Like the decades before it, the start of the 21st century has seen exponential growth in data volumes and in data repositories/platforms. As a result, bad actors have ratcheted up their illicit international efforts to access troves of valuable data. In turn, rules and regulations worldwide have proliferated and developed stricter protections for personally identifiable information (‘PII’). Yet, as always, legal developments lag behind ‘in the trenches’ realities. In addition, data security technology and related employee training are both in a never-ending race to defend against the ever-expanding universe of schemes deployed by hackers.

The two of us spend many of our waking hours focused on cyber security defence, and especially the ways that the triad of law, technology and employee-training intersect in that realm. This article addresses three of our expectations:

  1. In the coming years, privacy and data security legal requirements will continue to get stricter;
  2. A prior trend will persist, whereby directives, statutes and regulations remain silent or at most vague (e.g., merely mentioning ‘encryption’) as to technology solutions. Therefore, executives, security officers, lawyers and others will need to keep abreast of new technologies; and
  3. Technology will remain unable to provide a magic bullet. Each organisation will need to maintain a sustained strategy for implementation and for training individuals in order to be vigilant.

Originally published in the Cyber Security Practitioner (May 2017).