Data Security versus Data Privacy

What’s the difference, and which one requires the lawyers?

Data security and data privacy are often used interchangeably under the same umbrella of compliance-sounding buzzwords — e.g., cybersecurity, infosec, cyber-info security.

While there is one common thread (the data), there is a subtle nuance in what each of them means.

Think of your company as a castle.

Inside the castle, you have all kinds of information.

You have your own confidential information (your financials, your code, your contracts) and your customers’ information (their names, their confidential information, and maybe even their social security numbers).

Data security is the moat around your castle. It prevents intruders from entering the castle and stealing your information.

Data privacy is what you do with the information inside your castle. Do you send it to the marketing department in the second tower for outreach? Do you keep it in the cellar where nobody can see it? Do you share it with visitors who show up at your doorstep?

Data security is all about keeping your castle as secure as possible. You keep checking the moat to make sure it is going to work.

Data privacy is all about putting up a huge banner on top of your castle telling the world what you’re doing with the information inside your castle. It is about being transparent and providing control to your consumers over the data you collect from and about them.

Data security promises protection.

Data privacy promises transparency.

The problem is that the goings-on inside the castle must always match what you’re telling the world. In a fast-paced start-up environment, your product team might decide that they want to start collecting customers’ email addresses so they can re-target them for marketing. This decision may go unnoticed as a routine marketing plan.

But, if your banner — your privacy disclosure — doesn’t reflect this practice, you might be in trouble.

Data security as a pseudo compliance department

Data security is not really a legal or compliance issue. After all, we can all agree that data breaches are a bad thing, and we don’t really need regulations to tell us that.

In fact, regulations provide little guidance when it comes to how we protect this information.

The Gramm-Leach-Bliley Act (GLBA), which governs the use of confidential information in the financial services industry (banks, fintechs), says you must have “reasonable safeguards” to protect your information.

What are “reasonable safeguards,” you ask? Ask a person who has dedicated their entire career to figuring out how to prevent data breaches, and they will tell you that the phrase tells you very little.

And so, within an organization, the practice of building and maintaining your moat usually depends on very smart people who spend much of their time figuring out the latest tricks that hackers might use to steal your information.

The only time the compliance or legal team might get involved is if you do have an unexpected breach, in which case there may be a patchwork of requirements (from your contractual obligations to state-specific rules) governing what you need to disclose about your breach, to whom, and how quickly.

If you’ve ever gotten an email from your favorite large vendor that your information might have been compromised in a data leak, well, that email was probably required to be sent to you by law.

Data privacy is so hot right now!

Data privacy (what you do with customer information and how you disclose it) is a very, very hot topic right now.

Unlike Europe, which has a central framework called the GDPR, the U.S. has lacked a federal law designed to govern privacy.

The GLBA and HIPAA govern financial services and healthcare, respectively, but there is no prescriptive rule that governs how all companies treat your information and what they are required to disclose.

The result is a patchwork of laws at the state level. California has been the most active participant here with the California Consumer Privacy Act, last amended by the California Privacy Rights Act.

Other states, like Virginia, Colorado, Connecticut, Utah, Oregon, and Montana, have followed suit. The bottom line of these laws is similar: companies must

  • Disclose. Share what information they collect, what they do with that information, and with whom they share it.
  • Restrict. Honor the customer’s right to control what they can do with that information and with whom they can share it.
  • Delete. If asked, comply with a customer’s request to have their information deleted.

The first step always starts with proper disclosure.

You likely have a privacy policy on your website and, for fintechs, in your product UX.

Make sure you check in with your product team from time to time to understand what information they’re collecting and what they’re doing with it (is it just for internal research, is it to process the customer’s application, are we sharing the information?), and then ensure this is all reflected in your privacy policy.

Once your disclosure (i.e., the banner on top of your castle) is up to date, you need to figure out what to do if a customer comes knocking on your front door.

In some cases, you may not need to answer the door. State privacy regulations generally only apply to businesses of a certain size operating in that state. For example, in California, a business must meet one of the following criteria:

  • Has gross revenue of over $25 million.
  • Buys, sells, or shares the personal information of 100,000 or more consumers or households.
  • Derives 50% or more of its annual revenue from selling or sharing personal information.

But, if you do meet the threshold, you will want to follow a very strict and regimented process for when one of your customers contacts you.

Because privacy is such a sizzlin’ hot topic right now, both regulators and lawyers looking for an easy win will look for any slight foot fault to come after you.

While we hope you found this post helpful, please note that the information in this post is not intended to be legal or regulatory advice.

Fintech Law and Compliance 101 is affiliated with https://www.itsaffinity.com/, a compliance learning management platform built specifically for fintechs.