What new knowledge have you acquired while researching this book?
When performing research for a book one always learns new things. The most relevant were the many ways that a person’s privacy can be breached and how people can protect themselves. The book Privacy in Technology - Standards and Practices for Engineers and Security and IT Professionals and other information about the CIPT certification can be found at the IAPP website. Below is the first chapter of the book.
Understanding the Need For Privacy in the IT Environment
1.1 Evolving Compliance Requirements

Amy walked down a long narrow hallway toward the data center where she works. Her brow was furrowed as she mulled over the conversation she would soon be immersed in during an emergency meeting with company executives. Amy is the CIO of a large multinational high-tech firm. When she started working there in 2000, there was no LinkedIn, Twitter or Facebook. Her biggest worries back then were minimizing spam, running backups and improving network performance. Viruses and cyber attacks were few and far between.

In recent months, she has had to update her IT plans to account for the firm’s bring your own device (BYOD) program, e-Privacy Directive updates, Children’s Online Privacy Protection Act (COPPA) rule changes and possible Do Not Track requirements from the Tracking Protection Working Group of the W3C (World Wide Web Consortium).[1] In addition, the recent National Security Agency data-gathering scandal brought several high-tech companies under greater scrutiny. Even though Amy’s company was not involved in the scandal, she has had to spend time preparing statements, briefing executives about the issue and confirming that their company was clear of any involvement.

Regulatory activities, security threats, advances in technology, new software releases and the increasing proliferation of social networks can have serious impacts on an IT department’s approach to compliance. Not only must IT professionals be able to respond to the needs of their organization, but they must also be able to predict how events might impact the products, security and privacy readiness of the organization. More than ever, privacy controls have become an integral part of a comprehensive IT compliance program.

Additionally, having good internal privacy procedures can help to attract and retain good employees.
Prospective employees will be reluctant to work at a company that has an undesirable privacy reputation because such a reputation is likely to damage their professional career. Moreover, they may be concerned that their employee data could be released to the wrong person, causing financial or reputation issues. Having good external privacy procedures can also help attract and retain customers, business partners and investors. Conversely, doing business with a company with a bad privacy reputation can be seen as a general risk. Having a relationship with such a company could taint one’s own reputation.

Bill is an IT compliance professional who works for Amy. He uses the COBIT 5 Framework to help him perform a risk assessment of the company’s IT systems, develop controls by which to measure the systems and validate that the controls are helping the company reach its compliance goals.[3] Bill knows that having a formal process in place will help to minimize informational risk.

Carrie is a privacy compliance professional who works for Amy. She works with Bill to help ensure the privacy compliance of systems that host employee and customer data. She follows the NCASE rules as set out by the Federal Trade Commission’s (FTC’s) Fair Information Practice Principles (FIPPs) as she goes about her daily duties.[4] NCASE is the acronym for the five privacy principles:
• Notice. Consumers should be given notice of an entity’s information practices before any personal information is collected from them. Without notice, a consumer cannot make an informed decision as to whether and to what extent to disclose personal information.
• Choice. At its simplest, choice means giving consumers options as to how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information—that is, uses beyond those necessary to complete the contemplated transaction.
• Access.
Access refers to an individual’s ability both to access data about him- or herself—that is, to view the data in an entity’s files—and to contest that data’s accuracy and completeness. Both are essential to ensuring that data is accurate and complete.
• Security. Both managerial and technical security measures are needed to protect against loss and the unauthorized access, destruction, use or disclosure of data. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data; limits on access through use of credentials, implementation of role-based access controls (RBAC) and other techniques; and the storage of data on secure servers or computers.
• Enforcement. It is generally agreed that the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them. Absent an enforcement and redress mechanism, a fair information practice code is merely suggestive rather than prescriptive, and does not ensure compliance with core Fair Information Practice Principles.

Amy opened the door and walked into an unusually crowded conference room. There were too many suits being worn for all the occupants to be company employees. She overheard comments about WikiLeaks, foreign governments and a major breach that had to be contained. Amy could feel the blood flowing from her face and her knees weakening as she started to go through all the system checks in her head, wondering what could have gone wrong.

“Amy, I hope you cleared your calendar today,” said the chief operating officer as he walked up to her. “This is going to be a long meeting.”

1.2 IT Risks

Like all IT professionals, Amy has to be ever vigilant about threats to the environment for which she is responsible. She gets numerous calls and e-mails throughout the day describing various problems being experienced by individuals or entire departments.
The real issue could be a hardware or software failure, setting misconfiguration, cyber attack or simply user error. Amy does not have the luxury to assume that an issue is innocuous. Each issue could cause sensitive data to be leaked, permanently damage computer systems or the network, or adversely impact a company’s reputation.

Amy is responsible for all of the company’s client machines, which can be desktop workstations, laptops, tablets or even mobile devices. Additionally, there are hundreds of servers, networks, devices, applications and installations that she has to maintain and protect. Not only does she need to ensure that all the systems under her purview are running smoothly, she has to be certain she is complying with all of the regulatory requirements, industry obligations and corporate policies. Each type of system has its own set of requirements that must be addressed. Failure to address the requirements could cause privacy incidents such as a data breach and improper use of personal data. IT risks include improper access controls or application of retention policies, leaving corporate documents exposed to the wrong people. Failure to meet industry commitments could result in a loss of accreditation, leading to a loss in customers. In the worst-case scenario, the company could be fined, forced to change its practices and have its executives jailed.

1.2.1 Client Side

The client side represents the computers typically used by company employees. These computers normally connect to the company’s server-side systems via wireless and hardwired networks. The client side can represent a significant threat to the company’s systems as well as sensitive data that may be on the client computers. Employees often download customer files, corporate e-mails and legal documents to their computer for processing. Employees may even store their personal information on company computers.
Even more concerning is that the client computer can access resources across the company that could have vast amounts of planning documents that might be of great interest to competitors or corporate spies. For that reason, client computers should be protected from possible threats.

Protecting client computers from all of the possible threats is a daunting task for IT professionals. There are many threats to the contents of client computers. The computer itself could be stolen; a virus could make the computer unusable or send data outside the company; poor access control policies or lack of an auto-lock policy could leave data on the computer exposed to an intruder. At the same time, employees must be able to use their computers to complete their daily tasks. For that reason, IT professionals must make sure that their decisions maintain a healthy balance between protecting corporate systems and minimizing the impact on employee productivity.

Even when an employee’s computer is protected from known threats, there is still more to be done to address client-side privacy issues. When accessing data from client computers, employees should be made aware of their privacy obligations. Employees should be required to take privacy training before accessing personal data. Initial accesses to data should display a reminder of the privacy policies for the data as well as a link to those policies.

1.2.2 Server Side

Organizational servers can share the same vulnerabilities as their client counterparts, though those risks can be minimized. Many client applications do not need to be on a server and most users have less of a need to access servers directly. Social, office productivity and communications software are examples of the types of applications that are typically not needed on servers and should be kept off of them. Reducing the number of applications on a computer reduces the surface area that can be vulnerable to attack.
The more applications that exist on a server, the greater the chance that one could harbor a virus or contain a vulnerability that could be exploited, leaving the server exposed to attack. Reducing the number of applications running on a server can also boost the performance of the server and, by extension, the client machines that connect to it.

One way to limit applications on a server is to use a bastion server—a server that has one purpose and only contains software to support that purpose.[6] A proxy server, printer server, database server and e-mail server are all examples of bastion servers.

Many servers do not need access to the Internet and can be placed on isolated networks that do not have Internet connections, thus minimizing the inherent risks of the Internet. Using that approach can help protect servers from cyber attacks, phishing exploits and Internet-based malware.

When computers do have to be connected to the Internet, a firewall can be used to block unwanted network traffic from reaching the corporate network. The firewall can screen incoming network data packets and block undesirable ones based on the IP address, port number or protocol used. Another approach to protecting corporate servers is to use a screening host at the Internet boundary.[7] These types of servers or network devices block unwanted accesses and network data packet types from accessing the internal network or frontline servers.

Where possible, all data on a server should be classified based on its category, origin, sensitivity and purpose. This will help ensure that employees know which privacy policies apply to the treatment of the data. Efforts must be made to ensure that retention, usage and de-identification policies are applied to data. For example, it may be a requirement that data used for research contain no personally identifiable information or that data for use by marketing contain no personal data.
Care must be taken to ensure that the linkage between datasets does not break any of the organization’s privacy rules. For example, a database may use IDs to avoid the use of personal data. However, if those IDs map to personal data in another database, then the privacy policies could be easily circumvented without the right protections in place.

1.2.3 Security Policy and Personnel

It could be said that a company with no security policy has no security at all. Privacy cannot be assured unless practical security measures have been established. Likewise, a security policy with no accountability or people to enforce it is of little value. Each company should have a security policy in place along with compliance and security personnel to enforce it. This policy will help employees understand what their security responsibilities are. The compliance personnel can create a set of security controls to help enforce accountability with security policy objectives. Security personnel will help ensure that security policies are being followed.

When determining the appropriate security policy to protect personal information, a privacy impact assessment (PIA) can help find any gaps in coverage and determine security requirements to address them. While there will be several internal corporate obligations to consider, all security policies should also include external requirements, such as:
• Corporate. A company stores data from consumers, partners, vendors and employees. This data needs to be protected based on its sensitivity and in accordance with any contracts, agreements or privacy policies. Organizations also need to ensure that data is kept secure to protect their own interests.
• Regulatory. Government entities often place privacy requirements on organizations. These requirements can present themselves in the way of laws from local, state, federal and even foreign governments. Regulations can even come from government agencies such as the U.S.
Federal Trade Commission, Office of the Information and Privacy Commissioner of Ontario and the UK Information Commissioner’s Office.
• Industry. Companies will want to comply with different industry groups to show their commitment to certain industries and their principles. This is one way to avoid the creation of new legislation and regulatory scrutiny, not only in the United States, but also in Europe, Canada and other regions where there is a close relationship between industry groups and regulatory bodies. These industry groups include the Better Business Bureau, Interactive Advertising Bureau, TRUSTe and the Entertainment Software Rating Board.

Once completed, the security policy will drive the processes and procedures that an organization can follow for implementing the policy. Several industry standards can provide guidance on creating security policies, processes and procedures.[8] Below are examples of security measures that should be included in a security policy to help protect data:
• Encryption. Encryption is one of the best means to protect data during transmission and storage. The type of encryption used should be based on how the encryption’s performance and complexity may impact company systems. The National Institute of Standards and Technology has developed a Cryptographic Toolkit to assist organizations with the selection of cryptographic security components and functionality for protecting their data, communications and operations.
• Software protection. Different types of software can be used to protect sensitive data from privacy threats. Antivirus software can detect malicious software that may grab data from an employee’s computer. Software can help to ensure that client computers accessing the network are properly configured. Packet filtering can help ensure that inappropriate communications packets do not make it onto the company’s network.
• Access controls.
Most computers, websites and data storage applications provide a programmatic means for preventing unwanted access to the data they host. This control usually comes from an access control list. These lists should be continually verified to ensure that they include only the appropriate people with only the approved type of access.
• Physical protection. Protecting sensitive systems from physical access is one of the most important things an organization can do. Very few security measures can protect against a person who has physical access to a machine. For that reason all computers should have a minimum level of physical security to prevent outsiders from getting access. Computers with sensitive data should have cameras watching them, a guard in place to restrict access and strong physical security to prevent unauthorized access. If strong physical security is cost prohibitive or cannot be achieved because of operational needs, the data stored on these computers should be encrypted.
• Social engineering prevention. Data thieves posing as legitimate vendors or customers can mislead company personnel and convince them to inadvertently release data to the wrong people. The ChoicePoint data breach, which caused the leakage of over 100,000 customer records, was one of the most high-profile cases of social engineering.[10] This breach was not caused by hackers who broke into ChoicePoint computers, but by criminals posing as legitimate companies. It brought awareness to the risks of social engineering and data breaches and probably single-handedly did the most to instigate data breach legislation. Employees should be properly trained to detect exploits where individuals pretend to represent a company or person in order to inappropriately gain access to data.
• Auditing. System and application administrators often have access to sensitive data even when company policy requires that they do not access it.
Since the administrators control most security mechanisms, auditing is one of the few ways to mitigate this type of threat. The auditing system should be configured so that logs are sent to a remote auditing machine outside the control of the system and application administrators. A modification to the audit log configuration should send an alert to the remote monitoring system as well to help prevent the disruption of the audit logs.

Once a security policy has been developed, employees should be periodically trained so they understand the processes and procedures necessary to help ensure proper privacy protection of personal data.

1.2.4 Application

Most company employees depend on applications to get their jobs done. However, it is prudent to restrict the number and types of applications that are deployed on a company’s computers. The more applications that exist on a user’s computer, the more opportunities for one of them to carry malware or be exploited by an adversary. Office productivity software is probably the most commonly used type of application. But even these applications can harbor viruses, key loggers, data gatherers or other types of malware. The market for security vulnerabilities has escalated to the point that hacking is becoming a full-time job for some programmers, which increases the need to validate all applications. Some legitimate applications may openly collect data as part of their terms of use, which should be understood before the applications are permitted for use within the company. Here are some important steps to consider to avoid privacy-invasive applications:
• Privileged access. Restrictions can be placed on who can install or configure software on a user’s computer. For example, a person on each team could be assigned the responsibility for administering the software on each person’s computer.
The software administrator can provide personalized service to employees while relieving them of the responsibility for knowing the software installation or configuration policies.
• Software policy. Each company should have a policy in place that describes the requirements and guidelines for applications used on company computers. Companies can manage application usage in one of the following ways:
- Have the company’s IT department mandate the software that can be installed on each employee’s computer.
- Use a product standards board or third-party application to approve software that can be installed on each computer.
- Distribute a list of approved applications to employees that they must follow.
- Give employees guidelines on the types of applications that they can install on their computers. While this option provides the greatest flexibility, it also carries the greatest risk and should be avoided.
• Privacy links. Where possible, each application should have a link to a privacy policy that explains the privacy obligations to data that may be accessible via the application.
• Application research. In general, companies should perform research to determine which applications are the most appropriate for their employees, computers and networks. They should also determine and document the proper versions, settings, computer configuration and install procedures for each application within the environment where it will be installed. IT personnel should monitor security bulletins for information that will help identify application vulnerabilities and potential mitigation strategies, as well as newly released/discovered malware.
• Employee training. All employees should be periodically trained on the company’s software policy. The training should include the threats to privacy that can come from the inadvertent installation of malicious applications or improper configuration of legitimate applications. All the IT safeguards in the world will not protect the privacy of sensitive data the way properly trained employees will. Where appropriate, reminders should be presented to employees about special handling that might be required for data. Requiring yearly privacy training is also a good practice.
• IT involvement. The IT department must be an integral part of any application management strategy. IT professionals should be trained to identify privacy threats and work with the organization’s privacy team to adequately manage application deployment across the company.
IT personnel will also serve as advisors to employees and therefore should be well versed in the variety of productivity applications so they can instruct employees on the most appropriate application to complete a specific task. Based on the company’s software policy, the IT department can have any of the following types of application deployment strategies:
- IT controlled. The IT department of each company can enforce a policy that only the IT department can set up each computer, ensuring that only specific applications are installed. The IT department can also ensure that all applications have the proper version, patches and upgrades.
- IT monitored. Company computers can be periodically scanned to validate that each installed application is on the approved list of applications and has the right version and proper configuration set. Ensuring that an up-to-date antivirus program is installed on each computer will also help prevent malware.
- Employee controlled. Companies can choose to let employees manage their own computer systems based on corporate policy. If this approach is taken, each employee should be given training on the company’s software policy and encouraged to use approved anti-malware software. This approach is the riskiest and should be avoided, as harm from malicious applications may not be limited to a single user’s computer but may spread to the company’s network, servers and other employee computers.

1.2.5 Network

A company’s network is one of the most challenging systems for IT professionals to protect because of its pervasiveness and the number of possible connection points, both ephemeral and permanent. The network is connected to client machines, servers, routers, hubs, load balancers, packet filters, wireless endpoints and the Internet, to name just a few connections. Traffic over the network can come from employees, vendors or customers connected to the network via a direct, wireless, VPN or cellular connection.
Many of the applications running on client and server computers, network devices and smartphones can also access the network. Any one of these devices, individuals or applications, which have a legitimate reason to be on the network, could cause a data breach. A breach can cause a loss of personal data, trade secrets or sensitive plans, which can lead to lawsuits, fines and loss of customers. There are several ways to mitigate these types of network risks:
• Keep computers clear of malware. Malicious software running on a computer system can read network traffic and send it to a remote computer or store it locally for later download by someone who has access to the computer. To avoid this risk, all company computers should be running the latest anti-malware software with up-to-date signatures.
• Apply smartphone policies. Smartphones represent a higher level of risk as they are more vulnerable to theft. Phone passwords, auto-device lock and remote wiping mechanisms should be enforced for smartphones connecting to network resources.
• Validate network devices. Each device attached to the network must come from a reputable vendor, have the proper configuration and have the most recent updates from the manufacturer. Even though network devices aren’t considered to be computers, they can harbor viruses that could steal sensitive data off the network.
• Write secure code. Developers who create line-of-business applications for the company that access the network should follow guidelines on how to write software that avoids the risk of exposing data over networks. Writing Secure Code is a good book for learning how to avoid writing code that could inadvertently expose sensitive data over a network.[12] The Open Web Application Security Project is an organization that can be of great assistance to individuals desiring to keep up-to-date on the latest security trends.
• Validate applications.
All applications running on computers or smartphones should be restricted from accessing network services unless they are on a safe list set up by the IT department. They of course should have the most recent updates and be properly configured.

Besides threats posed by all of the legitimate connections to the company network, many risks to a network come from devices, individuals and applications that should not be on a network; these include inappropriate access to resources, scanning of network data and deployment of malware. This type of threat prevention requires going beyond the mitigations listed above.
• Strong authentication practices. Would-be data thieves will often attempt to log in to company networks to access data. Attacks can come from individuals or from automated software that runs authentication attacks against network computers. Having strong password rules, authentication rules (maximum tries, account lockout, progressive response, etc.) and IP blocking set up can mitigate these types of attacks. Each employee should have login credentials to connect to the network and know the proper way to configure his or her computer to get on the network. Where possible, make the network setup for computers an automated process.
• Network monitoring. Malware can infect a company’s network and travel from computer to computer, gathering data. Network monitoring software can look for known virus signatures or use other means to find and cleanse network infestations. Network-level data loss prevention technologies can monitor data that has been tagged as private and prevent it from leaving the company. Network-based zero-day threat detection systems can look for signatureless advanced malware and take targeted actions.
• Network encryption. Data thieves don’t need to have legitimate access to a company’s network in order to access data flowing across it. Using a network sniffer, anyone can view or copy unprotected data from a company’s wireless network.
A legitimate visitor to a company could also connect a device to a network outlet using a cable and copy all unencrypted data from the network. This becomes especially important when discussing VoIP technologies, where voice communications are traveling across the data network. Using strong encryption on wireless and wired networks at the transport layer will help mitigate this threat.

1.2.6 Storage

Companies store sensitive data in many locations, each with its own pros and cons. It’s important to have policies that cover each of the following storage mechanisms and to continually train employees on their proper use to minimize the risk of improper access to data, a data breach or the placement of malware.
• Files. Storing data in files provides both flexibility and challenges when it comes to protecting sensitive data. Access to files can be restricted using the security of an operating system or document management systems. However, once the files are removed from the system, the protection goes away. Files can be protected outside of their storage system using password-based encryption or digital rights management (DRM), each system having its own benefits and limitations. Passwords must be shared among everyone who has access to the data and if the password is lost, access to the files will be lost. DRM-protected files must be connected to a policy server in order for them to be accessed. DRM also limits a person’s flexibility in regard to what she can do with a file, even if she has proper access to it. Preventing the proliferation of files is another challenge. Files can be protected during storage in company systems. Disk-based encryption can also be used to protect files while they are stored on disk. However, in each case the protection ceases once the files are removed from storage. Once that happens, an employee has the ability to copy files to offline storage or e-mail them to a personal e-mail account.
Data loss prevention technologies can be used to categorize files with sensitive data and apply policies that prevent files from being copied, printed or otherwise shared in a manner that is inconsistent with the configured policies.
• Websites. Organizations’ websites often hold sensitive data, such as product plans, design documents, customer contact information, patent filings or even personal data such as credit card numbers. In general, employees can have access to internal websites, but that access should be limited due to the risk of data falling into the wrong hands. Each website should have a privacy policy link so employees know their privacy obligations with regard to processing of data accessible via the website. Content stored on an internal website can be protected at several levels across the website to ensure that employees have access only to data appropriate to their jobs. Using individual or group access control lists, access can be restricted to an entire website or just to portions of the site. The website can be organized by category to help protect sensitive content that is at the same sensitivity level. Files can also be stored on a website where each file can have its own individual access control. This provides greater granularity of protection, but can require more time to maintain. Websites can also be used to provide web pages that host formatted access to data that is stored in a database in the back end. For these types of pages, access control can be managed by the website or the database itself. The data from each web page can still be copied, but the process can be made a lot more tedious depending on how the web page is constructed.
• Databases. Much of the sensitive data stored by a company is kept in databases.
Databases have many features that make them attractive for storing sensitive data, such as general access control, role-based access control, various types of encryption, data categorization, retention management and auditing. In addition, applications can be written on top of the database to provide an extra layer of control over the data that is presented to a user. Even with all of those features, it is difficult to prevent a database administrator from gaining access to sensitive data. However, technology like the SELinux operating system, role-based access control and remote auditing can help to mitigate that threat by providing the ability to restrict an administrator’s access to sensitive data.
• Cloud storage. Organizations often use cloud storage for several reasons, such as to provide better access to data for customers, to lower operational costs and to limit regulatory risks from cross-border transfer of customer data. However, using a hosting company for cloud storage can introduce additional risks. Steps must be taken to ensure that the hosting company follows the organization’s data storage policies. For this reason a contract should be in place between the organization and the hosting company. Risks can come from inappropriate access by companies that share a data center in a multitenant configuration or from the country where the data is hosted. Encryption can be used to protect organizational data, but care should be taken not to share the encryption keys with the hosting company. A company sometimes acts as a hosting company for organizations and individuals in cloud data centers. (“Cloud data center” simply means servers that are accessible over the Internet.) This causes additional requirements for companies as they must help organizations comply with policies that may conflict with their own. For example, a company may not collect credit card data, but may need to help another company meet Payment Card Industry or Basel III compliance.
Hosting data for others can also increase data breach risks, as a company that holds data for multiple companies or individuals can be seen as a more valuable target.
• Applications. Many applications, such as accounting, HR and financial systems, store sensitive data that can be accessible to anyone who has authorization to use the application. Make sure to use applications that have strong role-based access controls. Those controls should be continually verified to ensure that the right people are in the right roles. An employee’s membership in an application’s roles or access control lists should be reviewed as part of any transition plan or termination process.
• Backup tapes. Backup tapes are often overlooked as a source of data leakage. Tapes don’t have an access control list and can easily be read by anyone who has a tape reader unless the data on the tapes is properly encrypted. Remember that just because the data is encrypted while on disk or in a database doesn’t mean the data will be encrypted after the backup process completes. Ensure that backups are encrypted and stored in a safe place. Backups should also be segregated into those that need to be part of a retention process and those that don’t. Data that has a specific retention period should only be backed up to tapes that are eventually destroyed or overwritten in order to comply with retention policies. Of course, you would not want to dispose of data that you feel should be kept forever, such as the recipe for Coca-Cola or blueprints for building a production car. Backup tapes should be properly degaussed or wiped with an approved software deletion product before disposal.
• Hardware. When storage hardware is replaced, it is important that any data is completely destroyed or made unreadable before recycling or disposing of the old hardware.
This includes but is not limited to printer or copy machine hard drives, simple cell phones or smartphones, removable media cards and server or desktop hard drives. IT should have documented hardware disposal procedures in place.
1.3 Stakeholders’ Expectations for Privacy
According to the Business Dictionary, a stakeholder is “a person, group or organization that has interest or concern in an organization. Stakeholders can affect or be affected by the organization’s actions, objectives and policies.”16 Managing stakeholders’ expectations can be a huge responsibility for organizations with regard to protecting privacy even when the organization does not hold stakeholders’ data.
An organization can have many stakeholders who are concerned about the organization’s privacy practices—some inside the company and some outside. Expectations around privacy often go beyond what the law allows or what a company may state in its privacy policy. When consumers make online purchases or vendors do business with a company, they expect their personal data to be treated a certain way. They don’t want to be compelled to read a long privacy statement in order to feel that their privacy will be respected. As a matter of course, most people do not read privacy statements.17
Here is a list of some stakeholders and expectations that companies should be aware of:
• Consumers. On average, web consumers are one of the biggest sharers of personal information on the Internet. They share information with social, shopping, search, banking and healthcare sites, to name just a few. Very few of them read a website’s privacy policy, but they have expectations for their privacy nonetheless. Most consumers expect a website to see and retain their browsing habits or the information they give the website. Consumers don’t expect a website to share that data with other sites across the Internet unless it is to fulfill a transaction, such as sharing an address with UPS for shipping purposes.
• Regulators.
Several U.S. regulators monitor privacy issues for consumers. Agencies such as the Federal Trade Commission, Federal Communications Commission and Federal Reserve Board are responsible for different aspects of consumer privacy. These agencies enforce regulations such as COPPA, the Fair Credit Reporting Act and the Right to Financial Privacy Act. In the European Union, the Data Protection Directive requires individual member states to establish national regulatory bodies.18 The institutions of the EU itself (such as commission, council, parliament, etc.) are monitored by the European Data Protection Supervisor. The European Free Trade Association (EFTA) has much the same system, in which member states establish independent national regulatory bodies and the EFTA institutions are monitored by the EFTA Surveillance Authority.20 As in Europe, each province in Canada has its own privacy commission with a national body known as the Office of the Privacy Commissioner of Canada. Regulators work to ensure that companies follow privacy regulations and fine them when they don’t. For example, the company Path was fined $800,000 for collecting personal information without permission.
• Industry groups. There are many industry groups that work to protect consumer privacy via self-regulation. The Better Business Bureau, Interactive Advertising Bureau and TRUSTe are examples of organizations that represent companies for specific industries, such as consumer advocacy, advertising and online privacy. One of their main goals is to encourage companies to follow self-regulatory principles that they set up and avoid costly legislation, which can have a chilling effect on online business.
• Researchers. Many academic and corporate researchers conduct studies that aim to improve consumer safety, find cures for diseases and increase the yield and nutrition of food. Much of this research requires the use of personal information from lots of people.
While there is enormous support for these types of research from a broad set of stakeholders, there is an expectation that the work will be done in a way that will preserve the privacy of those providing the personal information. Those responsible for collecting and storing the information must ensure that proper privacy and security procedures are in place to minimize the risk of a data breach or improper use of the data. Technological means have been developed to help protect sensitive data used for research while preserving its utility.
• Employees. Depending on their perspective, employees are either concerned about how the privacy of their personal data within the company is protected or how they should be protecting personal data for which they are responsible. For that reason, even internal websites should have a link to a privacy statement so employees can be assured that their privacy expectations are being met. Accordingly, employees should know where to find the appropriate privacy training based on their role in the company. They should also understand the company’s expectations of them in regard to protecting the personal data of others.
1.4 Mistakes Organizations Make
Amy sits at a table with Bill, Carrie, David, Euan and Filo, the organization’s privacy council. Collectively, they represent privacy, compliance, legal, business, security and PR teams.
“Hello, everyone,” says Amy. “I hope you all enjoyed your long weekend off. I assure you privacy incidents did not take a break this weekend. I’m going to forgo our normal monthly update and get right to the issue at hand. An employee in the new Widgets group inappropriately shared personal data with a third party and now we have a European Commission inquiry to deal with. Once again it was a case of no privacy representation in the group. Even if it is only part time, every team in the company that manages personal data has to have privacy representation.
Until now, executives have been reluctant to mandate privacy representation because they thought it was heavy handed. Now I think we have a strong case for it. I need each of you to provide your perspectives of the risks involved with not having broad privacy representation. Your input along with this new inquiry should encourage the executives to be more accountable for supporting privacy. Please send your input by end of day so I can get this in front of the executives as soon as possible.”
Organizations are often entrusted with personal information from customers and other entities. This data can come from different parts of the company and be brought in using multiple means. This disjointed set of systems can be a recipe for disaster for companies that do not manage data policies consistently across their organization. When multiple teams across an organization are managing personal data, care must be taken to ensure that they are all following organizational policies to avoid situations where misuse of data against policy causes lawsuits, fines or lost business. For this reason, management must see privacy as a strategic imperative that is expressed across the organization. Privacy policies and internal standards governing the use of the data must cover each point of collection, transfer and use.
The following types of mistakes can happen when managing personal data:
• Insufficient policies. Before the first byte of data is collected from or about individuals, a set of internal standards should be in place to cover the proper classification, collection, storage, usage, sharing and disposal of the data. This will help to ensure that proper access controls, encryption and processing of data occur, helping the organization to avoid legal, brand and financial risks. There should also be a public policy that informs those providing the data about how the data will be handled. New companies are often slow to implement these types of practices.
However, improper standards can lead to mishandling of data, regulatory fines and a loss of trust, and so should not be neglected. Assessments need to be performed against the policies on a regular basis to ensure compliance. Having a policy is a good start, but ensuring that the policy is followed is key to overall success.
• Improper training. All the privacy standards, processes and guidelines in the world will not make a bit of difference if employees aren’t trained to use them. Training should cover proper notification, collection, storage, access, processing, sharing and retention procedures for data. All employees, from the janitor to the CEO, must have basic privacy training to understand their obligations when it comes to handling personal data. The level of training given should reflect each employee’s level of data management. Employees should see themselves as privacy ambassadors and be able to point to the company’s privacy policy as well as the top three ways that the company protects customers. Multiple training formats are available. The organization should utilize the methods that best deliver the message in a manner that is clear, concise and understood.
• Disjointed practices. Companies often have multiple departments that maintain relationships with the same customers. Problems arise when cross-team sharing of data happens. Commitments made to users about how their data will be handled do not always follow the data as it moves to different teams. Likewise, employees are rarely trained on privacy practices from other teams. Without the proper practices in place, employees may mishandle data, share it with the wrong entities and inappropriately contact the owners of the data. Even when there is a high level of trust in employees, their practices should be verified in order to minimize the risk of a data breach that damages that trust.
• Complacency.
Companies may feel that because they are small, have minimal web presence or never had a privacy incident, they don’t have to be vigilant about their data-handling practices. As a company grows or matures, its data practices can evolve even though the standards and policies are not updated to reflect the changes in practices. Having periodic internal or external audits can help a company maintain adequate privacy controls and avoid complacency.
• Third-party contracts. A company can be doing all the right things in regard to privacy protections but be lax in the way it monitors how vendors treat their data. A company’s responsibility to its customers’ information does not end when it hands off the data to a third party. The same commitments that were made to users persist after the data leaves the company. Companies should use contracts and other agreements to help ensure that data is processed in a consistent fashion, from collection to disposal, no matter how many hands it might pass through. Where possible, third-party data processors should be monitored or periodically audited to help ensure that they are following their contractual obligations.
1.5 Privacy vs. Security—What’s Alike and What’s Different
Though privacy and security are inexorably linked, they are by no means interdependent. It is also not necessary to give up one to have the other. To help ensure privacy, it is important to employ security mechanisms. Guards, locks, cameras, access controls and encryption are types of security mechanisms that can be deployed to help ensure privacy. It is not just the perimeter that should be protected but the data items themselves, such as individual rows or columns in a database. Even with the strongest security measures possible, an employee who has legitimate access to data can mishandle it if he or she does not have a thorough understanding of the privacy policies that govern the processing of the data.
Proper auditing can help provide after-the-fact detection of breaches, but that is not without its challenges. For these reasons one cannot rely on security or privacy alone to protect data. They offer the best protection when used together. New advances in encryption have provided a means to protect sensitive data while maintaining its utility. Homomorphic encryption, multiparty computation and differential privacy are examples of technology that prevent the raw data from being accessed, but still provide the ability to perform analysis on the data. Trusted third parties, such as credit reporting companies, can also be used to provide information on users without exposing unnecessary personal data. There will be cases where privacy practitioners will be asked to give up privacy in order to ensure security, sometimes going against stated policies or contractual agreements. Instead of taking the path of least resistance and releasing sensitive data against company commitments, privacy preserving solutions should be sought that support the desired analysis without relinquishing sensitive data. Privacy and security have a shared goal of protecting personally identifiable information (PII). In that manner they are very much alike. However, they have different approaches for achieving the same goal. Privacy governs how PII should be used, shared and retained. Security restricts access to the sensitive data and protects it from being viewed during collection, storage and transmission. In that way they have a symbiotic relationship. Privacy policies can inform security systems about the security that is needed to protect data, and the security systems can accordingly enforce those privacy policies. For example, one policy could state that only payroll administrators can view employee salaries, and database access controls could enforce that policy. 
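The salary policy just described can be written as data and enforced by the code that sits in front of the database. The sketch below is an added example, not taken from the book: the role, table and column names and the sample rows are assumptions, and the rule list is a simplified stand-in for a policy language rather than XACML itself.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    resource: str      # "table.column" the rule protects
    action: str        # operation the rule covers, e.g. "read"
    roles: frozenset   # roles that are permitted


# The privacy policy, written as data. Role, table and column names are
# assumptions made for this example.
POLICY = [
    Rule("employees.name", "read", frozenset({"employee", "hr", "payroll_admin"})),
    Rule("employees.department", "read", frozenset({"employee", "hr", "payroll_admin"})),
    Rule("employees.salary", "read", frozenset({"payroll_admin"})),
]


def decide(roles, resource, action):
    """Decision point: Permit only when an explicit rule matches, else Deny."""
    for rule in POLICY:
        if rule.resource == resource and rule.action == action and rule.roles & set(roles):
            return "Permit"
    return "Deny"


def build_db():
    """In-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees "
        "(id INTEGER PRIMARY KEY, name TEXT, department TEXT, salary INTEGER)"
    )
    conn.executemany(
        "INSERT INTO employees (name, department, salary) VALUES (?, ?, ?)",
        [("Ana Example", "Widgets", 82000), ("Raj Sample", "Payroll", 76000)],
    )
    return conn


def read_employees(conn, roles, columns, audit_log):
    """Enforcement point: check every requested column, log each decision,
    and query only the columns the policy permits for these roles."""
    permitted = []
    for column in columns:
        decision = decide(roles, f"employees.{column}", "read")
        audit_log.append((tuple(sorted(roles)), column, decision))
        if decision == "Permit":
            permitted.append(column)
    if not permitted:
        return []
    # Only names that matched a policy rule exactly reach the SQL text, so the
    # policy also acts as an allow-list for column identifiers.
    query = f"SELECT {', '.join(permitted)} FROM employees ORDER BY id"
    return [dict(zip(permitted, row)) for row in conn.execute(query)]


if __name__ == "__main__":
    conn, audit_log = build_db(), []
    print(read_employees(conn, {"payroll_admin"}, ["name", "salary"], audit_log))
    print(read_employees(conn, {"employee"}, ["name", "salary"], audit_log))
    print(audit_log)
```

Because the default is Deny, a role that the policy never mentions, such as a database administrator account, gets no salary data through this path, and every decision is recorded for later auditing.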
The eXtensible Access Control Markup Language (XACML) is an example of a policy language that permits the definition of policies that can be programmatically enforced via security controls. Microsoft’s SQL Server’s Policy-Based Management System permits the definition of user and group policies that can be programmatically enforced by the database.26
There is no silver bullet and no one fix to ensure both privacy and security. Rather, it takes continual education, awareness and the application of appropriate controls in accordance with statute, standards and policies. The essential challenge around privacy and security for privacy practitioners is to be steadfast and express how to preserve both in an environment of escalating data collection and security threats without negatively impacting business operations. While privacy and security are not the same, our commitment to each should be. When requests are made to lower the privacy bar for the sake of security, the response should not be “no,” but the start of a conversation on how to achieve the desired goals while preserving privacy.
1.6 IT Governance vs. Data Governance
IT governance focuses on the systems, applications and support personnel that manage data within a company. For the most part IT governance is managed by the IT department. The key performance indicators (KPIs) or IT controls for IT governance should be based on access control, physical and technical security measures, encryption, software inventory, computer and network device configurations, database schemas, backups and retention management. Proper IT governance is the foundation for great data governance. It is through the proper application of IT policies such as access control, encryption and auditing that proper data handling can be enforced. IT governance can be achieved through business alignment, consistency and common frameworks such as COBIT 5.
Data governance focuses on the proper management of data within a company.
Data governance is a shared responsibility for all teams across a company. IT governance is an important element in reaching data governance, but it is not all that is needed. Beyond the IT requirements are mandates for providing transparency to users and honoring commitments to manage data in accordance with published policies. KPIs or privacy controls for data governance should be based on transparency of data practices, user data control, and principles for data usage, sharing of data, data retention, vendor contracts and customer contact. One way to view the differences in the two models is by using a plumbing metaphor. IT governance is about governing the way the pipes are built, maintained and protected. Data governance is about governing how water flows through the pipes.
1.7 The Role of the IT Professional and Other Stakeholders in Preserving Privacy
“How did Hua have access to the data in the first place?” asked Amy.
“The security team forgot to remove her from the database’s access control list when she moved departments,” Bill explained.
“Don’t blame security,” said Carrie, agitated. “The privacy policies were not updated to cover the usage of the Widget data. It’s always been within policy to share our data with advertisers. However, the Widget application uses precise location data instead of less granular regional data.”
“Using the more precise data increases our revenues, and we should understand the financial risk before ending the program,” added David.
“Filo, what’s the PR hit if we change our privacy notice to reflect the new data sharing?” asked Amy.
“As long as we can update the consent mechanism we should be okay. We’ll have to delete all the data captured before consent was collected, though,” replied Filo.
“That’s going to cost us some revenue and development resources that were dedicated to another project,” said David.
“Considering the alternative, I don’t see where we have a choice.
Let’s put a plan together to address this issue and get it before the executives for sign off right away,” stated Amy.
IT professionals are responsible for laying the technical foundation for an effective privacy program. They ensure that the computers, networks, applications, websites, databases and security are maintained at levels that protect data privacy in accordance with company policy, regulatory requirements and industry standards. If the company’s technical infrastructure is properly set up, it is easy for other employees to follow the company’s privacy policies. For example, by encrypting the data that flows through networks, employees won’t have to worry about the secure transfer of data. By creating incident response processes, it is easier for employees to record privacy incidents in a consistent and efficient manner. Though the IT professional is not responsible for a company’s privacy program, their work in laying a good technical foundation makes the effectiveness of a program more attainable. A small company might be able to deploy a successful privacy program without the assistance of IT professionals, but it wouldn’t be as effective, and this is a bad practice. When an IT department is not involved in a company’s privacy program, it makes everyone else less efficient and opens the company up to increased risk. Likewise, a privacy program will not be effective without the involvement of personnel throughout the company, including the following roles:
• Privacy professionals. These employees are responsible for a company’s overall privacy program. They define the policies, standards, guidelines, auditing controls, training and internal and external relationships. It is through their leadership that they stimulate a company’s dedication to privacy and inspire employees to uphold its importance.
• Company executives. A company’s privacy group must feel that it has the sponsorship of executives to create a meaningful privacy program that it can mandate to employees. Accordingly, employees must feel that they are empowered to devote time to such programs. It is the duty of executives to support privacy programs through their words and actions.
• Lawyers. The legal department is responsible for creating privacy statements, writing contracts, ensuring compliance with laws and regulations and addressing formal inquiries from regulators. If they do their jobs properly, the legal staff are the ones who keep the company out of trouble and employees out of jail.
• Marketers. The marketing team is involved in marketing campaigns, e-mail campaigns, contests, product registrations and conference booths. Each of these events provides an opportunity to collect information from users or contact them via some form of communication. Marketers must be sure that they are following the company’s privacy practices in these exchanges. For example, if a user signs up for one product’s marketing campaign, it doesn’t mean that marketers can send material for other products.
• Public relations. A great privacy program will not benefit a company if no one knows about it. The PR team can be a great resource for promoting a company’s commitment to privacy. The PR team can also help to respond to privacy incidents in a way that enforces the company’s privacy position while minimizing any backlash from the incident.
• Other employees.
Though other employees may not be on the front line of the fight for an effective privacy program, they are no less important to its success. All employees must see themselves as privacy ambassadors and help to ensure compliance with the company’s privacy policies.
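The access control entry that stayed in place after Hua moved departments is the kind of gap a scheduled access review catches by comparing HR records with each access control list. The following is an added example, not from the book: the department names, resource names, dates and the entitlement map are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Employee:
    emp_id: str
    department: str
    active: bool
    department_since: date   # date of the most recent transfer or hire


@dataclass(frozen=True)
class AclEntry:
    resource: str
    emp_id: str
    granted_on: date


# Which resources each department is entitled to (assumed for this example).
ENTITLEMENTS = {
    "widgets": {"widget_location_db"},
    "marketing": {"campaign_db"},
    "payroll": {"payroll_db"},
}

# Constructed HR extract: one transfer, one unchanged employee, one departure.
SAMPLE_EMPLOYEES = [
    Employee("hua", "marketing", True, date(2013, 6, 1)),
    Employee("e1002", "widgets", True, date(2012, 1, 9)),
    Employee("e1003", "payroll", False, date(2011, 3, 1)),
]

# Constructed access control list export.
SAMPLE_ACL = [
    AclEntry("widget_location_db", "hua", date(2013, 1, 15)),   # predates the move
    AclEntry("campaign_db", "hua", date(2013, 6, 3)),
    AclEntry("widget_location_db", "e1002", date(2012, 1, 10)),
    AclEntry("payroll_db", "e1003", date(2011, 3, 2)),           # left the company
    AclEntry("payroll_db", "temp42", date(2013, 2, 1)),          # no HR record
]


def review_acl(employees, acl, entitlements):
    """Return (resource, emp_id, reason) for every entry that should be removed
    or re-approved, sorted so that repeated runs can be compared."""
    by_id = {e.emp_id: e for e in employees}
    findings = []
    for entry in acl:
        emp = by_id.get(entry.emp_id)
        if emp is None:
            reason = "orphaned: no HR record"
        elif not emp.active:
            reason = "terminated"
        elif entry.resource not in entitlements.get(emp.department, set()):
            # Distinguish leftovers from a transfer from grants made afterwards.
            if entry.granted_on < emp.department_since:
                reason = "stale after transfer"
            else:
                reason = "not entitled for current department"
        else:
            continue
        findings.append((entry.resource, entry.emp_id, reason))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_acl(SAMPLE_EMPLOYEES, SAMPLE_ACL, ENTITLEMENTS):
        print(finding)
```

Running the same comparison as part of each transfer or termination ticket, rather than only on a schedule, closes the window in which the old access still works.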
While IT and privacy professionals are responsible for the creation and deployment of effective IT and data governance, it is the organizational executives who are accountable for their success. Without the right funding, personnel and mandate from the top, employees will not be empowered to follow privacy policies, especially where there is tension between business goals and privacy protection.
1.8 Conclusion
Amy held the coffee cup to her lips without taking a drink. Lost in her thoughts about the recent privacy issue, she wondered how she would have made it through the day without the privacy council in place. This time they didn’t dodge the bullet, but at least the wound wouldn’t be fatal. It’s unfortunate that it takes a privacy incident for executives to agree to provide adequate resources when it would have been much cheaper to provide the resources up front.
Suddenly, Amy was pulled away from her thoughts by a phone call.
“Amy, Bill here. It appears the CEO received an inquiry this morning from the FTC on the same privacy issue the European Commission is asking about. He said it got lost in his inbox.”
“No problem. Send it my way and copy the council. It appears that this is one issue that is not going to go away soon, and neither is this long day.”
IT departments are continually under pressure to ensure that systems under their control stay in compliance. Items such as computers, network devices and applications must have different privacy controls applied to them to validate their compliance. The ever-evolving landscape of cyber attacks, privacy regulations and self-regulatory requirements makes privacy compliance challenging. The proliferation of smart devices and use of social networks in the workplace add to the spectrum of privacy risks that exacerbates the difficulty of keeping IT systems in compliance. Employees outside of the IT department have a part to play in compliance as well.
By taking the appropriate training and following company policies, standards and guidelines, employees can help to simplify the job of IT compliance. Maintaining the privacy of personal data is an important element of reaching compliance that goes far beyond IT governance. Providing transparency, control and retention management of personal data stored by a company helps not only to attain compliance but also to increase a company’s trust quotient, which will attract customers and employees alike.