Data protection and cybersecurity

On the occasion of International Computer Security Day, November 30, 2022.

Regardless of the industry, authorities require organizations to protect all confidential or personally identifiable information collected from customers, employees, or business partners in the course of business.

Over the past decade, hundreds of millions of personal data containing personal information have been lost or stolen through data breaches in companies, some government agencies, and other organizations. Security breaches result in stolen data that ends up in the hands of cybercriminals or identity theft.

As a result, laws, standards, or industry regulations have been passed that require organizations to implement and maintain best security practices to adequately protect the confidential information they collect and use.

Regulatory requirements and definitions with regard to compliance may vary depending on the jurisdiction. They are divided into four categories:

• Data protection/privacy laws

• Laws regulating electronic transactions

• Cybercrime laws

• Consumer protection laws.

In addition, lawyers have professional and ethical responsibilities to take all necessary measures to safeguard confidential information related to clients. ABA Model Rule refers to the secure protection of data in Rules 1.1, 1.4, and 1.6, and recently issued three formal ethics opinions (1) 477 "Protection of client confidential information communication" (May 2017); (2) Formal Opinion 483 "Lawyer Obligations After an Electronic Data Breach or Cyberattack" (October 2018), and (3) Formal ABA Opinion 498, “Virtual Practice” (February 2021).

These rules require that lawyers, when using technology, 1) use competent and reasonable measures to safeguard the confidentiality of client-related information, 2) communicate with clients about the use of technology and obtain informed consent from clients where appropriate, and 3) properly supervise the use of technology and client data protection in their relationship with other professionals, employees, or vendors.

Security policies and programs include administrative and physical protections, as well as technical. But above all, the entire staff must be knowledgeable and properly trained to use information systems appropriately.

For greater cybersecurity resilience, the issue needs to be addressed from a strategic perspective, incorporating information security within business continuity risks. ISO 27000 Standards provide recommendations for the use of policies and organizational structures to reduce risk. The framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) highlights the role of corporate governance and its influence on culture, emphasizing the importance of leadership, core values, and human talent development and training, among others. The clear commitment of leaders in risk management, including cybersecurity, is essential for success. But security is everyone's responsibility, not just leaders or IT.

Recent challenges show the need to incorporate more sophisticated technical protections. Innovation and new technologies can help improve data protection and cybersecurity.

The development of Artificial Intelligence began in the 1950s, with the name being used for the first time in 1956. Different forms of artificial intelligence can help identify, interpret unusual activities and automate better necessary courses of action for defense, detection, and response. The most commonly used are algorithms and machine learning. A special type of machine learning is called "deep learning" algorithms.

Due to the availability of Big Data and the development of "deep learning" algorithms, they have allowed exponential progress in recent years, improving the capabilities of AI systems to see, listen, read and analyze on a large scale. This, in turn, has allowed the development of new applications. Multifactor authentication that includes biometric elements such as voice recognition, images, or facial geometry has improved user confidence in the security of their data. Blockchain technologies provide greater security in critical transactions between parties, using a network of systems distributed over the Internet to record them.

However, there are several challenges on incorporating new technologies into cybersecurity programs, the most relevant being specialized labor and associated costs. Therefore, it is recommended to use specialized providers in that matter. Another option is to use cloud-based operations-related services, as long as they offer formal security certification with an SOC 2 report (Security Operations Center).

Accepting and adapting organizations to digital transformation will be essential to improve cybersecurity programs, although no program will be 100% effective. However, it can significantly reduce the volume and impact of attacks.

Angelina Angelov