In the waning days of the 20th century, privacy was more a marketing hook than an obligation, focused on customer preference and features to help companies earn a competitive edge. Privacy today is a concept more closely associated with the potential for abuse and the very real threat of inappropriate access or exposure, identity theft and fraud--with the responsibility resting squarely on the shoulders of any organization handling personal information for consumers, customers, employees or business partners.
The privacy landscape, particularly relative to IT, is becoming increasingly complex, shaped not just by the tenets of good business but by the demands of a regulatory environment with newly stringent standards. Faced with a plethora of national privacy and data protection laws, labor laws, and trade union and works council agreements, organizations face a constant exercise in protecting the information they hold and the privacy of their workforce. Also weighing in are C-suite leaders and stakeholders who expect more from their IT function than securing personal information. In fact, meeting privacy standards has become inextricably linked with meeting strategic business initiatives, as IT professionals find themselves in more demand and with more on their plates.
As all eyes begin to focus on IT, these are some of the areas that deserve close scrutiny and may warrant immediate action.
Information is power: Keeping data classification up to date
While many organizations have data classification policies in place, they may fall short if they're outdated, overly broad and limited to high-level categories, or inaccurate in designating risk thresholds among specific data elements. Along with addressing records management requirements, IT can raise issues and develop solutions related to accurate and complete data classification, privacy, information security and intellectual property protection across all systems, databases and repositories. IT reviews must be conducted periodically to ensure that data classification policies are keeping pace with relevant privacy regulations and risks.
Less is more: Minimizing the use of personal information
Responsive organizations are exploring opportunities to eliminate, truncate, redact or obfuscate personal information, particularly in three primary situations--data transfer, including storage and communication of personal information via portable devices; specific data elements, such as Social Security and credit card numbers and how they're used; and disclosure to third parties, with requirements for transparency regarding use, access and exposure.
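The three techniques named above for specific data elements (truncation, redaction and obfuscation) are easy to get wrong when they are improvised per application. The following Go program is an added example, not code from the article or from Ernst & Young, showing one consistent way to apply them to Social Security and credit card numbers: mask an SSN to its last four digits, truncate a card number, derive a keyed pseudonym so records can still be joined without storing the raw identifier, and redact both patterns from free text before it is sent to a third party. The key string and all sample values are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// digitsOnly strips separators so "123-45-6789" and "123456789" are handled alike.
func digitsOnly(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// MaskSSN keeps only the last four digits of a U.S. Social Security number,
// which is usually all a customer-service lookup needs.
func MaskSSN(ssn string) (string, error) {
	d := digitsOnly(ssn)
	if len(d) != 9 {
		return "", errors.New("not a nine-digit SSN")
	}
	return "***-**-" + d[5:], nil
}

// TruncateCard keeps only the last four digits of a payment card number, the
// form that is acceptable on receipts; every other digit is replaced.
func TruncateCard(pan string) (string, error) {
	d := digitsOnly(pan)
	if len(d) < 13 || len(d) > 19 {
		return "", errors.New("card number must have 13 to 19 digits")
	}
	return strings.Repeat("*", len(d)-4) + d[len(d)-4:], nil
}

// Pseudonymize returns a stable, keyed HMAC-SHA256 token so records can still be
// joined (for example in a warehouse) without the raw identifier being stored.
// The key must live in a key store, never beside the data it protects.
func Pseudonymize(key []byte, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(digitsOnly(value)))
	return hex.EncodeToString(mac.Sum(nil))
}

var (
	ssnPattern  = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	cardPattern = regexp.MustCompile(`\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b`)
)

// RedactText blanks SSNs and 16-digit card numbers in free text (an e-mail body,
// a support ticket) before it leaves the organization.
func RedactText(text string) string {
	text = ssnPattern.ReplaceAllString(text, "[SSN REDACTED]")
	return cardPattern.ReplaceAllString(text, "[CARD REDACTED]")
}

func main() {
	// Constructed sample values; none of these are real identifiers.
	masked, _ := MaskSSN("123-45-6789")
	trunc, _ := TruncateCard("4111 1111 1111 1111")
	fmt.Println(masked, trunc)
	// Hypothetical key; a real deployment fetches it from a key store.
	fmt.Println(Pseudonymize([]byte("hypothetical-key-from-key-store"), "123-45-6789"))
	fmt.Println(RedactText("Customer SSN 123-45-6789 paid with 4111 1111 1111 1111, order 42."))
}
```

The regular expressions in RedactText deliberately err on the side of over-matching: any 16-digit run that looks like a card number is blanked, so an unlucky order number may be redacted too. For outbound disclosures that is the right trade-off; the alternative, a leaked card number, is a breach notification event.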
Data warehouses can maintain terabytes and petabytes of personal information about customers and employees. Similar amounts are written to disk or tape, pushed to laptop computers and transmitted through e-mail systems to handheld devices. Loss or theft of such equipment and media is the foremost trigger for security breach notification--one that can be avoided if leading safeguards become common practice.
One of the first places to start is with defining clear policy and procedures for the chain of custody over portable media containing personal information, and leveraging available technology solutions to help minimize its exposure. For example, not all employees who travel frequently and require access to personal information need fully functioning laptops. Laptop-style "thin clients" that have no local storage are gaining attention where high-speed network connections are commonly found. Network-based backup can also help limit the use of traditional tapes and disks, which have been at the center of many of the vanishing acts leading to breach notifications.
Portable storage devices complicate the issue of data retention as well. Organizations need to balance the benefits associated with keeping personal information against the risks associated with protecting it. The issue becomes more complex when certain personal information held by an organization is not subject to any regulatory retention requirement or a clear definition of how long it can or should be kept. Organizations should eliminate extraneous personal information from portable media, and then implement processes and controls for staying on top of retention limits.
Decode or not decode: The evolving use of encryption
Personal information is vulnerable to theft or other loss whether it's considered "at rest" in a computer, a tape or a USB memory device, or "in motion" through an e-mail message. Protection needs to be equally mobile. Encrypting portable devices, media and computer communications (including e-mail messages and attachments) is becoming more prevalent and should become a standard operating procedure in 2008. Organizations that have yet to do so should pilot and implement laptop, e-mail, and portable media encryption solutions for devices and exchanges that involve personal information. Common tools for encrypting e-mail attachments should be provided to business units that routinely handle personal information and made mandatory for transfers to third parties via otherwise unprotected methods.
The three-legged stool: Strict standards for vendors and business partners
Sharing personal information with vendors and business partners is commonplace and necessary in today's global market environment. Even more necessary, though not yet common, are effective programs that monitor how privacy is managed once that information leaves the organization.
The most critical questions to ask third-party vendors are "What will you do with this information?" and "How are you protecting it?" Leading companies have developed vendor risk management processes that account for privacy--performing due diligence during the selection process, putting controls in place for secure information transfer and making compliance with those controls a contractual commitment. What must exist, whether through long-term trust building or binding contract, is a solid base of confidence that the vendor can protect personal information and govern its use.
On the road again: Personal information and the telecommuter's way of life
At home, on the road or in a coffee shop, teleworkers are ubiquitous. Increased convenience, however, can also mean increased exposure, bringing the enterprise into uncontrolled territory with networks and computing devices that the organization may not have provided or protected. Extending security to this arrangement, protecting personal information typically processed in portable devices and training people who work in these environments in the safe handling of personal information may pose significant challenges. A good place to start is by equipping mobile and telework devices with security features like virus protection, spyware protection, firewalls and encryption solutions.
In case of emergency: Having a plan for the worst-case scenario
Security compromises can occur even in the best-run organizations. Maturity in incident management involves not just responding to such events but alerting the individuals who may be affected by the security breach. Formal, effective and repeatable processes that have been tested and proven are essential in determining the nature of an event and the steps to take in response. In some cases, deadlines are mandated by regulation, not just by the speed of business; failure to meet those deadlines may become a violation of law. In other cases, inappropriate reactions to events may open the organization to even more damage than the situation warrants, including damage to the brand or its integrity. Avoiding these occurrences requires a robust and consistently implemented plan. Resolving them does also.
It's a small world: Developing privacy procedures for home and abroad
Today, personal information is spread seamlessly across the globe. Accelerating business models and the globalization of businesses, markets and workforces require harmonization of systems and processes. Organizations must tackle privacy risk management and compliance across many jurisdictions to keep their businesses growing. Privacy authorities such as the Federal Trade Commission, state attorneys general, national data protection commissions and financial and telecommunications regulators have become more active with inquiries, audits and enforcement activities--sometimes in response to employee and customer complaints, other times as part of proactive industrywide initiatives.
Whereas privacy was once a roadblock to the global movement of data, privacy compliance steps can now be the enabler of global markets, global business effectiveness and global IT solutions. Although this doesn't mean that just any transfer or use of personal information will be warranted, it does imply that legitimate activity and transactions can take place with proper policies, procedures and controls.
Building a better mousetrap: Keeping pace with privacy management technology
Insider threat used to drive the need for monitoring. However, monitoring today is also about effectiveness--of the privacy program, of joint or overlapping compliance activities and of the balance between privacy risk and business value. While technology has yielded new tools for addressing and preventing data loss or leakage and for generally monitoring computer, database and network activities, there is still no silver bullet that addresses all the needs for monitoring the use of personal information enterprisewide. Finding the best technical solutions means understanding the capabilities for logs, queries and other controls within existing processes and technologies, determining the gaps and building or buying appropriate solutions to close them. It also means factoring in maintenance and consistent monitoring of operations.
Privacy is a mainstream business issue. These eight areas deserve more than a check-the-box exercise. Each one should be addressed as part of the comprehensive, deliberate management of privacy risk and compliance. Founded on policy and governance, an effective privacy program relies on controls, monitoring, compliance activities and other assurances to keep an effective operation in place.
Brian Tretick is an executive director in the Privacy Risk Advisory Services practice of Ernst & Young in the U.S. He has more than 20 years of professional experience in information security, and has spent the past decade focused on privacy and data protection. He serves the IAPP as a regular member of the CIPP Faculty.
The views expressed herein are those of the author and do not necessarily reflect the views of Ernst & Young.