Secured Phone. Book, and Laptop

Security vs Privacy

ByAaron Balchunas

Data is precious, especially people’s personal information. Loss or misuse of that information can cause severe financial and emotional hardship for a victim.

Safeguarding that data grows increasingly difficult. The surface area is wide – more organizations than ever collect and store data on people. Bad actors multiply both in number and sophistication. Regardless of the challenge, protecting data remains a solemn and vital responsibility.

Two terms dominate the discussion in this domain – security and privacy. Sometimes they are used interchangeably, which is incorrect. The concepts are related, but also distinct in focus:

  • Security refers to the protection of data, and the systems that store data
  • Privacy refers to the appropriate use of data by an organization

Organizations store a variety of data types. Security and privacy often focus on customer or employee personally identifiable information (PII). Definitions of PII vary. The broadest definition involves a person’s name plus any other identifiable attribute of that person (such as address, phone number, birth date, etc.).

Some PII is considered more highly sensitive, such as Social Security numbers, bank account or credit card numbers, and driver’s license numbers. Breach or misuse of this data may cause more significant impact to a victim.

Let’s briefly explore the difference between the security and privacy, using PII as an example.

Security

Security focuses on the protection of data, whether that data is:

  • At rest – stored on some system or medium
  • In transit – transmitted between systems, either within an organization or between organizations

Protecting data requires a multitude of controls, integrating people, process, and technology. Any individual control can be compromised or circumvented. Layers of controls – known as defense in depth – can dramatically reduce risk.

No single article can cover the vast expanse and complexity of security controls. In general though, security controls focus on safeguarding against:

  • Malicious access or misuse of data, by either an external or internal entity
  • Accidental misuse or exposure of data, from either carelessness or poor design

Let’s look at an example. An organization stores the sensitive PII of its customers. Security is concerned with ensuring the PII is:

  • Restricted to appropriate personnel using approved mechanisms
  • Accessed only by personnel trained regularly on security awareness
  • Encrypted while transmitted between systems or to other organizations
  • Encrypted while at rest (i.e., stored)
  • Stored on patched systems, free from serious vulnerability
  • Firewalled from untrusted networks
  • Backed up and recoverable
  • Regularly monitored for malicious or unexpected activity

Furthermore, a healthy security program will frequently test controls and systems, to ensure these protections remain effective.

Privacy

Privacy, on the other hand, focuses on the appropriate use of data. This includes:

  • What data is collected
  • How that data is used for business purposes
  • Who the data is shared with
  • How long the data is retained
  • The rights of a person to manage or delete their data

Ultimately, privacy enforces the responsible and transparent use of information. No organization should:

  • Collect or store your information without your knowledge or consent
  • Collect information unnecessary for its business function – i.e., an ice cream parlor does not need your social security number
  • Share your information with a third party without your knowledge or consent
  • Hinder you from having that information deleted, assuming the information is not necessary for the organization to execute a contracted service or function

Most organizations publish a Privacy Policy, informing customers on the usage, sharing, and retention of data. This is often required by law. Organizations may require a customer to explicitly sign the privacy policy policy before entering an agreement.

Privacy Policies are often dense (or worse, vague). Customers often sign without reading. Stay informed – ensure you are comfortable with the usage of your information!

Many laws, both in the US and internationally, are concerned with privacy. This remains an evolving, and passionately debated, landscape.

How They Relate

Security and privacy remain closely intertwined. Both focus on risk. Both intend to protect people. Arguably, both are of equal importance.

You cannot have privacy without security. A security breach of customer data is certainly a breach of privacy as well. Technically, security without privacy is possible – but why do business with an organization that will protect your data but not use it responsibly?

Organizations vary on structure around security and privacy. Most organizations employ a dedicated (or outsourced) security team, usually under an IT or engineering umbrella. Privacy may fall under a legal or compliance team. Other organizations may combine security and privacy under one ‘risk’ tree.

Every organization is different. No one way is ‘correct.’ However, each organization should ensure a clear owner for each function. Do not assume a technical security team will have privacy covered as well. Each function deserves appropriate attention and focus.

The distinction between security versus privacy may be obvious for some. Others may find it murky. I hope this yields some clarity. Take care!

© 2024 Aaron Balchunas
Lucid Resource content is free to use and distribute under two conditions:
(1) my name and copyright remain attached, and
(2) this content is not sold or altered without my written permission