
Most Boards and executives treat cybersecurity and data privacy as though they are the same. That is a mistake. Cybersecurity and data privacy are related but distinct concepts, as discussed below.
Cybersecurity
If you ask most people about cybersecurity, they almost always jump right to trying to keep criminal hackers from breaking into a computer or computer network to steal credit card numbers, bank account information, or intellectual property. But cybersecurity is much broader than that. The goal of cybersecurity is to prevent unauthorized access to information or resources. This means that, from an external threat perspective, cybersecurity must also consider issues such as:
- keeping others from using your online data storage to distribute malware to others, or to store information collected from malware;
- keeping others from installing software on your computer that mines bitcoins; or
- keeping others from exploiting poor software coding techniques to place fraudulent orders.
In addition to addressing external threats, cybersecurity also addresses internal threats. This can include issues such as:
- keeping unauthorized employees from accessing payroll, accounting, or other information;
- keeping employees from using the organization’s resources for non-organizational purposes (e.g., using a server to host the employee’s internet radio station); or
- keeping employees from using the organization’s computers for illegal purposes.
Data Privacy
Data privacy deals with how information about an individual, such as their name, phone number, national ID number, etc., is stored and shared. More specifically, data privacy laws seek to inform the data subject (the person whose data is at issue) about a variety of issues, including:
- what data is collected;
- how the data is used;
- whether and how the data is shared; and,
- what the data subject can do to have their data removed or “forgotten”.
By being better informed about how their information is stored and shared, the individual can make a conscious decision as to whether to continue to do business with the organization, and whether to request the removal of their data.
Data Privacy Violations Without Cybersecurity Incidents
Most people seem to understand these distinctions, yet they still struggle with envisioning how you can have a data privacy violation without a cybersecurity incident. Here’s a simple example:
Bill has been binge-watching some cooking videos online, and came across many interesting recipes for different nacho-style foods. He knows his friends will go nuts for them, so he decides to throw a party next weekend. He searches online and finds a small vendor (SmokedFishSalt.com) who has the halibut-smoked sea salt that he saw mentioned in one video. Bill is a very savvy online buyer, and reads SmokedFishSalt.com’s Privacy Policy, which says that they only share information with partners to facilitate the transaction. Pleased with what he reads, Bill places his order, asking for it to be sent Priority Mail. Bill’s order arrives, and the party is a big success due in no small part to the special salt. A few days later, Bill begins getting E-mail and postcards from other specialty foods suppliers, including SpikedPotato.com. So many, in fact, that both his inbox and mailbox are flooded. Bill gets annoyed, and decides it is time to take action.
In the scenario above, if SmokedFishSalt.com uses some of the Postal Service’s online shipping tools, SmokedFishSalt’s sharing of Bill’s information with the Postal Service is unlikely to be seen as violating the privacy policy: the Postal Service is a necessary part of the transaction. But if SmokedFishSalt shared Bill’s information with SpikedPotato.com, this would likely violate SmokedFishSalt’s privacy policy. Bill’s information would be exposed without his consent, and this would be a data privacy violation without there having been any kind of cybersecurity incident.
Cybersecurity Incidents Without Data Privacy Violations
Just as you can have data privacy violations without having a cybersecurity incident, you can also have a cybersecurity incident without having a data privacy breach. As an example, there was a recent news report of a bank that had been hacked. When the security team investigated, they found that the cyber criminals had installed software on many machines throughout the bank. From what the security team could tell, the software was “only” mining for bitcoin. No depositor, account, or other information was being accessed by the software.
Wrapping up
Cybersecurity and data privacy are two separate but related issues. The issues they cause can, and frequently do, overlap, but an organization needs to carefully consider each separately, and officers and Directors must understand that the organization’s investments in one area do not necessarily equate to investments in the other.