Cyber Security and Data Privacy: The Imperative for Technological Solutions and Legal Safeguards

Introduction:
The use of the internet has increased rapidly over the past few decades, significantly influencing daily human life. Technological advancements such as cloud computing, robotic processes, and predictive analytics have further accelerated this transformation. As a result, the need for data privacy has grown substantially, given that these technical innovations have become more susceptible to cyberattacks. Personal information is typically stored on websites, social media platforms and applications, including banking apps, to facilitate the provision of services. However, a few applications, websites and social media platforms exceed their limits in relation to data usage, or do not provide adequate safeguards for the data they collect, which may result in a data breach. The right to privacy is a fundamental human right, as enshrined in Article 14(1) of the Constitution of Pakistan: “The dignity of man and, subject to law, the privacy of home, shall be inviolable”. The constitutional provision refers to the privacy of the home; however, the apex courts have broadened the scope of the article and read it in such a manner that the right to privacy applies everywhere. Data privacy allows a person to control the extent to which his personal information may be shared, and data protection laws exist to safeguard such privacy concerns by ensuring that personal data is handled with due care. The terms “data privacy” and “data protection” are often used interchangeably, but there is a significant difference between the two: data privacy defines who has access to the provided data, whereas data protection provides the framework to restrict access to the data.
“Cybersecurity”, on the other hand, refers to the practice of defending information technology (IT), which includes computers, servers, electronic systems, mobile devices, networks and, most importantly, data, from “malicious cyber-attacks”. In simple words, it refers to taking precautions to protect data from being lost, hacked, or attacked. Knowing possible information dangers, such as viruses and other harmful software, is necessary. This article discusses the critical issues of cybersecurity and data privacy and the potential challenges they face. It also emphasizes the need for both legal and technological safeguards in Pakistan to secure sensitive information, in the light of Western practices.
Cybersecurity and its linkage to Data Privacy:
Data privacy means protecting personal information and data from unauthorized access, use, disclosure, interruption, alteration, or destruction. This involves making sure that personal data is only gathered and used for legal and permitted reasons, giving people control over their personal data, and guarding against unauthorized access to or disclosure of it. Data privacy is a subcategory of cybersecurity, which focuses on safeguarding against unauthorized access and against attacks by hackers or malicious programs. This can involve putting strict password policies in place, encrypting data both in motion and at rest on a device, updating and patching software frequently to address security flaws and bugs, and using firewalls and other security tools to prevent unauthorized access to networks and systems. Monitoring for possible security risks and acting fast to address any events as they arise are other components of cybersecurity. For the protection and integrity of information and personal data in the digital era, both data privacy and cybersecurity are crucial. The linkage between the two is that privacy laws require entities such as businesses to safeguard the personal information they hold about an individual. As long as businesses acquire, handle, and maintain personal data, privacy and security are intimately interwoven. For instance, when you purchase online, you give your personal information on the assumption that it will be secure. A company puts itself in serious danger by failing to secure customer privacy: not only are there harsh fines for businesses that disregard or overlook security, but a loss of consumer confidence may quickly harm the brand’s reputation.
There is ample evidence of a clear linkage between data privacy and cybersecurity, and the two affect one another, as cybersecurity is the programme designed to protect networks and devices from external threats. The world has evolved into one full of technology where everything has moved online. Businesses, companies, social media platforms, websites and others typically enforce cybersecurity programmes in order to protect their own confidential information and that of their clients, enhance customer confidence and maintain employee productivity, because in the technological world all data is transferred across public networks. However, such data may be subject to cybercrime, as cybercriminals attack these platforms to benefit themselves through unlawful means. In this technological era, the criminal no longer needs to be in the vicinity of the act; there are other means, such as placing proxy servers or other devices which can steal your data from miles away.
