Most Boards and executives treat cybersecurity and data privacy as though they are the same. That is a mistake. Cybersecurity and data privacy are related but distinct concepts, as discussed below.
If you ask most people about cybersecurity, they almost always jump right to trying to keep criminal hackers from breaking into a computer or computer network to steal credit card numbers, bank account information, or intellectual property. But cybersecurity is much broader than that. The goal of cybersecurity is to prevent unauthorized access to information or resources. This means that, from an external threat perspective, cybersecurity must also consider issues such as:
- keeping others from using your online data storage to distribute malware, or to store information harvested by malware;
- keeping others from installing software on your computer that mines bitcoins; or
- keeping others from exploiting poor software coding techniques to place fraudulent orders.
In addition to addressing external threats, cybersecurity also addresses internal threats. This can include issues such as:
- keeping unauthorized employees from accessing payroll, accounting, or other information;
- keeping employees from using the organization’s resources for non-organizational purposes (e.g., using a server to host an employee’s internet radio station); or
- keeping employees from using the organization’s computers for illegal purposes.
Data privacy deals with how information about an individual, such as their name, phone number, national ID number, etc., is stored and shared. More specifically, data privacy laws seek to inform the data subject (the person whose data is at issue) about a variety of issues, including:
- what data is collected;
- how the data is used;
- whether and how the data is shared; and,
- what the data subject can do to have their data removed or “forgotten”.
By being better informed about how their information is stored and shared, the individual can make a conscious decision as to whether to continue to do business with the organization, and whether to request the removal of their data.
Data Privacy Violations Without Cybersecurity Incidents
Most people seem to understand these distinctions, yet they still struggle with envisioning how you can have a data privacy violation without a cybersecurity incident. Here’s a simple example:
Cybersecurity Incidents Without Data Privacy Violations
Just as you can have data privacy violations without having a cybersecurity incident, you can also have a cybersecurity incident without having a data privacy breach. As an example, there was a recent news report of a bank that had been hacked. When the security team investigated, they found that the cyber criminals had installed software on many machines throughout the bank. From what the security team could tell, the software was “only” mining for bitcoin. No depositor, account, or other information was being accessed by the software.
Cybersecurity and data privacy are two separate but related issues. The problems they cause can, and frequently do, overlap, but an organization needs to consider each separately, and officers and directors must understand that the organization’s investments in one area do not necessarily equate to investments in the other.