May 23, 2016

The Growing Dichotomy in Federally Imposed Cybersecurity Obligations

We have seen executive mixed signals in FTC v. Wyndham and Apple's feud with the FBI.

By William Knight

In 2014 and 2015, one of the biggest events in cybersecurity law was the Federal Trade Commission’s (FTC) lawsuit against Wyndham Worldwide Corporation, which sanctioned Wyndham for unfair business practices after three data breaches compromised the sensitive financial data of more than 600,000 of its customers. We are only two months into 2016 and the conversation is dominated by Apple’s feud with the Federal Bureau of Investigation (FBI) over whether Apple must crack its own security systems to access an iPhone belonging to Syed Rizwan Farook, who—with his wife, Tashfeen Malik—went on a shooting rampage in San Bernardino, California, in December 2015.

Put another way, last year a federal agency made headlines by ordering a business to strengthen its cybersecurity systems because they were capable of being penetrated. Today, a federal agency is making headlines by ordering a business to weaken its cybersecurity systems to render them capable of being penetrated.

To understand how we got here (and at least one reason these mixed signals are important), we must understand the distinction between digital privacy and cybersecurity. In essence, digital privacy is the accessibility of data. Cybersecurity is one of the methods by which we limit accessibility and preserve digital privacy. Actual security policies, which increasingly restrict access to data based on necessity, are another, arguably more important method.
