Ever since the September 2017 Equifax data breach that exposed the personal information of 147 million Americans, and the many other high-profile data breaches that have happened since, data security and data privacy have become pressing boardroom-level concerns.
“The Equifax debacle is where a lot of the inherent [cybersecurity] issues really surfaced to the business level,” said Aaron Shum, practice lead, Security, Privacy, Risk, and Compliance, at Info-Tech Research Group. “It’s where we discovered the level of incompetence that can exist in an organization.”
According to the 2019 Edelman Trust Barometer Special Report: In Brands We Trust?, 81% of consumers said that brand trustworthiness plays a major role in their buying decisions. In other words, data breaches today not only represent a bottom-line risk in the form of penalties, but they also jeopardize an organization’s brand and reputation, directly impacting its ability to attract new customers and retain existing ones.
“Businesses need to treat privacy as both a compliance and business risk issue to reduce regulatory sanctions and commercial impacts such as reputational damage and consequential loss of customers due to privacy breaches,” said Steve Durbin, managing director of the Information Security Forum in the UK.
More than semantics
For many outside of the infosec community, the terms ‘data security’ and ‘data privacy’ are often used interchangeably. In reality, even though they share a common goal, they are not the same, said Greg Ewing, cybersecurity partner at Potomac Law.
“The difference between data privacy and data security is the difference between protecting someone’s personal information and the security measures you have in place to protect all of your business’ information,” he said.
With regulations like the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) now in effect, this distinction is more than a matter of semantics. The GDPR, for example, imposes serious financial penalties that can range into the billions of dollars for data breaches involving personally identifiable information (PII) of EU citizens. At between $2,500 and $7,500 per PII record, non-compliance penalties under the CCPA can add up quickly, as well.
With the COVID-19 pandemic showing no signs of abating, more people are spending more time online than ever. The massive shift in online usage both pre- and post-COVID-19, combined with the general distrust of how large social media and entertainment companies monetize customer data, is not going unnoticed by state regulators. According to the National Conference of State Legislators, privacy bills are now under consideration in 30 states.
“Data privacy is, in essence, a subset of an organization’s data security,” Ewing said. “The distinction is important because, although the tools used to maintain data privacy and to ensure data security may overlap, the two are generally addressed differently by different teams using different tools.”
This overlap can cause confusion, leaving companies who focus just on data security with the false impression that, by default, data privacy also is protected. This is not the case. Unlike data security, which focuses on protecting all of an organization’s data from theft or corruption (like during a ransomware attack), data privacy is more granular. To ensure data privacy, organizations must understand, track, and control things like who is authorized to access the data and where the data is stored — in a Health Insurance Portability and Accountability Act (HIPAA)-compliant cloud, for example.
A good example of differences between data privacy and data security was the harvesting of 87 million Facebook user profiles by the now-defunct political consulting firm Cambridge Analytica during the 2016-17 US presidential election, said Joshua Kail, a communications consultant who ran agency-side PR for Cambridge Analytica until it shut down in May 2018. Even though the data was secure, Facebook abused its own privacy policy and a 2011 FTC consent decree regarding the use of user data.
“It was a strange instance of a failure of data security from [Facebook’s] perspective in that they basically handed the data over and then it was used in an inappropriate way, rather than a traditional malicious cyberattack,” he said. “As far as data privacy is concerned, we all lost that the moment we signed up with an account. Really, it wasn’t ‘our data’ that was used by Cambridge, it was Facebook’s data about us. This distinction is where the real danger in current data policies lives.”
Kail recently appeared on Bill Detwiler’s TechRepublic Dynamic Developer podcast discussing data privacy and data rights.
A matter of trust
While data privacy is becoming more regulated every year, it is still a matter that, today, largely comes down to trust, said Kayne McGladrey, a cybersecurity strategist at Ascent Solutions. As the backlash in the wake of the Cambridge Analytica scandal shows, what people expect from the companies they do business with is just as important as the laws that govern the use of their data.
“Today’s data privacy is primarily concerned with the processing of personal data based on laws, regulations, and social norms,” McGladrey said. “Often this is represented by a consumer ignoring an incomprehensible privacy policy (that would take nearly 20 minutes to read) before clicking a button to acknowledge their consent to that policy. Their acceptance of the policy allows the organization to handle their data in documented ways, such as using it to show them targeted advertising based on their inferred interests. However, if that organization sold those personal data to another organization to do something unexpected (like using it to suppress protected free speech) without the consumer’s consent, that would be a breach of privacy, either by regulatory control or by a violation of social norms.”
Given all that has happened in the past few years — the constant drumbeat of massive data breaches and the ever-escalating cyber attacks on businesses and individuals — it is not surprising that people feel their data is no longer safe in the hands of the companies they do business with, or the governments that mandate its collection.
Because of this mistrust, the imperative for businesses to get out in front of these issues could not be greater, said Lili Ana, Information Security Governance manager at loanDepot.
“As the hacking industry rapidly grows and cybercriminals become more well-funded, and as the global transformation of digital at-home workplaces continues to be the new normal, companies must take action to understand information security and how data privacy and data security work together to protect businesses and consumers,” Ana said. “Investing in safeguarding your business in a proactive approach is far less costly than the alternative, which is a data incident or breach that not only can destroy a business but can ruin reputation, credibility, and consumer trust.”