As more organizations digitally transform and modernize their business applications, more private information that was once stored on company-owned and managed equipment is being moved to the cloud, where different digital risks potentially exist. When it comes to personal data, consumers often mistakenly believe the security policies, procedures, and posture of the organizations with whom they share information are consistent with the privacy they expect. In this post, we help clarify how 'security' and 'privacy' concepts differ in the world of digital data.
In April 2018, a U.K. court ruled in favor of a businessman in his “right to be forgotten” lawsuit against Google. The businessman’s landmark win was based on a 2014 EU (European Union) ruling that “irrelevant” and outdated data should be erased on request. Google claims that since the 2014 ruling it has received at least 2.4 million requests for links to be removed from its search results and has removed over 800,000 pages in response. However, Google’s loss could set a major precedent in what was once a gray area, in which organizations that collect, store, and use consumer data could decide what is considered “relevant” information. This case is a great example of the symbiotic, but not always equivalent, relationship between privacy and security. The businessman expected privacy in return for his time served, remorse for his indiscretions, and dedication to rehabilitation. Google held that access to lawful information was the public’s right and that removing that access increased the risk of repeated wrongdoing by the businessman, which outweighed his right to privacy.
Data Privacy
For the purposes of this article, data privacy refers to the public expectation to have complete control over who accesses their private information and how they use it. As more of our personally identifiable information (PII) is digitally shared in the cloud, organizations must consider the ethical, legal, and business implications of engaging with that data for their day-to-day business needs. Issues regarding who is responsible for ensuring that data remains private and what data is classified as private are regularly called into question in today’s headlines. Most recently, the EU has been in the data privacy spotlight with the GDPR (General Data Protection Regulation) which became effective May 25, 2018. However, one doesn’t have to look far to find other headlines in which data privacy is a recurring theme:
Apple vs FBI: In 2015, the FBI sought access to a locked phone in order to obtain evidence against Syed Rizwan Farook and Tashfeen Malik, the "San Bernardino shooters". The FBI argued that the request was analogous to a landlord’s obligation to provide access to a residence when presented with a warrant. Apple argued doing that would set a dangerous precedent for encryption and data privacy. The FBI was eventually able to gain access to the phone through a third party and dropped the case without an official ruling.
Facial recognition in China: In April 2018, Chinese officials were able to locate a suspected criminal at a concert that attracted over 60,000 visitors using facial recognition cameras. This technology is receiving a warm welcome throughout China, where concern for privacy is much lower than in other countries. Face-scanning equipment has been used not only for catching suspects at crowded locations, like train stations and festivals, but also to speed up transactions at airports, ATMs, and even fast-food restaurants.
The legal requirements and understanding of data privacy vary greatly and continue to be controversial, as disputes arise each day between organizations that fail to do their due diligence to protect personal data and consumers who feel their privacy has been breached.
Data Security
Data security refers to the practices and processes organizations put in place to ensure the personal and sensitive information they create, process, transmit, and store isn’t being accessed by unauthorized parties or being used beyond legitimate and agreed upon purposes. Data security includes any policies, procedures, or measures taken to keep information private. These measures cover a gamut that is quite extensive because of the involvement of both people and technology. Data security can refer to system access, or even access hierarchy with varying access permissions to view certain information inside of a system. A sound data policy incorporates best practice security measures for on-premises and cloud digital environments, consumer privacy expectations, and next-wave market disruptors that could impact data safety and control.
Most data security regulations will have controls to ensure organizations are performing a certain level of due diligence to be compliant with the handling of sensitive data. The goal of these regulations is to ensure the data privacy that consumers expect is achieved within the organizations and businesses we engage with every day. A growing number of regulations have been put in place in the modern era of digital business to secure consumer data:
HIPAA (U.S. Health Insurance Portability and Accountability Act of 1996) provides data privacy and security provisions for safeguarding medical information. Under this legislation, patients can expect that information shared with a medical provider or other covered entity stays private, due to the serious and highly publicized consequences for those who violate that trust.
GDPR (EU General Data Protection Regulation) is the most significant change to EU security and privacy regulations in more than 20 years. These new regulations impact any organization that does business in the EU, or collects, stores, or uses data about EU citizens. One of the many data security measures required under this new legislation is pseudonymization. This process replaces most identifying fields within a data record with one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field. Pseudonymization transforms personal data so that it can still be stored in systems without risking the privacy of the individuals within the system.
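The two pseudonymization layouts described above (a pseudonym per replaced field, and a single pseudonym for a collection of replaced fields), as an added example that is not part of the original post. It assumes a keyed HMAC-SHA256 as the pseudonym function, which is one common choice and not something the regulation prescribes; the field names, key, and sample records are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key (assumption). A real key is stored apart from the
# pseudonymized data, since whoever holds it can re-link records to people.
SECRET_KEY = b"constructed-demo-key"

# Hypothetical schema: fields treated as directly identifying.
IDENTIFYING_FIELDS = ("name", "email", "phone")


def _pseudonym(value, label, key):
    """Deterministic keyed pseudonym; the label keeps fields in separate domains."""
    msg = f"{label}\x00{value}".encode("utf-8")
    # Truncated for readability; keep the full digest for large data sets.
    return "p_" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize_per_field(record, key=SECRET_KEY):
    """Replace each identifying field with its own pseudonym."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in out:
            out[field] = _pseudonym(str(out[field]), field, key)
    return out


def pseudonymize_collection(record, key=SECRET_KEY):
    """Replace the whole set of identifying fields with a single pseudonym."""
    out = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    joined = "\x1f".join(str(record.get(f, "")) for f in IDENTIFYING_FIELDS)
    out["subject_id"] = _pseudonym(joined, "subject", key)
    return out


# Constructed sample records: two visits by one person, one by another.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "phone": "555-0100", "diagnosis_code": "J45"},
    {"name": "Alice Example", "email": "alice@example.com",
     "phone": "555-0100", "diagnosis_code": "E11"},
    {"name": "Bob Example", "email": "bob@example.com",
     "phone": "555-0101", "diagnosis_code": "J45"},
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(pseudonymize_per_field(rec))
        print(pseudonymize_collection(rec))
```

Because the pseudonyms are deterministic under one key, records for the same person still link to each other for analysis, while an unkeyed hash of a low-entropy field such as a phone number could be reversed by simply hashing every candidate value.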
We are entering a new era in which new systems (such as social networks) are collecting and disseminating more personal information than ever before. Understanding the basics of what this means for our privacy and the security of that data is critical, not just for the organizations we work for and support, but also in our private lives. Security experts anticipate more policies and regulations will be implemented as breaches continue to occur and consumers become more aware not only of what data organizations have about us, but also how they use it. Understanding the sensitive nature of personal information and its uses will be at the heart of data security regulations. Organizations which go beyond checking requirement boxes into the realm of maximum transparency and user control will be better prepared for evolving privacy expectations that will come with business innovation and the technologies of the future.
Valorem pushes the boundaries of technology to build end-to-end digital strategy solutions for securing business data, optimizing business processes and innovating user experiences. Our Cybersecurity Assessment Program can help you understand your current security posture and make a plan to reach your goals faster.