The International Association of Privacy Professionals’ (IAPP) Global Privacy Summit wrapped up just last week and, as always, the event organizers did a fantastic job lining up noted, impressive speakers that really made us think about four aspects of data privacy:
- the impact of being watched;
- capturing personal information;
- the role of government, citizens, companies, consumers; and
- the ethical dilemmas of data collection, use and protection in an increasingly small and interconnected world.
Glenn Greenwald, the journalist who brought us Edward Snowden, and Michael Sandel, Professor of Government at Harvard University (who also happens to teach the most popular class in Harvard’s history, “Justice”) brought up some very interesting and provoking points that are worth sharing here.
Without a doubt, we are living in a data-driven society. We are living in a world of globalizing economies, data transfer, and ubiquitous access to everything from everywhere. At the same time, throughout the past year, we have seen an influx of compliance and data security related stories flood news outlets – Experian and Home Depot, just to name a couple. Companies around the world are facing a heightened demand for data privacy and compliance regulation. Further, from Facebook and Google Glass to NSA and Verizon, there is a continuing balancing act between sharing information that we choose to share and, at the same time, protecting information we wish to keep private. Living in our increasingly social world has presented and will continue to present a paradox with personal privacy: information placed on the internet and available publicly can be used in unintended ways, regardless of your original intent. This is true for public sector organizations, businesses, and individuals alike.
One of the issues Professor Sandel raised during his session was whether “knowing that you are being watched may not only limit the thoughts you will have but the thoughts you can have (emphasis added).” So, are Chief Privacy Officers data stewards and advocates for the privacy rights of our employees, customers, and citizens? The reality is that virtually every company is in business to make money, and it is the job of compliance professionals (whether privacy officers, attorneys, or security officers) to help them make money by fully realizing the potential of the data they obtain – but also ensure they are simultaneously protecting that information.
Let’s be clear: consumers are at risk. Not only as their personal information, such as credit card numbers, passwords, and security questions, is stolen and exposed, but also as their information becomes a valuable commodity sought by anxious data brokers – and even captured by devices like their automobiles and thermostats!
Whether personally identifiable information, health information, financial data, contract information, research and trade secrets, intellectual property, or contract data, this kind of information has become a new kind of currency – and some have even called this personal information the new “oil”. Companies like Google and Facebook have become multi-billion dollar organizations by offering free services simply by being able to attract their users to share this kind of information so they can then use this data to learn about their users and share it with paying sponsors and advertisers. However, shared inappropriately, whether by accident or breach, inappropriate disclosure of sensitive data can have dramatic financial impacts on an organization and can, arguably more importantly, erode consumer trust. Trust is something that businesses must work to establish with their customers every day. Once lost, it is very difficult to regain.
The stakes are high, but if handled properly, risk management can transform the way we do business. For effective data management and collaboration to turn into a competitive advantage for the business, timely access to data as well as multi-directional communication flow – with the right risk management filters in place – is essential so data is available whenever and wherever to those who need it, and protected from those who shouldn’t have access. Companies can repurpose their compliance programs traditionally viewed as a “cost center” for the business by turning this previously untapped information into a business asset. This not only creates a quantifiable return on investment for data security and privacy programs, but also helps the company increase productivity and mitigate the potential of violating regulatory statutes.
J. Trevor Hughes, President & CEO of the IAPP, said that “privacy is like a series of dams that we try to set up to limit the data we share as small data becomes big data.” Technology and proper controls can help make sure the flow of information is controlled, intentional, purposeful, and thoughtful rather than something that becomes destructive to the greater good.
Interesting research area. Year after year this has become one of the most discussed topics in the classes I teach.
Yes I agree-Privacy definitely has become a more prominent topic in the last few years-we can thank Edward Snowden, NSA, and some social media and search companies for that new spotlight! It is and should be important to all of us-as our personal information is a vital part of how we operate in the world. Thank you for your comment!
Privacy is hot now because people have a greater ability to learn about it… this is not remotely a new problem, and rules & regs around technology won’t go nearly far enough in solving the problems.
Hello Greg-thank you for your comment. I agree that the increased attention to privacy in the news brings more attention to it, and I also agree that technology and particularly laws and regulation will always be at least a “few steps behind” the challenge of protecting information, but I also firmly believe that we nonetheless need to be very steadfast in our determination to take good care of our personal information and hold vendors and service providers as well as the government accountable for saying what they do and doing what they say with our personal information. Consumers have the ability to directly influence companies that do the right thing and the wrong thing!
I think 2 factor authentication needs to be implemented everywhere so we can do what we can to protect our personal online privacy.
Thanks for your comment. I think that a “layered” approach to security is definitely important so that we are not simply relying on a single method of identity protection and access management! Two factor authentication can be a part of the solution but does not alone solve the problem!
Great points Dana. I believe there are so many people that do not know how easily their personal information gets spread online. From Google searches to Facebook likes, they are all recorded and then sold to ad companies. I think it’s important people learn the safety of sharing certain information in the online world.
I agree. I’m working on our firm’s annual security update and there’s always a good amount of information on being aware of what you are doing online. Too many times, employees will blindly input information not realizing the purpose. Educating the users is key.
Definitely, it is crazy how easily people will put their email and home address when someone is offering for them to win a prize. (Little or Big)
Later when they get spam emails by the hundreds, they still don’t know how that happened.
Acceptable use policies generally have some language with regard to agreeing by using their site. If you don’t disable or remove your account, is that deemed as “use”?
Great post! People don’t think about privacy and how easily their “data”–personal information–is available.
The lack of online privacy is a huge problem, and it’s only getting worse. Most consumers are still unaware of the scale and scope of online tracking. I recommend researching tools to protect your privacy to reduce your risk.
I agree… scary times for the uninformed.
Or for those who are oblivious and have no clue.
Dana, this is definitely a rising problem.
We have departments that go out and buy cloud solutions, and start putting data there with no regard to security or eDiscovery or anything.
How can we realistically combat this? Policies don’t work. Training? More technology? Public shaming? It seems like it will take an actual security incident to get people to care.
Online privacy is a huge concern especially given the rise of social media and online shopping. Consumers are definitely at risk!
Very intriguing topic. It will be interesting to see what happens over the next few years.
This is a very interesting topic and the public needs more visibility.
Data privacy and stewardship are very important to my company. I hope to learn a lot at the event.
The problem is, people do not care about their privacy until it is too late. The insights we give in our lives are way beyond the bad dreams of George Orwell’s 1984. And there’s no going back to 1948 (wasn’t that the year it was published?)
And it is only going to get worse. A lot of youth are giving away their privacy and the concept has a lot less impact to them now.
“Companies can repurpose their compliance programs traditionally viewed as a “cost center” for the business by turning this previously untapped information into a business asset.” Sounds promising, but needs a convincing bc – and a convincing records manager/compliance officer…
Interesting topic. I think people would care more about their privacy if they had ever had an issue with it. Speaking from first hand experience, identity theft sucks 🙂
I think 2 factor authentication is hard to implement.
Try harder Tim!
thanks for the info
Certainly some PII is more dangerous than others. As we hear more and more about data breaches and information loss, we have to examine how we ourselves are both a cloud entity storing client information and cloud consumers putting our protected data out onto other clouds, and have a serious conversation on which side our data is at the most risk. Frightening as it might seem, more often than not the risks are local.