For information security professionals, privacy might seem like a secondary thought. Done right, however, incorporating strategic thinking about privacy into daily job functions could be an info-sec professionals’ ticket to the C-suite. Or at least strong relationships with the people in it. After all, breaches and other gaffes are expensive and damaging, and information security professionals are the data keepers who can avoid such pitfalls.
That was the message from IAPP CTO Jeff Northrop, CIPP/US, CIPP/IT, who told a crowd at the RSA breakout session “Privacy as a Growing Risk” that privacy should be used as an advantageous tool to strategically make a leap up the command chain.
The opportunity exists because personal data has significant value, and there’s a great temptation by firms to extract the maximum value possible from the datasets companies collect. But unless that data is anonymized, which is extraordinarily difficult, that’s a dangerous proposition, Northrop said.
There are myriad examples of firms making mistakes in trying to do this, dating at least as far back as the 1990s, when Latanya Sweeney, now the chief technologist at the Federal Trade Commission (FTC), was able to reidentify 100,000 health records the state of Massachusetts Group Insurance Commission had released as “anonymized data” on state employees for a study aimed at driving innovation and research in the state. Or, a couple of years later, when AOL released user search queries to the public and a couple of reports from The New York Times were able to identify the people behind those. Or the Netflix gaffe. Or the Target gaffe. And the list goes on.
Those are prime examples of where information security professionals can play a key role, Northrop said. As the keepers of the data, they should decide how it should be handled. And if they aren’t making those decisions, they should be advising those who are.
“Systems in modern organizations are complex, and you have the access, skills and experience to uncover issues early and potential issues that legal or compliance may never spot,” he said. “You need to raise the flag and say ‘Hey, that’s not okay.’ That’s a strategic role.”
But there’s a flipside to promoting safe data practices, and that is that too much security is not a good thing. Requiring users at your company to constantly come up with randomly generated 48-character passwords all the time will have an opposite effect: “Too much security can also cause increase risk of privacy violation.”
An example of this was in 2013, when the FTC brought action against appliance rental service Aaron’s, which was leasing to the general public computers on which it had installed a suite of tools to mitigate potential damage to the computers. The software it had installed tracked user locations and accessed webcam and social network data. Some IT professional thought that was okay, Northrop said. But when the general public and the FTC found out, neither was pleased.
Northrop noted the FTC’s Jessica Rich’s assertion at the time that consumers have a right to rent computers free of cyber-spying and to know when and how they are being tracked by a company.
“Yes, of course,” Northrop said. “Who thought remote-control software able to take keylogs and webcam pics was a good idea? We are the ones making the decisions to collect and store this stuff. It’s important or us to be critical and ask do we need it? Are we exposing our company to new risks?”
Also important for infosec professionals to consider is whether their company is a multinational, as the laws and regulations of various countries differ widely, especially on privacy.
Northrop noted the 2011 case of Schrems v. Facebook, in which Austrian resident Max Schrems exercised his rights as an EU citizen to request his user profile data from the social networking giant. Unsatisfied with Facebook’s response to his request, he launched a protest site, gaining media attention and a public following. The result was an overwhelming number of similar requests similar by Facebook users and the attention of data protection regulators.
The lesson learned there is that a privacy officer may be able to tell you what the compliance rules are, but the infosec professional will know best how difficult compliance with those rules will be; profile data may be spread across systems, for example, and e-mailing data to respond to requests isn’t secure.
Knowing what role privacy will play makes infosec professionals indispensable when it comes to companies staying out of the headlines.
“That’s a strategic role for your organization. You ultimately have to comply with that kind of request,” he said. “When you’re raising the flag, it doesn’t mean it’s your responsibility to then handle the flag; maybe that’s the CPO’s responsibility. But you’re the one who understands these risks.”
Northrop continued, “Understanding data in a modern organization is specialized knowledge. You have the knowledge, so you understand the difficulty of complying with an unexpected request. Know the company’s obligations, and bake them into procedures and processes.”
While data privacy laws are based on Fair Information Practice Principles—which spell out that a company must give notice to a user via its privacy policy explaining what data will be collected and for what purposes so users can make informed decisions about whether that business transaction seems fair—that model is flawed, Northrop said. That’s because we all know, and studies have shown, that no one reads privacy policies, especially not on the tiny screens of mobile devices. And with the advent of the Internet of Things, ever-increasing amounts of personal data will be collected and used. This presents great opportunities for professionals to step up and make a difference.
“You manage the data streams,” Northrop said. “Help ensure that requests from marketing and product development are reasonable. Your organization must understand ‘consent.’”
That’s especially because regulators are expecting companies to have conversations with their consumers and imposing enforcement actions where those conversations aren’t happening.
Northrop noted recent headlines over Target’s embarrassing marketing misstep and the hot water Google found itself in over its collection of WiFi data, all of which could have possibly been avoided if someone in infosecurity had stepped up and raised concerns over the data streams being collected and used.
Learning from such mistakes and deciding to integrate privacy into your career is an opportunity to elevate yourself from robotically completing day-to-day tasks to becoming an asset within a company’s strategic pursuits, whether that means going global, maximizing or monetizing data use or preventing data breaches, Northrop told the crowd.
“Our chief privacy officers struggle to know this information. If we are strategic thinkers and we see this information and think more broadly about how the company will maximize this use over time, that is an important role for us,” he said. “You may be thinking this doesn’t apply to me, but it’s just beginning.”
Read More by Angelique Carson:
RSA Dispatch: Talking FIPPs and Geeks with Google, Microsoft and McAfee
Cryptographers at RSA: “Users Seem To Now Mind Giving Up Privacy”
If Gov’t Won’t Protect Privacy, Innovation Will
From RSA: In Times of Distrust, Innovation and Collaboration Will Be Key
Comments
If you want to comment on this post, you need to login.