People toss around the terms “privacy” and “security” like they’re totally interchangeable. By the dictionary definitions they are decidedly not the same, and they’re not the same in our digitally connected world either. This post is your guidebook to knowing the difference and sounding super smart while you explain it to others who are less enlightened.
Webster tells us that privacy is primarily used in two ways. The first is “the quality or state of being apart from company or observation.” The second is “freedom from unauthorized intrusion.” Security is “the quality or state of being secure, such as a) freedom from danger or b) freedom from fear or anxiety.”
When you want privacy, you want to be left alone; nobody you didn’t pre-approve bugging you for any reason. When you want security, you want to be free of fear—like there is no chance of danger or harm.
A Childhood Example
Let’s rewind to you at age 12. When you were curled up in bed, writing in your diary, you wanted privacy. No brother reading over your shoulder or banging on the bedroom door and begging you to play.
When your parents left you home alone for the first time, you wanted security—every door and window locked with a few important phone numbers at the ready just in case.
The emotions behind these two scenarios overlap somewhat. It’s unsettling when your privacy is interrupted. It’s unsettling and harmful when your security is compromised. The desire for both requires thoughtful preparation.
Privacy and Security Are Related
In our digitally connected world, privacy and security overlap in similar ways. Privacy is the right that you have to control your personal information (PI). Security is how your PI is protected. (Feel free to interchange your PI with your business’s equivalent—employee or customer data, trade secrets, contracts, patents, etc.)
Keep in mind that your PI is everywhere: every online account you’ve set up, every store where you’ve paid with a credit card, every doctor’s office you’ve ever visited. All of these entities store your personal information digitally.
Go back to the example of your 12-year-old self. When your brother barged into your room uninvited and began reading your diary over your shoulder, your privacy was compromised. But you were still secure. The doors of the house were locked and you were not in danger.
But let’s imagine a slightly darker scenario. Your family has gone out for the day, and someone has left the back door unlocked and hanging open. That sneaky neighbor kid down the street has noticed. Your security is at risk! He enters your home, reads your diary (bye bye privacy), and pockets the cash from your piggy bank (hello harm).
A Grownup Example
Consider a pretty boring transaction of adulthood: joining a gym. It’s the new year and you want to improve your health, so you sign up for a few personal training sessions and a monthly membership.
The gym gets not only your money but also your bank account information (for a monthly draft) and a bunch of other PI. Your name and address go in their database, matched up to that bank info. They input your birthdate, health insurance information (in case of emergency), next of kin (also…emergencies), and some details on your medical history (so they can create a personalized fitness plan) into their client database.
Somewhere in all the paperwork you signed, you agreed to allow the gym to use some of your data. They might just want it so they can mail you a birthday card. But what they’re probably doing is selling it to marketers for advertising campaigns.
Your privacy has been compromised (you agreed to it but didn’t read the fine print). You’re added to mailing lists for athletic clothing and dietician services. Your junk mail increases, but the good news is that you’re still secure.
Everything changes when a gym employee opens a phishing message disguised as a package tracking email. The bad “tracking” link installs malware that gives the attacker access to the gym’s customer database. Now both your privacy (personal information) and security (bank and insurance info) are compromised. Your PI is up for sale on the dark web, and the breach will likely cost you (and the gym) time, money, and sanity to fix.
Does Cybersecurity Cover Both Privacy and Security?
High-quality, consistent cybersecurity protocols and incident response plans address some aspects of privacy and most of what we mean by security.
Good cybersecurity considers what data is collected in the course of doing business. The gym in the scenario above might have stopped to ask, “Do we want or need to be responsible for all of the information we are gathering? Are we secure enough to be storing this much PI?”
Cybersecurity also considers how the data can be used and shared. For instance, which staff are allowed to look at the customer database? Do staff members need different permission settings that allow viewing only certain information? A personal trainer needs to be able to log in and access a customer’s health history, but not her bank account info.
There are some privacy concerns that are not covered by cybersecurity controls and must be addressed independently. For instance, privacy regulations require companies to have a process to respond to individuals’ requests to find out what information the company has about them. Other regulations give individuals the right to request the information be deleted.
Protection against unauthorized access is the security component of cybersecurity. An employee who is permitted to see a gym member’s bank account number is accessing her data with authorization. They probably won’t do anything malicious with it, but they could, which is why authorized access still needs limits and a record of who looked at what. Security controls are what prevent the overtly malicious breach: data viewed or collected by someone with no authorization and with the intent to harm.
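One way to enforce the trainer-versus-billing split described two paragraphs above, and to keep a record of the authorized reads that the paragraph above worries about, is field-level permissions tied to a role plus an audit log of every successful read. This is an added example, not code from the original post or from any real gym system; the customer record, role names and field names are assumptions, and the sample data is constructed.

```python
"""Field-level access control plus audit logging for a customer record.

Added example (not from the original post). Assumptions: a hypothetical gym
"customer database" holds one record per member with personal, health and
billing fields; each staff role is allowed to see only the fields its job
needs; every successful read is logged so that authorized access is still
traceable after the fact.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample record: not a real person, not real account numbers.
CUSTOMER = {
    "id": 1042,
    "name": "Pat Member",
    "address": "1 Example Street",
    "birthdate": "1985-04-12",
    "health_history": "knee surgery 2019; no cardiac history",
    "insurance": "Example Health, policy 00-1234",
    "next_of_kin": "Sam Member, 555-0100",
    "bank_account": "routing 000000000 / account 000123456789",
}

# Least privilege: the role, not the login, decides which fields are visible.
# (Hypothetical roles chosen for the example.)
ROLE_FIELDS = {
    "trainer": {"id", "name", "health_history", "next_of_kin"},
    "billing": {"id", "name", "address", "bank_account"},
    "front_desk": {"id", "name"},
}


class AccessDenied(PermissionError):
    """Raised when a role asks for a field outside its allow-list."""


@dataclass
class AuditEntry:
    when: str          # UTC timestamp of the read
    user: str          # who performed it
    role: str          # under which role
    customer_id: int   # whose record
    fields: tuple      # which fields were actually returned


AUDIT_LOG = []  # in a real system this is append-only storage, not a list


def can_read(role, field_name):
    """True if the role's allow-list includes the field."""
    return field_name in ROLE_FIELDS.get(role, set())


def view_customer(user, role, record, requested=None):
    """Return the subset of `record` the role may see and log the read.

    With no explicit field list, forbidden fields are silently filtered out
    (the trainer's normal screen). An explicit request for a forbidden field
    is refused outright, so attempts to reach past the role show up as errors.
    """
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise AccessDenied(f"unknown role {role!r}")
    if requested is None:
        visible = {k: v for k, v in record.items() if k in allowed}
    else:
        denied = set(requested) - allowed
        if denied:
            raise AccessDenied(f"role {role!r} may not read {sorted(denied)}")
        visible = {k: record[k] for k in requested}
    AUDIT_LOG.append(AuditEntry(
        when=datetime.now(timezone.utc).isoformat(),
        user=user,
        role=role,
        customer_id=record["id"],
        fields=tuple(sorted(visible)),
    ))
    return visible


def who_read(field_name):
    """Audit query: every (user, role) that has been shown this field."""
    return [(e.user, e.role) for e in AUDIT_LOG if field_name in e.fields]


if __name__ == "__main__":
    print("trainer sees:", sorted(view_customer("alice", "trainer", CUSTOMER)))
    print("billing sees:", sorted(view_customer("bob", "billing", CUSTOMER)))
    try:
        view_customer("alice", "trainer", CUSTOMER, ["bank_account"])
    except AccessDenied as exc:
        print("denied:", exc)
    print("bank_account was read by:", who_read("bank_account"))
```

The two design choices worth copying are that the allow-list lives with the role rather than in each screen's code, and that the audit entry records the fields returned rather than the query issued: when a billing clerk's reads later look suspicious, the log answers "who saw the bank account" directly.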
Is Your Business Monitoring Both Privacy and Security?
Has your business evaluated its cybersecurity policies lately? Are you adequately cautious about privacy? Are your employees trained on what is considered PI and how to protect it? What is your incident response plan in the case of a security breach?