One question that I am frequently asked is “what is the difference between privacy and security?” It sounds simple enough, but the response often gets complicated. Maybe an analogy will help.
Privacy, security, and windows
Consider a window in your home. It provides various functions for you. It allows you to look outside. It lets sunlight into your home. A window keeps weather outside. You can open a window to let in fresh air. In an emergency, you can use a window as an exit.
A window is also vulnerable. Just as you can use it as an egress, others can use it as an entrance. To protect against unwanted visitors, you can put bars or a grate in front of the window. This still allows you to keep all of the desired functionality the window provides. This is security.
Just as you can look out a window, others can look in. Preventing unwanted eyes from looking in can be addressed by putting a drape, a curtain, or a shade inside of the window. This is privacy. Obscuring the view inside of your home also provides a little security as intruders may not be able to tell when you are home or see the things you own.
Privacy, security and business information
It is not much different in a business environment with regard to information. Security provides protection for all types information, in any form, so that the information’s confidentiality, integrity, and availability are maintained. Privacy assures that personal information (and sometimes corporate confidential information as well) are collected, processed (used), protected and destroyed legally and fairly.
Just as the drapes on a window may be considered a security safeguard that also protects privacy, an information security program provides the controls to protect personal information. Security controls limit access to personal information and protect against its unauthorized use and acquisition. It is impossible to implement a successful privacy program without the support of a security program.
Just as the bars on a window help prevent intruders from entering into your home while allowing people to look inside, a security program can implement controls without regard for privacy. For example, a security program could require credentials to access a network without restricting access to personal information. You would have security but no privacy, as anyone with valid credentials can see all of the personal information your organization possesses.
What information does a privacy program protect?
A security program protects all the informational assets that an organization collects and maintains. A privacy program focuses on the personal information an organization collects and maintains. So, what is personal information? Answering this question is for the privacy team to address.
One way to define personal information is to look at applicable laws and regulations. Often, in the U.S., statutes and regulations define personal information as first name or initial along with a government issued identification number, financial account information, or health information. While the protection of this type of information provides direct protection against identity theft, theft of funds and discriminatory acts, is this definition comprehensive?
Consider an email address. For many web sites, an email address is half of the credentials needed to sign in. Also, if an email address for an individual is obtained from a particular business, it is easy to create a credible phishing campaign posing as providing a communication from that business.
If a legal definition for personal information is used, email address may not be protected adequately against unauthorized access nor will people be notified if their email address is lost in a data breach.
A privacy program needs to at least consider going beyond the legal definition of personal information to meet the expectations of their organization’s stakeholders. A broader definition of personal information is “any information related to an identified or an identifiable individual.” A privacy program needs, for its organization, to find that balance between the legal definition and the broad definition for personal information.
Protecting personal information
Given the organizational definition of personal information as a foundation, a privacy program needs to define the processing and protection requirements for personal information. The protection requirements include items such as what organizational roles have access to the information, when and how the information may be shared internally and externally, and when and how the information should be destroyed. These requirements should relate to personal information on any media, not just electronically stored.
These and similar privacy-related requirements are provided to the security program to implement appropriate protections and controls. It is not up to a privacy program to state the technology or processes to be used to protect personal information (though the privacy team may have valuable opinions); it is up to the security specialists to make this determination.
Therefore, a privacy program is dependent upon a security program. This creates a necessity to establish a cooperative, interdependent relationship be established between the teams (and the Chief Privacy Officer and Chief Security Officer).
This article was written by Bob Siegel from CIO and was legally licensed through the NewsCred publisher network.