Without security, there can be no privacy, so the two subjects are forever entwined. Legally, however, the issues are quite different. Fred H. Cate, professor of law at Indiana University and senior policy adviser to the Center for Information Policy Leadership, explains the distinction as succinctly as anyone. “I think of privacy as the use of the data by somebody you gave it to, and security as the theft of the data or the interception of the data by the unknown third party,” he says. “If I buy a ticket from Travelocity, what Travelocity does with my data is a privacy issue. If somebody hacks into Travelocity and steals that data, that’s a security issue. And we’ve had a tendency to confuse the two.”
Although some cases do involve both security and privacy, two sets of legal precedents are likely to emerge. Privacy lawsuits?such as the ones well-known Attorney Arthur Miller discusses on Page 72?involve business decisions to use information in a certain way. The security-related lawsuits discussed in this article involve situations where information security fails, causing an unintended use of information or systems.