Corporate Compliance Insights

“Privacy” Doesn’t Equal “Security”

by Robert Stines
November 21, 2018
in Data Privacy, Featured

The Importance of Knowing the Difference

With the weekly reports of cyber events and data breaches, cybersecurity is a trending topic. While the concern is warranted, there is some confusion between information privacy and information security. Just because information is private does not necessarily mean it is secure. Executives, compliance professionals and IT departments need to understand the difference and take necessary measures to secure private data in the cyber age.

With the recent rash of data breaches and cyber incidents, companies and individuals alike are understandably concerned about cybersecurity. In a world where consumers are increasingly aware that their personal information is collected for financial gain, while the security of that information is often an afterthought, a data breach can damage both a company’s reputation and its financial results.

The weekly reports of data breaches have put privacy and cybersecurity on everyone’s lips, yet many people do not realize that the two are distinct concepts. While they overlap, it is important for executives and compliance departments to understand the difference and how the law applies to each.

Information Privacy

“What is the right to privacy and why is privacy protected under the law?”

When asked this question, scholars return to the article “The Right to Privacy,” written by Samuel Warren and Louis Brandeis and published in the Harvard Law Review in 1890. According to Warren and Brandeis, the right to privacy is “the right to be let alone.”

In 1967, Alan F. Westin, in his book “Privacy and Freedom,” defined privacy as the desire of people to freely choose the circumstances and the degree to which individuals will expose their attitudes and behaviors to others. Westin’s definition reflects the shifting attitudes of people from different cultures.

In general, privacy professionals categorize people’s attitudes into three groups:

  1. Privacy fundamentalists (a strong desire to protect privacy),
  2. Privacy unconcerned (a low desire to protect privacy) and
  3. Privacy pragmatists (people whose concerns about privacy will vary depending on the context).

Unfortunately, this sliding scale of privacy that depends on the individual does not provide much guidance to company executives and compliance departments.

Many have a general understanding that the U.S. Constitution protects an individual’s privacy. Some are surprised to learn that the Constitution never mentions the word privacy. Still, the U.S. Supreme Court, the supreme interpreter of the Constitution, has consistently recognized a right to privacy by finding a “penumbra” of unenumerated rights arising from several constitutional provisions, such as the Fourth Amendment’s limits on government searches.

When analyzing whether an individual has a protected right to privacy, the Supreme Court focuses on the reasonable expectation of privacy. In general, an objective, legitimate and reasonable expectation of privacy is an expectation of privacy generally recognized by society.

Society recognizes that individuals have a right to privacy in their homes. Conversely, one does not have a reasonable expectation of privacy in a public park. The expectation of privacy is reduced when individuals provide private information, such as health or financial information, to third parties such as financial institutions or health care facilities. It becomes even murkier when people share and save private information through the internet, which is then saved on third-party servers (i.e., the cloud).

Whether there is an objective, legitimate and reasonable expectation of privacy for information shared through the internet is an area of much debate. We have all seen certain posts on Facebook or Instagram that challenge the concept of privacy.

There is consensus, however, that through laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), individuals expect companies to protect their private information. Additionally, through fair information practices, an individual has a right to control his or her information, even in cyberspace. These rights include the right of notice (who is collecting and using the data) and choice (the ability to opt in or opt out of others collecting and using the data).

When considering the internet and the collection of data, companies should understand that information privacy pertains to the questions of what information is considered personal, what laws govern the collection and use of the information and what sorts of use and disclosure of personal information is authorized.

Examples of Laws to Consider for Information Privacy

HIPAA and GLBA are two bodies of law that compliance departments in health care and financial institutions must always keep top of mind.

The HIPAA Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information protected health information (PHI). Electronic protected health information (ePHI) is any PHI that is transmitted or maintained in electronic media.

Under the GLBA Privacy Rule, financial institutions must provide notice of their policies regarding the sharing of nonpublic personal financial information and give consumers the choice to opt out of having some of that information shared with nonaffiliated third parties. The statute’s separate requirement that institutions safeguard customer information is a security obligation and is addressed below under information security.

Information Security on the Internet

The internet, by its very nature, places personal information at risk of unauthorized access and use. This is evidenced by the data breaches that result in the exposure of millions of individuals’ personal information (mostly financial and medical in nature).

Information security is the protection of information for the purpose of preventing loss, unauthorized access or misuse. The primary goal is to preserve the information by maintaining its confidentiality, integrity and availability, otherwise known as the CIA triad of information and data security.

More specifically:

  • Confidentiality ensures that access to data is limited to authorized parties,
  • Integrity is the assurance that the data is complete, accurate and authentic, i.e., that it has not been altered or destroyed without authorization, and
  • Availability is the assurance that the data is accessible to authorized users when they need it.

When there is a breach leading to disclosure of personal information, confidentiality is compromised because parties now have unauthorized access to the information. This is what occurred in the Equifax, Target and Anthem data breaches.

When a cyber incident allows wrongdoers to access and change information, the integrity of the information is at risk. The infamous Stuxnet worm, which targeted the industrial control systems of Iran’s uranium enrichment program and altered centrifuge controller behavior while reporting normal readings back to operators, is a prime example of a cyber incident that attacked the integrity of data. Imagine a situation where hackers gain access to a patient’s medical records and change the prescribed dosage of a medication. Such an incident could lead to physical harm.

In a ransomware or distributed denial-of-service (DDoS) attack, the availability of information is compromised. This is what occurred in the NotPetya cyberattack, which presented itself as ransomware but in practice destroyed data with no workable path to recovery, and which led companies such as FedEx, Merck and Mondelez to report disruption to their operations and earnings.

If any of the CIA attributes are compromised, then security failed to protect the information.

Laws to Consider for Information Security

There is no federal legislation that imposes information security standards across all industries, but the health care and financial sectors have federally imposed information security regulations and guidelines.

The HIPAA Security Rule requires covered entities to implement “reasonable and appropriate” security measures, stated in a technology-neutral manner so that the same rule scales from a small practice to a large health system.

Covered entities and business associates must maintain reasonable and appropriate administrative, technical and physical safeguards for protecting ePHI. Specifically, covered entities and business associates must:

  1. Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure compliance by their workforce.

The GLBA has a “Safeguards Rule” that requires financial institutions to develop and implement a comprehensive information security program, defined as a program that contains administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.

The Federal Trade Commission (FTC) has the power, under Section 5 of the FTC Act, to bring actions against companies that misrepresent their information security practices (a deceptive practice) or fail to provide reasonable procedures to protect personal information (an unfair practice).

Adding to the complexity, many states have enacted laws requiring companies to take information security measures to protect a person’s sensitive information. Some of these laws govern the collection of personal information, and others impose breach notification requirements.

What are you collecting, storing and disclosing?

In summary, the personal data an organization collects, stores and shares is an issue of information privacy. How and where the personal data is stored, exchanged and protected is the question of information security.

As the use of the internet continues to grow and it becomes the primary medium for electronic communications and information exchange, companies big and small need to develop an information management program that examines practices and controls for managing collected personal information.

At the very least, a company should inventory the personal information it collects, stores, uses and discloses. With this inventory in hand, the company should classify the data according to its level of sensitivity; not all personal information is equally sensitive, and security measures should be proportionate to that sensitivity. For each category of personal information, the company should document the flow of the data: where it is stored, who sees it, who shares it and with whom, what security measures protect it and when it is destroyed. Knowing where personal data flows is crucial to identifying the areas that need compliance attention.
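The inventory, classification and data-flow record described above can be kept as a small structured dataset and checked mechanically for the gaps a compliance review would look for. The following is an added example, not code from the article or its author: the data-element names, storage systems, accessor roles, the category-to-regime mapping and the gap rules are all constructed assumptions for illustration and would need to be scoped with counsel in a real program.

```python
"""Personal-data inventory with sensitivity classification and gap checks.

Added example, not from the article. Element names, storage systems, the
category-to-regime mapping and the gap rules are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DataElement:
    """One row of the inventory: what is collected and how it flows."""
    name: str
    category: str                       # health | financial | contact | public
    stored_in: str                      # where it is stored
    accessed_by: List[str]              # who sees it (roles, not people)
    shared_with: List[str] = field(default_factory=list)  # who it is shared with
    sharing_documented: bool = False    # notice/opt-out and vendor terms on file
    encrypted_at_rest: bool = False     # the security measure protecting it
    retention_days: Optional[int] = None  # when it is destroyed (None = never)


# Category -> (sensitivity level, regime the article names for that sector).
# Constructed mapping for illustration only.
SENSITIVITY: Dict[str, Tuple[str, Optional[str]]] = {
    "health": ("high", "HIPAA Privacy and Security Rules"),
    "financial": ("high", "GLBA Privacy and Safeguards Rules"),
    "contact": ("moderate", "state breach-notification laws"),
    "public": ("low", None),
}


def classify(elem: DataElement) -> Tuple[str, Optional[str]]:
    """Return (sensitivity level, applicable regime) for one element."""
    return SENSITIVITY.get(elem.category, ("unknown", None))


def find_gaps(elem: DataElement) -> List[str]:
    """Compare one element's documented flow against its sensitivity."""
    level, regime = classify(elem)
    gaps: List[str] = []
    if level == "unknown":
        return [f"{elem.name}: uncategorized, applicable rules cannot be determined"]
    if not elem.accessed_by:
        gaps.append(f"{elem.name}: no documented accessor roles")
    if level == "high" and not elem.encrypted_at_rest:
        gaps.append(f"{elem.name}: high-sensitivity data in {elem.stored_in} "
                    f"is not encrypted at rest ({regime})")
    if level != "low" and elem.retention_days is None:
        gaps.append(f"{elem.name}: no retention period, data is never destroyed")
    if elem.shared_with and not elem.sharing_documented:
        gaps.append(f"{elem.name}: shared with {', '.join(elem.shared_with)} "
                    f"without documented notice/opt-out or vendor terms")
    return gaps


def audit(inventory: List[DataElement]) -> Dict[str, List[str]]:
    """Run the gap checks over the whole inventory, keyed by element name."""
    return {e.name: find_gaps(e) for e in inventory}


def applicable_regimes(inventory: List[DataElement]) -> List[str]:
    """Which of the regimes in SENSITIVITY this inventory brings into scope."""
    regimes = {classify(e)[1] for e in inventory}
    regimes.discard(None)
    return sorted(regimes)


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    DataElement("patient_diagnoses", "health", "ehr-db",
                accessed_by=["clinician", "billing"],
                shared_with=["claims-clearinghouse"], sharing_documented=True,
                encrypted_at_rest=True, retention_days=6 * 365),
    DataElement("card_numbers", "financial", "orders-db",
                accessed_by=["payments-service"]),
    DataElement("newsletter_emails", "contact", "crm",
                accessed_by=["marketing"], shared_with=["email-vendor"],
                retention_days=2 * 365),
    DataElement("press_releases", "public", "cms", accessed_by=["comms"]),
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_INVENTORY).items():
        print(name, "->", gaps or "no gaps found")
    print("regimes in scope:", applicable_regimes(SAMPLE_INVENTORY))
```

Run as a script, the audit flags the card numbers (stored unencrypted with no retention period) and the newsletter list (shared with a vendor without documented terms), while the encrypted, time-limited patient records and the public press releases pass. The point of the structure is that every field corresponds to one of the questions in the paragraph above, so a blank field is itself a finding rather than an unknown.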

The takeaway: There is a difference between information privacy and security.

  • Know the difference.
  • Know what laws apply to your sector.
  • Know what you are doing to comply with the privacy and security rules.

Good luck!


Robert Stines

Robert A. Stines is a Partner in the Tampa, Florida office of Freeborn & Peters, LLP. A member of the firm’s Litigation Practice Group and Emerging Technologies Industry Team, he is a trial lawyer whose practice is focused on business commercial disputes, professional liability defense and cyber law. An IAPP U.S.-law certified privacy professional, he also advises businesses on cybersecurity and data privacy issues. He can be reached at rstines@freeborn.com. To read his blog, visit https://www.techlawx.com/blog.

© 2025 Corporate Compliance Insights
