We see too often that the terms privacy and security (cybersecurity) are used interchangeably and felt it was important to help people understand that they are not the same thing. Yes, there is a relationship between the two, but again, they are not the same thing.
If you ask a group of cybsecurity professionals whether they are privacy buffs the likely answer you’ll get is “no”.
To help illustrate this we wanted to provide an example that is easy to understand.
You get your W2 in the mail and leave it on the kitchen table. Your neighbor visits you for coffee the following morning and sits at the same kitchen table. You leave the room and your neighbor sneaks a peak at your W2, and later that day tells your other neighbor how much money you made last year. This is an invasion of privacy. It’s similar to the Facebook and Cambridge Analytica debacle. You entrusted your information with Facebook to only use it to provide certain services, but you probably didn’t agree to the harvesting of your data to be sent to a third party to be used for political purposes.
The W2 that you received was most likely generated in an electronic system that stored particular pieces of sensitive information. Some smart cybersecurity and technology people were responsible for developing the policies, procedures, defining standards and implementing controls to protect the systems processing your W2 data. This was to prevent unauthorized access to the data, ensure the secure processing of it, etc.
Hopefully with this quick post you can see that there is a difference between the two examples above. While the W2 is the overlapping piece, keeping the information away from prying eyes (what you’re neighbor has now) and the data (the bits of information stored in the electronic system) are different.
It is important to make this distinction because if you are looking for the ultimate in privacy and security, you need to employ practices for both.
We do believe that because of the evolving regulatory environment and people’s expectation of privacy and data protection, whether it be physical or digital, the terms will blend and it will probably just be called security. (kind of like what it’s always been known as)