Privacy can be defined as the ability of a person to withhold information about himself so that the information is not shared with or revealed to others. Virtually every country has some laws regarding privacy protection that limit the ability of governments and other organizations to collect, store, and use information related to individuals. The need to protect privacy is also enshrined in human rights laws. New laws—including one being proposed by the EU—will up the ante on protecting privacy even further.
But it is not just legal compliance that is the driving force behind the need to protect privacy. At the recent RSA 2014 Conference in San Francisco, Jeff Northrop, CTO of the International Association of Privacy Professionals, gave a presentation entitled “Privacy As a Growing Risk.” During this session, Northrop identified privacy as a rapidly emerging and disruptive force and stated that privacy must become part of the purview of the information security professional. A primary challenge for organizations in making this change is to think differently about the way that they handle data and to ensure that they are acting in a reasonable manner.
To illustrate why the need to protect privacy is a growing concern, Northrop referred to real-life cases where individuals have demanded the right to protect their privacy, and pointed to differences among geographic regions and how emerging technologies are changing privacy dynamics.
Among the points he made was that privacy demands good security, but having too much security in place risks violating individual privacy. Perfect security does not necessarily mean perfect privacy. Organizations are responsible for their own information systems and should understand what is needed to protect them and what potential problems can result from poor choices regarding privacy versus security. Following modern security practices is a must in order to protect privacy.
Understanding data in a modern organization requires specialized knowledge. Taking into account that Europe is not the US, and their privacy rights and requirements to protect privacy differ in many aspects, each organization must understand its obligations within the geographic regions in which it operates, and should bake those obligations into its formal policies and procedures.
All organizations must also be informed about the basic concepts of privacy to ensure that they stay within the boundaries. Many laws require that individuals provide their “consent” in order for an organization to collect, use, or disclose their personal information. As the Internet of Things becomes a reality, data streams will grow exponentially in volume, meaning that there will be an even greater stream of personal information available. To ensure that an organization respects the concept of consent, security officers must be involved with information requests from marketing and product development to ensure that their demands are reasonable and within the confines of the law.
In conclusion, Northrop provided a number of recommendations for integrating privacy into the security profession:
- The C-suite must recognize privacy as a risk to mitigate.
- Implement data breach protection and response.
- Implement privacy controls into security programs.
- Help maximize data use, not just minimize.
- Help your organization go global.
- Be a conduit to legal, marketing, and human resources.
- Help to properly vet new systems and solutions.
By integrating privacy into the information security function, security personnel will be in a better position to provide input into the overall strategic goals of their organization — allowing them to achieve global expansion, maximize or monetize data use, or help to prevent highly damaging data breaches from occurring.