Editor's Note: This article contains updated content from a previous feature published in the January 2003 issue of Information Security magazine. For the original article, download the e-zine.
The need to balance information privacy and security in IT has again come to the forefront of discussions. With situations such as the FBI versus Apple case, where everyone witnessed how law enforcement can (or cannot) gain access to encrypted systems and data; the revelations of spying by the National Security Agency and Central Intelligence Agency; as well as the European Union's forthcoming General Data Protection Regulation (GDPR), privacy conversations and debates are unavoidable.
National security always seems to be the argument when it comes to justifying government spying and gaining control of systems and data that it feels compelled to access. The legal battle between the FBI and Apple sort of fizzled out once the FBI took an alternate path to gaining access to the iPhone that took center stage in the San Bernardino terrorist attack.
There are also the National Security Letters, a provision of the Patriot Act that allows the federal government to demand data on American citizens with little oversight or due process. Many telecommunications and software vendors are quick to proclaim that they are in full support of customer privacy, while at the same time handing over details on internet usage and private communications, effectively negating any such philosophies.
I don't believe the government-centric surveillance arguments will be resolved anytime soon, but that's not where the corporate concern should be. Corporations are not in the business of fighting terrorism and working for the greater good of the country and national security. Instead, they're responsible for finding and keeping customers in order to achieve sales goals and remain profitable.
Given this reality, and in order to achieve the end goal of balancing information privacy and security, I think business leaders, CISOs, IT and security staff members, and legal counsel should instead focus on the privacy of their customers' and employees' information. That's where the money is and that's where the consequences lie. There is much to be gained and much to be lost.
In the privacy vs. security discussion, it's important to look at the bigger picture and think about why information privacy even matters. In essence, it's about making people aware of how their information is used and giving them some semblance of control over it. It's also about organizations establishing safeguards and response procedures in the event information is exposed so that everyone's expectations are set regarding what is to happen.
Difference between privacy and security
There are strong tie-ins between information privacy and security. Generally speaking, you can have security without privacy, but you absolutely cannot have privacy without security. There's no reasonable way to implement privacy controls or to oversee a privacy program without relying on an array of common security controls related to system access, storage, logging or alerting, encryption, and so on.
However, privacy and security are often completely separate functions within the typical organization. People in charge of information privacy are often in different departments, and may even be completely removed from those in charge of information security. In fact, privacy is often viewed as the softer side of information management; namely, paperwork and legalese managed by an attorney. For example, the Notices of Privacy Practices offered up by entities covered by the Health Insurance Portability and Accountability Act (HIPAA) often represent the majority of the organization's HIPAA compliance program, but breaches of protected health information remain a persistent issue.
Fueling the challenge of striking a balance between information privacy and security is the fact that security is seen as an IT-centric issue for which technical people are in charge. While both security and privacy roles go hand in hand, and the overall information risk management of the organization depends on them, that's rarely how things happen, regardless of the organization's size or industry.
Privacy notices, policies and procedures are created, which may look good on paper, but unfortunately, the corresponding security policies and procedures are not there to back up the privacy promises. So, the organization committed to protecting the privacy of its customers will have no reasonable means for actually doing so.
In reality, an organization that promises that the privacy of information will be protected, safeguarded or otherwise managed is going to need security controls in place to make it all happen. Ask yourself these questions:
- Does your organization have those controls?
- Are you familiar with all of the regulations you must comply with in terms of security and privacy?
- Are you fully aware of the data sets that you're collecting, where they are located in your environment and how they are currently at risk? What about incident response?
This is one of the biggest areas where security and privacy converge and should be managed together. You may need to perform a privacy impact assessment that can highlight gaps and areas of weakness.
Maintaining information privacy is essentially an outcome of a well-run security program. Knowing what assets you've got, understanding how they're at risk and then doing something to minimize business risks and the impact of incidents is required for both information privacy and security.
Whether it's complying with GDPR, HIPAA or even the government's spying programs, you're dealing with the same core concepts and principles. It's all about what information you have, along with how you're managing it and how you are going to handle requests for such information in the event of a subpoena or National Security Letter.
We operate in a world where people want to use blockchain technology to secure medical records, when, really, all that's needed to keep things in check is for people to follow their own information privacy and security policies and get serious about passwords, patches and system hardening. We're way off course from the ideal state of security based on principles that have been around for decades.
In order to balance out your privacy initiatives, it wouldn't hurt to become familiar with the Federal Wiretap Act, GDPR, Privacy Shield and standards such as the ISO/IEC 27018 standard for cloud privacy.
There are certainly areas of privacy that information security managers and leaders need to understand, especially in terms of breach response and reporting. But let your compliance manager or lawyer figure out the details. Your job is to keep doing what you're doing with security -- understanding your environment better, improving your visibility and fine-tuning your risk analyses. Adjust your policies and technologies as needed, and don't forget the cloud, internet of things and other emerging technologies along the way.
Information privacy and security are, effectively, one and the same. Make sure they're being treated as such across your business.