Digital privacy is an evolving topic that is increasingly part of the cybersecurity discussion. Private information is transmitted in nearly every interaction of every day, from digital habits such as app and website usage, to purchases, to driving habits. Looking back at recent data breaches, it’s interesting that the largest breaches didn’t involve stolen credit card or social security numbers. Instead personal information is being stolen in large quantities. This private information is not only extremely valuable to us as individuals, but it’s becoming increasingly attractive for cybercriminals as well.
In technical terms, privacy is the right of the individual to control access to and the use of their personal information. This personal information is not simply transactional; it’s information that may be used to define us. For instance, Bluetooth beacons exist in places like hotels, restaurants, cinemas, and grocery stores. Those beacons know exactly where you are, how long you’re in a particular place, and even how long you’re browsing in a certain aisle. Data is being collected on you, and the entity collecting it should be responsible to keep it safe and out of the hands of cybercriminals. We expect our privacy to be respected and our personal information to be protected by organizations with which we do business, even if we’re not physically entering information ourselves.
It is up to the organization to have policies in place that govern how they can – and cannot – use that data. Most businesses have privacy policies on their websites, stating how they, as an organization, secure your personal information. Some states and countries, like California and the nations comprising the European Union, have more strict privacy regulations when it comes to how organization’s collect, use, and disclose data.
In today’s web-based era where most information is being stored in the cloud, personal information is more accessible and vulnerable than ever, and organizations must take extreme measures to protect individuals’ data. If they fail to comply with the rules and individuals’ personal information gets leaked, the organizations could face a huge fine. In recent news, the FTC came to a $5 billion settlement with Facebook because of its damaging privacy practices. This settlement fine set records as being the largest in history and confirms that privacy is being taken more seriously as companies continue to collect data.
Privacy vs. Cybersecurity
In contrast to cybersecurity, privacy is about the individual’s data and protecting the individual. Although the three cybersecurity principals (confidentiality, integrity and availability) can be applied to privacy, the difference is that those cybersecurity foundations are practiced from the perspective of the data controller – and is therefore subjective – not the individual.
So, then, how do cybersecurity professionals take it a step further and incorporate privacy practices into their day? According to the OECD, there are some important principals governing privacy:
- Collection Limitation: Collection of personal data should be limited, obtained by lawful and fair means, and with the person’s knowledge or consent (where appropriate).
- Data Quality: Personal data should be relevant for the purposes they are used for, and the data should be accurate, complete, and kept up-to-date for those purposes.
- Purpose Specification: The purpose for collecting and using the personal data should be specified at the time of collection. Use of the data should be limited to the fulfillment of the purpose(s), and a change of purpose should be communicated when necessary.
- Use Limitation: Personal data should not be disclosed, made available or used for purposes other than specified, except with the consent of the person; or by the authority of law.
- Security Safeguards: Personal data should be protected by reasonable security safeguards against risks such as loss, unauthorized access, destruction, use, modification, or disclosure of data.
- Openness: Entities should have a general policy of openness about developments, practices, and policies regarding personal data, and they should have the means to establish the existence and purposes of its use. They should also disclose the identity and residence of the data controller.
- Individual participation: An individual should have the rights to: 1) obtain information from the data controller or confirmation if they have data relating to them; 2) have their data communicated to them within a reasonable time, in a reasonable manner, and at a reasonable charge; 3) to be given reasons and the right to challenge if a request made under points 2 and 3 are denied; 4) challenge data relating to them, and if successful, have the data erased or amended.
- Accountability: A data controller should be accountable for complying with measures which give effect to the above principles.
All these principals are in place to ensure the data controller follows privacy regulations (as well as cybersecurity practices) which will ultimately help protect the individual’s information. It’s important to note that individuals have a right to know where and how their information is being used and that they can inquire at any time.
Privacy is a hot topic right now compared to just six months ago. This is because we are now using data as currency, and it’s convenient to enter our information. We exchange our data almost daily for access to free online content and services. We exchange our search history with Google each time we do a search. We exchange personal data with Facebook and Instagram. Our data is a new currency. Remember, if the service is free, you are the product, and the data is who you are.
The other reason is convenience. You willingly exchange your data for either convenience or functionality. For example, it’s easier to use a transponder on the highway or use Pay by Plate than go through the toll booth.
The sheer volume of data that's being collected, used, and stored now, as opposed to a couple years ago – leaves us at a greater risk for being compromised. The aggregation and analysis of data happening now is astonishing, and we are willing to give out information in nearly any situation today.
Even with policies, regulations, and laws, we must be aware of privacy risks in nearly every interaction of every day and keep a mindful watch on where we enter our information. It’s our personal responsibility to take precautions to be safe on the Interned and with web-connected devices, and you should always be sure to read the terms and conditions on any website or application where you’re sharing information.