Relationship Between Cybersecurity and Privacy

Overview

Cybersecurity and privacy are independent and separate disciplines and yet some of their objectives overlap and are complementary. Cybersecurity programs are responsible for protecting information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction (i.e., unauthorized system activity or behavior) to provide confidentiality, integrity, and availability as well as ensuring organizations comply with applicable cybersecurity requirements. Privacy programs are responsible for managing the risks to individuals associated with data processing throughout the information lifecycle from collection to disposal, providing predictability, manageability, and disassociability as well as ensuring organizations comply with applicable privacy requirements. The Venn diagram illustrates this relationship between cybersecurity and privacy risks, showing both where they overlap and where they are distinct. Both cybersecurity and privacy inform a comprehensive approach to managing organizational risk.

While the overlap between cybersecurity and privacy risk management is important, the distinction between the two is also critical to understand. Managing cybersecurity risk contributes to managing privacy risk (e.g., controlling access to data protects against privacy breaches by limiting who can access data and the actions they can perform), but managing cybersecurity risk alone is not sufficient because data processing activities can introduce privacy risks that are unrelated to cybersecurity incidents. Some data processing activities and technologies inherently introduce privacy risk but may be necessary for valid mission, business, or operational purposes. These privacy risks must be managed when they arise. Privacy risk management fosters trust in the organizations, products, systems and services that support society.