Professional Documents
Culture Documents
Cybersecurity pRIVACY LAW - Convocourses
Cybersecurity pRIVACY LAW - Convocourses
Privacy Law
Introduction
ConvoCourses
© Copyright 2023 - All rights reserved.
The content contained within this book may not be
reproduced, duplicated, or transmitted without direct
written permission from the author or the publisher.
Legal Notice:
Disclaimer Notice:
Check us out:
http://convocourses.com
youtube.com/convocourses
Contact us:
contact@convocourses.com
ii
Table of Contents
i
Best Practices ............................................................ 21
COMPUTER FRAUD AND ABUSE ACT (CFAA) ........................... 22
PRIVACY ACT OF 1974 ........................................................ 24
FREEDOM OF INFORMATION ACT........................................... 25
CYBERSECURITY INFORMATION SHARING ACT (CISA) ................ 26
What is CISA? ............................................................ 27
GRAMM-LEACH-BLILEY ACT (GLBA) ..................................... 30
What is GLBA? ........................................................... 31
Financial Privacy Rule: .............................................. 31
Benefits of GLBA ........................................................ 32
Potential GLBA Penalties........................................... 32
Best Practices ............................................................ 33
CALIFORNIA CONSUMER PRIVACY ACT (CCPA) ........................ 33
What is CCPA? ........................................................... 34
Exceptions to CCPA.................................................... 35
Consumer Rights under CCPA ................................... 35
Business Obligations ................................................. 36
Enforcement .............................................................. 36
CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA) ......... 37
What is COPPA? ........................................................ 37
Requirements under COPPA ...................................... 37
Applicability............................................................... 38
ELECTRONIC COMMUNICATIONS PRIVACY ACT (ECPA) ............. 39
What is ECPA? ........................................................... 39
CHAPTER 3: UNDERSTANDING THE NIST 800 RMF
FRAMEWORK ............................................................... 42
WHAT IS THE NIST RMF FRAMEWORK? ................................ 42
Purpose of the RMF ................................................... 43
HOW TO MANAGE SECURITY AND PRIVACY RISK ...................... 44
ii
Organization-Wide Risk Management ..................... 44
RMF Steps and Structure........................................... 47
Information Security and Privacy in RMF .................. 48
System and System Elements .................................... 49
Requirements and Controls ....................................... 51
Security and Privacy Posture ..................................... 51
Supply-Chain Risk Management (SCRM) .................. 51
EXECUTING THE RMF ......................................................... 52
CHAPTER 4: GLOBAL CYBERSECURITY LAWS AND
REGULATIONS .............................................................. 53
EUROPE............................................................................ 53
Cyber Resilience Act (CRA) ........................................ 53
General Data Protection Regulation (GDPR) ............ 55
JAPAN .............................................................................. 58
Act on the Protection of Personal Information (APPI)
................................................................................... 58
CHINA .............................................................................. 63
Cyber Security Law .................................................... 63
Information Security Technology – Personal
Information Security Specification ............................ 64
SINGAPORE ....................................................................... 66
Cybersecurity Act ...................................................... 67
Personal Data Protection Act (PDPA)........................ 69
INDIA ............................................................................... 70
Information Technology (IT) Act ............................... 71
CHAPTER 5: INDUSTRY-SPECIFIC CYBERSECURITY LAWS
AND REGULATIONS ...................................................... 74
HEALTHCARE..................................................................... 76
iii
Health Insurance Portability and Accountability Act
(HIPAA) ...................................................................... 77
Health Information Trust (HITRUST) Common Security
Framework (CSF) ....................................................... 80
RETAIL ............................................................................. 82
Payment Card Industry Data Security Standard (PCI-
DSS) ........................................................................... 83
FINANCIAL SECTOR ............................................................. 85
Sarbanes-Oxley (SOX) Act ......................................... 86
CHAPTER 6: CYBERSECURITY LAWS IN GOVERNMENT AND
DEFENSE ....................................................................... 90
NASA CYBER SECURITY POLICIES .......................................... 90
