This month’s Semper Sec theme is ‘Privacy.’
I was asked to address the question, “Does privacy still matter?
Short Answer: Yes, more than ever!
First, let’s look at why someone might ask the question.
#1 AI continues to grow in power and makes privacy more difficult.
Absolutely!
#2 More powerful encryption-breaking tools (quantum or otherwise) are in
our future, making current privacy protections less effective. I agree!
#3 Organizations with our data already have been multi-breached, so
much of our data is out in the world! That’s a fact!
#4 Cyber bad people and villainous social engineers are more adept than
ever. Obvious 101!
#5 Panic and hysteria about privacy breaches can do more harm than
good. Agree, IF it makes for hopelessness and immobilizes defense!
Is there any real point anymore with focusing on privacy? My question back
is “Is there any real point in trying to keep cockroaches out of your
kitchen?” You are not going to eliminate all cockroaches. You are not going
to eliminate food in your kitchen. Why bother?
Anyone who has dealt with cockroaches would respond: Filth and disease
carried by cockroaches do serious harm. You do the best you can to keep
them at bay by food use cleanliness, sealing food, and enforced family
rules about leaving food out and cleaning up. You carefully use insecticides
where required.
Substitute ‘Loss of Personal Data Control and Privacy Breaches’ for ‘Filth
and disease carried by cockroaches,’ and ‘data’ for ‘food.’ Substitute
‘compliance control systems’ for ‘family rules,’ and ‘other measures’ for
‘poisons.’ Re-read the previous paragraph. That is my point, and the rest of
the article focuses on what can be done, with a solid privacy focus.
One of my favorite privacy focus examples from the professional literature
is the ‘birthday note’ example. The CEO wants you to send company
birthday greetings to employees. Check with HR on the overall idea, but
you don’t need dates of birth! You just need month and day at most, or even better just a month for that type of greeting. Yeah, AI or a human social engineer can probably figure the DOB out by adding other personal data, but you have made it harder, the purpose of all cybersecurity compliance systems.
As I have written before: If you won’t/can’t do anything else on privacy:
1) Take in the least amount of personal data you can, teammate or client data.
2) Encrypt WELL everything you can and keep your encryption cutting-edge!
3) Have written and enforced rules on how you normally manage personal data that you would be proud to show to anyone (law enforcement, media, etc.) in the event of a breach.
My new readings that prove my point (Cyber Dad always has book references!):
Zuboff, Shosana. The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power. PublicAffairs, 2020.
Berners-Lee, Tim. This is for Everyone: The Unfinished Story of the World Wide Web. New York: Farrar, Strauss, and Giroux, 2025. Great privacy future ideas.
Boghosian, Heidi. Cyber Citizens: Saving Democracy with Digital Literacy. Boston: Beacon Press, 2025.
And the absolute best for last:
Solove, Daniel. On Privacy and Technology. New York: Oxford University Press, 2025.
We’ve attached a helpful reference on CCPA and the other 19 states with consumer privacy compliance rights. This topic is expected to gain momentum over the next year or two, and many of our clients are already asking about it.
https://sempersec.com/wp-content/uploads/2026/01/US-State-Data-Privacy-Laws-2025.xlsx