Potential repercussions of a cyberattack:
A cyberattack can have a number of repercussions for a person or a company, and these vary depending on the type of crime committed. Unsurprisingly, the targeted digital landscape will be significantly affected: a website may need to be totally redone or, at the absolute least, the amount of protection in place may need to be changed. Additionally, a social network account might be lost. There can be a psychological impact, as a person’s mental health could suffer if personal information is stolen. There can be an economic impact, as the attacker may have taken money by using the victim’s information. An attack can also damage a person’s reputation, and the leader of a business in particular might suffer a lot. As per Harvard Business Review, in the event of severe cyberattacks, 60% of smaller companies will be out of business, so strong management is required to address cyber risks, as it is necessary for effective corporate performance.
The risk posed by ChatGPT to cyber security:
With the advent of ChatGPT in November, millions of users around the globe were astounded by the innovation of this language model. Nevertheless, for many people, curiosity rapidly gave way to sincere concern with regard to this tool’s potential to further the objectives of malicious actors. In particular, ChatGPT created additional vulnerabilities for hackers to exploit and compromise sophisticated cybersecurity tools. The major risks include the potential for phishing attacks through convincing message generation, the facilitation of malware and ransomware deployment, enabling social engineering tactics, automation of various attack phases, compromising data privacy through information extraction, enabling impersonation, and scalability in disruptive attacks like DDoS. ChatGPT has also created issues in relation to intellectual property, as designs, data and various other intellectual works are being copied unlawfully. It is crucial that executives acknowledge the rising influence of AI and take appropriate action in a sector that has already suffered from a 38% global rise in data breaches, according to Jim Hilton in the Harvard Business Review in 2022.
Concerns in relation to Pakistan:
Personal data should be protected at all costs, because even a minor breach can create complications for the stakeholders and cause a lot of damage. In recent times, Pakistan has been subject to numerous data breaches. These include a cyberattack on the Federal Board of Revenue (FBR) system that compromised the data of millions of taxpayers, and data leaks from the National Database and Registration Authority (NADRA), although it is responsible for ensuring the “due security, secrecy and necessary safeguards for protection of data and information” according to the NADRA Ordinance 2000. K-Electric, the company which manages the generation, transmission and distribution of power, was subject to a cyberattack. Meezan Bank’s database of 69,189 bank accounts was put on sale on the dark web as a result of a cyber-attack, costing the bank data worth $3.5 million; however, due to speedy action the loss was managed. Beyond these, the increasing sophistication of cybercrimes and state-sponsored attacks by different countries pose a great threat to Pakistan. Such instances raise questions about the country’s cybersecurity strategy, and the state has failed to legislate on the issue of personal data protection. In order to effectively defend its residents’ rights online, Pakistan should prioritize the creation of strong data protection and cybercrime legislation.
First, awareness should be raised to make sure that individuals can identify such instances and risks, and certain protection mechanisms should be available to them so that they can protect themselves. Strengthening the legal infrastructure is very significant, as the present laws do not keep pace with modern technological changes and their downsides. For example, sophisticated cyber-attacks have become very common, and they make it difficult for individuals, departments or companies to defend against them. Some of the existing laws and policies include the Prevention of Electronic Crimes Act, 2016, the National Cybersecurity Policy, 2021 and the Citizen Protection (Against Online Harm), 2020.
Several intergovernmental and regional organizations have set out principles to combat online threats, including the Asia-Pacific Economic Cooperation (APEC), the Organization for Economic Cooperation and Development (OECD) and the European Commission.
Western best practices:
The West has invested heavily in technological sectors. As technological advancements have boosted data collection and surveillance capabilities, governments all across the world have begun passing rules governing what kinds of data can be gathered from users, how that data can be used, and how data should be stored and secured. The following are some of the most significant regulatory privacy regimes to understand, which not only regulate but also provide guidance and safeguard the legal rights of data subjects by providing remedies where those rights are violated as technology advances: the General Data Protection Regulation, 2018 (GDPR) for the EU, the California Consumer Privacy Act, 2018 (CCPA) for the USA, and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). The NIST CSF is a voluntary framework that outlines the best procedures, rules, and requirements for successful risk management and mitigation. It is one of the most popular compliance programs that helps businesses manage and lower risks. The NIST CSF offers five components to help businesses and security experts recognize and lower cybersecurity threats: identification, protection, detection, response, and recovery.