What is NPD 2810? ................................................... 91
Applicability............................................................... 92
Responsibilities .......................................................... 93
DOD SECURITY REQUIREMENTS ............................................ 94
Defense Federal Acquisition Regulation Supplement
(DFARS) ..................................................................... 95
NIST SP 800-171 ........................................................ 97
Cybersecurity Maturity Model Certification (CMMC)
................................................................................. 101
CHAPTER 7: HOW TO IMPLEMENT CYBERSECURITY LAW
COMPLIANCE IN YOUR ORGANIZATION ...................... 104
WHAT LAWS TO COMPLY WITH? ........................................ 104
USING THE NIST CSF TO ENSURE COMPLIANCE WITH LAWS AND
REGULATIONS .................................................................. 107
Origin and Purpose of NIST CSF .............................. 108
Implementation Tiers of NIST CSF ........................... 109
iv
Aligning with Laws and Regulations ....................... 110
EDUCATION ON LAWS AND COMPLIANCE .............................. 110
RISK ASSESSMENTS ........................................................... 112
Step 1: Catalog Information Assets......................... 113
Step 2: Categorize the Risk ...................................... 114
Step 3: Analyze the Risk .......................................... 115
Step 4: Establish Risk Tolerance .............................. 116
CHOOSING A FRAMEWORK ................................................. 117
SETTING AND UPDATING POLICIES AND CONTROLS ................. 118
MONITOR, RESPOND, AND ITERATE ..................................... 119
CHAPTER 8: PRIVACY LAWS AND THEIR IMPACT ON
CYBERSECURITY .......................................................... 121
PRIVACY IS NOT THE SAME AS SECURITY ............................... 121
COMMON CHALLENGES ..................................................... 122
The Complexity of the Environment ........................ 123
Sophisticated Threats .............................................. 123
The Shift of Threat Landscape to Mobile Devices ... 124
“Big Data” Paradox ................................................. 124
Compliance Vs. Risk Management .......................... 124
IMPACT OF PRIVACY LAWS ON ORGANIZATIONS ..................... 125
SECURITY AND PRIVACY TOGETHER ...................................... 127
CHAPTER 9: CYBERSECURITY LAWS AND SYSTEM
CERTIFICATIONS ......................................................... 128
CERTIFICATIONS IN THE LAW .............................................. 129
FISMA ...................................................................... 129
NIST SP 800-37 Authorization Process .................... 129
Office of Management and Budget (OMB) Circular A-
130 .......................................................................... 129
v
ISO 27001 .................................................................... 130
CERTIFICATIONS FOR PCI DSS ............................................ 132
Certification Process................................................ 132
HIPAA CERTIFICATION...................................................... 133
COPPA SAFE HARBOR PROGRAM ....................................... 135
GDPR CERTIFICATION....................................................... 137
CHAPTER 10: FUTURE OF CYBERSECURITY LAWS ......... 140
CYBERSECURITY FOR THE INTERNET OF THINGS ....................... 140
CHILD PRIVACY LAWS ........................................................ 142
AI LAWS ......................................................................... 143
CONCLUSION .............................................................. 147
REFERENCES ............................................................... 150
vi
Cybersecurity and Privacy Law
Chapter 1: Fundamentals of
Cybersecurity and Privacy
Laws
1
ConvoCourses
2
Cybersecurity and Privacy Law
3
ConvoCourses
This book will discuss privacy laws and how they can
differ from cyber laws. We’ll provide practical
information on implementing these laws in
organizations. We will also cover how certifications for
specific laws and regulations can enhance your security
posture while at the same time helping organizations
abide by the said laws. We hope to provide a
comprehensive guide to important cyber and privacy
laws, their role in everyday industry functioning, and
how to incorporate them into your work to remain
compliant while providing the best product or service
for your customers.
4
Cybersecurity and Privacy Law
5
ConvoCourses
Privacy Laws
6
Cybersecurity and Privacy Law
Consent
Purpose
7
ConvoCourses
Disclosure
8
Cybersecurity and Privacy Law
Security Practices
9
ConvoCourses
10
Cybersecurity and Privacy Law
11
ConvoCourses
Impact On Industry
12
Cybersecurity and Privacy Law
Impact on People
13
ConvoCourses
Intellectual Property
Copyright
These protect any asset that can be transmitted
over the internet, including but not limited to
music, movies, books, blogs, etc.
Patents
There can be two types of patents in the digital
world. It can be either for a new software or
business methodology; IP rights protect both.
Trademarks
Trademarks are used the same way online as in
the physical world and are mostly used to
protect websites.
