In our experience developing data privacy solutions for businesses, we have often come across the common misconception that cybersecurity and data privacy are the same thing. As we will discuss in this article, they are not. Data privacy solutions require implementation strategies that almost always fall outside the coverage of cybersecurity products.
First some definitions. Cybersecurity solutions are designed to protectan information ecosystem against cyberattacks. This includes protections against ransomeware attacks, DDoS attacks, and other security breaches that have become increasingly familiar in the business world. Cybersecurity focuses on technical implementations that protect both the hardware and software systems that comprise a business’s information ecosystem. Cybersecurity has a stronger focus on protecting a system itself.
Data privacy, on the other hand, is designed to safeguard data used within a business’s data systems. Data privacy addresses data collection, management, availability, unauthorized access, analysis, and compliancewith regulations like Health Insurance Portability and Accountability Act (HIPAA) or the California Consumer Privacy Act (CCPA).
Data privacy shares a number of similarities with security. While there is overlap between the two, privacy is a different concern to security in data systems, and requires different software applications to implement. Having cybersecurity mechanisms in place for digital systems is necessary to protect data but it does not guarantee data privacy. Likewise, solutions that protect consumer information and manage data in accordance with privacy regulations leaves many gaps from a cybersecurity perspective.
Consider this: it’s possible for a security breach to occur that does not cause a privacy breach, and for a privacy breach to not cause a security breach. In the former case, a hacker could launch a successful distributed denial-of-service (DDoS) attack, by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic that takes down the target’s systems and effectively prevents it from carrying out data-driven operations. In this example, the attack has not penetrated into the target’s systems, and no private information (such as identifying information about consumers) was breached, accessed, modified, or stolen.
Shifting now to the latter, imagine an innovative new health startup that sells targeted advertising based on social media users. The startup scrapes information about users on social media platforms and then uses sophisticated analytical tools to determine which users might be suffering from certain medical conditions. Then the startup pushes ads for healthcare products to the same users across social media platforms and browser windows. In this example, the startup has not breached any security systems, as they were granted access to user data from the social media platforms. But clearly, the startup has collected personal information about users without their consent. Most users would consider this a breach of privacy.
Until recently, there was no law in the U.S. preventing startups from analyzing personal information like this. Nevertheless, such tactics for digital marketing are widely used. Consumer privacy laws like the CCPA in California are now changing the rules and regulations around data privacy. Under CCPA, businesses (including social media platforms) are responsible for managing consumer data and are not allowed to sell that data without first receiving consumer consent.
Modern data ecosystems provide companies with the tools to create better services for their customers and more personalized user experiences. Those same systems, however, can also enable tools and functions that generate highly comprehensive statistical models detailing a person’s habits. A data record constructed from different data sources can include hundreds of different items: data that identifies the individual, demographic data, social media data, Internet browsing history, home and neighborhood data, memberships of clubs and societies, shopping preferences, political activities and affiliations, vehicles, travel, health, and more.Managing these types of consumer information in a way that complies with consumer privacy laws requires software tools and implementation strategies that can not be delivered by cybersecurity products.
If cybersecurityis a primarily a job for IT professionals, data privacy requires effort from all employees interacting with consumer data. Think about all the client management tools that sales and marketing teams have access to. Anyone accessing client information in a way that the consumer has not expressly consented to, or in a way that has not been disclosed to the consumer could constitute a privacy breach. But again, because these are employees of the company with authorized access to the business’s client management software, they are not necessarily causing a security breach simply by accessing, modifying, or analyzing consumer information.
As described above, there are many scenarios where cybersecurity and data privacy diverge, both in focus and in implementation. The key takeaway here is that businesses operating in states that have enacted consumer privacy laws (California, Colorado, Virginia) should think carefully about how to protect their information systems from both security and privacy breaches.