It has often been said that security and privacy are two sides of the same coin.
Among the countless examples, Kent Landfield, chief standards and technology policy strategist at McAfee, wrote this year in a blog post on Data Privacy Day (Jan. 28), “Our approach derives from seeing privacy and security as two sides of the same coin. You can’t have privacy without security. While you can have security without privacy, we strongly believe the two should go hand in hand.”
Similarly, in 2015, Patrick Manzo, who at the time was chief privacy officer at Monster, said, “Data security and data privacy are two sides of the same coin, and we trade that coin for consumer trust.”
And way back in 2004, Richard Clarke, an adviser to several presidents on national security issues, said, “Privacy and security are two sides of the same coin. We cannot have one without the other.”
The sentiment that these men expressed about the linkage of security and privacy is accurate, but the analogy is flawed. A coin is either heads or tails. When one comes up, it eliminates the possibility of the other. Security and privacy, however, are not mutually exclusive – they are complementary. One calls either heads or tails, but one can choose both security and privacy. And that is the choice that members of the security industry are wise to be making.
For some companies, personal data is a product to be leveraged and sold. But for the security industry – a large part of which, after all, is dedicated to securing identities – personal information is a possession to be protected, like any other valuable.
This puts the industry in a unique position: While others are making money by using personal data – in many cases, without the full knowledge of the individuals affected – security companies have opportunities both to distinguish themselves as trustworthy technological partners and to develop business models that are based on ensuring privacy. And the number of opportunities is increasing.
The European Union’s General Data Protection Regulation (GDPR) went into effect nearly a year ago. One of the first GDPR fines was assessed against a German retailer whose video camera captured images of people who were outside the immediate vicinity of the establishment and, thus, not within range of the surveillance notification that was posted. Here is where an integrator or other security professional who is educated in privacy compliance could offer value to the end user and protect the privacy of consumers and passers-by through providing guidance regarding the deployment of cameras and, potentially, other devices.
Also last year, California lawmakers passed the Consumer Privacy Act, which will go into effect in 2020. While not as strict as the GDPR, the law imposes what will likely be the most stringent rules in the United States regarding the handling of consumer information. Here, again, the security industry can extend its protective shield by helping its customers understand the relationship between security and privacy.
Several states are considering legislation similar to California’s, and members of Congress may find that consumer data protection is one of the few issues on which they are able to reach bipartisan agreement. A federal law that preempts state statutes is desired by many, including, if not especially, the big tech companies that collect the most data, because abiding by one set of regulations in the United States would be much simpler and less expensive than complying with dozens of varying requirements across the country.
Even the Trump administration, which has made cutting regulations one of its signature issues, appears to be supportive of federal data privacy legislation. At a panel discussion in Washington, D.C., in January, Gail Slater – White House National Economic Council special assistant to the president for technology, telecommunications and cyber policy – noted that the patchwork of state laws is not sound economic policy and pledged, “We will work constructively with Congress.”
Several years ago, the most frequently heard buzzword in the security industry was the “convergence” of physical and logical security. With security equipment now on the network, another convergence is occurring, this one combining security and privacy. Just as the merging of physical security and IT led to new challenges but also to new functionalities and, ultimately, a synergistic result, so too can security and privacy, with diligent planning, strengthen each other to the benefit of consumers, businesses and the industry. No coin flips required.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.