The Importance of Knowing the Difference
With the weekly reports of cyber events and data breaches, cybersecurity is a trending topic. While the concern is warranted, there is some confusion between information privacy and information security. Just because information is private does not necessarily mean it is secure. Executives, compliance professionals and IT departments need to understand the difference and take necessary measures to secure private data in the cyber age.
With the recent rash of data breaches and cyber incidents, companies and individuals alike are understandably concerned about cybersecurity. In a world where consumers are more aware of personal information being collected for financial gain, yet security of this information is almost an afterthought, a data breach can ruin a company’s reputation and financial reports.
The weekly reports of data breaches have resulted in privacy and cybersecurity being on everyone’s lips, yet people do not realize that there is a difference between the two concepts. While the two may overlap, it is important for executives and compliance departments to understand the difference and how the law applies to each.
Information Privacy
“What is the right to privacy and why is privacy protected under the law?”
When asked this question, scholars return to the article “The Right to Privacy,” written by Samuel Warren and Louis Brandeis and published in the Harvard Law Review in 1890. According to Warren and Brandeis, the right to privacy is “the right to be let alone.”
In 1967, Alan F. Westin, in his book “Privacy and Freedom,” defined privacy as the desire of people to freely choose the circumstances and the degree to which individuals will expose their attitudes and behaviors to others. Westin’s definition reflects the shifting attitudes of people from different cultures.
In general, privacy professionals categorize people’s attitudes into three groups:
- Privacy fundamentalists (a strong desire to protect privacy),
- Privacy unconcerned (a low desire to protect privacy) and
- Privacy pragmatists (people whose concerns about privacy will vary depending on the context).
Unfortunately, this sliding scale of privacy that depends on the individual does not provide much guidance to company executives and compliance departments.
Many have a general understanding that the U.S. Constitution protects an individual’s privacy. Some are surprised to learn that the Constitution does not mention privacy. Still, the U.S. Supreme Court — the supreme interpreter of the Constitution — has consistently recognized the right to privacy by discussing a “penumbra” of unenumerated constitutional rights arising from numerous constitutional provisions, such as the Fourth Amendment limits on government searches.
When analyzing whether an individual has a protected right to privacy, the Supreme Court focuses on the reasonable expectation of privacy. In general, an objective, legitimate and reasonable expectation of privacy is an expectation of privacy generally recognized by society.
Society recognizes that individuals have a right to privacy in their homes. Conversely, one does not have a reasonable expectation of privacy in a public park. The expectation of privacy is reduced when individuals provide private information, such as health or financial information, to third parties such as financial institutions or health care facilities. It becomes even murkier when people share and save private information through the internet, which is then saved on third-party servers (i.e., the cloud).
Whether there is an objective, legitimate and reasonable expectation of privacy for information shared through the internet is an area of much debate. We have all seen certain posts on Facebook or Instagram that challenge the concept of privacy.
There is consensus, however, that through laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), individuals expect companies to protect their private information. Additionally, through fair information practices, an individual has a right to control his or her information — even in cyberspace. These rights include the right of notice (knowing who is collecting and using the data) and choice (the ability to opt in or opt out of others collecting and using the data).
When considering the internet and the collection of data, companies should understand that information privacy pertains to three questions: what information is considered personal, what laws govern the collection and use of that information, and what uses and disclosures of personal information are authorized.
Examples of Laws to Consider for Information Privacy
HIPAA and GLBA are two bodies of law that compliance departments in health care and financial institutions must always keep top of mind.
The HIPAA Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information protected health information (PHI). Electronic protected health information (ePHI) is any PHI that is transmitted or maintained in electronic media.
Under the GLBA privacy rule, financial institutions are required to store personal financial information in a secure manner, provide notice of their policies regarding the sharing of personal financial information and provide consumers with the choice to opt out of sharing some personal financial information.
Information Security on the Internet
The internet, by its very nature, places personal information at risk of unauthorized access and use. This is evidenced by the data breaches that result in the exposure of millions of individuals’ personal information (mostly financial and medical in nature).
Information security is the protection of information for the purpose of preventing loss, unauthorized access or misuse. The primary goal is to preserve the information by maintaining the confidentiality, integrity and availability of information – otherwise known as the CIA of information and data security.
More specifically:
- Confidentiality ensures that access to data is limited to authorized parties,
- Integrity is the assurance that the data is complete and authentic and
- Availability is the assurance that the data is accessible when it is needed.
When there is a breach leading to disclosure of personal information, confidentiality is compromised because parties now have unauthorized access to the information. This is what occurred in the Equifax, Target and Anthem data breaches.
When there is a cyber incident that allows wrongdoers to access and change information, the integrity of the information is at risk. The infamous Stuxnet worm that was meant to attack Iran’s nuclear power program is a great example of a cyber incident that affected the integrity of data. Imagine a situation where hackers gain access to a patient’s medical records and change the prescribed dosage of medications. This could result in a cyber incident that leads to physical harm.
In a ransomware or distributed denial-of-service (DDoS) attack, availability of information is compromised. This is what occurred in the NotPetya cyberattack that resulted in companies such as FedEx, Merck and Mondelez reporting disruption to their operations and earnings.
If any of the CIA attributes are compromised, then security failed to protect the information.
Laws to Consider for Information Security
There is no federal legislation that imposes information security standards across all industries, but the health care and financial sectors have federally imposed information security regulations and guidelines.
The HIPAA Security Rule is designed to require covered entities to implement “reasonable” security measures in a technology-neutral manner.
Covered entities and business associates must maintain reasonable and appropriate administrative, technical and physical safeguards for protecting ePHI. Specifically, covered entities and business associates must:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
The GLBA has a “Safeguards Rule” that requires financial institutions to develop and implement a comprehensive information security program, defined as a program that contains administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.
The Federal Trade Commission (FTC) has the power (under the FTC Act) to bring actions against companies that misrepresent their information security practices or fail to provide reasonable procedures to protect personal information.
Adding to the complexity in the area of information security, some states have enacted laws requiring companies to take information security measures to protect a person’s sensitive information. Some of these laws address the collection of personal information and breach notification requirements.
What are you collecting, storing and disclosing?
In summary, the personal data an organization collects, stores and shares is an issue of information privacy. How and where the personal data is stored, exchanged and protected is the question of information security.
As the use of the internet continues to grow and it becomes the primary medium for electronic communications and information exchange, companies big and small need to develop an information management program that examines practices and controls for managing collected personal information.
At the very least, a company should inventory the personal information it collects, stores, uses and discloses. With this inventory, the company should classify the data according to its level of sensitivity. Not all personal information is private and worthy of security measures. For personal information that is, a company should document the flow of the data — meaning where it is stored, who sees it, who shares it, what security measures protect it and when it is destroyed. Knowing where personal data flows is crucial to identifying areas that need compliance attention.
The takeaway: There is a difference between information privacy and security.
- Know the difference.
- Know what laws apply to your sector.
- Know what you are doing to comply with the privacy and security rules.
Good luck!