Excerpts from the following article will appear in the forthcoming book Assessing and Insuring
Cybersecurity Risk from CRC Press, Co-Authored with Ravi Das.
OK, so technically they're acronyms. Our industry needs more of them, right? Four-letter words
can lift and build (like "love") or bring down (like "dumb" or other expletives). These three
acronyms, however, have had a significant impact on cyber security and privacy. They are GDPR,
CCPA and CMMC.
In this article we’ll do an overview of each, and I suspect there will be a little value for all.
Few companies can escape the impact of these four-letter "words".
Privacy and GDPR – What’s the Big Deal?
A wave of data privacy rights, discussions, laws, and actions has swept the world in recent decades,
and the roots of that wave reach back to World War II. In the case of GDPR, the General Data
Protection Regulation, one can argue that the Holocaust had everything to do with its inception and passage(1).
Applied across the EU since May 2018, the General Data Protection Regulation is designed to protect the personal
data of individuals in its member states, both in terms of protection against breaches and in terms of
data subjects' rights: the right to see what data is held about them, the right to have it corrected, and
the right to be forgotten, that is, to have that data erased.
Like the HIPAA legislation in the US, GDPR covers far more than the obvious identifiers. It applies to
almost all personal data of individuals in the EU, including not only name, address, birth date, phone
and credit card numbers, but also "special categories" such as religious affiliation, sexual orientation,
political opinions, race or ethnic origin, gender and health data, which receive extra protection.
History refresher: Concern over the misuse of personal data is directly linked to the atrocities of the Nazis who, as
their regime rose to power, systematically abused private data to identify Jews and other
minority groups for extreme purposes, the most atrocious of course being genocide, along with
torture, manipulation and other terrible acts.
Here are some facts about early data processing during WWII that you will find curious if
In 1930s Germany, census workers went door to door filling out punch cards that
indicated residents’ nationalities, native language, religion and profession. The cards were counted by the early data processors known as Hollerith machines, manufactured
by IBM’s German subsidiary at the time, Deutsche Hollerith Maschinen GmbH
(Dehomag). This history became more widely known after the publication of the 2001
book IBM and the Holocaust: The Strategic Alliance Between Nazi Germany and
America’s Most Powerful Corporation, which argued that those Hollerith machines not
only identified Jews, but also ran the trains that transported them to concentration
camps. Some historians dispute the book’s claims that IBM supported the use of its
machines to carry out genocide and argue that the Nazis also used other methods, as
simple as pen and paper, to round up victims just as effectively; the company hasn’t