data privacyThe terms data privacy and data security are sometimes swapped back and forth as though they mean the same thing. They don’t, though they are tightly interlocked.

One way to consider how they’re different is to think of data privacy as the who and what of confidential information that must be kept safe and data security as the how, the means for keeping it safe.

Put another way, data privacy focuses on the individual whose private information is at stake and data security focuses on the mechanisms for protecting the information.

When businesses use data that is entrusted to them –- think of all the personal details that change hands when opening a credit card or getting hired for a job – the data is to be used according to agreed-upon purposes.

Privacy is the customer’s or client’s right to keep his or her data to himself or herself. Companies that have sold or disclosed consumer data without getting prior approval can be found to have violated individual privacy rights.

So the right internal controls, policies and practices in handling private information are imperative. But they’re not enough. That’s where data security comes in. It’s the shield that ensures that unauthorized parties aren’t poking around in your confidential information or stealing it. It’s the firewalls, antivirus software and encryption, the limiting employee and vendor access to critical data, and the securing of laptops and other electronic devices.

A watershed moment in data security came in August when the Third Circuit in FTC vs. Wyndham Worldwide Corp confirmed the Federal Trade Commission’s authority to sanction companies for having insufficient data security. The case arose from a series of breaches against the Wyndham hotel chain between 2008 and 2010 that resulted in the theft of credit card information and Personally Identifiable Information of 619,000 Wyndham customers.

Data security until recently zeroed in on building complex walls to keep out hackers and other malicious actors. But as the protections got ever harder to penetrate, cybersecurity experts say something got lost along the way: The ability to be agile, to duck. Because breaches are a virtual certainty, given time.

Check out this data visualization that looks at the biggest data hacks as of October 2015.

“In the last few years we’ve pivoted on the motion that we can protect everything,” said James Caulfield, assistant vice president for information security at the Federal Reserve Bank in Richmond, Va.“We know they can get inside. So now the focus is on reducing the amount of time before detection.”

Organizations should have tough but nimble data security in place and also a plan to respond to intrusions if they happen. These steps will help businesses meet the legal obligations of possessing sensitive information.

But in the end, they are only the means to the desired goal: Data privacy.