What is the difference between security and privacy?

Many of my clients are small and midsized businesses. They often express confusion over what each of these terms (neither of which have a universally-accepted definition) actually means, how they are different, and how they are similar. This is important for business leaders to understand so they can make appropriate decisions within their information security and privacy management programs. Especially in small and midsize businesses, where there may not be a specific position to address either of these important topics. Let’s start with considering at a high level the differences between information security and privacy.

A few weeks ago I got a message from a long-time business friend saying that he saw someone using a quoted passage from one of the articles I wrote that was published in 2002 in the email signature block of a message he received from someone associated with EDUCAUSE. Cool! But, he said, it was attributed to “Anonymous.” (Huh? Well, that’s a bit of a downer.) Here is the passage from my article that the person used in the email signature block (I added in the numbers):

1. Security is a process…privacy is a consequence.
2. Security is action…privacy is a result of successful action.
3. Security is a condition…privacy is the prognosis.
4. Security is the strategy…privacy is the outcome.
5. Privacy is a state of existence…security is the constitution supporting the existence.
6. Security is a tactical strategy…privacy is a contextual strategic objective.
7. Security is the sealed envelope…privacy is the successful delivery of the message inside the envelope.

I’m glad to see when my writing is being used; especially after all these years from the original publication! I’ve actually used these comparisons several times in the privacy and security classes I’ve taught over the past 12 years. And please, if you are also using these, they should not be attributed to “Anonymous” or any others besides me.  🙂

I want to take this opportunity to add some additional comparison statements to my 12-year-old list above (which all still apply) that address some statements I’ve heard several of my clients, and many of my students, make. 

“Encryption ensures privacy.” Not true.

Very simply put, encryption is a security tool used to scramble information, of all kinds. It can certainly be used to keep unauthorized entities from seeing personal information. However, privacy involves so much more than simply hiding information. You need to also control how the information is used, how it is shared, giving individuals access to their associated information, allowing individuals to have choices about how their information is used and shared, and disposing of information securely, just to name a few. Organizations need to choose and follow a comprehensive privacy framework to ensure all privacy principles are addressed. Some of the more popular, vetted and widely accepted privacy frameworks include:

• OECD Privacy Principles (updated in the latter half of 2013)
  
• AICPA/CICA Generally Accepted Privacy Principles (GAPP)
  
• U.S. Fair Information Practices (FIPs)
  
• APEC Privacy Framework
  
• Australian National Privacy Principles
  

There are more, but these should provide you with a good frame of reference for what is available. I tend to use the OECD principles and GAPP the most, particularly for doing privacy impact assessments (PIAs).

Privacy by Design (PdD) is a philosophy for how businesses will address privacy throughout the full lifecycle of their operations, and can be incorporated into any of the privacy frameworks listed above.

So, considering encryption as a confidentiality security tool results in privacy/security comparison #8:

Security enables confidentiality…privacy often requires confidentiality.

 

“Privacy is law-specific and security is IT-specific.” Not true.

Many of the students I’ve had, clients I’ve helped, and a large portion of the articles I’ve read about privacy point to the existence of laws to determine whether or not there are privacy issues. This is addressing the privacy topic completely backwards.

Here’s a very important point: privacy laws have historically been created AFTER a large number of privacy problems, breaches and negative impacts have occurred.

Just because there is not a privacy law for a topic does NOT mean there are no associated privacy risks for that topic. Just consider all the privacy issues related to big data analytics and the Internet of Things; current privacy laws do not address that wide range of associated privacy risks. However, we know that many privacy concerns exist in those areas. My very rough estimate is that privacy laws cover only 50% – 60% of all privacy risks (and that guess is probably high).

Information security is also is also about so much more than protecting IT assets; it is necessary to protect information in all forms. Hart copy, audible, visible and any other way in which information can be presented. Information security is necessary to protect no only personal information, but also all other types of information, and supporting information assets, as well, from the moment that information is created, through the entire information use lifecycle, through to the time in which it is disposed. The three privacy information security areas include:

1) Technical (which many organizations mistakenly believe is the only area involved);

2) Administrative (the management of the information security activities, the policies and supporting procedures, the training and awareness, and all other actions involving human activities); and

3) Physical (the protection of all areas and devices where information, in all forms, is stored).

Considering the above brings additional security/privacy comparison #9:

Privacy is much more than simply a legal issue, and information security is much more than simply a technical issue.

 

“Security conflicts with privacy.” Usually not true.

Every day I read an article and/or hear someone say that you cannot have both security and privacy. Simply not true. Information security controls are necessary to accomplish privacy goals.  It seems many equate security with safety; and then assume that security involves actions such as those of the NSA doing wide-scale surveillance of phone calls, and social media sites such as Facebook tracking all the activities of their users. Certainly in these situations those actions create privacy conflicts. However, those actions in and of themselves are not information security activities in the true sense of the term, even though information security tools may be being used to accomplish the surveillance and tracking. Just in the same way that information security tools support privacy, they can also be used to support many other activities. Those other activities are what are conflicting with privacy, not information security itself.

Which leads us to one more security/privacy comparison, #10:

Security is an information asset focused set of tools and actions…privacy is a personal information usage and protection focused set of tools and actions. 

 

Bottom Line…

Information security and privacy have a lot of overlaps, but they ultimately involve different actions and different goals, and require those performing them to be able to take different perspectives. You must have information security controls for all types and forms of information assets, of which personal information is a subset. Small, midsize and large businesses must implement information security controls to mitigate their own unique privacy risks that exist within their business environment.

For related information that demonstrates the need for information security and privacy pros to work together, see the 2014 IBM/Ponemon Study: “Cost of Data Breach Study: Global Analysis“.

 

This post was brought to you by IBM for Midsize Business  (http://goo.gl/t3fgW) and opinions are my own. To read more on this topic, visit  IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.

Tags: data protection law, encryption, FIPs, GAPP, IBM, Information Security, information security risks, infosec, midmarket, OECD, PbD, privacy, Privacy by Design, privacy law, privacy principles, privacy professor, privacy risks, privacyprof, Rebecca Herold

This entry was posted on Thursday, July 31st, 2014 at 2:32 pm and is filed under privacy. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.