The GDPR regulates the collection and storage of the personal data of European Union citizens and gives those citizens the right to control their personal data, including the right to be forgotten. A key provision, Article 5 of the GDPR, sets out grounds for the handling of individuals’ data. Many nations, including Canada, Japan, Australia, Singapore, and others, have thorough data protection regulations in place. Some of them, like the UK’s Data Protection Act and Brazil’s General Law for the Protection of Personal Data, are extremely comparable to the GDPR.
The CCPA, on the other hand, gives individuals control over their personal data, including the ability to request that businesses not sell their personal data, and requires that consumers be informed about the personal data that is gathered in the state of California. This piece of legislation is regarded as one of the pioneering laws framing rules for consumer data. The CCPA places less emphasis on accountability-related responsibilities than does the GDPR; rather, it emphasizes transparency obligations and prohibits entities from selling customer information. Regarding data rights, the CCPA gives customers the right to sue businesses or receive damages if they fail to take reasonable steps to avoid data breaches. Under the CCPA, the Attorney General’s office is responsible for ensuring that businesses adhere to the CCPA rules.
In certain nations, there are additional industry-specific privacy regulations. For instance, the Health Insurance Portability and Accountability Act (HIPAA) in the United States regulates how personal healthcare data ought to be managed.
Way forward:
The first and major step on the part of the Government should be to enact laws which focus on data rights and their safeguards and which ensure citizens’ privacy at all costs in every sector, as privacy is considered a fundamental right. The Securities and Exchange Commission of Pakistan (SECP) should increase enforcement in order to ensure that companies maintain adequate cyber security controls, and should issue guidelines by which companies must abide, including instructions on the reporting of cyberattack incidents. To safeguard and sustain company operations, both government and private institutions must establish and implement specific cybersecurity policies and procedures.
Strengthening the cybersecurity infrastructure in Pakistan is crucial, as the world is moving towards cyberwars, and highly sophisticated and well-funded state-sponsored cyber-attacks are a great threat to the national security of the state. The government and private companies should collaborate to invest in strengthening it, including better detection and response capabilities and improved information sharing between the government and private sectors.
One of the drawbacks in Pakistan is that various applications and private companies, including the mobile network operators, do not have the capability to handle such cases swiftly, and this handling is unfortunately not accessible to every common individual. The Government needs to maintain checks and balances on them and appoint monitoring bodies to undertake this task effectively. Moreover, international collaborations are also very significant for devising appropriate and up-to-date infrastructure which assists in protection against, investigation of and response to cyberattacks. Our youth should be given opportunities to gain exposure and develop skills which enhance their capability to tackle modern technological advancements.
In conclusion, as information technology continues to permeate every aspect of our society, the potential for large-scale or high-consequence incidents that could harm and disrupt crucial services becomes more pronounced. To safeguard our economy and the daily lives of individuals, it is imperative to adopt a comprehensive approach. This includes the implementation of efficient risk assessment plans, the establishment of robust security and technical controls, the continuous refinement of cybersecurity policies, and regular testing and monitoring. By diligently addressing these aspects, we can better protect ourselves from the evolving landscape of cyber threats and ensure a safer and more resilient digital future.
References:
- What is Data Privacy – bit.ly/3PJXGNT
- Mohsin, Kamshad, Data Privacy and Cybersecurity (December 11, 2022). Available at SSRN: https://ssrn.com/abstract=4299439 or http://dx.doi.org/10.2139/ssrn.4299439
- What is the relationship between Data privacy and Cybersecurity – https://www.tutorialspoint.com/what-is-the-relationship-between-data-privacy-and-cybersecurity#
- An Introduction to Cybersecurity and Data Protection – https://online.york.ac.uk/resources/introduction-to-cyber-security-data-protection/#cybersecurity
- 4 areas of cyber risk that boards need to address, Sander Zeijlemaker, Chris Hetner and Michael Siegel – Harvard Business Review
- Cyber Surveillance and Big Data – RSIL
- What are the Laws governing data privacy – bit.ly/3LrgAGw