Information Privacy and Security
In cyberspace, there is a difference between privacy and security that is sometimes misunderstood. The two concepts are similar and overlap in certain aspects, but companies and individuals who use the Internet should understand the distinction.
Privacy on the Internet
Privacy is difficult to define. When asked the question, scholars revert to the article "The Right To Privacy," written by Samuel Warren and Louis Brandeis and published in the Harvard Law Review in 1890 (yes, that long ago). According to Warren and Brandeis, the right to privacy is "the right to be let alone." In 1967, Alan F. Westin, in his book "Privacy and Freedom," defined privacy as the desire of people to freely choose the circumstances and the degree to which they will expose their attitudes and behaviors to others. Westin's definition reflects the shifting attitudes of people from different cultures.
On the Internet, information privacy pertains to the questions of what information is considered personal, what laws govern the collection and use of that information, and what sorts of use and disclosure of personal information are authorized.
When individuals, voluntarily or unknowingly, provide information about themselves over the Internet, most people agree that there is a reasonable expectation that the information will be protected. Yes, we have all seen certain posts on Facebook or Instagram that challenge the concept of privacy. However, no matter what an individual does on the Internet, that individual has a right to control his or her data, which includes the right of notice (who is collecting and using the data) and choice (opt in or opt out of others collecting and using the data).
Security on the Internet
The Internet, by its very nature, places personal information at risk of unauthorized access and use. This is evidenced by the data breaches that result in the exposure of millions of individuals' personal information (mostly financial and medical in nature).
Information security is the protection of information for the purpose of preventing loss, unauthorized access or misuse. The primary goal is to preserve the information by maintaining the confidentiality, integrity, and availability of information. More specifically:
Confidentiality ensures that access to data is limited to authorized parties;
Integrity is the assurance that the data is complete and authentic, and has not been altered without authorization;
Availability is the assurance that the data is accessible to authorized users when they need it.
The CIA of information and data (wink wink)
When there is a breach leading to disclosure of personal information, confidentiality is compromised because hackers now have unauthorized access to the information. The integrity of the information is also at risk because hackers can change the information for their benefit. In a ransomware or DDoS attack, availability of information is compromised.
If any of the CIA attributes is compromised, then security has failed to protect the information.
There is no federal legislation that imposes information security standards across all industries. However, the healthcare and financial sectors are subject to sector-specific information security regulations and guidelines. The Federal Trade Commission (FTC) also regulates companies that misrepresent their information security practices or fail to provide reasonable procedures to protect personal information.
The FTC has sanctioned companies when they failed to implement adequate protection measures for sensitive personal information or when they provided inadequate disclosures to consumers.
Each state has enacted laws to address the collection of personal information and breach notification.
What are you collecting, storing and disclosing?
The use of the Internet will continue to grow as it becomes the primary medium for electronic communications, commerce and information exchange. Information privacy and security are at the forefront of cyber law issues.
The personal data that an organization collects, stores and shares is an issue of information privacy.
How and where the personal data is stored, exchanged, and protected is the question of information security.
Companies and consumers/users should understand what information is considered personal/private; how personal information is being collected, used and shared on the Internet; and the risk of that information being compromised and disclosed to nefarious characters.