Corporate Compliance Insights

“Privacy” Doesn’t Equal “Security”

by Robert Stines
November 21, 2018
in Data Privacy, Featured

The Importance of Knowing the Difference

With the weekly reports of cyber events and data breaches, cybersecurity is a trending topic. While the concern is warranted, there is some confusion between information privacy and information security. Just because information is private does not necessarily mean it is secure. Executives, compliance professionals and IT departments need to understand the difference and take necessary measures to secure private data in the cyber age.

With the recent rash of data breaches and cyber incidents, companies and individuals alike are understandably concerned about cybersecurity. In a world where consumers are more aware of personal information being collected for financial gain, yet security of this information is almost an afterthought, a data breach can ruin a company’s reputation and financial reports.

The weekly reports of data breaches have resulted in privacy and cybersecurity being on everyone’s lips, yet people do not realize that there is a difference between the two concepts. While the two may overlap, it is important for executives and compliance departments to understand the difference and how the law applies to each.

Information Privacy

“What is the right to privacy and why is privacy protected under the law?”

When asked this question, scholars revert to the article “The Right to Privacy,” written by Samuel Warren and Louis Brandeis and published in the Harvard Law Review in 1890. According to Warren and Brandeis, the right to privacy is “the right to be let alone.”

In 1967, Alan F. Westin, in his book “Privacy and Freedom,” defined privacy as the desire of people to freely choose the circumstances and the degree to which individuals will expose their attitudes and behaviors to others. Westin’s definition reflects the shifting attitudes of people from different cultures.

In general, privacy professionals categorize people’s attitudes into three groups:

  1. Privacy fundamentalists (a strong desire to protect privacy),
  2. Privacy unconcerned (a low desire to protect privacy) and
  3. Privacy pragmatists (people whose concerns about privacy will vary depending on the context).

Unfortunately, this sliding scale of privacy that depends on the individual does not provide much guidance to company executives and compliance departments.

Many have a general understanding that the U.S. Constitution protects an individual’s privacy. Some are surprised to learn that the Constitution does not mention privacy. Still, the U.S. Supreme Court — the supreme interpreter of the Constitution — has consistently recognized the right to privacy by discussing a “penumbra” of unenumerated constitutional rights arising from numerous constitutional provisions, such as the Fourth Amendment limits on government searches.

When analyzing whether an individual has a protected right to privacy, the Supreme Court focuses on the reasonable expectation of privacy. In general, an objective, legitimate and reasonable expectation of privacy is an expectation of privacy generally recognized by society.

Society recognizes that individuals have a right to privacy in their homes. Conversely, one does not have a reasonable expectation of privacy in a public park. The expectation of privacy is reduced when individuals provide private information, such as health or financial information, to third parties such as financial institutions or health care facilities. It becomes even murkier when people share and save private information through the internet, which is then saved on third-party servers (i.e., the cloud).

Whether there is an objective, legitimate and reasonable expectation of privacy for information shared through the internet is an area of much debate. We have all seen certain posts on Facebook or Instagram that challenge the concept of privacy.

There is consensus, however, that through laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), individuals expect companies to protect their private information. Additionally, through fair information practices, an individual has a right to control his or her information — even in cyberspace. These rights include the right of notice (who is collecting and using the data) and choice (the ability to opt in or opt out of others collecting and using the data).

When considering the internet and the collection of data, companies should understand that information privacy pertains to the questions of what information is considered personal, what laws govern the collection and use of the information and what sorts of use and disclosure of personal information is authorized.

Examples of Laws to Consider for Information Privacy

HIPAA and GLBA are two bodies of law that compliance departments in health care and financial institutions must always keep top of mind.

The HIPAA Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information protected health information (PHI). Electronic protected health information (ePHI) is any PHI that is transmitted or maintained in electronic media.

Under the GLBA privacy rule, financial institutions are required to store personal financial information in a secure manner, provide notice of their policies regarding the sharing of personal financial information and provide consumers with the choice to opt out of sharing some personal financial information.

Information Security on the Internet

The internet, by its very nature, places personal information at risk of unauthorized access and use. This is evidenced by the data breaches that result in the exposure of millions of individuals’ personal information (mostly financial and medical in nature).

Information security is the protection of information for the purpose of preventing loss, unauthorized access or misuse. The primary goal is to preserve the information by maintaining the confidentiality, integrity and availability of information – otherwise known as the CIA of information and data security.

More specifically:

  • Confidentiality ensures that access to data is limited to authorized parties,
  • Integrity is the assurance that the data is complete and authentic and
  • Availability is knowledge that the data is accessible.

When there is a breach leading to disclosure of personal information, confidentiality is compromised because parties now have unauthorized access to the information. This is what occurred in the Equifax, Target and Anthem data breaches.

When there is a cyber incident that allows wrongdoers to access and change information, the integrity of the information is at risk. The infamous Stuxnet worm that was meant to attack Iran’s nuclear power program is a great example of a cyber incident that affected the integrity of data. Imagine a situation where hackers gain access to a patient’s medical records and change the prescribed dosage of medications. This could result in a cyber incident that leads to physical harm.

In a ransomware or distributed denial-of-service (DDoS) attack, availability of information is compromised. This is what occurred in the NotPetya cyberattack that resulted in companies such as FedEx, Merck and Mondelez reporting disruption to their operations and earnings.

If any of the CIA attributes are compromised, then security failed to protect the information.
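The integrity attribute is the one most often left to intuition, so here is a small added example (not from the article or its author) of what “assurance that the data is complete and authentic” looks like in practice. It seals a constructed patient record with an HMAC tag and shows that a change to the prescribed dosage, the scenario described above, is detected on verification. The record contents and the key are constructed for illustration; a real system would keep the key in a KMS or HSM, separate from the database an intruder could reach, since a tag that can be recomputed by whoever edits the record proves nothing.

```python
import hashlib
import hmac
import json

# Constructed key for the example only; a real deployment keeps this outside the record store.
INTEGRITY_KEY = b"example-integrity-key-do-not-use"


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Return an HMAC-SHA256 tag over the canonical form of the record (the integrity control)."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time; False means the record no longer matches."""
    return hmac.compare_digest(seal(record, key), tag)


# Constructed sample record; not real patient data.
PATIENT_RECORD = {"patient_id": "P-0001", "medication": "warfarin", "dose_mg": 5}


def demo() -> dict:
    """Seal the record, then check both the original and a tampered copy against the stored tag."""
    tag = seal(PATIENT_RECORD)
    tampered = dict(PATIENT_RECORD, dose_mg=50)  # the dosage change from the article's scenario
    return {
        "original_ok": verify(PATIENT_RECORD, tag),
        "tampered_ok": verify(tampered, tag),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the tag protects integrity only: the record is still readable by anyone who obtains it, so confidentiality needs a separate control (encryption and access restriction), and neither control keeps the data available if the system is taken offline.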

Laws to Consider for Information Security

There is no federal legislation that imposes information security standards across all industries, but the health care and financial sectors have federally imposed information security regulations and guidelines.

The HIPAA Security Rule is designed to require covered entities to implement “reasonable” security measures in a technology-neutral manner.

Covered entities and business associates must maintain reasonable and appropriate administrative, technical and physical safeguards for protecting ePHI. Specifically, covered entities and business associates must:

  1. Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure compliance by their workforce.

The GLBA has a “Safeguards Rule” that requires financial institutions to develop and implement a comprehensive information security program, defined as a program that contains administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.

The Federal Trade Commission (FTC) has the power (under the FTC Act) to bring actions against companies that misrepresent their information security practices or fail to provide reasonable procedures to protect personal information.

To increase the complexity in the area of information security, some states have enacted laws requiring companies to take information security measures to protect a person’s sensitive information. Some of these laws address the collection of personal information and breach notification requirements.

What are you collecting, storing and disclosing?

In summary, the personal data an organization collects, stores and shares is an issue of information privacy. How and where the personal data is stored, exchanged and protected is the question of information security.

As the use of the internet continues to grow and it becomes the primary medium for electronic communications and information exchange, companies big and small need to develop an information management program that examines practices and controls for managing collected personal information.

At the very least, a company should inventory the personal information it collects, stores, uses and discloses. With this inventory, the company should classify the data according to its level of sensitivity. Not all personal information is private and worthy of security measures. For personal information, a company should document the flow of the data — meaning where is it stored, who sees it, who shares it, what type of security measures protect the information and when is it destroyed. Knowing where personal data flows is crucial to identify areas for compliance attention.
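The inventory-and-classify exercise described above is easier to keep honest when the inventory is structured data that can be checked mechanically. The following is an added example (not the article's or its author's) that models each collected data element with its classification, storage location, viewers, third-party recipients and retention period, then flags the gaps a compliance review would look for: sensitive data unencrypted at rest, readable by a catch-all group, disclosed to third parties, or lacking a destruction schedule. The classification labels, the `all-staff` group name and the sample inventory are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DataElement:
    """One inventory row: what is collected, where it lives, who sees it, where it goes, when it dies."""
    name: str
    category: str                  # assumed labels: "PHI", "financial", "contact", "public"
    stored_in: str
    encrypted_at_rest: bool
    viewers: List[str]             # roles or groups that can read the element
    shared_with: List[str] = field(default_factory=list)  # third parties it is disclosed to
    retention_days: Optional[int] = None                  # None = no documented destruction schedule


# Categories this example treats as "private and worthy of security measures".
SENSITIVE = {"PHI", "financial"}
# Assumed name of a catch-all access group; sensitive data visible to it breaks least privilege.
BROAD_GROUP = "all-staff"


def review_inventory(inventory: List[DataElement]) -> List[Tuple[str, str]]:
    """Return (element name, issue) pairs for every gap found in sensitive elements."""
    findings: List[Tuple[str, str]] = []
    for e in inventory:
        if e.category not in SENSITIVE:
            continue  # not all personal information warrants security measures
        if not e.encrypted_at_rest:
            findings.append((e.name, f"{e.category} data in {e.stored_in} is not encrypted at rest"))
        if BROAD_GROUP in e.viewers:
            findings.append((e.name, f"readable by {BROAD_GROUP}; restrict to the roles that need it"))
        if e.shared_with:
            findings.append((e.name, "disclosed to " + ", ".join(e.shared_with)
                             + "; confirm notice and opt-out handling"))
        if e.retention_days is None:
            findings.append((e.name, "no retention period, so destruction cannot be scheduled"))
    return findings


# Constructed sample inventory for a small health-and-retail business.
SAMPLE_INVENTORY = [
    DataElement("patient_allergies", "PHI", "ehr-db", True, ["clinicians"], [], 2555),
    DataElement("card_on_file", "financial", "orders-db", False,
                ["billing", "all-staff"], ["payment-processor"], None),
    DataElement("newsletter_email", "contact", "crm", False, ["marketing"], ["email-vendor"], 365),
]


if __name__ == "__main__":
    for name, issue in review_inventory(SAMPLE_INVENTORY):
        print(f"{name}: {issue}")
```

Run against the sample, only `card_on_file` produces findings: the PHI row is already encrypted, narrowly viewable and scheduled for destruction, and the newsletter address is personal but not classified as sensitive, which is exactly the distinction the paragraph above draws.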

The takeaway: There is a difference between information privacy and security.

  • Know the difference.
  • Know what laws apply to your sector.
  • Know what you are doing to comply with the privacy and security rules.

Good luck!


Tags: Data Breach, HIPAA, Ransomware
Robert Stines

Robert A. Stines is a Partner in the Tampa, Florida office of Freeborn & Peters, LLP. A member of the firm’s Litigation Practice Group and Emerging Technologies Industry Team, he is a trial lawyer whose practice is focused on business commercial disputes, professional liability defense and cyber law. An IAPP U.S.-law certified privacy professional, he also advises businesses on cybersecurity and data privacy issues. He can be reached at rstines@freeborn.com. To read his blog, visit https://www.techlawx.com/blog.

© 2022 Corporate Compliance Insights