What role does IT play in privacy protection?
November 12, 2008, 4:40am PST | Length: 00:06:12
One of the side effects of the information age is that personal privacy has become a major concern for average citizens. And IT often bears much of the responsibility for safeguarding privacy and protecting personal information. This episode of Sanity Savers for IT executives discussed some of the ways that privacy concerns are influencing the standard operating procedures of the IT organization.
Jason Hiner: One of the side effects of the information age is that personal privacy has become a major concern for average citizens. And who do you think bears much of the responsibility for safeguarding privacy and protecting personal information? That's right: IT.
I'm Jason Hiner, and today on Sanity Savers for IT executives, I'll discuss some of the ways that privacy concerns are influencing the standard operating procedures of the IT organization.
The first thing IT needs to be aware of is the obligation to report when data has been compromised.
Many states require that government entities, businesses, and individuals disclose to a resident when his or her private information is reasonably believed to have been acquired without authorization.
For example, in 2003, California passed a law that requires organizations to notify residents if the organization experienced a data security breach that caused risk to personal information. Now 28 states have passed similar laws, and security breach notification bills are pending in more than 15 other states.
To protect personal information, the IT organization must focus on privacy concerns from the ground up. Here are a few things to consider when developing systems:
- Flag the types of data you're working with that include personally identifiable information. This includes the user's name, e-mail address, credit card numbers, social security, and/or health care information.
- Put a mechanism in place for notifying users that their personal data may be collected and offer them ways to opt out or consent to the collection of their data.
- Determine where potential compromises could happen: in the application, database, wireless network, Web access, or other interfaces.
Did someone attempt to steal your data? Was it successful? What data was affected? How many customers? What states? These are the kinds of questions you will need to constantly be aware of.
Even unsuccessful attacks may need to be disclosed, unless you can absolutely PROVE that no personal information was made available to or accessed by an unauthorized party. This means that your intrusion detection and prevention systems must be effective and you need to create reliable records of their effectiveness.
Disclosing and reporting a breach is almost sure to cost you, too. Notification alone runs about $100 per customer per incident. So if 10,000 customers are affected, the incident will cost at least $1,000,000.
There are also the issues of data sharing and boundaries. For example, who is responsible when data is shared between organizations in the course of business? What if a breach is caused by one of your outsourced partners? If your employees' 401K data is on an insecure laptop owned by the 401K provider and the laptop is stolen, who bears the burden?
IT outsourcing is popular, but whose responsibility is it to protect you when an employee or a vendor happens to leave a USB stick on the counter at Starbucks? If this device contains insecure private information, the mishap could constitute a data breach.
It's critical to have strict privacy and security language in ALL IT contracts with third parties. Incidents can't always be prevented, but you can buy some indemnity if you draft a proper contract. Data security is becoming a common section of these contracts. Use your legal counsel to help get it right.
Today, IT leaders are expected to become stewards of their organization's information. So what you need is a policy definition of classified, confidential, and public information, and you should clearly define data that's the most valuable and/or secret.
Again, a key component of this policy is a data security plan that addresses the foreseeable risks to the integrity of the information maintained in your systems. Control of and access to personal data is also the subject of recent privacy regulations in the United States. And the European Union also has specific requirements to protect its residents. We should ALL expect more regulations and government scrutiny around privacy in the future.
Highly visible data breaches, identity theft, and scams such as phishing attacks threaten consumers' trust in Internet and e-commerce services and have created a burden for businesses. For better or worse, IT is on the frontlines when it comes to restoring trust and protecting personal data.
I'm Jason Hiner and this has been an episode of Sanity Savers for IT Executives. For more, go to sanity.techrepublic.com. And if you have your own sanity savings tips, e-mail them to us at email@example.com. If we use one of your tips on the show, we'll send you a TechRepublic coffee mug. Thanks for watching. See you next time.