Privacy

Privacy

by John Bandler

Privacy is important for every individual and every organization. Privacy threats include data breaches and companies who overshare, violating their privacy promises regarding customer information. Privacy is the subject of rapidly growing laws and regulations and is worth attention from every organization. For organizations, sound privacy practices can be good for business and avoid a legal problem. For individuals, privacy awareness is important for each of us and our families.

Privacy's origins and the types

Personal privacy is a concept that has existed for hundreds, even thousands of years. In 1890 Louis Brandeis, who would go on to be a Supreme Court Justice, co-authored a law review article on the subject and suggested an individual right to privacy which included a right to be left alone.

We can think of four main areas of privacy:

• Information privacy (data privacy)
• Communications privacy
• Territorial privacy
• Bodily privacy

My focus here is information privacy, the information (data) about consumers (including you and me) that is collected, stored, used, and shared.

Data privacy vs. cybersecurity and information security (for an organization)

Here's how I think of privacy versus cybersecurity from an organization's perspective.

For simplicity we combine cybersecurity and information security into a single oval for this Venn diagram. (Cybersecurity is a subset of information security, as I discuss in my introduction to information security article).

Also, we call "data privacy" simply "privacy" for this diagram to reduce the word clutter, and we think of that as mostly about individual rights and organization decisions about how personal information about the individual is collected, stored, secured, shared, and used.

Thus, data privacy includes security, but also other many other elements. And cybersecurity involves securing many types of data and information systems, including individual (consumer) personal information but also others. So that's why they intersect in a large part but each also has distinct components. The intersection is not to scale and subject to debate.

Privacy vs. cybersecurity (for an individual)

Individuals can look at privacy and cybersecurity from a different perspective.

They don't need to worry about protecting an entire organization, nor about protecting customer or consumer data, they just need to protect their own privacy and cybersecurity.

From that perspective, cybersecurity and privacy can be generally addressed together, and the overlap between the circles is greater, and the unique areas are smaller. As you review settings on a device or platform, you can review your privacy and cybersecurity settings at nearly the same time.

Privacy laws and regulations

Today, consumers have varying privacy statutory legal rights depending upon applicable jurisdictions and sectors.

Here's a few thoughts to keep in mind:

• "Privacy laws" and "cybersecurity laws" overlap. Indeed, almost every privacy law has a cybersecurity and data breach reporting component. I depict this in my diagram on cybersecurity and privacy law.
• The U.S. legal framework for privacy laws and regulations is a patchwork.
• A patchwork of laws and regulations, state vs. federal, and overlapping regulators and laws.

The European Union’s General Data Protection Regulation (GDPR) went into effect in 2018 and applies to many U.S. organizations who collect personal information of EU citizens.

In the U.S., the Federal Trade Commission Act carries some privacy protections for consumers with requirements for business. Individual sectors such as finance and health have their own privacy requirements.

In the absence of an overarching federal privacy law, states have started to enact their own privacy statutes, starting with California then followed by others. The reach of these state laws extends beyond the borders.

Typical privacy legal requirements

Privacy laws generally create rights for consumers regarding information about them held by a business. This consumer rights mean legal obligations for the business. Privacy rights include:

• Notice about privacy practices; how the company collects, stores, uses, and shares information about the consumer.
• Ability to access data about the consumer, correct it, ask it be deleted or limit processing, or transfer data to another service provider.

A business privacy program should generally follow these principles:

• Be lawful, fair, and transparent
• Limit collection, use, and processing of personal data
• Keep personal data only as long as needed (then purge)
• Keep personal data accurately
• Keep personal data secure with good cybersecurity
• Be accountable for the above.

For organizations, privacy is a component of information governance

Organizations should think of cybersecurity, privacy, and business needs holistically and under the umbrella of information governance. This means managing the information technology, systems and data of a company, something well-run companies strive to do. This starts with having written policies for privacy, cybersecurity, and incident response.

This management can start with Bandler’s Three Platforms to Connect for compliance concept to align legal requirements with internal policy and company action. These should also be aligned with the Fourth Platform of business mission. When we add guidance to help us we have the Five Components for Policy Work.

Cybersecurity is a component of privacy, and a solid cybersecurity program protects organizations from cybercrimes such as data breaches, ransomware, and email based thefts as covered in earlier articles. Protection can start with Bandler’s Four Pillars of Cybersecurity which anyone can understand.

For individuals, privacy is important too

We should make conscious choices for our privacy, about the information we share, and we should teach the younger generations about this as well (and learn from them).

Conclusion

Knowledge of privacy is important for individuals and organizations. Individuals should strive to improve their awareness of privacy threats and choices they face. Organizations should develop privacy policies, comply with applicable legal requirements and protect consumer privacy.

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

Additional reading

• Introduction to Cybersecurity and Information Security
• Cybersecurity Laws and Regulations Part 1 (general legal overview)
• About the CIPP/US Privacy Certification and How to Study for It
• Law
• Cyberlaw
• Introduction to Law (an outline)
• Cybersecurity, Privacy, You, and Your Organization
• External articles
  • Privacy, you, and your business, John Bandler, Westchester & Fairfield County Business Journals, June 6, 2022, https://westfaironline.com/148491/privacy-you-and-your-business/
  • CIPP/US: 5 things to know about privacy and cybersecurity law, John Bandler, InfoSec, February 2, 2022, https://resources.infosecinstitute.com/certification/cipp-us-5-things-to-know-about-privacy-and-cybersecurity-law/
  • Privacy And You: Take A Step Forward On Data Privacy Day, John Bandler, informationsecuritybuzz.com, January 31, 2022, https://informationsecuritybuzz.com/articles/privacy-and-you-take-a-step-forward-on-data-privacy-day/
• Online courses
  • CIPP/US prep course for infosec professionals at Infosec Skills, a Cengage Company (use BANDLER50 coupon code)
  • CIPP/US prep course for lawyers and law students at Udemy

This article is hosted at https://johnbandler.com/privacy, copyright John Bandler, all rights reserved.

This article is also available on https://johnbandler.medium.com/privacy-7804466a1f4a (though not kept as up to date).

Originally posted 7/16/2022, updated 3/14/2024.