Often the way personal data is handled and managed is not the way it is supposed to be, especially regarding its security. There are grave concerns about how various forms of sensitive personal data, such as financial and health records, are secured at a fundamental level. Without the appropriate security measures and processes in place, bad actors and cybercriminals would have access to vast amounts of sensitive personal data, leading to complete chaos in data management. To handle this critical and massive amount of data, we need to understand the thin line between data security and data privacy, two terms that are often used interchangeably.
Today, we will discuss the differentiating factors between data security and data privacy, and how technologies such as encryption, tokenization, and masking affect both of them.
Data Security Vs. Data Privacy
The actual difference between data privacy and data security lies in which data is protected and how it is protected. Data security is about protecting data from malicious threats and bad actors, whereas data privacy is about using data responsibly.
Data security is concerned with securing sensitive and critical data. It is primarily focused on deterring unauthorized and illegitimate access to data, whether via compromise, breach or leak, regardless of who the unauthorized party is. Enterprises use IT tools and technologies such as firewalls, access control, user authentication and identification, network access control, and internal security measures to prevent such access. This also includes the latest security technologies such as encryption, tokenization and masking, which further enhance data protection by making the data unreadable, so that in the event of a breach cybercriminals are blocked from exposing the massive amount of sensitive data they obtained.
Data privacy is more about the responsible use of data, with specific disclosures to avoid its misuse, and less about protecting the data itself from bad actors. The use case for data privacy is somewhat different from data security; however, privacy is complemented by data security measures such as de-identification of personal data (severing the link between personal data and its original subject), obfuscation and many more.
It is common to see the terms data security and data privacy used synonymously, although they are very different in their application. Data security can be implemented on its own, whereas data privacy needs security as a pillar to stand on. In simple words, data privacy defines the limited access that is allowed, whereas data security employs various processes or methods to enforce that limited access.
Data Security and Data Privacy vs. Compliance
Now that we have understood data security and data privacy, we need to dive deeper to understand how the various industry regulations help organizations transform their data protection landscape.
The Payment Card Industry Data Security Standard (PCI DSS) provides a framework for protecting payment card information and cardholder data. PCI DSS is fundamentally a set of standards for the security controls around the storage, processing, and transmission of payment data, including personal data such as name, address, etc. This standard applies to merchants, banks, any third parties involved, and any other entity handling cardholder data.
The California Consumer Privacy Act (CCPA) aims to let consumers who are residents of the state of California retain ownership, control, and security of their personal information by establishing significant consumer rights such as:
The right to know what personal information is being collected, sold, and disclosed about them, and where.
The right to deny the sale of their personal information.
The right to equal service and price if they decide to exercise their privacy rights.
The right to have their personal information deleted.
The Health Insurance Portability and Accountability Act (HIPAA) provides a set of standards to protect the sensitive data of patients across the US. This regulatory standard is complex, as it covers a vast amount of health care data of US citizens. Companies dealing with Protected Health Information (PHI) must have administrative, physical, and technical security measures in place to be HIPAA compliant. Covered entities are those providing treatment, accepting payments, or operating in healthcare, as well as their business associates, which includes anyone who holds patient information and provides support in treatment, payments, or operations. The general Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting PHI. Specifically, covered entities must:
Ensure the confidentiality, integrity, and availability of all PHI they create, receive, maintain or transmit.
Identify and protect against reasonably anticipated threats to the security or integrity of the information.
Protect against reasonably anticipated, impermissible uses or disclosures.
Ensure compliance by covered entities’ workforce.
The General Data Protection Regulation (GDPR) is a digital data privacy standard for EU citizens. GDPR sets out the general guidelines for personal data, such as whose data should be protected, which types of personal data are covered, and how the data should be managed and protected. GDPR applies to all companies that collect and process EU residents' data. Non-EU companies must appoint a GDPR representative and are held liable for all fines and sanctions.
The New York Department of Financial Services (NYDFS) cybersecurity regulation is a set of rules applicable to covered financial institutions. NYDFS applies to all financial institutions operating under a DFS license, registration, or charter, or otherwise regulated by DFS. The NYDFS Cybersecurity Regulation sets strict guidelines for cybersecurity rules: a detailed cybersecurity plan designed by the CISO, implementation of a cybersecurity policy, and an ongoing maintenance and reporting system for cybersecurity incidents.
The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted to promote the meaningful use of electronic health records (EHR) technology by U.S.-based healthcare providers and their business associates. Under HITECH, healthcare providers need to show that they are using certified EHR technology to avoid data breaches of unencrypted electronic health records.
The HITECH Act also encouraged stricter enforcement of the Privacy and Security Rules of HIPAA by making security audits of all healthcare providers compulsory. These audits investigate whether health care providers meet the minimum specified standards, in order to conclude whether they comply with HIPAA's Privacy Rule and Security Rule.
Let’s discuss how Data Security and Data Privacy can be achieved with the help of the following security technologies:
Encryption for Data Security and Data Privacy:
Encryption provides data security for various forms of confidential data such as cardholder data, protected health information (PHI), personally identifiable information (PII), etc., by encrypting and decrypting it with a mathematically derived key possessed by an authorized party. Data security becomes critical in the present environment, where bad actors are present everywhere on the internet. Many encryption applications protect personal data at rest and in transit, but leave sensitive data unguarded in plaintext during processing.
Although encryption has become the de facto standard for all data-in-transit and data-at-rest use cases, on its own it still does not provide a complete data privacy solution for sensitive data throughout its lifetime.
Tokenization for Data Security and Data Privacy:
Tokenization plays an important and vital role in providing data security and data privacy, as it has the capability to satisfy the requirements of both. Since tokenization provides the functionality of pseudonymization, it can be treated as an additional safeguard that protects data in the event of a security breach. With this technology's help, even if the data in the organization's system is compromised, it is of little use to bad actors, as pseudonymization desensitizes the data by de-identifying it and making it useless for cybercriminals.
Since the data is desensitized in the organization's system, the risk associated with data privacy is countered. So, it is clear that with the help of tokenization, our data security gets the needed strength, and on the other hand, data privacy also becomes robust because of the desensitization of personal data.
Masking for Data Security and Data Privacy:
Data masking plays an instrumental role in data privacy by guarding confidential information such as credit card information, PHI, PII, etc., replacing the actual data with functional fictitious data for use in scenarios where the actual data is not needed. Gartner describes it as a technology that "can dynamically or statically protect sensitive data by replacing it with fictitious data that looks realistic to prevent data loss in different use cases." Data masking uses various mechanisms to alter the data, including character or number substitution, character shuffling, or encryption algorithms. So, data masking, also known as data obfuscation or data pseudonymization, helps to a great extent in handling data privacy issues for personal data.
Data security and data privacy are two different approaches to handling the confidential personal data of individuals; however, they are often confused and used interchangeably. It is evident that data masking and tokenization focus deeply on providing measures for data privacy, whereas encryption's core focus is on data security. Considering the facts about all three security technologies, we can say that no single technology can completely secure personal information. All of them must work in conjunction to protect sensitive personal data from theft at the different stages of its lifecycle.
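To make the distinction between the three technologies concrete, here is an added example (not code from the original article or from Encryption Consulting) that applies each of them to a constructed sample card number: encryption is reversible by whoever holds the key, a tokenization vault returns a random format-preserving surrogate that maps back to the original only through the vault's lookup table, and masking is irreversible. The stream cipher built from an HMAC-SHA256 keystream is an illustrative construction chosen to keep the example dependency-free; a production system would use an authenticated cipher.

```python
import hashlib
import hmac
import secrets

# Constructed sample card number (a well-known test PAN, not a real account).
SAMPLE_PAN = "4111111111111111"

def _keystream_xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream in counter mode.
    Illustrative, unauthenticated stream cipher; production code uses an AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt(pan: str, key: bytes, nonce: bytes) -> bytes:
    """Data security: unreadable without the key, fully reversible with it."""
    return _keystream_xor(pan.encode(), key, nonce)

def decrypt(ciphertext: bytes, key: bytes, nonce: bytes) -> str:
    return _keystream_xor(ciphertext, key, nonce).decode()

class TokenVault:
    """Tokenization: a random, format-preserving surrogate that maps back to
    the PAN only through this vault; the token itself carries no key material."""

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:          # same PAN always yields the same token
            return self._token_by_pan[pan]
        while True:
            digits = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = digits + pan[-4:]           # keep last four for receipts and lookups
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]       # KeyError for an unknown token

def mask(pan: str, keep_last: int = 4) -> str:
    """Masking: irreversible; neither a key nor a vault can recover the digits."""
    return "*" * (len(pan) - keep_last) + pan[-keep_last:]
```

The point to observe is where the secret lives: in the key for encryption, in the vault's table for tokenization, and nowhere for masking, since the original digits are simply gone.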
Dipanshu Bhatnagar is a Principal Consultant, Cloud Security Specialty, at Encryption Consulting, working with PKIs, AWS Cloud cryptographic services and tools, and Google Cloud cryptographic services, and helping high-profile clients on their cloud journey with complete data privacy assurance.