Cybersecurity is not Privacy

You've spent time, effort, and money building a solid cybersecurity structure for your organization. You believe you have privacy — specifically, data privacy — also covered.

Unfortunately, that may not be the case. Good cybersecurity does not equal good data privacy. Understanding this critical distinction will help you better protect your organization!

But why?

There is a saying in data privacy, "You can have good information security without good privacy, but you cannot have good privacy without good information security." 

In other words, you may have the best cyber/information security program possible, with no external or internal threat that can breach your data or systems. But your organization may not have sound privacy practices, so it may violate privacy laws and regulations by abusing (intentionally or not) privacy requirements.

The CIA Triad doesn't include privacy

Ensuring privacy requires doing more than just protecting the information that you collect. For instance, the CIA Triad (Confidentiality, Integrity, and Availability) is a common model that many use to lay a foundation for developing security systems. Yet it does not contain privacy. 

Privacy protects individuals and how their information is used. Think about it this way: I trust you enough to provide my name, date of birth, home address, bank account information, and favorite sports team. I trust you will secure that information. I also trust that you will not sell my information (without my explicit consent) to others.  But if you employ the CIA Triad without consideration for privacy, you might. Why would you sell my information without my explicit consent? To make money, of course! But should you?

Why privacy matters

Nowadays, many jurisdictions, including California, grant persons the "right to be forgotten," or the right to have their data collected by an organization deleted upon termination of their business engagement with that organization. 

If you’re that organization, you may have security protections around that person’s data. Still, if you do not delete it when requested, you may have a privacy violation.

There are many privacy requirements regarding personal data that are unrelated to cybersecurity concerns. Some might be:

• What data can be collected?

• How is it collected? 

• How is it used beyond the initial intended purpose?

• Who is it shared with internally in your organization and externally? 

• Will it be sold to third parties?

None of these are related to good cybersecurity or protecting the data from security threats. Instead, those requirements center on protecting the personal rights of the individual providing the information. Some big named companies have dealt with hefty fines in parts of the world for abusing privacy while simultaneously providing world-class security. Sound familiar, Google?

Privacy requires security

You and your organization need sound security practices to protect personal data privacy. You may comply with all privacy regulations (and many more to come). Still, if you allow the data to be breached due to inadequate or inefficient security measures, you have not fulfilled your privacy obligations. Having all your customers' personal information posted on the "dark web" is not protecting their privacy. "Unintended disclosure" is a bad thing both for privacy and cybersecurity.

Closing thoughts

When you set up cybersecurity for your organization, please avoid falling into the trap of thinking that you also have set up good privacy. While related, the two areas of protection differ and require complementary but differing "duty of care" requirements. Protecting personal confidentiality does not allow an organization to abuse or misuse that information. Security does not equal privacy, but privacy requires security.

Sharing this article is the stuff that dreams are made of… right? Whateves, just share it. 🤣

Are you looking to go to a persona page?

Cyber 101 | The Solopreneur | SMB | BoD