14
Cybersecurity and Privacy Law
Domain Disputes
Domains here refer to the web addresses used
by any website, and owners of said domains can
invoke IP rights in case of any dispute for the
domain.
15
ConvoCourses
What is FISMA?
16
Cybersecurity and Privacy Law
FISMA 2014
The replacement of FISMA 2002 with FISMA 2014
deserves to be mentioned as it brought to the forefront
the need to emphasize data and systems protection
within the federal systems. According to the Federal
Information Security Modernization Act, this
replacement updated the practices by:
17
ConvoCourses
FISMA Requirements
FISMA determines many organization requirements,
but an agency must comply with seven main
requirements:
Risk Categorization
Security Controls
18
Cybersecurity and Privacy Law
Risk Assessment
19
ConvoCourses
Continuous Monitoring
20
Cybersecurity and Privacy Law
Best Practices
21
ConvoCourses
22
Cybersecurity and Privacy Law
23
ConvoCourses
24
Cybersecurity and Privacy Law
25
ConvoCourses
26
Cybersecurity and Privacy Law
Act (CISA)
What is CISA?
27
ConvoCourses
28
Cybersecurity and Privacy Law
29
ConvoCourses
30
Cybersecurity and Privacy Law
What is GLBA?
Safeguards Rule:
This rule mandates that companies protect
private information under the GLBA. Firms
must have both physical and technological
means to securely collect, store, transmit, and
process their customers' personal information.
This involves having appropriate software,
31
ConvoCourses
Pretexting Provisions:
This provision dictates that financial
institutions must put measures in place to
prevent unauthorized access to data.
Benefits of GLBA
32
Cybersecurity and Privacy Law
Best Practices
33
ConvoCourses
What is CCPA?
34
Cybersecurity and Privacy Law
Exceptions to CCPA
35
ConvoCourses
Business Obligations
Enforcement
36
Cybersecurity and Privacy Law
What is COPPA?
37
ConvoCourses
Applicability
38
Cybersecurity and Privacy Law
Electronic Communications
Privacy Act (ECPA)
What is ECPA?
39
ConvoCourses
40
Cybersecurity and Privacy Law
41
ConvoCourses
42
Cybersecurity and Privacy Law
43
ConvoCourses
44
Cybersecurity and Privacy Law
45
ConvoCourses
46
Cybersecurity and Privacy Law
47
ConvoCourses
risk.
2. Categorize. Based on impact analysis, identify
and categorize the information and systems
analyzed.
3. Select. Select the security and privacy controls
you wish to implement based on risk
assessments.
4. Implement. Implement, deploy, and
document the selected controls.
5. Assess. Regularly assess if the controls are
relevant and working as intended.
6. Authorize. Based on the risk, authorize the
systems and controls to operate within the
organization.
7. Monitor. Continuously monitor the controls
and re-evaluate the risk within the system.
48
Cybersecurity and Privacy Law
49
ConvoCourses
50
Cybersecurity and Privacy Law
51
ConvoCourses
52
Cybersecurity and Privacy Law
Chapter 4: Global
Cybersecurity Laws and
Regulations
Europe
53
ConvoCourses
54
Cybersecurity and Privacy Law
What is GDPR?
55
ConvoCourses
7 Principles of GDPR
56
Cybersecurity and Privacy Law
57
ConvoCourses
Best Practices
Japan
What is APPI?
58
Cybersecurity and Privacy Law
59
ConvoCourses
60
Cybersecurity and Privacy Law
term.
Data Transfers
61
ConvoCourses
62
Cybersecurity and Privacy Law
China
63
ConvoCourses
64
Cybersecurity and Privacy Law
65
ConvoCourses
Singapore
66
Cybersecurity and Privacy Law
Cybersecurity Act
67
ConvoCourses
68
Cybersecurity and Privacy Law
communication strategy.
• Furthermore, CII owners must formulate a
Business Continuity Plan (BCP) and a Disaster
Recovery Plan (DRP).
69
ConvoCourses
India
70
Cybersecurity and Privacy Law
71
ConvoCourses
72
Cybersecurity and Privacy Law
73
ConvoCourses
Chapter 5: Industry-Specific
Cybersecurity Laws and
Regulations
74
Cybersecurity and Privacy Law
75
ConvoCourses
HealthCare
76
Cybersecurity and Privacy Law
What is HIPAA?
