GUEST ESSAY: The key differences between ‘information privacy’ vs. ‘information security’

By John Bruggeman

Information privacy and information security are two different things.

Preserving privacy for a greater good

Information privacy is the ability to control who (or what) can view or access information that is collected about you or your customers.

Privacy controls allow you to say who or what can access a database of customer data or employee data.

The rules or policies you put in place to make sure information privacy is maintained are typically focused on unauthorized disclosure of personal information.

Controls need to be in place to protect individuals’ privacy rights, including, often, their right to be forgotten and be deleted from your company database.

Here are a few examples of demographic data that, in combination with sensitive data, make a record Personally Identifiable Information (PII).

Demographic data:

• Customer names

• Phone number

• Email address, IP address

When you combine information like that with sensitive data like the following, you get data that is now regulated.

• Social security number

• Passport number

• Driver’s license

• Credit card information

• Biometric data (fingerprint, eye scan, facial recognition data)

• Health records

When demographic information and sensitive information are combined and then inappropriately disclosed, you end up with a data disclosure incident or a data breach. A data breach typically means the company must notify customers and local law enforcement, and often government agencies such as the FTC, Health and Human Services, or others.
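As an added illustration of the combination rule above (example code written for this page, not the essay's own), the following Python classifier flags records that mix demographic identifiers with sensitive fields; the field-name vocabularies and sample records are constructed assumptions, not a real schema.

```python
# Added example: classify records by whether they combine demographic
# identifiers with sensitive data, the point at which the essay says a
# record becomes regulated PII. Field vocabularies are constructed.
from typing import Iterable

DEMOGRAPHIC_FIELDS = {"name", "customer_name", "phone", "email", "ip_address"}
SENSITIVE_FIELDS = {
    "ssn", "passport_number", "drivers_license", "credit_card",
    "fingerprint", "eye_scan", "face_template", "health_record",
}


def classify(record: dict) -> str:
    """Return 'regulated_pii', 'demographic', 'sensitive' or 'none'.

    Field names are normalised (case, whitespace) and fields that are
    present but empty are ignored, so a blank 'SSN' column does not
    by itself turn a record into regulated data.
    """
    present = {
        k.strip().lower() for k, v in record.items() if v not in (None, "")
    }
    has_demo = bool(present & DEMOGRAPHIC_FIELDS)
    has_sens = bool(present & SENSITIVE_FIELDS)
    if has_demo and has_sens:
        return "regulated_pii"   # the combination the essay describes
    if has_sens:
        return "sensitive"       # still needs handling, but not linked to a person here
    if has_demo:
        return "demographic"
    return "none"


def records_needing_privacy_controls(records: Iterable[dict]) -> list[int]:
    """Indexes of records whose inappropriate disclosure would be a breach."""
    return [i for i, r in enumerate(records) if classify(r) == "regulated_pii"]


# Constructed sample records for the demo (not real data).
SAMPLE_RECORDS = [
    {"customer_name": "A. Example", "email": "a@example.test"},
    {"ssn": "000-00-0000"},
    {"customer_name": "B. Example", "phone": "555-0100", "credit_card": "4111"},
    {"order_id": "1001", "total": 42.5},
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, classify(rec))
    print("needs privacy controls:", records_needing_privacy_controls(SAMPLE_RECORDS))
```

In a real data inventory the vocabularies would come from your own schema and classification policy; the point of the check is that only record 2, which ties a name and phone number to a credit card, falls into the regulated category.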

Companies like Google, Facebook, Experian, Entrust, and GoodRx track what you do online, what you buy, what credit cards you have, and what loans you’ve taken out. They take all this private information and then they sell it.

That’s not a data breach, that is not broken security, or a lapse of their information security program, that’s how they make money.

Information security, on the other hand, refers to something else: it is the protection of computers, information systems, networks, and data from unauthorized access, use, or damage. Information security is focused on all three elements of the CIA triad: confidentiality, integrity and availability.

Information security involves using the appropriate controls, tools, and processes to prevent or mitigate attacks, minimize or eliminate threats, and reduce vulnerabilities.

Information security has a foundation of governance, in the form of acceptable use policies and many others, that direct and govern what people can and can’t do with the technology that is in place at an organization. Once you have a solid foundation of what people can and can’t do, then you can put in the processes, procedures, tools, and technologies to implement those controls.

Now let’s look at integrity and the policies, procedures, and tools that a company needs to have to ensure that the data in the system is correct.

Think about your bank account: it is very important for you to know that when you deposit a check, the right amount is credited to your account. It is also important to the bank that the amount is correct, so integrity is key.

The same would be true of the prices of your products for sale on Amazon, or your own website. Making sure that the data stored in your systems maintains its integrity is critical to your information security and the continued success of your business.


Availability gets a lot of attention these days, usually when the topic of ransomware comes up. Ransomware uses encryption (typically a good thing) to make your business information unavailable.

The criminals encrypt your data with a password or phrase that only they know, and then hold your data hostage until you pay a ransom. If you have a good security program in place, you have backups or other systems that keep your data available to you even if it is encrypted by an attacker or lost in some other computer incident (flood, power outage, etc.).

There are a lot more details to consider in an information security program and information privacy, but the way to think about information privacy compared to information security is to understand that information privacy is focused on protecting personal information, while information security is focused on safeguarding the computer, systems, data, and networks.

About the essayist: John Bruggeman is Consulting CISO at CBTS; he is a veteran technologist, CTO, and CISO with nearly 30 years of experience building and running enterprise IT and shepherding information security programs toward maturity.
