Posted by Buck Kulkarni on 07 Oct 2014
As organizations develop their responses to their risk and security challenges, as well as their regulatory compliance challenges, they and their clients (or other partners on the activity chain) often face ambiguity over information security versus information privacy. It is natural for a person, especially an IT professional, to ask whether security does not already encompass privacy. After all, if you have secured the information well, that should automatically ensure its privacy too, right?
Well, yes and no!
Let us look at some common scenarios that unfold daily in every organization.
Say you have the credit card details or social security numbers of your employees or customers lying around on a table or open on the computer screen but no one looks at it. Is this a security problem? Or is this a privacy problem?
And then say, someone looks at it without having a need to look but does not misuse it in any manner. Is that a security problem? Or is that a privacy problem?
And then say an employee copies this information, as easy as taking a picture with a smartphone these days, and walks away without detection. But the employee does not misuse it in any manner; perhaps they tried to but did not find a buyer. Is that a security breach? Or is that a privacy breach?
And then say an employee finds a buyer for this information. But we don’t know what the buyer did with that data. Is there a security breach? Or is there a privacy breach?
And finally, of course, you have a professional hacker breaking into your computer system and stealing such data. This is what we most easily recognize as a breach of both security and privacy, but, as you are aware, only the extreme cases make the news. The earlier scenarios happen far more frequently and are either never discovered or swept under the carpet.
A security breach may or may not result in a privacy breach. Say someone stole a lot of data from your systems, but you had taken certain precautions: some crucial data was encrypted (the credit card numbers, the SSNs), or you had stored the data in multiple pieces that the hacker cannot piece back together. Thanks to these measures, the hacker may have your data but cannot use it, because the required information cannot be reconstructed from it. In that case you have a security breach (for sure) but not a privacy breach.
A privacy breach is somewhat more difficult to grasp. If an employee casually looks at a piece of paper lying on a desk (or a document open on a computer screen) and sees information they were not supposed to see, such as a patient's history of disease, medication or insurance details, then you have a privacy breach. It does not matter whether the information was misused, was not misused, or whether there was any intention of misuse.
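As an added example (not code from the original post), the following Python sketch shows the "stored in multiple pieces" idea from the paragraph before last together with the "who looked, and why" concern of the paragraph above: the application database keeps only a random token and the last four digits of each SSN, while a separately secured vault holds the token-to-SSN mapping and logs every look-up, so a dump of the application database alone exposes no SSN. The `TokenVault` class, the employee records and the SSN values are all constructed for this illustration.

```python
import re
import secrets

# Constructed sample records; the names and SSNs are made up for this example.
EMPLOYEES = [
    {"name": "Employee A", "ssn": "123-45-6789"},
    {"name": "Employee B", "ssn": "987-65-4321"},
]
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class TokenVault:
    """Stands in for a separately secured store; it alone can map tokens back."""

    def __init__(self):
        self._store = {}
        self.access_log = []  # every look-up is recorded: actor, purpose, token

    def tokenize(self, ssn):
        token = "tok_" + secrets.token_hex(8)  # random; carries no SSN digits
        self._store[token] = ssn
        return token

    def detokenize(self, token, actor, purpose):
        # A casual look without a business need now leaves a visible trace.
        self.access_log.append({"actor": actor, "purpose": purpose, "token": token})
        return self._store[token]


def protect_records(records, vault):
    """Build the rows the application database keeps: token plus last four digits."""
    return [
        {"name": r["name"], "ssn_token": vault.tokenize(r["ssn"]), "ssn_last4": r["ssn"][-4:]}
        for r in records
    ]


def exposed_ssns(stolen_rows):
    """What an attacker who dumped these rows would learn: every full SSN present."""
    found = []
    for row in stolen_rows:
        for value in row.values():
            found.extend(SSN_RE.findall(str(value)))
    return found
```

Dumping `EMPLOYEES` directly exposes both SSNs; dumping the rows returned by `protect_records` exposes none, and recovering an SSN requires a logged call to the vault.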
It is important to remember that we need to make all our employees aware of what constitutes private information, personally identifiable information and protected health information, and to build a culture in which they remain continuously aware of the data we store, know what is expected of them, and know what constitutes a breach.
Security can be centralized in the hands of a few but privacy is everybody’s concern.