Teaching Students Data Security and Data Privacy: A Brief Comparison
It’s safe to say that data security and data privacy are both focused on the same overall goal: the protection of information assets.
Although data security and data privacy are separate concepts, students often assume the terms mean the same thing, and it is hard to blame them. I can tell you that the question “What’s the difference between data privacy and data security?” is asked every semester.
After fielding this question from students over the years, I thought it would make sense to provide a brief comparison of data security and data privacy, in case your students begin to raise the same question, if they haven’t already.
The Intersection of Confidentiality and Data Privacy
From an education perspective, it’s always good to start with the basics: the CIA Triad, which stands for Confidentiality, Integrity and Availability. The C in the CIA Triad (confidentiality) is probably where the confusion begins for many students new to the area of cybersecurity.
Confidentiality means information is disclosed only on a need-to-know basis. Many corporations and institutions have policies aligned to this principle so that access to particular resources is granted according to an individual's job function rather than convenience.
Least privilege is the foundation of confidentiality: each person or system receives only the entitlements its role requires, and nothing more. Data-protection controls add encryption of data in transit and at rest, so that someone who intercepts network traffic or obtains a stolen laptop, disk or backup sees only ciphertext. Students should understand the limit of that control: encryption stops parties who lack the key, not an entitled user who misuses legitimate access, which is why least privilege and encryption are complementary rather than interchangeable. Confidentiality applies to many kinds of information inside a company, such as financial results, patents, vendor contracts, operating procedures, and strategic plans.
From a company perspective, confidentiality can also be applied to employee data, such as date of birth, health information, marital status, and mailing addresses. Here’s where the differences can be emphasized.
Confidentiality is the state of information being kept secret from anyone without a need to know, enforced through access entitlements and data classification; it covers both proprietary information and personal information.
Privacy is personal: it concerns any data point that can be traced back to an identifiable person (personal data, or PII), and it is governed not only by who may see that data but by the purposes for which it may be collected, used and shared.
Overall, data classified as confidential must have controls in place to restrict access. As previously mentioned, data that is private is focused on people. Over the years, domestic and international regulation has made privacy a prominent subset of confidentiality: personal data must be kept confidential like any other restricted data, and its collection and use are additionally constrained by law.
It is important for students of cybersecurity to understand the importance of confidentiality, and the ever-evolving area of data privacy laws in place that require companies and institutions to protect the personal data of customers and employees.
There are additional considerations of data privacy that should also be shared with students. For example, students should understand that privacy-related data must be handled and stored in accordance with the laws of the individual's place of residence, which in practice means controls on where personal data is stored and from where it may be accessed. It’s also important for students to know that non-compliance with data privacy law carries fines. It should be noted that fines imposed under the EU’s General Data Protection Regulation (GDPR) on companies that mismanaged the personal information of people in Europe have been significant over the past five years.
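To make the distinction concrete for students, the following is an added example (my own illustration for this comparison, not code from the original article or from any product) of an access decision that applies both kinds of control: a need-to-know check driven by role entitlement and data classification, and, for records traceable to a person, the additional privacy checks of purpose limitation and storage residency. The roles, classification labels, approved purposes, residency rule and sample records are all constructed for the example and are not taken from any real policy.

```python
"""Need-to-know checks over classified and personal records.

Added illustration, not code from the original article. The roles,
classification labels, purposes, residency rule and sample records are all
constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed classification scheme: INTERNAL and CONFIDENTIAL are both
# "confidential" in the article's sense (access restricted by entitlement).
PUBLIC, INTERNAL, CONFIDENTIAL = "public", "internal", "confidential"
LEVEL = {PUBLIC: 0, INTERNAL: 1, CONFIDENTIAL: 2}


@dataclass(frozen=True)
class Record:
    name: str
    classification: str
    personal: bool = False                   # traceable to a person -> privacy rules apply
    subject_residence: Optional[str] = None  # where the data subject lives
    stored_in: Optional[str] = None          # where this copy is held


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    purpose: str = "none"  # declared reason for the access


# Least privilege: each role is mapped to the lowest classification it needs.
ROLE_CLEARANCE = {
    "intern": INTERNAL,
    "engineer": CONFIDENTIAL,
    "hr": CONFIDENTIAL,
    "finance": CONFIDENTIAL,
}

# Privacy adds purpose limitation on top of entitlement: being cleared for
# CONFIDENTIAL data is not enough to read personal data without an approved
# purpose. (Hypothetical purposes.)
PERSONAL_DATA_PURPOSES = {
    "hr": {"payroll", "benefits"},
    "finance": {"payroll"},
}

# Hypothetical residency rule: personal data of EU residents may only be
# read from copies stored in the EU.
RESIDENCY = {"EU": {"EU"}}


def decide(p: Principal, r: Record) -> Tuple[bool, str]:
    """Return (allowed, reason). Security checks run first, privacy checks second."""
    clearance = ROLE_CLEARANCE.get(p.role, PUBLIC)  # unknown role gets the least privilege
    if LEVEL[r.classification] > LEVEL[clearance]:
        return False, f"role {p.role} is not entitled to {r.classification} data"
    if not r.personal:
        return True, "entitled; no personal data involved"
    if p.purpose not in PERSONAL_DATA_PURPOSES.get(p.role, set()):
        return False, f"no approved purpose ({p.purpose}) for personal data"
    allowed_regions = RESIDENCY.get(r.subject_residence or "", set())
    if allowed_regions and r.stored_in not in allowed_regions:
        return False, f"copy in {r.stored_in} violates residency for {r.subject_residence} subject"
    return True, "entitled, approved purpose, residency satisfied"


# Constructed sample data.
VENDOR_CONTRACT = Record("vendor contract", CONFIDENTIAL)
EMPLOYEE_DOB_EU = Record("employee date of birth", CONFIDENTIAL, personal=True,
                         subject_residence="EU", stored_in="EU")
EMPLOYEE_DOB_US_COPY = Record("employee date of birth (US replica)", CONFIDENTIAL,
                              personal=True, subject_residence="EU", stored_in="US")


def run_demo() -> List[Tuple[str, str, bool, str]]:
    """Evaluate a fixed set of requests; returns (user, record, allowed, reason)."""
    requests = [
        (Principal("ana", "intern"), VENDOR_CONTRACT),                   # deny: entitlement
        (Principal("bo", "engineer"), VENDOR_CONTRACT),                  # allow
        (Principal("bo", "engineer"), EMPLOYEE_DOB_EU),                  # deny: no purpose
        (Principal("cy", "hr", purpose="payroll"), EMPLOYEE_DOB_EU),     # allow
        (Principal("cy", "hr", purpose="marketing"), EMPLOYEE_DOB_EU),   # deny: purpose
        (Principal("cy", "hr", purpose="payroll"), EMPLOYEE_DOB_US_COPY),  # deny: residency
    ]
    results = []
    for p, r in requests:
        ok, why = decide(p, r)
        results.append((p.user, r.name, ok, why))
    return results


if __name__ == "__main__":
    for user, rec, ok, why in run_demo():
        print(f"{'ALLOW' if ok else 'DENY ':5} {user:4} -> {rec}: {why}")
```

The point for students is the order of the checks: the engineer is denied the employee record even though the entitlement check passes, and HR is denied the US replica even though both entitlement and purpose pass. Security alone answers "is this role allowed to see confidential data"; privacy adds "for what purpose, and from where".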
Where It All Comes Together
As the lyric of the Frank Sinatra song “Love and Marriage” puts it, “You can’t have one without the other.” Specifically, you can’t have data privacy without data security: every privacy obligation ultimately rests on access controls, encryption and monitoring that keep personal data confidential.
When teaching your students about the CIA Triad, be sure to draw out the data privacy aspect of confidentiality. Over the years, cyber teams have been encouraged to work very closely with data privacy teams, and having the two collaborate helps companies and institutions maintain a strong security posture.
It may also be a good idea to spend some time discussing the importance of data privacy from a cyber perspective. Threats such as social engineering, and the data breaches they lead to, are the usual path to a privacy incident. While technical controls mitigate data privacy risk, education provides an extra layer of control. As educators, we have the opportunity (and obligation) to incorporate data privacy principles into our cyber curriculums.
About the Author:
Rodney F. Davis is an adjunct professor at Syracuse University’s College of Professional Studies where he teaches courses focused on Enterprise Risk Management, Cybersecurity, Networking, Forensic Accounting (Fraud Prevention), and Vendor Risk Management. Rod has a total of 29 years professional experience, 27 of which are focused on operational risk, regulatory oversight, technology, and cyber security within the financial services industry. Rod is also a member of an international team of cyber risk professionals responsible for creating and approving certification exam items for ISACA (Information Systems Audit and Control Association).