INTRODUCTION
The aim of this chapter is to analyse ‘Security by Design’ (SbD) as an emerging concept in EU Law, especially in the fields of information security and data protection. This is especially relevant in light of the growing number of data breaches and the ever-increasing pervasiveness of Internet of Things (IoT) devices. This is even more so if we take into account the worrying trend, especially among important market players, to tolerate risks of data breaches and therefore keep IT security investments relatively low. The first part of this chapter will substantiate the notion of SbD by deciphering the exact meaning of the concepts of ‘design’ and ‘security’, with a strong focus on the IT sector. The second part will then explore the emergence of SbD as a principle in the EU legislative framework. In that context, a comparison will be made with the ‘Data Protection by Design’ (DPbD) paradigm, which has been one of the cornerstones of the data protection reform. The last part will then highlight some of the challenges inherent to the ‘by design’ approach.
DECODING ‘SECURITY BY DESIGN’: A TALE OF ‘SECURITY’ AND ‘DESIGN’
Before delving into the substance and challenges of the SbD paradigm, it is crucial to clarify the exact scope of the notions that lie at the heart of that approach, namely: ‘security’ and ‘design’. In the ICT context, ‘security’ has been defined by the European Union Agency for Network and Information Security (ENISA) as the protection against the threat of theft, deletion or alteration of data stored or transmitted within a system. Such a definition echoes the so-called ‘CIA triad’ – namely confidentiality, integrity and availability – which has been recognised as the basis of information security over the last decade. While the notion of security traditionally encompasses the protection of both physical (e.g. a data centre) and non-physical (e.g. the data processed on the said servers) assets, the present contribution will – for the sake of conciseness – be limited to the analysis of the second component.
‘Design’, on the other hand, refers to “the process by which an agent creates a specification of a software artefact intended to accomplish goals, using a set of primitive components and subject to constraints”. Alternatively, the notion of ‘software design’ has been referred to as “all the activities involved in conceptualising, framing, implementing, commissioning, and ultimately modifying complex systems”.