Data Privacy & Data Protection: Interconnected, yet one doesn’t secure your Data
Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.
Why data privacy and protection were always relevant and important
People still use safe boxes to secure information or personal belongings, but the sturdiness of the box counts for nothing if an attacker learns its location and knows its password.
Data protection has always mattered to people, but the main difference between the past and today is that today’s data is digital and vastly greater in volume.
In the past, data protection was the reason why we always used locks on the filing cabinets or our cabinets in general. It’s also the reason why people rent safety deposit boxes in the banks.
People trusted that their information or assets were in safe hands, but what about trusting the lock manufacturer or the bank in the first place?
Could the lock manufacturer’s owners or employees have access to the passwords of their locks along with the lock IDs, in a way that lets that data be exposed?
And how was your information (name, address, bank account number, etc.), supplied when registering for the safety deposit box, or the information inside the box itself, processed and shared by the bank?
You knew the information was “protected”, but you didn’t know, or at least had no way to control, who was authorized to access it.
In recent years many countries have adopted comprehensive data protection laws that regulate who is authorized to access your information and with which parties it can be shared.
The World Privacy Map 2021 - Governments worldwide and their data privacy laws/provisions as of 2021 – Source: Morrison & Foerster
The first precursors of data privacy originated more than 100 years ago. The history of data privacy began in 1890 when two US lawyers, Samuel D. Warren and Louis Brandeis, wrote the article “The Right to Privacy”, which argues for the “right to be left alone” (using the phrase as a definition of privacy). From 1948, the year of the Universal Declaration of Human Rights, to 2018, when the GDPR came into force in Europe, new acts and laws have been adopted, creating a rich history of data privacy and data protection.
Alongside those laws, data protection measures come into place, and the two need to work together as a proper control mechanism for the data.
Data Breaches Significance
As more of our data becomes digitized and people share more information online, such as their bank accounts, names, usernames, addresses and other personal details, data privacy and protection are taking on greater importance than ever.
Number Of Data Breaches And Individuals Impacted, 2015-2020 - Source: Identity Theft Resource Center
Data privacy and protection have become a top business priority as we enter the new decade.
Data breaches cause immense problems not only for the affected company but also for its customers: the stolen data is already in the hands of the attackers, or whichever party is responsible for the breach, who profit from it immediately and make the information available to anyone interested.
Any kind of data breach can do a lot of damage to a company’s image and resources. Those resources include money for remediation, money for improving measures to prevent future breaches and, under the new privacy laws, penalties for the incidents proportionate to the company’s budget.
After the breach, the company’s image can be significantly damaged, making existing and prospective customers hesitant to share their private information with the company again.
Combined with potential lawsuits, a company can be impaired beyond repair. Moreover, the breach affects the company’s present and future business associates, making any breach a serious threat to the company’s sustainability.
Understanding the Purpose of Data Privacy and Data Protection
Despite the publicity and frequency of data breaches, key concepts around data control, storage and access are still misunderstood, and data privacy and data protection are among them.
Data Privacy
Data privacy defines who has authorized access to your data; it is mainly a legal matter. It focuses on keeping data from being sold or shared, on how data is handled and managed inside an organization, and on what the people who collected the data lawfully can and should do with it. It takes the form of regulations and policies that govern the use of data shared with an entity, so that the user can control which data is shared and with whom.
Data Protection
Data protection secures data from unauthorized access and use; it is mainly a technical matter. It focuses on protecting data from being stolen by attackers such as cybercriminals. It is the company’s responsibility to take the protective measures that ensure the data shared with it is shielded from illegal access by unauthorized parties.
Data protection is the set of tools and procedures that enforce those policies and regulations. Besides the data shared with them, companies also need to protect their own assets and data from external threats, competitors, etc.
Interconnected Yet Distinct: Data Privacy and Data Protection
You can’t have data privacy without data protection: if an attacker can steal your data, then its privacy is not guaranteed, and identity theft becomes a risk. Data privacy is not ensured unless the data is protected by some kind of technology (data protection).
On the other hand, data protection can’t ensure that the data collected remains private; data can be secured while still not being private.
Every organization that provides a service to an individual offers an example of how data privacy and data protection do not ensure each other.
When you hand over your data for, let’s say, a subscription, you are trusting the service provider with your financial and personal information, and trusting that the information is protected and cannot be accessed by cybercriminals (unauthorized access). You also trust the service provider to respect your data privacy by not misusing the information you provided (controlled authorized access).
It boils down to whom the organization intends to share your data with, and how it plans to protect your data from everyone else.
The Importance of Data Privacy and Protection in Today’s Context
Governments are enacting laws and measures while companies put in the work to keep their own data and their customers’ data secure and private. Data that is compromised and ends up in the wrong hands can set off a serious chain of events.
Today, when most of our data is digitized, the words privacy and protection (security) have taken on greater importance in our lives. With one breach after another, people need to be more aware of what can happen to their data, given the much higher volume of data being stored online.
A breach at a school could put students’ information in the hands of hackers willing to sell it on the dark market or commit identity theft. If a government agency or a military force suffers a data breach, confidential documents can end up in the hands of an enemy state.
In England, an NHS data breach affected 150,000 patients in 2018, and that was just one of the many data breaches that have hit healthcare systems all over the world. Such a breach can be disastrous for the hospital affected, and even more so for the patients whose information is now in the hands of criminals willing to misuse it.
Preventable risks and recommendations on data protection and privacy
The first step of risk avoidance begins with the individual asking whether submitting his or her data is necessary at all. From government forms to gym membership forms, you always have to ask what data you are being asked to share and why it is necessary in the first place.
Regularly reviewing and monitoring the privacy settings of your social media accounts is a good way to get an idea of what data the platforms hold about you and how they use it, because you may be sharing more than you intended.
Having multiple accounts on different platforms is, without a doubt, normal for the average internet user. Using a single password for all of them is like having multiple safe boxes with one master key that opens all of them, making them all vulnerable at once.
If a cybercriminal compromises one of those platforms, they automatically gain access to all your accounts (usually the same email address and the same password). Using strong, unique passwords for each of your online accounts is mandatory in today’s world.
Password managers solve the headache of remembering all those passwords. When selecting one, a password manager that stores your vault locally or on a trusted cloud server is a good choice.
For all-round data protection, encryption is the best option.
One simple way to achieve this is with a VPN (Virtual Private Network), which encrypts the tunnel of communication between your devices and the internet nodes they talk to. A hacker may be able to intercept the connection, but your data will be encrypted and therefore unreadable. Moreover, your ISP won’t be able to sell information about your browsing habits to advertisers or even the government.
Choosing a VPN service that is not known for data leakage, or correctly configuring your VPN settings, is crucial. Even with the VPN on, hackers can still get into your machine, and Man-in-the-Middle attacks can still take place, allowing traffic to be read in plain text and keyloggers to be used; so it is a combination of measures rather than any single one.
Using a service provider that offers end-to-end encryption.
End-to-end encryption is the most reliable method for protecting digital information: the line of communication is encrypted at both ends of the conversation, preventing third parties from accessing the data being transferred.
Also known as asymmetric cryptography, end-to-end encryption is built on a public and private key pair, where the public key is used to encrypt the message and the private key to decrypt it. The endpoints (users) hold the keys that encrypt and decrypt the data, making it impossible for the provider’s servers, or for cybercriminals, to read the messages even if they intercept them.
In the case of an email provider like Google’s Gmail, the decryption keys are in the provider’s hands, which in the past enabled it to target account users with ads based on the content of their emails.
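The two situations described above, an end-to-end encrypted exchange where only the endpoints hold keys versus a Gmail-style provider that holds the decryption key, as an added example that is not part of the original post. It uses textbook RSA on two hand-picked Mersenne primes purely to make the key roles visible; the primes, the `exchange`/`server_can_read` helpers and the sample message are constructed for the demo and nothing here is secure enough for real use.

```python
# Toy model of end-to-end encryption vs provider-held keys (added example).
# Textbook RSA on two hand-picked Mersenne primes: an illustration, NOT secure
# (no padding, tiny key). Real systems use vetted libraries and 2048-bit+ keys.

P, Q = (1 << 61) - 1, (1 << 89) - 1   # constructed demo primes; n is ~150 bits
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Return ((e, n), (d, n)): the public key encrypts, the private key decrypts."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, message: bytes) -> int:
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key (max ~18 bytes)")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def server_can_read(ciphertext: int, server_private_key=None):
    """What the provider's relay sees: plaintext only if it holds the private key."""
    if server_private_key is None:
        return None                      # true end-to-end: an opaque number only
    return decrypt(server_private_key, ciphertext)


def exchange(message: bytes, provider_holds_keys: bool):
    """Alice -> provider server -> Bob. Returns (what Bob reads, what the server reads)."""
    bob_public, bob_private = generate_keypair()
    ciphertext = encrypt(bob_public, message)         # Alice uses Bob's public key
    seen = server_can_read(ciphertext, bob_private if provider_holds_keys else None)
    return decrypt(bob_private, ciphertext), seen


if __name__ == "__main__":
    msg = b"meet at 9pm"          # constructed sample message
    print("E2EE:       ", exchange(msg, provider_holds_keys=False))
    print("Gmail-style:", exchange(msg, provider_holds_keys=True))
```

In the first run the server's view is `None` (it relayed only a large integer), while in the second it reads the plaintext because it holds Bob's private key.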
Facebook, WhatsApp, Outlook and Telegram are among the biggest service providers that offer end-to-end encryption.
That is as far as technology services can go when it comes to data protection and privacy. The rest is up to the user to do everything possible to keep their data private and secure, using the “right” tools, services and mindset.
Are you looking for a better way to secure your business? Whether you need a product audit, vendor security assessment, or overall security testing, we can help. Our team of experts will work with you to identify your specific security needs and provide tailored recommendations to improve your overall security posture.
To find out more about how Black Hat Ethical Hacking can help you, check out our Solutions