean that some hacker got in. 143 00:04:57,430 --> 00:04:58,667 It could have been a system administrator 144 00:04:58,667 --> 00:04:59,970 did the wrong thing. 145 00:04:59,970 --> 00:05:01,600 They entered the wrong command in the database 146 00:05:01,600 --> 00:05:02,760 and they dumped it to the screen 147 00:05:02,760 --> 00:05:03,840 and now people are able to see 148 00:05:03,840 --> 00:05:05,400 everybody's social security numbers 149 00:05:05,400 --> 00:05:07,420 or their dates of birth or their names. 150 00:05:07,420 --> 00:05:09,700 This is all types of things that have happened in the past. 151 00:05:09,700 --> 00:05:10,980 So just keep that in mind. 152 00:05:10,980 --> 00:05:12,760 It's not always a malicious actor. 153 00:05:12,760 --> 00:05:13,960 It's not always a hacker. 154 00:05:13,960 --> 00:05:16,980 Sometimes it's our own internal staff who makes mistakes. 155 00:05:16,980 --> 00:05:18,900 Now, I've mentioned GDPR a couple of times here 156 00:05:18,900 --> 00:05:20,170 already in this lesson, 157 00:05:20,170 --> 00:05:22,460 but I want you to remember when I'm talking about GDPR, 158 00:05:22,460 --> 00:05:24,740 I'm talking about a law inside of Europe 159 00:05:24,740 --> 00:05:27,150 and GDPR does provide stronger protections 160 00:05:27,150 --> 00:05:30,390 than most federal or state laws in the United States. 161 00:05:30,390 --> 00:05:32,060 Most of the laws here in the United States 162 00:05:32,060 --> 00:05:34,960 are very industry-specific or state-specific. 163 00:05:34,960 --> 00:05:37,530 So we might have laws that affect the financial industry 164 00:05:37,530 --> 00:05:39,080 or the healthcare industry, 165 00:05:39,080 --> 00:05:41,580 but we don't have ones that protect all of our citizens 166 00:05:41,580 --> 00:05:42,503 all of the time.