
Last Updated On: September 6, 2024

As a CISSP candidate or cybersecurity professional, you're likely aware that privacy and security go hand in hand in today's digital landscape. While you're not expected to be a privacy law expert for the CISSP exam, understanding the basics is crucial.

This overview will introduce you to major privacy laws and their general impact on your role in information security. Remember, effective privacy protection in your organization will largely depend on the security measures you implement.

Let's explore how evolving privacy regulations intersect with your cybersecurity responsibilities.

Major Privacy Laws in Different Countries

The following list represents some of the major privacy laws that have a significant impact on data protection practices globally. While not exhaustive, these laws illustrate the diverse and evolving nature of privacy regulations across different jurisdictions. Familiarity with these will help you understand the broader privacy landscape.

Note: One privacy law that you should understand in slightly more depth is GDPR, because many consider it the bellwether for privacy laws in countries around the world. GDPR is one of the most comprehensive privacy laws in existence, and many countries have modeled their privacy laws on it, are in the process of doing so, or plan to in the future.

European Union

GDPR (General Data Protection Regulation)

The GDPR is a comprehensive privacy law that applies to organizations processing EU residents' data, regardless of the company's location. As a security professional, you should be aware that it establishes a single set of rules for all EU member states and requires implementing appropriate technical measures to ensure data security.

Each state has an independent Supervisory Authority (SA) to hear and investigate complaints, and data subjects have the right to lodge complaints with these SAs. The law is based on seven principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

GDPR mandates breach notification within 72 hours and imposes significant penalties for non-compliance. While you won't need to know all the details for the CISSP exam, understanding its broad impact on data protection practices is crucial.

United States

Gramm–Leach–Bliley Act (GLBA)

GLBA is a financial services law with significant privacy implications. As a security professional, you should know that it requires financial institutions to explain their information-sharing practices and protect sensitive data. The law mandates the implementation of a written information security plan that describes how the company protects client information.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is crucial for anyone working with healthcare data. It sets national standards for protecting sensitive patient health information. The Security Rule specifically requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.

Sarbanes–Oxley Act (SOX)

While primarily a financial regulation, SOX has important implications for IT security. It requires public companies to establish internal controls and procedures for financial reporting, which often involves securing IT systems that handle financial data. SOX applies to all public companies in the United States, as well as wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the U.S. As a security professional, you may be involved in ensuring these systems meet SOX compliance requirements.

Children's Online Privacy Protection Act (COPPA)

COPPA is designed to protect the privacy of children under 13. If your organization operates websites or online services directed to children, you need to be aware of COPPA's requirements. These include getting parental consent before collecting personal information from children and maintaining reasonable procedures to protect the confidentiality, security, and integrity of children's personal information.

California Privacy Rights Act of 2020

This law expands upon the California Consumer Privacy Act (CCPA). It gives California residents more control over their personal information and creates additional obligations for businesses. As a security professional, you should be aware that it requires businesses to implement reasonable security procedures and practices to protect personal information.

Do note that this law only applies to for-profit organizations doing business in California that meet specific criteria, such as having annual gross revenues over $25 million, handling the personal information of 100,000 or more consumers or households, or deriving 50% or more of their annual revenue from selling or sharing personal information.


Canada

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is Canada's federal privacy law for private-sector organizations. As a security professional, you should know that it requires organizations to obtain an individual's consent when they collect, use, or disclose personal information. The law is based on ten fair information principles, including safeguards, which mandate protecting personal information through appropriate security measures.

Argentina

Personal Data Protection Law Number 25,326 (PDPL)

Argentina's PDPL is one of the more comprehensive privacy laws in South America. It's similar to the GDPR in many respects. For security professionals, it's important to note that the law requires implementing technical and organizational measures to guarantee the security and confidentiality of personal data, preventing alteration, loss, or unauthorized access.

South Korea

Personal Information Protection Act (PIPA)

PIPA is South Korea's comprehensive privacy law. As a security professional, you should be aware that it requires data handlers to implement technical, administrative, and physical measures to prevent loss, theft, leakage, alteration or damage of personal information. The law also mandates the appointment of a privacy officer, similar to the Data Protection Officer role under GDPR.

Australia

Privacy Act and Australian Privacy Principles (APPs)

The Privacy Act and its APPs govern the handling of personal information by Australian government agencies and some private sector organizations. For security professionals, it's crucial to understand that the APPs include requirements for the security of personal information. Organizations must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorized access, modification, or disclosure.

This applies to Australian government agencies and private sector organizations with an annual turnover of more than $3 million, as well as some smaller organizations in specific circumstances.

Personal Data Types Subject to Privacy Laws

The simplest definition of personal data is data that can be used on its own or in combination to identify an individual. While specific definitions can vary depending on jurisdiction and applicable laws, here are the main categories you should be familiar with:

  • PI - Personal Information
  • PII - Personally Identifiable Information
  • SPI - Sensitive Personal Information
  • PHI - Personal Health Information

How is personal data defined in a little more detail? As noted above, the definition of personal data varies quite significantly around the world. In the context of one privacy law or regulation in one part of the world, a telephone number might be considered personal data; in a different context, perhaps not.

For example, consider the difference between a business and a personal phone number: a business number needs to be known to prospective clients, while a personal number does not. The same is true for IP addresses, email addresses, and many other types of information. There is no perfect definition of personal data, because it varies significantly around the world, and this points to the notion of direct and indirect identifiers.

  • Direct identifiers include information that relates specifically to an individual, such as their name, address, biometric data, government ID, or other uniquely identifying number.
  • Indirect identifiers include information that on its own cannot uniquely identify an individual but can be combined with other information to identify specific individuals, including, for example, a combination of gender, birth date, geographic indicators, and other descriptors. Other examples of indirect identifiers include place of birth, race, religion, weight, activities, employment information, medical information, education information, and financial information.

In general, these definitions clearly describe each type of identifier. However, as a security professional, it’s important to communicate with the legal team to be absolutely clear about what constitutes personal data and what jurisdictions and regulations apply. This approach allows everybody in the organization to be on the same page, and for the proper security controls to be implemented.

Some examples of direct, indirect, and online identifiers are:

Direct

  • Name
  • Phone number
  • Government ID (e.g. SIN, SSN, Driver’s License)
  • Account numbers
  • Certificate / license numbers
  • Biometric data

Indirect

  • Age
  • Gender
  • Ethnicity
  • City
  • State
  • Zip/postal code

Online

  • Email address
  • IP Address
  • Cookies
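To make the direct/indirect distinction concrete, here is an added example (my code, not the article's): it tags the fields of a record with the categories above and then checks how few indirect identifiers are enough to single out someone in a small constructed dataset. The field names and sample rows are assumptions.

```python
# Added example (not from the original article): classify record fields into
# the article's direct / indirect / online categories, then show that a
# combination of indirect identifiers can still single out an individual.
from collections import Counter
from itertools import combinations

# Assumed field names mapped to the article's identifier categories.
DIRECT = {"name", "phone", "government_id", "account_number", "biometric"}
INDIRECT = {"age", "gender", "ethnicity", "city", "state", "zip"}
ONLINE = {"email", "ip", "cookie"}


def classify_fields(record):
    """Return {field: category} for every key in the record."""
    out = {}
    for field in record:
        if field in DIRECT:
            out[field] = "direct"
        elif field in INDIRECT:
            out[field] = "indirect"
        elif field in ONLINE:
            out[field] = "online"
        else:
            out[field] = "other"
    return out


def min_group_size(records, fields):
    """Smallest number of records sharing the same values for `fields`
    (k-anonymity: k == 1 means at least one person is uniquely identified)."""
    counts = Counter(tuple(r[f] for f in fields) for r in records)
    return min(counts.values())


def smallest_identifying_combo(records, fields):
    """Smallest subset of `fields` whose combined values single out at least
    one record, or None if no combination does."""
    for n in range(1, len(fields) + 1):
        for combo in combinations(fields, n):
            if min_group_size(records, combo) == 1:
                return combo
    return None


# Constructed sample data: direct identifiers already stripped. No single
# field is unique, but age + zip together identifies every row.
RELEASED = [
    {"age": 34, "gender": "F", "city": "Ottawa", "zip": "K1A"},
    {"age": 34, "gender": "F", "city": "Ottawa", "zip": "K1B"},
    {"age": 52, "gender": "M", "city": "Ottawa", "zip": "K1A"},
    {"age": 52, "gender": "M", "city": "Ottawa", "zip": "K1B"},
]
```

Running `smallest_identifying_combo(RELEASED, ("age", "gender", "city", "zip"))` returns `("age", "zip")`, even though every single field on its own is shared by at least two rows.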

FAQs

Do privacy laws apply to data stored in the cloud?

Yes, privacy laws typically apply to data stored in the cloud. The location of data storage doesn't generally exempt it from privacy regulations. Companies using cloud services are still responsible for ensuring the data they collect and store complies with applicable privacy laws.

What is the role of a Data Protection Officer?

A Data Protection Officer (DPO) is responsible for overseeing an organization's data protection strategy and implementation. They ensure the organization complies with privacy laws, conducts data protection impact assessments, and acts as a point of contact for individuals and regulatory authorities on privacy matters.

Do privacy laws apply to small businesses?

Many privacy laws do apply to small businesses, though some laws have exemptions based on company size or data processing volume. However, even small businesses are generally expected to handle personal data responsibly. It's important for small businesses to understand which privacy laws apply to them based on their location, industry, and the type of data they handle.

Strengthen Your Privacy Law Foundation with Destination Certification

The CISSP exam doesn't demand encyclopedic knowledge of privacy laws, but a solid grasp of key concepts is indispensable. Privacy regulations like GDPR and CCPA significantly impact how organizations handle sensitive information, making this knowledge vital for any security professional.

Destination Certification recognizes the importance of this foundational understanding. Our CISSP MasterClass is designed to give you just the right level of knowledge about privacy laws—comprehensive enough to ace your exam and apply in real-world scenarios, without overwhelming you with unnecessary details.

Through our focused curriculum and innovative teaching methods, we ensure you grasp the essential concepts of privacy laws and their implications for cybersecurity. Don't let the complexities of privacy regulations intimidate you. With Destination Certification, you'll build the confidence to tackle these topics in your CISSP exam and beyond.

John is a major force behind the Destination Certification CISSP program's success, with over 25 years of global cybersecurity experience. He simplifies complex topics, and he utilizes innovative teaching methods that contribute to the program's industry-high exam success rates. As a leading Information Security professional in Canada, John co-authored a bestselling CISSP exam preparation guide and helped develop official CISSP curriculum materials. You can reach out to John on LinkedIn.