77
ConvoCourses
78
Cybersecurity and Privacy Law
Covered Entities
79
ConvoCourses
80
Cybersecurity and Privacy Law
HITRUST Requirements
81
ConvoCourses
Retail
82
Cybersecurity and Privacy Law
What is PCI-DSS?
83
ConvoCourses
84
Cybersecurity and Privacy Law
Penalties
Financial Sector
85
ConvoCourses
What is SOX?
86
Cybersecurity and Privacy Law
87
ConvoCourses
Penalties
88
Cybersecurity and Privacy Law
89
ConvoCourses
90
Cybersecurity and Privacy Law
91
ConvoCourses
Applicability
92
Cybersecurity and Privacy Law
Responsibilities
93
ConvoCourses
94
Cybersecurity and Privacy Law
What is DFARS?
95
ConvoCourses
Requirements
• Access Control
• Awareness and Training
• Audit and Accountability
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System and Communications Protection
• System and Information Integrity
96
Cybersecurity and Privacy Law
NIST SP 800-171
Requirements
97
ConvoCourses
98
Cybersecurity and Privacy Law
• Defense contractors
• Organizations providing financial services
• Web and communication service providers
• Healthcare data processors
99
ConvoCourses
• Systems Integrators
• Colleges and universities that utilize federal
data or information
• Research institutes and labs receiving federal
grants and information
Best Practices
100
Cybersecurity and Privacy Law
What is CMMC?
101
ConvoCourses
What is Protected?
Certification Levels
102
Cybersecurity and Privacy Law
103
ConvoCourses
104
Cybersecurity and Privacy Law
105
ConvoCourses
106
Cybersecurity and Privacy Law
107
ConvoCourses
108
Cybersecurity and Privacy Law
services.
• Detect: Identify potential cybersecurity events
promptly.
• Respond: Take action regarding a detected
cybersecurity event.
• Recover: Restore any capabilities or services
impaired due to a cybersecurity incident.
109
ConvoCourses
improvement state.
110
Cybersecurity and Privacy Law
Compliance
111
ConvoCourses
Risk Assessments
112
Cybersecurity and Privacy Law
issues.
• Technical experts from the system team.
113
ConvoCourses
114
Cybersecurity and Privacy Law
115
ConvoCourses
116
Cybersecurity and Privacy Law
Choosing a Framework
117
ConvoCourses
118
Cybersecurity and Privacy Law
119
ConvoCourses
120
Cybersecurity and Privacy Law
121
ConvoCourses
Common Challenges
122
Cybersecurity and Privacy Law
Sophisticated Threats
123
ConvoCourses
124
Cybersecurity and Privacy Law
125
ConvoCourses
126
Cybersecurity and Privacy Law
127
ConvoCourses
128
Cybersecurity and Privacy Law
FISMA
129
ConvoCourses
ISO 27001
130
Cybersecurity and Privacy Law
131
ConvoCourses
Certification Process
132
Cybersecurity and Privacy Law
So, while the specifics are different, the PCI DSS has a
similar assessment and validation process (or
"certification and accreditation") to ensure that
companies follow the required security practices.
However, unlike FISMA, which focuses on government
information systems, PCI DSS is focused on the
security of credit card data in the private sector.
HIPAA Certification
133
ConvoCourses
134
Cybersecurity and Privacy Law
135
ConvoCourses
136
Cybersecurity and Privacy Law
GDPR Certification
137
ConvoCourses
138
Cybersecurity and Privacy Law
139
ConvoCourses
140
Cybersecurity and Privacy Law
141
ConvoCourses
142
Cybersecurity and Privacy Law
AI Laws
Copyright Concerns:
143
ConvoCourses
AI in Cybersecurity:
Regulatory Frameworks:
144
Cybersecurity and Privacy Law
Ethical AI:
AI Governance:
145
ConvoCourses
146
Cybersecurity and Privacy Law
Conclusion
147
ConvoCourses
148
Cybersecurity and Privacy Law
149
ConvoCourses
References
Www.complianceonline.com.
https://www.complianceonline.com/resources/cybersecurity
-compliance-plan.html
19). Www.justice.gov.
