Getting our Security Terminology Right

March 31, 2020

With cybercrime making headlines and new data privacy laws hitting the books in states around the country, IT teams are swamped with work. However, not all those duties really belong in that department.

According to the National Conference of State Legislatures (NCSL), new devices and applications aimed at making shopping and purchases easier for consumers have set the stage for increased state legislation. According to the organization:

These devices have the capability to collect and share personal information to an extent not possible previously, and sometimes in ways that are not apparent to consumers. Concerns about privacy are heightened when breaches, cyberattacks and unauthorized sharing of personal information are reported in the media.

Europe’s General Data Protection Regulation (GDPR) went into effect this past May, followed the next month by California’s new Consumer Privacy Act. NCSL’s website lists dozens of pending bills in legislatures in 26 states and Puerto Rico.

But data privacy is quite different from information security and is best handled by a different department in the company. The distinction is subtle and often missed even by industry veterans.

To explain why, let’s start with some definitions.

According to the Oxford Dictionary, Information Security is “the state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this.”

This made Joseph Lowe, Mortgage Cadence’s information security manager, nod his head in agreement.

“Information security protects the confidentiality of the data,” Lowe said. “Privacy relates to appropriate use of that data and the rights of consumers.”

Division of Labor

The new data privacy laws that we’re seeing in California, New York and Europe all relate to the rights of individuals to have some level of control over how their information is used by the companies that gather it, and to their right to correct inaccurate information. That’s data privacy.

But Lowe’s department, information security, is about data confidentiality. “Confidentiality requires me to keep your data confidential, but my department has no control over how the company chooses to use that information,” he said. “That’s what we guard with data privacy rules.”

Security, Lowe says, is all about controlling access to the information the company stores about its customers and ensuring that anyone who gains control of that information is authorized to do so. Many will argue that it’s the same thing because, should a breach occur and an unauthorized party gain control of the data, that party will almost certainly use it in a manner that is at odds with data privacy laws.

But Lowe says that the new laws don’t touch data confidentiality except to require that, should a breach occur, the company notify its customers that their data is at risk. If information is inappropriately disclosed, that’s an information security problem. Privacy laws give consumers the right to be notified if their data is at risk, but that responsibility moves out of IT and over to the legal department.

“My team will be responsible for handling containment of the incident, recovery of the data, and making sure that it doesn't happen again,” Lowe said. “The legal department will comply with the privacy regulations and notify the customers.”

The Quality of the Data

The other misconception that Lowe says is common relates to which parties are responsible for the quality of the data. In our industry, loan quality is completely dependent upon the quality of the information used to underwrite and close the transaction. It has to be right. But whose job is that?

Information security has very little to do with the accuracy of the data, making it a very small issue within the department. They don’t have any tools that will tell them whether the information in the file is correct or not.

What they do focus on is the integrity of the data. In other words, if an authorized user types the name “John” into a field, that field contains that data until such time as another authorized user with an authorized purpose changes that data field.

If an authorized user enters inaccurate information, Lowe’s team will likely never know. Similarly, if an authorized user makes inappropriate use of company data, Lowe’s team would probably not detect it. But the legal team might.

“Privacy is all about the consumer where security is all about the business and protecting the information we hold in trust for the consumer,” Lowe says. They are both important, but different disciplines handled by different departments.

Even with bulletproof information security, data privacy compliance risk would still be an issue for our industry. When a breach occurs, those laws will likely be broken and the company will be required to take action to notify its customers. And according to Lowe, it’s becoming increasingly clear to many that breaches will continue to occur.

We’ll tell you why he believes that in our next article.


Contact ALTA at 202-296-3671 or communications@alta.org.