There is a saying used frequently in information security: “You can’t have privacy without security, but you can have security without privacy.” The adage suggests that a proper security plan is a prerequisite for protecting private data. Despite the growing ubiquity of this inclusive/exclusive model, many still fail to distinguish between security and privacy, often incorrectly using the terms interchangeably.
How should you mentally draw the distinction between security and privacy? The following points will help you to speak more pointedly regarding the relationship between security and privacy initiatives within your organization as you collect more data and as your customers grow increasingly concerned about their own privacy.
Where Does Security End and Privacy Begin?
If that’s what you’re asking, you’re asking the wrong question. It assumes there is a clear-cut separation. Rather, we should be asking, “How are privacy and security connected?” Although a touch oversimplified, an easy way to frame the relationship is this: privacy is the right to be free from public observation, and security is the actual protection from that public observation.
In terms of data privacy, your customers (and consumers at large) should be notified of the breadth of information collected and the intended purpose of that information by your organization. This notification is generally in the organization’s privacy policy. Privacy becomes the choice of the informed consumer – “Am I willing to provide this scope of information for this particular product or service?” If so, he agrees to the terms of that agreement. If not, he pursues an alternate service or no service at all.
On the other side of that coin, how your organization protects that customer information is the data security in this example. When the individual agrees to your privacy policy, he entrusts your organization with his personal data.
If You’re Collecting More Data, You’d Better Be Protecting More Data
Are you big on Big Data? If you plan on collecting more customer information in 2018, then you had better have plans to protect that data and your organization’s reputation.
While your customers may be willing to give up some of their private data for the sake of convenience, their participation in your data collection efforts places a responsibility on your organization. A Pew Research report suggests that consumers care more and more about their data privacy and are thus more likely to scrutinize organizations that jeopardize their personal data.
Your customers also have the law on their side – at least somewhat. While the United States does not have a single, overarching privacy law similar to the upcoming GDPR in the EU, it uses a patchwork of laws to protect certain types of information (HIPAA, PCI DSS, etc.) or the information of certain protected groups (ADA, COPPA/CIPA, etc.). In the coming years, we should expect federal laws to place even greater responsibility on enterprise organizations that are unwilling or unable to comply.
How You Should Consider Privacy Versus Security
It is important for you and your organization to consider the relationship between security and privacy when planning future initiatives. In this regard, when adopting a security-first mindset, think about how the personal data collected by your organization could impact your customers or your employees. Invest in a holistic security plan that accounts for how all data is managed, both in transit and at rest. Likewise, think about how you can limit the amount of data collected in the first place. Data that isn’t collected doesn’t need to be protected.
Need more help drawing the line connecting security and privacy within the context of your organization? We can help. Leverage N2K’s Cyber Resolve board and executive training programs within your organization.