25 years ago, privacy and security were rarely used in the same sentence. 20 years ago, as technology began to grow exponentially, industry experts began to publicize the relationship between the two. Now, in 2019, the terms once deemed distant cousins are as closely related as brother and sister.
What is security?
The National Institute of Standards and Technology defines security as “Freedom from those conditions that can cause loss of assets with unacceptable consequences”. Simply put, security is the controls an organization has in place to protect information from unauthorized access.
What is privacy?
Privacy is personal. Privacy is defined by the European Data Protection Supervisor as the “ability of an individual to be left alone, out of public view, and in control of information about oneself.” Regardless of how privacy is defined, the greatest impact on individuals occurs when privacy is interpreted by governments and organizations collecting data.
Theoretically, individuals should have the right to be the gatekeepers of their personal information. However, this isn’t always the case. As a result, new or amended privacy laws are popping up like daisies all over the world, highlighting where personal information is collected, processed and stored. Having said that, the question becomes, how is this information protected? The answer? Security.
How are security and privacy related?
Privacy laws require companies to keep personal information safe through security. As long as organizations collect, process, and store personal data, privacy and security go hand-in-hand. Let’s walk through some scenarios:
First, online shopping. When a consumer shops online and they enter personal information, they assume it will be protected. At minimum, a consumer enters their first and last name, phone number, home and shipping address, email address and credit card information at the time of purchase. By law, organizations must protect the consumer’s personal information from being maliciously or accidentally exposed once they have access to the data.
An organization puts itself at serious risk by not protecting consumer privacy. Not only are there harsh fines for companies that neglect security, but the loss of consumer confidence can easily tank sales and put a company out of business.
The second scenario is a doctor’s office visit. Not only does a doctor’s office have the names, addresses, credit card information, etc. of patients, but it also has their social security numbers and all their personal health information. For this reason, the health care industry has some of the strictest privacy and security regulations of any industry, and the fines to match.
In these two examples, it’s clear why the relationship between privacy and security within organizations needs to be a strong one.
How is the industry coping?
I would love to paint a picture that organizations are reacting to the closer-than-ever relationship between privacy and security with grace; however, that’s not the case.
For years security has been made a priority within organizations, while privacy has been the “red-headed stepchild” without a dedicated space. In Europe and in other parts of the world, it’s the expectation for organizations to have dedicated privacy resources. However, in the United States, legal, compliance, information security, and governance are just a few places where organizations have placed privacy. Often, resources are split among those departments to tackle any privacy issues at an ad hoc level. In this approach, privacy is not given the respect it deserves, which will cause complications in the long run.
A frequent question asked as privacy fever strikes the United States is “Where does an organization start if they haven’t made privacy a priority?” The short answer is to first implement privacy by design, so that your organization builds privacy controls into the design and operation of IT systems, networked infrastructure, and business practices just as you would security. Second, it’s critical to understand that implementing good privacy requires administrative work as well as logical work. By devoting time and resources to privacy, an organization can begin to strengthen the relationship between security and privacy.
LEAD PRIVACY ANALYST