This article was written by James Farr, Senior Security Consultant
Privacy vs. Security
Privacy and security often work hand in hand to support each other, but each has its own distinct role. Data privacy includes policies and procedures that define how information is gathered, stored, accessed, and destroyed. Security is comprised of the people, processes, and technologies put into place to protect data from unauthorized access and use. In most instances, an organization should have separate individuals perform the privacy and security roles.
Privacy Regulation
Keeping personal information private is becomingly increasingly difficult as information is shared, purchased, and sold by organizations to find ways to better serve its customers and explore new opportunities.
Privacy regulations pertain to any information that can be used to identify an individual such as name, address, phone number, email address, account numbers, usernames, etc. The definition of private information varies across state, federal, and international regulations, so be sure to check the specifics for each regulation that you must comply with.
The United States does not have a comprehensive federal privacy law, but 12 states already have data privacy laws and another 12 states introduced privacy bills in 2023. Additionally, several countries enacted their own privacy laws such as the European Union’s General Data Protection Regulation (GDPR), China’s Personal Information Protection Law (PiPL), and South Africa’s Protection of Personal information Act (PoPIA).
Most privacy regulations outline the requirements to obtain user consent prior to collecting their information, to collect only the required information for the services being offered, and have a policies and procedures in place to secure private information. The applicability and specific requirements depend on the practice field and physical location of your business and states of residence of the individuals being served.
Third Party Access
Third party data breaches pose a significant risk to an organization’s privacy posture. A recent data breach against Zeroed-In Technologies resulted in the possible release of over 1.9 million names, dates of birth, and Social Security Numbers of customers and employees. Organizations need to review all vendor contracts and agreements to ensure that their privacy and security practices align with that of the organization.
AI Privacy Now
Artificial Intelligence (AI) made big headlines in 2023 and the time to address the approved use of AI is overdue. Start with ensuring that the proper use of AI is included in new or existing policies. Next is to include AI training in your security awareness materials. AI is rapidly changing, so policies and training should be reviewed on a frequent basis.
Conclusion
The following action steps are recommended for any organization:
- Limit the amount of data to the minimum necessary for the task at hand.
- Follow changes in the privacy landscape at state, federal, and internal levels as it applies to your organization.
- Know where your private data is and have current documented policies and procedures that outline the process for acquiring, accessing, storing, and disposing of private information.
- Provide training to instill a culture that instills data privacy is everyone’s responsibility.