IT Compliance Institute, July 5, 2006:
Best Practices
Phantom of the Operation: Defining and Securing Privacy
Organizations often misidentify their top privacy breach threats and overestimate their level of compliance and integrity. Technical controls alone won’t meet privacy requirements, and may even lull companies into a false sense of security. The problem is simple: how do you secure an abstract concept?
By Mathew Schwartz
What’s your organization’s plan for meeting privacy requirements?
HIPAA, and various states’ data breach disclosure laws, require organizations to meet minimum standards for securing private information or face monetary penalties and a potential public relations disaster.
As a result, many regulated organizations are applying what they learned from complying with Sarbanes-Oxley (SOX): repeatable, automated controls make for easier and less expensive, ongoing compliance. They are investigating the IT controls needed to regulate access and ensure the integrity of sensitive information.
Technical controls alone, however, won’t meet privacy requirements, and may even lull companies into a false sense of security. The problem is simple: how do you secure an abstract concept? Furthermore, privacy means different things at the state and federal levels, and numerous countries have their own interpretations, each of which global companies must abide by.
Thus, complying with privacy regulations requires much more than automating IT controls. Organizations must determine what privacy legally means for them, then implement and enforce appropriate policies and procedures. Central to that is dialog: telling customers and employees what you’re doing, and why. As with any discussion, there’s an opportunity for innovative companies to push beyond the letter of the law and use their privacy practices to set themselves apart from the competition.
Poor Privacy Practices Predominate
Compared with SOX compliance, privacy efforts are nascent, notes Alex Fowler, co-leader of PricewaterhouseCoopers’ privacy practice. “As the automation of technical controls relates to the management of personally identifiable information, that’s near to non-existent at this point.”
In fact, many companies’ current privacy practices leave substantial room for improvement. Last year, for example, according to a study of 83 companies conducted by Forrester Research, one-third of companies experienced at least one privacy breach. Of those, one-third experienced up to five breaches, while one in five reported six or more breaches. The leading causes of breaches were insiders abusing access privileges (39 percent), malware (39 percent), Trojan software (29 percent), PC theft (29 percent), spyware (21 percent), attacks on customers’ desktops (18 percent), unauthorized access by insiders (14 percent), and social engineering (14 percent).
When companies were asked to rank their top concerns, however, those concerns didn’t mesh with actual risks. For example, Forrester found companies’ top concern was system and network vulnerabilities. Yet that ranks next to last on the list of the actual top-11 data privacy risks. By contrast, “authorized insider attack was the most frequently reported kind of breach,” notes Forrester analyst Jonathan Penn, “but it was only a mid-level concern.” Theft of hardware or even paper was a similarly overlooked problem.
Companies spend money commensurate with their perception of top threats. So what happens when they’re wrong? In short, they pay for their errors, and according to the Forrester survey, respondents estimate the average privacy breach cost $50,000. Even so, “the most alarming finding from our survey data is that 25 percent of respondents do not know, or do not know how to determine, the cost of data security breaches,” says Penn.
Don’t Overestimate Controls
Before companies can apply IT controls to secure private information, they must first know which information is most valuable. Even with such information, however, “technical controls ultimately aren’t sufficient, because privacy ultimately isn’t about something that is created and owned,” unlike, for example, a financial record, or a company’s own financial data, says Fowler. “It’s really information about customers, and information about employees,” and while companies may use such information, they’re only stewards. “It’s pretty clear under state, federal, and international laws, that the data really belongs to the individual, and the data is being safeguarded and must be used appropriately by the organization.”
Thus to effectively secure private information, organizations must first answer some seemingly simple questions, says Dan Foody, chief technology officer of Progress Software’s Actional group. For example, “European privacy regulations state that all personal identities must be encrypted. That sounds very simple, but the question is, what’s a personal identity, and where is it?”
Answering the “where is it” question may be especially difficult. “Most of the infrastructure out there requires that on an application-by-application, service-by-service, or message-by-message basis, that you encrypt this part of the message or application,” notes Foody. “So for what should be a very simple, high-level policy, you actually have to implement that as a whole bunch of controls you have to spread all over the place.”
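The “where is it” problem Foody describes can be made concrete with a small locator that walks a message and reports every personal identity it finds, then compares those locations against the paths a message-level control actually encrypts. This is an added example, not code from the article or from Progress Software; the field patterns, JSON paths and sample message are constructed here.

```python
import json
import re

# Added example, not from the article: locate personal identities inside an
# arbitrary JSON message and report which ones the message-level encryption
# policy leaves uncovered. Patterns and sample data are constructed here.

PII_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "us_ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "phone": re.compile(r"^\+?\d[\d\s().-]{8,}\d$"),
}

def classify(value):
    """Return the PII category of a scalar value, or None if it is not PII."""
    if not isinstance(value, str):
        return None
    for label, pattern in PII_PATTERNS.items():
        if pattern.match(value.strip()):
            return label
    return None

def locate_pii(node, path="$"):
    """Walk dicts and lists recursively, yielding (json_path, category)."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from locate_pii(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from locate_pii(child, f"{path}[{i}]")
    elif (label := classify(node)):
        yield path, label

def unprotected_pii(message, encrypted_paths):
    """PII found outside the set of paths the control actually encrypts."""
    return [(p, l) for p, l in locate_pii(message) if p not in encrypted_paths]

# Constructed sample: PII also sits in a nested list, where a control written
# only for the top-level "customer" fields would miss it.
SAMPLE = json.loads('''{
  "order": {"id": "A-1001", "total": "42.00"},
  "customer": {"email": "jane@example.com", "ssn": "123-45-6789"},
  "contacts": [{"phone": "+1 (555) 010-0199"}, {"note": "call after 5"}]
}''')

if __name__ == "__main__":
    for path, label in unprotected_pii(SAMPLE, {"$.customer.ssn"}):
        print(f"policy gap: unencrypted {label} at {path}")
```

Running it against the sample shows how a policy that only encrypts `$.customer.ssn` still leaves an email address and a phone number in the clear, the gap between “one high-level policy” and “a whole bunch of controls” that Foody points to.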
Create a Dialog with Customers
Implementing a privacy policy is one thing; enforcing it is another. “You need to ensure that everyone knows your policies, which is 90 percent of the battle, especially because policies also change,” notes Foody.
Given such difficulties—finding where sensitive information lives, dealing with different countries’ regulations, and continually relaying policies—Fowler recommends organizations take a strategic approach to privacy and foster “a culture of responsible information management.” In other words, when information is shared, share it responsibly, and disclose how and why it’s being shared.
Start with customers. For example, take the generic privacy notices US companies must now send customers annually. The notices detail how the company may use or share a person’s information, and how to opt out. Yet such notices rarely, if ever, report choices a customer already made, such as if they already have opted out. Thus consumers are left in the dark: do they need to opt out again? Did the company lose their previous request?
Organizations can do better, and gain some competitive advantage at the same time, says Fowler. “Most organizations have squandered a key opportunity to let their customer know, at that time of year, that not only are we reaffirming for you that we take privacy seriously—here’s our notice—but we know that you’ve elected to not receive certain marketing or promotional communications, and we continue to respect your wishes today, and will continue to. And if you change your mind, please give us a call.”
Remember Employees
Beyond customers, employees are an often overlooked constituency in data privacy discussions. To be sure, many of the data breaches disclosed over the past year and a half don’t involve consumers, per se, but companies’ own employees, plus government employees and military personnel, and even alumni.
Interestingly, as companies are charged with safeguarding their employees’ private information, workplaces themselves are often becoming much less private. “We’re seeing an increase of video surveillance in the workplace, or computer monitoring in the workplace,” notes Fowler. “Seldom are employees involved in the discussion of the use of those technologies.”
A paucity of discussion, however, communicates distrust. Instead, companies might talk about why controls are in place—for example, to protect employees, create a safe workplace, foster trust—and solicit input. While end results count, so often with privacy, “discussion itself is what’s important,” notes Fowler.
Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.
This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.