People often ask me: what’s the difference between protecting data and protecting personal data (or PII). It’s true, privacy and security have a lot in common. But there are fundamental differences in the levels of data protection that privacy demands over security. Let’s take a look at the objectives of the safeguards, the overlap between privacy and security and some run through some examples which highlight the differences.
Cybersecurity rests on three principles commonly called the CIA triad: confidentiality, integrity, and availability.
The principles revolve around your company’s ownership over the information.They are there to serve the company’s interests in using such information and keeping your competitive edge. It is also worth noting that you and only you can decide which data is worth protecting depending on what you consider to be crucial to your business.
Confidentiality is the principle that essentially boils down to: “protected information shall be kept secret from unauthorized persons”. In simple words, protection against internal and external threats of exposure. The controls covering confidentiality aim to reduce the chance or impact of confidential information being disclosed.
While confidentiality always takes the crown and is often perceived as the only objective of cybersecurity, integrity and availability are also important.
Say, for example, a key account manager who has read/write access to your CRM system has changed the billing system and diverts payments from clients to his own bank account by issuing doctored invoices. Confidentiality is not broken in this case, yet a certain vulnerability has been exploited; the data’s integrity has been tampered with.
Accordingly, companies should design and implement measures to protect their information against unexpected or unauthorized alteration.
No one likes service downtime. If you are providing a service that is essential, such as banking, being available becomes an obligation and you have to report certain downtimes to the regulator (e.g. those exceeding 15 minutes).
The rationale behind this is that when information is unavailable, it can lead to harm. Availability is the principle aimed at protecting against this harm.
Imagine you received a support request message from a customer asking to change their billing plan. The ticket is closed and purged after 30 days. Once the billing cycle comes, the customer disputes the change, saying you have to prove that the message was sent by an authorized person.
Even though none of the above 3 principles have been breached, valuable data has been lost. This is where non-repudiation comes into play: it’s an attribute of an information system which ensures that its users cannot deny having performed actions within it.
The first laws protecting privacy were enacted in Europe in the 70s. They, as well as laws in the US and Canada that followed, define privacy as an individual’s right to control data that relates to them.
That is the essence of the difference between privacy and cybersecurity. Cybersecurity protects your assets, while privacy focuses on protection of individual’s rights.
Privacy protects people against two types of harm: subjective and objective:
For example, feeling under surveillance or negativity from excessive collection of data.
For example, if exercise data collected via a smart watch app is used to administer medical treatment, mistakes in data or algorithms could cause bodily harm due to incorrect dosages being given.
To prevent or reduce these types of harms, lawmakers and industry groups have come up with a number of principles of data protection. A good example of such principles are the Generally Accepted Privacy Principles.
The main focus of these principles is to assess the likelihood and impact of harm to individuals and provide them with the tools to manage such risks, e.g. so that individuals can provide and withdraw consent, obtain information from Privacy Notices, etc.
It’s not completely surprising that people think privacy is just part of security because there is quite a lot of overlap between the two. But, then again, there are also marked differences.
A cybersecurity incident that concerns personal data is always a privacy incident. This is because not only are you losing control over your assets (which is a breach of cybersecurity principles), but also because the individual’s data is processed in an unexpected and uncontrolled manner (which is a breach of privacy). If data is accessed by hackers, they are likely to exploit and resell this data, leading to possible financial harm to the person concerned.
As a result, protecting your systems against, for example, ransomware or hackers, will cover both cybersecurity and privacy.
But not every privacy incident is a cybersecurity incident. This is because sometimes the individual suffers unjust harm even though all systems are working as intended.
Let’s take the example of a popular women's health app called Flo. Back in January 2021 it reached a settlement with the FTC on privacy violations. The crux of the case is that Flo shared health data, including period and ovulation data, with Facebook and Google which used the data for their own benefit, including targeted advertising.
No cybersecurity principles were breached: Facebook and Google only received data that Flo decided to provide them. The problem is that users experienced discomfort and loss of control over their data. And that is a privacy violation.
As you can see, the measures that have to be put in place are different.
While security software like next-generation firewalls and data loss prevention services can shore up defences against security incidents, legal measures such as privacy policies, data processing impact assessments, and records of processing activities are used to ensure privacy of PII.
In fact the difference is so large that there exists a privacy gap between the things the information assets security software protects and the legal measures designed to protect consumer data.
Learn about privacy incidents and risks
While you would not be alone in thinking they are the same, we can definitely say that privacy is not cybersecurity in disguise. While there is much overlap, privacy requires its own approach.
If you would like to learn more about how you can improve your privacy, book a call with Soveren.
