With cyber-threats growing by the minute, it’s easy to see why data security professionals get hyper-focused on securing their organizations against attacks and all the technologies, practices, and processes that entails. Ultimately, what they’re protecting, though, is the privacy of data — their own and that of their customers, constituents, partners, and other stakeholders.
To remind attendees of the symbiotic relationship between security and privacy, Sage made sure to include a session on privacy in its “Collaboration & Information Sharing” program — delivered by no less an authority than J. Trevor Hughes, head of the International Association of Privacy Professionals (IAPP), whose 26,000 members collaborate to develop best practices and standards for information privacy.
“We specifically invited Trevor because, as security professionals, I think we do ourselves a disservice when we focus so much on security” that privacy becomes more an offshoot, said symposium chair Sari Greene, as she prepared to introduce Hughes to attendees. The two continue to merge, she said, “so if we’re going to be successful security practitioners we’ve got to understand and support both sides of the equation.”
In his provocative presentation, “Engineering Privacy: Why Security Isn’t Enough,” Hughes advanced this understanding by cleverly using renowned works of art, scientific theory, and pivotal technology advances to illustrate privacy’s role as a cultural cornerstone. He posited that privacy is simultaneously a “fundamental human truth” and a value whose definition is subject to shifting societal norms.
So, while most consider privacy an inalienable right, what constitutes privacy continually changes as disruptive technologies emerge and move into the mainstream. Social norms and privacy legislation that followed the invention of the printing press or flexible film, for instance, differ just a tad from those that could eventually govern social media — if they even have a chance to develop before the next big thing takes off.
Today, the speed with which technology is developed and introduced into the public domain, coupled with the globalization of data collection and use, far outpaces society’s ability to develop corresponding social norms, much less respond with relevant laws. “We’re stuck in what I call a public policy gap,” said Hughes. “The bleeding edge of technological innovation is far ahead of our ability to understand and manage privacy,” he said. That leaves a considerable gap — one brimming with risks — between this bleeding edge and existing norms and laws.
Beyond Codes and Compliance
In a data-driven world, where interconnected organizations, systems, and devices are constantly generating, collecting, aggregating, and analyzing personal data, privacy professionals have a lot to reconcile. With all the complexity surrounding privacy, they’re fighting just to stay compliant and meet existing legal mandates. However, warns Hughes, they’re exposing themselves to risk if they get too hung up on codes and compliance.
“We try to address privacy by distilling it down to frameworks, compliance, and legal mandates,” said Hughes, but it’s something that’s much more personal. Because privacy changes as society adapts to new technologies — social media, smart phones, Big Data, the Internet of Things — “we need to pay attention to how data is used, how new technologies mediate our lives, and how new norms emerge that result in new legal standards.”
Privacy’s Value Proposition
While compliance and frameworks may address just part of the privacy puzzle, it’s nonetheless imperative that organizations follow privacy laws and apply a framework for privacy accountability and risk assessment. Further, security officers should develop a close working relationship with their privacy counterparts to establish comprehensive privacy policies for all data types, and both should collaborate with IT to choose a policy enforcement platform that allows teams to centrally manage data, encryption, database segregation, metrics, and compliance reporting.
Beyond adopting technology and compliance best practices, best-in-class organizations treat privacy as an enterprise-wide issue, not just as a security or IT issue. “The smartest organizations treats every person who touches or make decisions about data as a privacy risk factor,” said Hughes. They require that employees undergo privacy awareness or training programs. They also have smart people in key positions that make wise decisions where privacy is concerned.
Citing examples of prominent companies who’d made major mistakes on the privacy front — capturing massive amounts of personal data “just in case” [Read Google Faces Streetview Wi-fi Snooping Action from the BBC] or using Big Data findings to create ill-advised marketing promotions [Read How Target Figured Out a Teen Girl Was Pregnant Before Her Father Did in Forbes] — Hughes said smart organizations raise privacy awareness to a level that employees across departments know when to question data-capture decisions and whether they should seek the advice of privacy, legal, or risk management teams.
“When it comes to privacy, just because something’s legal doesn’t mean it’s not stupid,” he said. When you’re failing in some capacity, competitors will call you out, and when you prove you deserve the trust of customers and constituents, they’ll reward you through increased engagement.
Those that prioritize privacy know it’s a competitive differentiator. ”If you are not making customer privacy a central value proposition,” said Hughes, “you're going to lose customers and experience market risk.”
This is the 2nd in our series presenting key takeaways from Sage Data Security’s 2015 CyberCrime Symposium, held November 5-6, 2015. In case you missed the filled-to-capacity event, “Collaboration & Information-Sharing,” make sure to check-in weekly for the latest installment featuring actionable insight from select presentations.