Digital security and privacy

Digital security and privacy protection have become public policy priorities in an increasingly digital and data-dependent economy and society. A key challenge for governments, businesses and individuals is to reduce digital security and privacy risks to increase trust without inhibiting the opportunities offered by the digital economy.

Digital security risks

Digital security risk has traditionally been approached as a technical problem but the changing nature and scale of digital security incidents is driving countries to re-evaluate their strategies and policies. In recent years, many governments and stakeholders have emphasised the importance of considering digital security risk as a strategic economic issue for organisations which needs to be addressed at the highest level of corporate governance, as recommended by the OECD Recommendation on Digital Security Risk Management for Economic and Social Prosperity.

The recommendation and its companion document provide guidance for a new generation of national strategies on the management of digital security risk, aimed at optimising the economic and social benefits expected from digital openness, which will require co-operation between government, the private sector and civil society.

Managing risks

Managing Digital Security and Privacy Risk, a background report for the June 2016 OECD Ministerial on the Digital Economy, discusses how increased connectivity and data-driven innovation have brought about significant economic and social opportunities while changing the scale and scope of digital security and privacy challenges. These developments highlight the need for an evolution in policies and practices to build and maintain trust in the digital economy. Building on key messages of the OECD Digital Security Risk Recommendation and the OECD Privacy Guidelines, the report articulates why an approach grounded in risk management is essential to ensure that measures are appropriate to and commensurate with the risk. It also examines what further work is needed to understand how public policy can work jointly with the private sector to overcome barriers and address the special challenges faced by small and medium enterprises (SMEs).

Personal data and privacy

A growing number of entities such as online retailers, platforms, Internet Service Providers (ISPs), financial service providers (banks, credit card companies, etc.) and governments are increasingly collecting vast amounts of personal data. Additional information can be derived by “mining” available data for patterns and correlations, many of which do not need to be personal data. Advances in data analytics now make it possible to infer sensitive information from data which may appear trivial at first, such as past individual purchase behaviour or electricity consumption. The misuse of these insights can implicate the core values and principles which privacy protection seeks to promote, such as individual autonomy, equality and free speech, and this may have a broader impact on society as a whole. 

While protection by the law is essential, privacy in an increasingly data-driven economy would benefit from a multifaceted strategy, reflecting a whole-of-society vision, and supported at the highest levels of government, as called for in the OECD Privacy Guidelines and the 2016 Cancun Ministerial Declaration on the Digital Economy. Such strategies need to strike the right balance between the social and economic benefits of enhanced reuse and sharing of data and analytics, and individuals’ and organisations’ legitimate concerns about such openness, including the protection of privacy and intellectual property rights. Coordinated privacy strategies at the national level would enhance privacy protection in an increasingly data-driven environment.


Insuring companies against cyber risks

It is widely assumed that most companies have been affected by "cyber" incidents, will be, or do not know that they have been. Although quantitative measurement is still emerging and raises significant challenges, the frequency and scope of cyber incidents are growing significantly and cyber risk is viewed as one of the main concerns for doing business. For insurance to have a significant impact on risk reduction, the market must offer a material level of coverage to a large share of companies and individuals at risk. This is not currently the case.

Prepared at the request of the G7 Presidency, the report Supporting an Effective Cyber Insurance Market provides an overview of the market for cyber insurance, including the available coverage and potential gaps as well as the current challenges in terms of data availability, quantification of cyber risks, awareness and misunderstanding about coverage. It identifies potential policy measures to address some of the main challenges to the development of an effective cyber insurance market.

Trust in the digital economy

In a special 2014 Eurobarometer report on cybersecurity, two concerns reported by Internet shoppers in the European Union were misuse of personal data and security of online payments. According to a Pew Research Center poll the same year, 91% of Americans surveyed agreed that consumers have lost control of their personal information and data.

In a 2014 OECD survey on the digital economy, governments identified security as the second highest priority area and privacy as the third out of 31 possibilities, with only broadband coming higher.

The OECD Digital Economy Outlook 2015 contains a chapter devoted to trust in the digital economy. It covers a select number of trends, which taken together provide an overview of digital security and privacy both in terms of the risks and responses.