Three 4-Letter Words That Changed Cyber Security: GDPR, CCPA, CMMC



Excerpts from the following article will appear in the forthcoming book Assessing and Insuring Cybersecurity Risk from CRC Press, co-authored with Ravi Das.


OK, so technically they’re acronyms. Our industry needs more of them, right? Four-letter words can lift and build (like “love”) or bring down (like “dumb” or other expletives). These three acronyms, however, have had a significant impact on cyber security and privacy. They are GDPR, CCPA and CMMC.


In this article we’ll give an overview of each, and I suspect there will be something of value in it for everyone. Few companies can escape the impact of these four-letter "words".


Privacy and GDPR – What’s the Big Deal?


A wave of data privacy rights, discussions, laws, and actions has swept the world, especially since World War II. One can argue that for GDPR, the General Data Protection Regulation, the Holocaust has had everything to do with its inception and passage (1).



Enacted in May of 2018, the General Data Protection Regulation is designed to protect the personal data of individuals in EU member states, both in terms of protection against cyber breaches and in terms of data owners’ rights to see their data, to be forgotten, and to have that data removed.


Like the HIPAA legislation in the US, GDPR extends to cover EU citizen data across almost all personal elements, including not only the obvious ones such as name, address, birth date, phone and credit card numbers, but also religious affiliation, sexual orientation, political opinions, race, gender, and more.


History refresher: concern over data privacy is directly linked to the atrocities of the Nazis who, as their regime rose to power, systematically abused private data to identify Jews and other minority groups for extreme ends – the most atrocious of course being genocide, torture, manipulation and other terrible acts.


Here are some facts surrounding early data processing during WWII that you will find curious, if not disturbing:


In 1930s Germany, census workers went door to door filling out punch cards that indicated residents’ nationalities, native language, religion and profession. The cards were counted by the early data processors known as Hollerith machines, manufactured by IBM’s German subsidiary at the time, Deutsche Hollerith Maschinen GmbH (Dehomag). This history became more widely known after the publication of the 2001 book IBM and the Holocaust: The Strategic Alliance Between Nazi Germany and America’s Most Powerful Corporation, which argued that those Hollerith machines not only identified Jews, but also ran the trains that transported them to concentration camps. Some historians dispute the book’s claims that IBM supported the use of its machines to carry out genocide and argue that the Nazis also used other methods, as simple as pen and paper, to round up victims just as effectively; the company hasn’t