10 things you should know about privacy protection and IT

These days, IT bears a tremendous responsibility for safeguarding corporate data and protecting personal privacy information. This overview shows just how entrenched privacy concerns have become in the regular operations of the IT organization.

Personal privacy has become a major public concern. Highly visible data breaches, identity theft, and frauds such as phishing scams have created a huge corporate and consumer burden and threaten trust in Internet and e-commerce services.

Studies have shown that almost half of U.S. residents have "little or no confidence" that adequate steps have been taken to secure their personal data. Compounding this lack of confidence is the increasing sophistication of online crime schemes. It's hard to tell who is legitimate, and a growing number of users are becoming victims of Internet-based crime. Let's look at some privacy concerns and how they affect IT.

#1: Reporting compromised data: It's the law

Several states require that state entities, persons, or businesses disclose to a resident when his or her private information is reasonably believed to have been acquired by someone without authorization. In other words, an organization must publicly disclose when personal information in its possession appears to have been compromised. California's breach notification law, which took effect in 2003, requires organizations to notify residents when a data security breach puts their personal information at risk. Currently, 28 states have passed similar laws, and security breach notification bills are pending in more than 15 other states. Notification of a breach is costly, because the expense scales with the number of people who must be notified.

#2: Customer loyalty is directly dependent on privacy

Consumers rely on the Internet for shopping, banking, government, healthcare, and other services, while trusting that their personal and financial information is protected and inaccessible to unauthorized use. When this trust is broken, customer loyalty can evaporate overnight. The costs of identity theft and other fraud are too great to risk doing business with organizations known for mishandling private information.

Between 2001 and 2004, more than 196 privacy-related legal actions were raised against 255 corporate defendants, including financial services, health care, pharmaceutical, information services, e-commerce, manufacturing, media, and retail companies. More than 33 class action suits have also been filed. Here are some interesting figures on how Web consumers view privacy:

  • 86% are concerned about privacy of personal data.
  • 45% never provide real names to sites.
  • 5% use software to hide computer identities.
  • 86% favor "opt-in" that requires permission before using data.
  • 94% want privacy violators to be punished.

#3: IT pros bear most of the burden for privacy

Here are a few things to consider when developing systems:

  • Know the types of data you are working with that include PII (personally identifiable information). This includes the user's name and e-mail address, health records, and credit card or Social Security numbers. Don't collect more data than necessary, and watch for PII that ends up in fields not designed for it, such as free-text notes.
  • Know how to implement mechanisms for notifying users that their personal data may be collected and offer them ways to opt out or consent to the collection of their data. A record of opt-out acknowledgement may also be required.
  • Determine where the system vulnerabilities lie: in the application, database, wireless network, Web access, or other interfaces.
  • Understand the steps to secure PII from misuse or unauthorized access, including access controls, encryption, physical security, and auditing. Encryption is probably the best defense: when an encrypted laptop is stolen, at least the data is protected. That holds only if the machine was powered off or locked and the key is not stored with it; a stolen laptop with an unlocked, mounted volume exposes the data regardless.

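To make the first and last items above concrete, here is an added example (not code from the article) of a small pipeline that classifies the fields of a customer record, withholds anything that looks like unlabelled PII, drops fields the downstream consumer has no need for, and pseudonymizes direct identifiers with a keyed hash before the record leaves the system of record. The field names, classification table, allow-list, sample record and key are all constructed for the example; in a real system the table comes from the data classification policy and the key from a key management service.

```python
import hashlib
import hmac
import re
from typing import Any, Dict, List, Set, Tuple

# Assumed classification for the example: which incoming fields hold PII
# and what kind. A real system takes this from the data classification
# policy, not from a hard-coded dict.
PII_FIELDS: Dict[str, str] = {
    "name": "direct_identifier",
    "email": "direct_identifier",
    "ssn": "direct_identifier",
    "card_number": "financial",
    "diagnosis": "health",
}

# Patterns that catch PII leaking into fields that are not labelled as PII
# (free-text notes are the usual culprit). Constructed for the example.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# Fields the analytics consumer is allowed to receive at all (assumed).
ALLOWED: Set[str] = {"customer_id", "name", "email", "zip", "order_total", "notes"}

# Constructed sample record and key (the key belongs in a KMS, not in code).
SAMPLE = {
    "customer_id": 4711,
    "name": "Jane Doe",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "zip": "94107",
    "order_total": 59.90,
    "notes": "customer read SSN 123-45-6789 over the phone",
}
KEY = b"example-key-replace-with-kms-managed-secret"


def classify(record: Dict[str, Any]) -> Dict[str, str]:
    """Return a category for every field: the policy category for labelled
    PII fields, 'unlabelled_pii' for other fields whose value matches a PII
    pattern, and 'public' for everything else."""
    categories: Dict[str, str] = {}
    for name, value in record.items():
        if name in PII_FIELDS:
            categories[name] = PII_FIELDS[name]
        elif isinstance(value, str) and any(p.search(value) for p in PII_PATTERNS.values()):
            categories[name] = "unlabelled_pii"
        else:
            categories[name] = "public"
    return categories


def minimize(record: Dict[str, Any], allowed: Set[str], audit: List[str]) -> Dict[str, Any]:
    """Drop every field the consumer is not allowed to receive and log it."""
    kept = {k: v for k, v in record.items() if k in allowed}
    dropped = sorted(set(record) - set(kept))
    if dropped:
        audit.append("minimize: dropped " + ",".join(dropped))
    return kept


def pseudonymize(record: Dict[str, Any], categories: Dict[str, str],
                 key: bytes, audit: List[str]) -> Dict[str, Any]:
    """Replace direct identifiers with keyed HMAC-SHA256 tokens. A keyed hash
    (rather than plain SHA-256) stops anyone holding the output from recovering
    e-mail addresses by hashing a dictionary; the same key yields the same
    token, so records can still be joined downstream."""
    out: Dict[str, Any] = {}
    for name, value in record.items():
        if categories.get(name) == "direct_identifier":
            out[name] = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
            audit.append("pseudonymize: " + name)
        else:
            out[name] = value
    return out


def export_for_analytics(record: Dict[str, Any], key: bytes,
                         allowed: Set[str] = ALLOWED) -> Tuple[Dict[str, Any], List[str]]:
    """Run classify -> minimize -> pseudonymize and return (record, audit trail)."""
    audit: List[str] = []
    categories = classify(record)
    flagged = [n for n, c in categories.items() if c == "unlabelled_pii"]
    for n in flagged:
        audit.append("classify: " + n + " looks like PII but is not labelled; withheld")
    # Never export a field that smuggles PII under a non-PII label.
    trimmed = minimize(record, allowed - set(flagged), audit)
    return pseudonymize(trimmed, categories, key, audit), audit


if __name__ == "__main__":
    safe, trail = export_for_analytics(SAMPLE, KEY)
    print(safe)
    for line in trail:
        print(line)
```

The audit trail is the piece most teams forget: when a breach question comes in later (see #6), being able to show which fields left the system, in what form, is what lets you argue that no raw identifiers were exposed.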
#4: A data classification policy is essential

Today, data managers are expected to become stewards of their organization's information. They're asked to view the data under their care as a valuable asset and manage it based on what or who it represents. An organization should have a policy that defines classified, confidential, and public information and clearly identifies the data that's the most valuable and/or secret.

A key component of this policy is a data security plan that addresses the foreseeable risks to the integrity of the information maintained in an organization's systems. Control of and access to PII data is the subject of recent privacy regulations in the United States. The European Union also has specific requirements to protect its residents.

#5: Identifying critical systems helps risk analysis

Once you have a clear picture of how the data is classified and have identified potential data risks, target the systems that manage the data for a more detailed analysis of risks to data integrity.

A benefit of this exercise is a better risk ranking of major IT processes and systems, allowing you to focus on the areas with the highest potential privacy risk. Auditing the controls the law expects for critical systems that hold "regulated" data is a best practice.

#6: Organizations carry the burden of proof

Did you get hacked? Was it successful? What data was affected? How many customers? What states? Even unsuccessful attacks may have to be disclosed, unless an organization can prove that no personal information was made available to or accessed by an unauthorized party. As a result, an organization's intrusion detection and prevention systems must be effective and create reliable records of their effectiveness.

If a company concludes that a security incident didn't result in unauthorized access to personal data, but a customer suffers identity theft as a result of the attack, the organization will probably be found liable. Disclosing and reporting a breach is almost sure to have financial consequences for the organization. Notification alone costs about $100 per customer per incident, so if 10,000 customers are affected, the incident will cost at least $1,000,000.

#7: CPOs oversee privacy issues

The primary role of the chief privacy officer (CPO) is to establish privacy policies for both customers and employees and to review and rule on related issues. A CPO usually chairs a privacy committee in larger organizations to provide guidance on managing incidents, privacy policies, security awareness, and many other privacy issues. The buck stops here when there's a decision to be made on technology or business that can affect compliance.

The CPO is becoming very busy these days, fielding questions on legal issues that usually have an impact on IT. IT is often responsible for finding solutions to privacy issues, such as deciding where and how personal data must be encrypted.

#8: Privacy incident management can prevent future risks

Who gets notified and when? Privacy incident management is not unlike other incident response functions, except when it comes to notification. Notification requirements are usually spelled out in the law, but notification can still be an arduous process. The CPO will likely oversee the incident response team that determines the cause and severity of the incident and reports its findings. An important outcome of investigating an incident and finding the root cause is remedying systems against similar risks in the future.

#9: Boundaries are blurring

Who is responsible when data is shared between organizations in the course of business? What if a breach is caused by one of your organization's outsourcers? If your employees' 401K data is on an insecure laptop owned by the 401K provider and the laptop is stolen, who bears the burden?

IT outsourcing is popular, but whose responsibility is it to protect you when an employee or a vendor happens to leave a USB stick on the counter at Starbucks when paying for a latte? If the device contains unencrypted private information, the mishap could constitute a data breach.

It's critical to have privacy and security language in all IT contracts with third parties. Incidents can't always be prevented, but you can buy some indemnity if you draft a proper contract. Data security clauses in contracts are becoming more common; use your legal team if necessary.

#10: White collar crime threatens privacy

A huge market exists for selling personal information, especially credit card numbers. The average rate for an ID is about $50. The infrastructure for online crime is more sophisticated than you can imagine. Marc Gaffan, a marketer at RSA Security Inc., offered this description of the problem in the article "The Net's not-so-secret economy of crime": "There's an organized crime industry out there with defined roles and specialties. There are communications, rules of engagement, and even ethics. It's a whole value chain of facilitating fraud, and only the last steps are actually dedicated to translating activity into money."

A Web site called TalkCash.net was a fraud marketplace for its members. To become a member, an applicant was asked to submit a few credit card numbers to show that he or she was really a "crook." This site is no longer open for business.

The 2005 National Survey on White Collar Crime, sponsored by the National White Collar Crime Center (nw3c), shows that nearly half of U.S. households were victimized by a white collar crime within the past 12 months. The FBI has no lack of work.

To obtain a copy of the 2005 Internet Crime Report for your state, visit www.ic3.gov/media/annualreports.aspx.

6 comments

AnsuGisalas

Only keep what you absolutely need to know?

Kelly Monroe

As an IT consultant I am fully aware that IT management is struggling with whether social media is productive or obstructive for companies and their employees. Software is being developed and policy and restrictions are being decided every day by IT managers. The security of company networks is at stake, but the potential for innovation using social media is a large enough carrot that the discussion of how to properly utilize the medium continues. Palo Alto Networks came up with a whitepaper, http://bit.ly/d2NZRp, which will explore the issues surrounding social media in the workplace. It is important to not only understand the immediate benefits of doing business how one lives, but the threat it presents to a company's greater ROI and productivity when it comes to the server's safety and security. Check it out: http://bit.ly/d2NZRp and http://bit.ly/cR80Al

Oz_Media

The article refers to US law and even then not for all states. So really the one KEY thing you need to know is how your OWN state, province or territory applies laws regarding privacy protection. In Canada, this has always been far tighter than in the US. Personal privacy law is common knowledge to most businesses and employees here.

JodyGilbert

Is your organization doing an effective job of protecting personal information? What changes have you seen that are designed to bolster privacy protection and ensure compliance?

Tig2

One of the bigger struggles is knowing what to manage to for each State and recognising the differences between the States as well as the Fed... and the guidelines based on industry. Optimally, privacy in general would be "one size fits all" with industry-specific guidelines added on. HIPAA has different rules than SOX and a company may or may not have to manage to both. Regardless, I think that business continues to give security, privacy, and compliance short shrift. That thinking must end. The potential for life-changing damage is just too high.

NickNielsen

It would be relatively easy to do, as well. Simply extend the Privacy Act of 1974 to apply to all personal data and not just identifying information, and require businesses to comply and not just government. Only the individual can release or authorize the release of data and must authorize each individual release, which is actually more strict than either SOX or HIPAA. The Privacy Act does not, however, have the onerous "what we're doing to comply" requirements associated with HIPAA and SOX; the only requirement I am aware of is that the authorization for release must remain with the information until it is destroyed.