I’ve got spies
Concern around data privacy is on the rise. In the U.S., the Snowden revelations ratcheted up the noise on a consumer level, and the U.K.’s General Data Protection Regulation (GDPR) is forcing companies worldwide to think more seriously about data privacy (in addition to protection). Privacy is oftentimes conflated with security since both areas have a responsibility to keep private data private. However, in reality, these are separate functions with individual duties, though the success of a privacy program is largely dependent on a strong partnership with security, says Kevin Haynes, Chief Privacy Officer at the Nemours Foundation.
In a word where data is a competitive advantage, organizations use any means available to catch as much customer and prospect data as possible. Sometimes that data capture is overt—like when you try to download a report or study and are required to input personal information—and sometimes it’s surreptitious—like when you’re browsing for the best socks to keep your feet warm during a spring snowstorm. Adding insult to injury from a privacy perspective, the recent Federal Communications Commission’s (FCC's) reversal on ISP data collection and sharing was a big blow for privacy advocates but a huge win for service providers themselves. The ruling allows ISPs to not only track and collect all sorts of personal information about subscribers, but also share and/or sell that information with/to third parties.
In truth, the majority of people don’t even know every place their personal information has been provided or acquired, and it’s this quagmire that keeps privacy officers up at night.
We talked and condescended
“People are deeply curious and voracious learners,” says Haynes. While, generally speaking, inquisitiveness and the desire to obtain new information are considered positive personality traits, in a digital world where every action leaves a trail of breadcrumbs, this leaves people extremely vulnerable to the whim of corporations. Citing “The Right to Privacy” by Samuel D. Warren and Louis D. Brandeis, Haynes says, “Each of us does have ‘the right to be let alone.’” As is pertains to the companies collecting and storing data about customers and prospects, Haynes asserts, “We should either get [customers’] permission first or let them know up front what we will be doing with their information.” So often, though, people inadvertently end up on marketing, advertising, or call lists, and tracing back that digital trail to the original handover of information can be challenging.
Furthermore, while customers can ask to be placed on “do not call” lists or request to be removed from marketing or advertising emails (in the EU the Right to be Forgotten is a mandate rather than a request), the personal information about that individual remains in the company’s database(s). As such, that personally identifiable information (PII) is still susceptible to access, breach, or misuse. In other words, cautions Haynes, even if a person is able to remove his or her information from public use, his/her PII continues to be accessible by others within the organization (employees, vendors, contractors, etc.), which doesn’t make the data very private at all. “That is not honoring their right to be let alone,” he says.
I felt silly, you looked splendid
Another worrying aspect of data privacy is what Haynes calls, “The Money Motive.” When certain types of people have the means, opportunity, and motive—in this case, money—peeking into others’ personal data is just too tempting. Haynes references a recent settlement under which Methodist Health System in Dallas agreed to pay a $5.5 million USD fine after discovering that employees had accessed and used patient PII to file phony tax returns. Though the fine may be befitting to the hospital system, affected patients now have to deal with years of putting their identities and lives back in order. Similar stories of hospital employees accessing and selling celebrity patient data have circulated for years, so this case isn’t a one-off situation, and that type of malicious behavior causes Haynes to lose precious sleep.
Laughing words we conjugated
Society’s need for speed is another troublesome aspect of a chief privacy officer’s job. “Maybe the introduction of the drive-through window started the trend of needing things now, getting something done more quickly, and making ourselves available and ready to answer at a moment’s notice,” worries Haynes. This trend has been exacerbated by today’s technology, which is with everyone, everywhere.
But moving quicker isn’t always better. Mistakes are made by people whose good intentions turn into privacy nightmares when attention to detail is overlooked for the sake of saving time. Haynes provides the following real-life scenarios (not attributed to his or any specific company) that pose privacy and/or regulatory concerns:
- A business operations manager not taking the time to fully review a contract to ensure that all the regulatory requirements are being met.
- An employee quickly sending or replying to an email that contains the PII of a person or group without checking to make sure it is going to the appropriate person.
- The development team building a new application that doesn’t include all of the controls necessary to protect privacy, which can lead to very large data breaches.
- An employee clicking a link in an email that allows an attacker inside the network.
The above privacy concerns could easily be categorized as security concerns, too; confidentiality and integrity are two of the three pillars of cybersecurity effectiveness. Security and privacy departments must work hand in hand to ensure data remains private and protected from external threat actors, malicious insiders, or inadvertent loss or exposure. No matter how you look at it, privacy effects security and security effects privacy. The GDPR is an excellent example of how privacy requirements are driving the need for heighten security controls around PII. It’s unfortunate that companies’ marketing and sales departments will continue to collect and store mountains of personal data (much of it unnecessary) which exposes the entire organization to greater risk—both in terms of privacy and security.
Singing songs we always hated
As a Chief Privacy Officer, Haynes spends a lot of time thinking about where privacy can go wrong, and he is very cognizant of the fact that privacy breaches can also be security breaches. Ultimately, he says, the thing that brings the most disquiet is the possibility of loss of trust. “Privacy officers are responsible for ensuring that our organizations remain trustworthy. The people we serve, the people we work with, and the other companies we do business with inherently trust us with their information. If we lose the information, give it away, accidentally release it, or otherwise don’t treat it as they expect, then we lose the trust of those people. It’s not only disappointing on a professional level, but also personally. I really don’t want to hear from one of our patients, ‘You know…I just don’t trust you guys anymore with my child’s care.’ I strongly believe in Nemours and the high level of care we provide for kids, and losing trust in any way hurts.” Sounds a lot like how security practitioners should be approaching data too.
Click here for more information on our InfoSec World Conference & Expo in Orlando.