Bridging the Gap Between Security and Privacy
Security Geeks and Privacy Peeps
When the general public thinks of security, a common image may be that of IT guys (maybe with ponytails), video cameras, security gates, etc. Conversely, when those same people think of privacy, the first things that come to mind are probably lawyers, headlines involving emerging technologies and the politics surrounding data protection – that is just how those two areas have been consistently presented over the years. These established images have steered the general public into perceiving the two fields and concepts as completely different. As some of you reading this may already know, the interpretation that security and privacy are completely different ideas isn’t accurate – they are more complex and connected than people think.
For those of us working in the information technology world, we tend to see things a little differently. When we think of security, we may tend to think of the IT team, computer help desk, maybe the “fix-it guy”. When we think of privacy, we most likely think of the compliance team or a legal team associated with the organization. “I don’t know. Go ask IT.” or “Have you checked with legal yet?” are pretty common questions nowadays. We realize that the two teams/departments have to interact with each other to some extent to find out what parameters the business can operate in, but still tend to think of the two as unrelated. However, what if there was a commonality between the two? What if there was a simple way to bridge the supposed gap between security and privacy?
In Order to Understand the Commonalities, One Must First Understand the Differences
Admittedly, security and privacy do have different applicability.
Security is security – where the fundamental concept revolves around maintaining the confidentiality, integrity and availability of information (what is commonly referred to today as the CIA triangle). It speaks to who is able to access the information, how the data is kept whole and in its intended form, and the information being on hand when needed. Information is either secure or it is not, and security practices are often applied in accordance with national and international security standards and industry best practices. Today, organizations are expected to apply current industry best practices the right way in order to adequately protect the information of the company, their customers, and other third-party organizations.
Security is relevant for different types and categories of information, as determined by the organization, its customers, and sometimes laws and regulations. All businesses process information that is deemed sensitive (to someone, somewhere), whether it be financial data or trade secrets, patents or legal claims. As such, organizations are expected to have reasonable security measures in place before an end user or business will engage them for services. There is a level of trust involved when conducting business with an organization. When that trust is broken, there can be massive repercussions from a reputation standpoint, as well as a financial standpoint for certain industries. Target and Equifax, among others, are still dealing with the effects to their reputations, as well as their bottom lines. Information security is and remains important at all times, as organizations must protect the trust and information given to them by their customers and end users.
Privacy, on the other hand, comes into play only in certain situations – situations where an organization collects or processes personal data. Privacy is normally enforced by laws, regulations, and bills where personal data is defined to include different information. The definition of personal data is normally broad, and is meant to include various information such as name, address, date of birth, email address, and more, often in relation to finances, healthcare, etc. However, most definitions of personal data essentially boil down to information that is related to an individual and can be used to specifically identify that individual. While the concept of security pertains more to the protection of all data relevant to a business or end user transaction, privacy focuses in on the protection and rights inherent to personal data.
What does “the protection and rights inherent to personal data” mean? In most countries, there are fundamental rights established for individuals speaking to their right to privacy or their right to be left alone. Privacy controls at an organization should help protect those rights and mitigate the risks to those rights present in the services provided. If an individual entrusts personal data to your organization, it is your organization’s responsibility to ensure that the personal data is only handled, shared, transmitted and stored as the individual has instructed or authorized in order to preserve their privacy. Just because they have given you their personal data, which could include some very private information about their health or personal life, that does not automatically mean they want it shared with the world or that you can do whatever you want with that information.
With security, as mentioned above, information is either secure or it is not. There is no middle ground, no partial security that can be achieved. There are degrees of security controls that can be put in place for information to be more secure, but that implies that the information was already secure in the first place. At the end of the day, if information is not secure, an organization cannot say with confidence that it has a handle on security. With security, an organization will be hard-pressed to find a customer that says they want their information to be less secure or unsecure. With privacy, the whole concept is flipped on its head. Even when personal data is publicly available, and isn’t necessarily considered private, the concepts and controls around privacy could still be present.
That’s right, even if an individual’s personal data is not private, the organization harboring it could still be considered to have a good handle on privacy – that is, if the organization has a proper privacy program in place. Unlike security, privacy is up to the data subject (the individual to whom the information pertains). It is up to the individual as to how much their personal data is processed, the purposes for which it is used and with whom it is shared. The data subject has control over how private his/her information is and will oftentimes elect for less privacy in exchange for more functionality or a better user experience. If the organization is providing data subjects with all relevant options and choices on how to access, handle, retain, transmit and store their data (and has controls in place for data subjects to act on those options and choices), the organization may have a pretty good handle on privacy.
Security and Privacy – One Within and Without the Other
Can security exist without privacy? Sure. Again, it depends on whether the organization collects and/or processes personal data. Without personal data, there is no inherent need for privacy. Can privacy exist without security? No. Security is integral for privacy, and the latter cannot exist without the former. Without security, individuals cannot control who can access their personal data, make sure their information is accurate during processing or be able to modify or access it when necessary. Without proper security controls being in place, the privacy controls will not have a leg to stand on. So, despite their differences in applicability, there is still a discernible bridge between the two concepts.
If you were to picture a Venn diagram, the circle for security would be focused on the confidentiality, integrity and availability of information, as previously noted. The privacy circle would be focused on authorized use, collection and lawful processing of that personal data, as well as data subject rights provided to individuals. The overlap would occur where privacy is concerned about the quality of and access to that personal data. The two circles would overlap for personal data in this area. As security speaks to all information deemed sensitive or confidential in nature, it would include the personal data. If security did not include the personal data, then you would be looking at an incomplete circle for privacy.
An organization’s data management practices should marry the two concepts together even more intricately. Data management should always be the foundation for an organization’s security and privacy practices. Why? An organization’s efforts should be concentrated around where data is collected, processed and stored and the controls applied should directly correlate to the sensitivity and associated risks of the data. Without data management, security and privacy efforts may not be directed in the right areas or cover the right information, so establishing effective data management is crucial to the securing of data, personal or not.
At the end of the day, security and privacy aren’t unrelated, but rather different pieces of the same puzzle. Going forward, your organization may find it beneficial to think of your security and privacy teams/departments as intertwined, rather than separate. The two groups should work together to make sure all associated risks are addressed when processing personal data. With a little synergy, security and privacy teams can build a robust data protection environment, allowing the organization to roll with the punches of any new security or privacy frameworks and regulations that come its way. When in place, leadership of the organization can also sleep soundly knowing that the trust and information given to them by their customers and end users is adequately protected.
About CHRIS LIPPERT
Chris Lippert is a Senior Associate at Schellman and is based in Atlanta, GA. With more than 5 years of experience in information assurance, Chris has a concentration in SOC and privacy engagements. He is a member of the International Association of Privacy Professionals (IAPP) and advocates for privacy by design and the adequate protection of personal data in today’s business world.