Data Privacy and Data Security Are Not the Same
It's not just semantics. Companies that fail to understand the differences between data privacy and data security put their brands and bottom lines in jeopardy.
Since the Equifax data breach disclosed in September 2017, which exposed the personal information of 147 million Americans, and the many high-profile breaches that have followed, data security and data privacy have become pressing boardroom-level concerns.
"The Equifax debacle is where a lot of the inherent [cybersecurity] issues really surfaced to the business level," said Aaron Shum, practice lead for security, privacy, risk, and compliance at Info-Tech Research Group. "It's where we discovered the level of incompetence that can exist in an organization."
According to the 2019 Edelman Trust Barometer Special Report: In Brands We Trust?, 81% of consumers said that brand trustworthiness plays a major role in their buying decisions. In other words, data breaches today not only carry bottom-line risk in the form of penalties but also jeopardize an organization's brand and reputation, directly affecting its ability to attract new customers and retain existing ones.
"Businesses need to treat privacy as both a compliance and business risk issue to reduce regulatory sanctions and commercial impacts such as reputational damage and consequential loss of customers due to privacy breaches," said Steve Durbin, managing director of the Information Security Forum in the UK.
More Than Semantics
Outside the infosec community, the terms "data security" and "data privacy" are often used interchangeably. In reality, even though they share a common goal, they are not the same, said Greg Ewing, cybersecurity partner at Potomac Law.
"The difference between data privacy and data security is the difference between protecting someone's personal information and the security measures you have in place to protect all of your business' information," he said.
With regulations such as the California Consumer Privacy Act (CCPA) and the EU's General Data Protection Regulation (GDPR) now in effect, this distinction is more than a matter of semantics. The GDPR, for example, allows fines of up to €20 million or 4% of a company's worldwide annual turnover, whichever is higher, for noncompliance involving the personal data of people in the EU, which for the largest companies can run into the billions of dollars. Under the CCPA, civil penalties of $2,500 per violation, or $7,500 per intentional violation, plus statutory damages of $100 to $750 per consumer per incident in private actions following a data breach, can add up quickly, as well.