10 things you should know about privacy protection and IT

These days, IT bears a tremendous responsibility for safeguarding corporate data and protecting personal privacy information. This overview shows just how entrenched privacy concerns have become in the regular operations of the IT organization.


Personal privacy has become a major public concern. Highly visible data breaches, identity theft, and frauds such as phishing scams have created a huge corporate and consumer burden and threaten trust in Internet and e-commerce services.

Studies have shown that almost half of U.S. residents have "little or no confidence" that adequate steps have been taken to secure their personal data. Compounding this lack of confidence is the increasing sophistication of online crime schemes. It's hard to tell who is legitimate, and a growing number of users are becoming victims of the Internet. Let's look at some privacy concerns and how they affect IT.

#1: Reporting compromised data: It's the law

Several states require that state entities, persons, or businesses disclose to a resident when his or her private information is reasonably believed to have been acquired by someone without authorization. An organization must publicly disclose when personal information in its possession appears to have been compromised. In 2003, California passed a law that requires organizations to notify residents if the organization experienced a data security breach that caused risk to personal information. Currently, 28 states have passed similar laws, and security breach notification bills are pending in more than 15 other states. Notification of a breach is costly, as there is usually a per-person fine.

#2: Customer loyalty is directly dependent on privacy

Consumers rely on the Internet for shopping, banking, government, healthcare, and other services, while trusting that their personal and financial information is protected and inaccessible to unauthorized use. When this trust is broken, customer loyalty can evaporate overnight. The costs of identity theft and other fraud are too great to risk doing business with organizations that can't be trusted with private information.

Between 2001 and 2004, more than 196 privacy-related legal actions were raised against 255 corporate defendants, including financial services, health care, pharmaceutical, information services, e-commerce, manufacturing, media, and retail. More than 33 class action suits have also been filed. Here are some interesting figures on how Web consumers view privacy:

  • 86% are concerned about privacy of personal data.
  • 45% never provide real names to sites.
  • 5% use software to hide computer identities.
  • 86% favor "opt-in" that requires permission before using data.
  • 94% want privacy violators to be punished.

#3: IT pros bear most of the burden for privacy

Here are a few things to consider when developing systems:

  • Know the types of data you are working with that include PII (personally identifiable information). This includes the user's name and e-mail address, health care information, and credit card or Social Security numbers. Don't collect more data than necessary.
  • Know how to implement mechanisms for notifying users that their personal data may be collected and offer them ways to opt out or consent to the collection of their data. A record of opt-out acknowledgement may also be required.
  • Determine where the system vulnerabilities lie: in the application, database, wireless network, Web access, or other interfaces.
  • Understand the steps to secure PII from misuse or unauthorized access, including access controls, encryption, physical security, and auditing. Encryption is probably the best defense. When an encrypted laptop is stolen, at least the data is protected.

#4: A data classification policy is essential

Today, data managers are expected to become stewards of their organization's information. They're asked to view the data under their care as a valuable asset and manage it based on what or who it represents. An organization should have a policy definition of classified, confidential, and public information and clearly define the data that's the most valuable and/or secret.

A key component of this policy is a data security plan that addresses the foreseeable risks to the integrity of the information maintained in an organization's systems. Control of and access to PII data is the subject of recent privacy regulations in the United States. The European Union also has specific requirements to protect its residents.
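The following is an added example, not code from the original article, showing how the points in #3 and #4 meet in practice: a three-tier classification policy (public, confidential, classified) is applied to a record so that only required fields are kept (data minimization) and PII is pseudonymized or masked before it reaches logs or analysts. The field names, the policy mapping, the pepper value and the sample record are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Hypothetical classification policy following the article's three tiers.
POLICY = {
    "order_id": "public",
    "name": "confidential",
    "email": "confidential",
    "ssn": "classified",
    "card_number": "classified",
    "diagnosis": "classified",
}
# Fields the business purpose actually needs: everything else is dropped (data minimization).
REQUIRED = {"order_id", "name", "email", "card_number"}

# Constructed key for pseudonymization; a real deployment would load it from a secret store.
PEPPER = b"example-pepper-not-for-production"

# Constructed sample record containing each PII type the article lists.
SAMPLE_RECORD = {
    "order_id": "A-1001",
    "name": "Jane Doe",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "card_number": "4111 1111 1111 1111",
    "diagnosis": "example condition",
}

def classify(field):
    # Fields missing from the policy default to the most restrictive tier.
    return POLICY.get(field, "classified")

def pseudonymize(value):
    # Keyed hash: stable for joins and audit correlation, not reversible without the key.
    return hmac.new(PEPPER, value.encode(), hashlib.sha256).hexdigest()[:16]

def mask_card(number):
    # Keep only the last four digits, the usual form allowed on receipts.
    digits = re.sub(r"\D", "", number)
    return "*" * (len(digits) - 4) + digits[-4:]

def minimize(record):
    # Enforce "don't collect more data than necessary" at the point of storage.
    return {k: v for k, v in record.items() if k in REQUIRED}

def prepare_for_log(record):
    # Public fields pass through, confidential ones are pseudonymized,
    # classified ones are masked (card) or removed entirely.
    out = {}
    for field, value in record.items():
        tier = classify(field)
        if tier == "public":
            out[field] = value
        elif tier == "confidential":
            out[field] = pseudonymize(value)
        else:
            out[field] = mask_card(value) if field == "card_number" else "[REDACTED]"
    return out
```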

#5: Identifying critical systems helps risk analysis

Once you have a clear picture of how the data is classified and have identified potential data risks, target the systems that manage the data for a more detailed analysis of risks to data integrity.

A benefit of this exercise is a better risk ranking of major IT processes and systems, allowing you to focus on the areas with the highest potential privacy risk. Auditing the controls that the law expects for critical systems containing "regulated" data is a best practice.

#6: Organizations carry the burden of proof

Did you get hacked? Was it successful? What data was affected? How many customers? What states? Even unsuccessful attacks may have to be disclosed, unless an organization can prove that no personal information was made available to or accessed by an unauthorized party. As a result, an organization's intrusion detection and prevention systems must be effective and create reliable records of their effectiveness.

If a company concludes that a security incident didn't result in unauthorized access to personal data, but a customer suffers identity theft as a result of the attack, the organization will probably be found liable. Disclosing and reporting a breach is almost sure to damage the organization with financial consequences. Notification alone costs about $100 per customer per incident. So if 10,000 customers are affected, the incident will cost at least $1,000,000.

#7: CPOs oversee privacy issues

The primary role of the chief privacy officer (CPO) is to establish privacy policies for both customers and employees and to review and rule on related issues. A CPO usually chairs a privacy committee in larger organizations to provide guidance on managing incidents, privacy policies, security awareness, and many other privacy issues. The buck stops here when there's a decision to be made on technology or business that can affect compliance.

The CPO is becoming very busy these days, fielding questions on legal issues that usually have an impact on IT. IT is often responsible for finding solutions to privacy issues, such as intelligent encryption.

#8: Privacy incident management can prevent future risks

Who gets notified and when? Privacy incident management is not unlike other incident response functions, except when it comes to notification. Notification requirements are usually spelled out in the law, but notification can still be an arduous process. The CPO will likely oversee the incident response team that determines the cause and severity of the incident and reports its findings. An important outcome of investigating an incident and finding the root cause is remedying systems against similar risks in the future.

#9: Boundaries are blurring

Who is responsible when data is shared between organizations in the course of business? What if a breach is caused by one of your organization's outsourcers? If your employees' 401K data is on an insecure laptop owned by the 401K provider and the laptop is stolen, who bears the burden?

IT outsourcing is popular, but whose responsibility is it to protect you when an employee or a vendor happens to leave a USB stick on the counter at Starbucks when paying for a latte? If this device contains insecure private information, the mishap could constitute a data breach.

It's most critical to have privacy and security language in all IT contracts with third parties. Incidents can't always be prevented, but you can buy some indemnity if you draft a proper contract. Data security in contracts is becoming more common; use your legal team if necessary.

#10: White collar crime threatens privacy

A huge market exists for selling personal information, especially credit card numbers. The average rate for an ID is about $50. The infrastructure for online crime is more sophisticated than you can imagine. Marc Gaffan, a marketer at RSA Security Inc., offered this description of the problem in the article "The Net's not-so-secret economy of crime": "There's an organized crime industry out there with defined roles and specialties. There are communications, rules of engagement, and even ethics. It's a whole value chain of facilitating fraud, and only the last steps are actually dedicated to translating activity into money."

A Web site called TalkCash.net was a fraud marketplace for its members. To become a member, an applicant was asked to submit a few credit card numbers to show that he or she was really a "crook." This site is no longer open for business.

The 2005 National Survey on White Collar Crime, sponsored by the National White Collar Crime Center (NW3C), shows that nearly half of U.S. households were victimized by a white collar crime within the past 12 months. The FBI has no lack of work.

To obtain a copy of the 2005 Internet Crime Report for your state, visit www.ic3.gov/media/annualreports.aspx.

A few privacy resources