https://www.justice.gov/jm/jm-9-48000-computer-
fraud#:~:text=The%20Computer%20Fraud%20and%20Ab
use
14). GDPR.eu.
https://gdpr.eu/article-42-data-protection-certification/
https://www.bbvaopenmind.com/en/technology/digital-
world/future-of-cybersecurity-predictions-trends/
150
Cybersecurity and Privacy Law
https://securityscorecard.com/blog/building-a-
cybersecurity-compliance-plan/
Justice Assistance.
https://bja.ojp.gov/program/it/privacy-civil-
liberties/authorities/statutes/1285
https://www.techtarget.com/whatis/definition/General-
Data-Protection-Regulation-GDPR
1996(HIPAA)|CDC. Www.cdc.gov.
https://www.cdc.gov/phlp/publications/topic/hipaa.html#:~:
text=The%20Health%20Insurance%20Portability%20and
151
ConvoCourses
https://blog.charlesit.com/what-is-dfars-and-what-does-it-
mean-to-be-compliant
https://www.upguard.com/blog/worst-hipaa-violation-cases
Www.upguard.com.
https://www.upguard.com/blog/cybersecurity-regulations-
and-frameworks-healthcare
(n.d.). Www.insurance.ca.gov.
https://www.insurance.ca.gov/0400-news/0100-press-
releases/anthemcyberattack.cfm
152
Cybersecurity and Privacy Law
https://www.endpointprotector.com/blog/data-protection-
in-japan-appi/
Trade Commission.
https://www.ftc.gov/enforcement/coppa-safe-harbor-
program#:~:text=The%20Children%27s%20Online%20Pri
vacy%20Protection
https://digital-strategy.ec.europa.eu/en/library/cyber-
resilience-act
https://en.wikipedia.org/wiki/DDoS_attacks_on_Dyn
https://www.digitalguardian.com/blog/what-glba-
compliance-understanding-data- protection-
153
ConvoCourses
requirements-gramm-leach-bliley-act
https://www.cuicktrac.com/dfars-compliance
(n.d.). Www.cisa.gov.
https://www.cisa.gov/topics/cyber-threats-and-
advisories/federal-information-security-modernization-
act#:~:text=Overview
Unblock.federalregister.gov.
https://www.ecfr.gov/current/title-16/chapter-I/subchapter-
C/part-312
https://www.csoonline.com/article/3619534/hitrust-
explained-one-framework-to-rule- them-all.html
Garg, R. (2021, October 24). All you need to know about the
154
Cybersecurity and Privacy Law
IPleaders.
https://blog.ipleaders.in/all-you-need-to-know-about-the-
childrens-online-privacy- protection-act-coppa/
from
https://iclg.com/practice-areas/cybersecurity-laws-and-
regulations/1-why-ai-is-the-future- of-cybersecurity
https://linfordco.com/blog/hitrust-csf-framework/
SecurityMetrics.
https://www.securitymetrics.com/blog/what-hitrust-
compliance
155
ConvoCourses
https://www.investopedia.com/terms/c/classaction.asp
https://www.hipaajournal.com/hipaa-explained/
Vitals.
https://securityvitals.com/3-considerations-before-
choosing-a-risk-management-framework/
https://www.facebook.com/thehackernews. (2022,
https://thehackernews.com/2022/12/what-stricter-data-
privacy-laws-mean.html
https://www.thalesgroup.com/en/markets/digital-identity-
and-security/iot/inspired/iot- regulations
156
Cybersecurity and Privacy Law
https://www.hipaajournal.com/what-is-hipaa-certification/
https://Blog.netwrix.com/.
https://blog.netwrix.com/2022/09/28/dod_cyber_security_r
equirements/
https://corpgov.law.harvard.edu/2016/03/03/federal-
guidance-on-the-cybersecurity- information-sharing-
act-of-2015/
Law. Www.soscanhelp.com.
https://www.soscanhelp.com/blog/the-future-of-cyber-
security-law
157
ConvoCourses
https://www.techtarget.com/searchcio/definition/complianc
e-audit
Cybersecurity. Lexology.
https://www.lexology.com/library/detail.aspx?g=f5adb291-
7dc9-4ade-af4b- 4d3cda9c9c29
from
https://udrc.lkouniv.ac.in/Content/DepartmentContent/SM_
aec24985-8fe2-4500-8414- 85de787ab1e6_30.pdf
FierceHealthcare.
