Short answer: it’s a trick question. Privacy is part of security.
But just because one is part of the other doesn’t mean they are the same. There’s a nuance there that’s important.
The word “security” is shorthand for “information security” or “cybersecurity” in this parlance.
- Information Security is about controlling access to information.
- Privacy is about making sure users’ expectations about use of their personal data are reflected in the real world.
These are extremely similar, but not identical.
The main difference is that with security the policy for protection and use is a given, and with privacy it’s a conversation with the user.
Both are about avoiding misuse of data. The difference is in one component—the policy, i.e., the expectation of how information is supposed to be used.
This is a fantastic description of privacy from a company called Habitu8.
With privacy, this policy component is the important point, because the expectation has to be captured from the user at various points in the lifecycle of a product or service.
In the larger information security field, this expectation-of-protection-and-use component is handed to us as an explicit policy at the outset: these people can do this with this data, those people cannot, and so on.
That’s really the difference.
So don’t listen to anyone who says they’re either completely different or completely the same. It’s more nuanced than that.
Both are about protecting information from violating policy—which is information security. Privacy just involves gathering that policy from the user as part of the process.
- January 10th, 2019—Chad Loder has a great point, which results in this discussion, which is that if a DataBroker sells your data to China, it’s going to be hard to convince people that’s a “security” breach. To which I responded that to the user—who presumably still considers themselves the owner of the data—it would absolutely be a security problem. So the discussion just made it crystal clear that the entire issue orbits around the question of who “owns” the data. Because that’s who gets to set the policy.