At the “The Debate Between Security and Privacy Continues: WhereDo We Draw the Line?” panel at ALM’s 2016 CyberSecure conference inNew York, privacy and security experts spanning government,corporations, and law firms raised key questions about howcompanies, individuals, and law enforcement interests can balancetheir needs to secure data across these policy lines.

Moderator Mauricio Paez, partner at Jones Day, explained thatthere is a significant gap between policy and regulationimplemented at the state level and “ground level,” people who dealwith that policy in their work, like chief information officers atlarge companies and law enforcement agents, all the way down toindividual users.

Sachin Kothari, director of online privacy, compliance andstandards at AT&T, said that this disconnect often stymiesgrowth for large companies. Because policy demands specificprotocols for data structures and housing, Kothari said thatcompanies struggle to adapt developments in data streams likeInternet of Things (IoT) technology.

“It can really hamper and limit companies from being able tosecure user data,” he said.

Additionally, Kothari noted that data regulation intended toprotect user privacy can also hamper company innovation around newdata streams. “There is a challenge to protect data and implementnew technology,” he said.

Panelists somewhat agreed that current policy around informationsecurity and regulation can create some unnecessary challenges.Because of the complexity and confusion created by currentinformation security regulations, many companies feel they need tocall in legal reinforcements to cope with extensive and perhapsexcessive amounts of regulation.

“You need to have a good understanding of privacy law, becauseyou’ll feel like your hands are tied,” Kothari added.

Bill Sieglein, founder of the CISO Executive Network, said hiswork as a CISO requires a balancing act. In investigating breaches,the CISOs Sieglein works with are looking to identify potentialsites of a breach. In doing so, though, “you might be stepping onprivacy’s toes,” he said.

Amie Stepanovich, U.S. policy manager for D.C.-based globaldigital rights advocacy group Access Now, said privacy and securityshould be considered less as conflicting interests and more aspartners in policy. “They should work together,” she said. “Thereis a mutually beneficial relationship between privacy andsecurity.”

Law enforcement’s access to user and company data has garneredincreased scrutiny over the last few years, but panelists largelyagreed that law enforcement have a key role to play in datasecurity.

Paez suggested that law enforcement need substantial, if notuniversal, access to data across privacy lines because of theirprotective role. “It’s about guarding data from unauthorized accessand use,” Paez posited.

Stepanovich added that user privacy is a “fundamental humanright” and should be the foremost concern in developing policyaround what data law enforcement can access. Though encryption doesprevent law enforcement agencies from gaining full access to alldata at any time, Stepanovich said there could be more problematicconsequences to creating data security infrastructure with built-inholes for law enforcement to gain universal access.

Rather, Stephanovich suggested the legal industry shift thediscussion around this issue to helping law enforcement protectagainst breaches and identify cyberattackers, rather than simplybulldozing privacy safeguards like encryption. Law enforcement needto “get the data they need to solve crimes, not to bypassencryption,” she noted.

Mikhail Dvilyanski, supervisory special agent of the cyberbranch of the FBI, agreed with Stepanovich’s assessment, but urgedaudience members to consider what security problems could arisewhen law enforcement is unable to properly investigate certainbreaches or crimes.

“We should think about the implications if we say that lawenforcement is not able to get certain data,” Dvilyanski said.