https://www.fiercehealthcare.com/tech/anthem-to-pay-
39m-to-state-ags-to-settle- landmark-2015-data-breach
158
Cybersecurity and Privacy Law
https://blog.ipleaders.in/technological-developments-social-
impact-caused-cyber-law/
technology-act-2000/
2023, from
https://www.vsg-law.com/practice-areas/cybersecurity-
whistleblower-lawyer/nasa- contractor-requirements/
https://csrc.nist.gov/projects/risk-management/about-rmf
Nodis3.Gsfc.nasa.gov.
https://nodis3.gsfc.nasa.gov/displayDir.cfm?t=NPD&c=28
10&s=1E
159
ConvoCourses
Brookings; Brookings.
https://www.brookings.edu/articles/cybercrime-dilemma-is-
it-possible-to-guarantee-both- security-and-privacy/
https://www.priv.gc.ca/en/opc-actions-and-
decisions/research/explore-privacy-
research/2014/cs_201412/
Acquisition.gov; ACQ.gov.
https://www.acquisition.gov/nfs/part-
1852%E2%80%94solicitation-provisions-and-contract-
clauses#Section_1852_204_76_T48_6042344114
https://www.itgovernanceusa.com/pci_dss
160
Cybersecurity and Privacy Law
Www.pdpc.gov.sg.
https://www.pdpc.gov.sg/Overview-of-PDPA/The-
Legislation/Personal-Data-Protection-Act/Data-Protection-
Obligations
https://Www.nortonrosefulbright.com/En/Knowledge/Publi
cations/Imported/2018/07/18/05.
https://www.nortonrosefulbright.com/en/knowledge/public
ations/f959f04d/personal-information-security-specification
January28). Www.auditboard.com.
https://www.auditboard.com/blog/privacy-vs-security/
Signon.thomsonreuters.com.
https://uk.practicallaw.thomsonreuters.com/3-508-5021?
transitionType=Default&contextData=(sc.Default)
161
ConvoCourses
&firstPage=true
https://reciprocity.com/blog/5-steps-to-performing-a-
cybersecurity-risk-assessment/
https://www.cybersaint.io/cybersecurity/frameworks-and-
standards/dfars
countries. Medium.
https://wizardingcodes.medium.com/cyber-laws-in-
different-countries-505524434229
https://www.geeksforgeeks.org/information-technology-
act-2000-india/
162
Cybersecurity and Privacy Law
https://www.csoonline.com/article/3410278/the-biggest-
data-breach-fines-penalties-and- settlements-so-
far.html
Www.accountablehq.com.
https://www.accountablehq.com/post/the-hipaa-privacy-
rule
https://Blog.netwrix.com/.
https://blog.netwrix.com/2021/06/18/cybersecurity-
maturity-model-certification- compliance/
www.upguard.com.
https://www.upguard.com/blog/fisma
163
ConvoCourses
www.upguard.com.
https://www.upguard.com/blog/sox-compliance
https://legal.thomsonreuters.com/en/insights/articles/unders
tanding-california-consumer- privacy-
act#:~:text=The%20CCPA%20grants%20consumers%20se
veral
Know. UpCounsel.
https://www.upcounsel.com/cyber-law
https://blog.ipleaders.in/data-protection-and-privacy-
policies-in-cyber-law/
164
Cybersecurity and Privacy Law
https://thediplomat.com/2017/06/chinas-cybersecurity-law-
what-you-need-to-know/
https://www.cube.global/resource/what-global-cyber-and-
cybersecurity-regulations-are- there/
https://www.schneiderdowns.com/cybersecurity/what-is-
hitrust#:~:text=The%20HITRUST%20Common%20Securi
ty%20Framework
https://www.titania.com/resources/guides/nist-800-171/
Wikimedia Foundation.
https://en.wikipedia.org/wiki/Facebook%E2%80%93Camb
165
ConvoCourses
ridge_Analytica_data_scandal
Wikimedia Foundation.
https://en.wikipedia.org/wiki/Cybersecurity_Law_of_the_P
eople %27s_Republic_of_China
https://www.theguardian.com/technology/2019/mar/17/the-
cambridge-analytica-scandal- changed-the-world-but-it-
didnt-change-facebook
166