On April 25, Hogan Lovells partner Harriet Pearson testified before the US House of Representatives on the relationship between cybersecurity and privacy in business. The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Committee on Homeland Security held a hearing on “Striking the Right Balance: Protecting our Nation’s Critical Infrastructure from Cyber Attack and Ensuring Privacy and Civil Liberties” to examine existing privacy protections and learn more about potential improvements. In her testimony, Pearson summarized the challenge:
The relationship between cybersecurity and privacy is complex. On the one hand, cybersecurity that protects data from intrusion, theft, and misuse obviously is a significant privacy safeguard. On the other hand, cybersecurity measures that monitor access and use can implicate the collection of personal information (or data that can be linked to individuals), and thus raise privacy concerns.
Pearson first outlined several cybersecurity-related measures that may require access to personal information, and thus potentially implicate privacy concerns:
- Network and system monitoring
- Background checks
- “Bring Your Own Device” (BYOD) policies
- Supply chain and vendor security measures
- Information sharing with third parties and government agencies
Noting the vital importance of the private sector’s taking measures to protect critical operations and data against increasingly well-documented attacks by criminals and spies, Pearson offered her views on steps business and government can take to integrate privacy into enhanced cybersecurity: First, personal data collection, usage, retention, and sharing should be thoughtfully limited. Second, organizations should be appropriately transparent as to the cybersecurity measures in use. Third, government and business should be supportive of voluntary codes of conduct for the privacy-sensitive deployment of cybersecurity measures and programs. Finally, Congress should clarify the expectations and protections for privacy when businesses share information for cybersecurity purposes.
Pearson’s statement is available here.