Consumer Expectations

Or alternatively titled, “How security and privacy both intersect but are different and why it would benefit to pay closer attention,” but that would be way too long of a title. As CTO of the IAPP – at the center of privacy – I have a unique perspective and I see both an obligation and an opportunity emerging.

One constant for me since early 2013 is that I am continually asked about Snowden, or more precisely how the secrets he revealed have changed our collective thinking about privacy. Short answer: not much, but it did consolidate our collective voices.

The only lasting effect Snowden has had so far was to emphasize just how much the public does care about privacy, and those of us working in privacy already recognized that the public cares deeply about maintaining control over their personal information. You’d think after all of the media attention that the interest in Snowden would be beaten to death by now, and I’ve answered the same questions dozens of times, just like I did for a reporter yesterday.

However, surprising myself, I’ve recently started to change my answer. As I just mentioned, I believe the biggest effect of the public reveal of Snowden’s stolen NSA documents on our public consciousness is to show just how much we all really do care about having control over who has access to our personal information and for what purposes it may be used. And while government surveillance is always an emotional topic of discussion, on a practical level the aforementioned underlying issue is much more important to recognize.

Consumers are demanding privacy protections, and as a result of this demand companies are now being held more accountable for how their actions meet those demands. This creates a unique opportunity for IT professionals of all flavors.

State of Privacy

Before proceeding to a discussion of what that previous statement means to you, it is worth restating: Companies are being held accountable for how they respond to consumers’ expectations with regard to privacy.

We see this playing out in the private sector. Consider Facebook. As recently as 2010 Mark Zuckerberg was publicly proclaiming that Facebook users don’t believe in privacy. Recently, however, the company has made a number of moves to be more privacy sensitive, including the introduction of an anonymous login, a privacy dinosaur to help users understand their choices, and more restrictive default privacy settings. These moves clearly indicate that Facebook is responding to this consumer call for increasing privacy protections, and Facebook is certainly not alone.

As a result of the massive data breach suffered by Target, the CEO resigned. As far as I know this is the first time a CEO has stepped down over a failure to protect consumers’ privacy. And it is not just the industry giants responding to this new world order; startups are getting in the game by embracing privacy as their main value proposition. After a dismantling of their service in the wake of the Snowden revelations, the folks from Silent Circle have risen from their ashes and have just raised $30 million in funding to build a privacy-preserving smartphone.

These are just a few of many examples of the market responding to consumer demand, but it is not just the private sector. We see a similar sort of response playing out with US regulators, such as the FTC and State Attorneys General.

For example, consider the case of Wyndham Hotels and Resorts. Wyndham suffered a series of data breaches that resulted in the loss of over 600,000 records that included personal information and credit card numbers. The FTC sued Wyndham alleging that they failed to meet their customers’ expectations for security, resulting in a loss of privacy. Wyndham, with the support of the Chamber of Commerce, sought a dismissal of the allegations but lost in New Jersey federal court.

Along those same lines, and for the same general reasons, the FTC sued LabMD, and just like Wyndham, LabMD took the FTC to court to fight the charges and lost as well. Neither of these cases seemed to make a big splash in the media, but, for too many reasons to explain here, they are big news. The bottom line, and what you really need to understand, is that with this ruling the FTC should feel emboldened in its attempts to go after companies that violate a consumer’s expectations of privacy and security. They have been doing this for a long time now, but there is now legal precedent to support their claimed authority.

It’s not just the FTC either; State Attorneys General are also finding ways of prosecuting companies for failure to meet consumer expectations. Led by Connecticut, thirty-eight State Attorneys General sued Google for indiscriminately collecting Wi-Fi data via its Street View vehicles. Google ended up settling out of court, and as is often the case with these things admitted to no wrong, but they were accused of collecting the unsecured router traffic in such a way that it would be surprising to the public, even though anyone with the right equipment (which is cheap and easy to find) walking up and down public streets could collect the same information.

All of these incidents, from Facebook’s recent privacy-enhancing moves to legal actions against companies not considering societal expectations, not only prove that consumer expectations with regard to privacy need to be considered beyond simple legal and regulatory compliance, but also make clear that neglecting to do so can result in brand damage, regulatory action and revenue losses. Consumers care about their personal data and as a result, privacy has emerged as a serious risk that needs to be addressed.

Data is Valuable

On the other side of the equation, organizations are finding increasing use for, and extracting more value from, personal information. This data, which used to simply be a by-product of, or ingredient for, the main priorities of a business, is now a valuable core asset. I’m hoping I do not need to elaborate on this point. If you are working in a company that has significant amounts of personal information and markets to consumers, you already know how valuable this data is. It is the primary reason why Facebook, Twitter, et al. have stratospheric market valuations, and you’ve had your head in the sand if you haven’t put two and two together.

When you pit the consumer’s desire to protect their personal data against a push by companies to collect and process more and more of this same data, you have all the ingredients for a battle. This battlefield is a notable tension between consumers that want to limit uses of their data and organizations that want to maximize their uses, and that creates a clear need for a role in the organization – one who can guide it so that it can both extract maximum value and at the same time minimize the risk of upsetting consumers. Upsetting consumers, as I’ve mentioned, can result in significant brand damage, financial losses and regulatory action.

What does this Mean

Now that we share the same background on this issue, I can bring this back around to my alternate title: “How security and privacy both intersect but are different and why it would benefit to pay closer attention.” IT professionals, in all segments, whether it be systems administration, security or software engineering, are well suited to fill this emerging role – the role responsible for minimizing that battlefield tension. These professionals know what data is being collected, where it is being stored, how it is being stored, who has access to it and for what purposes, and those are precisely the things that must be understood in order to correctly manage privacy.

Privacy is migrating out of the traditional silos of legal and compliance and into the domains of technologists at all levels, particularly those who manage our increasingly large caches of data. And this is a golden opportunity for technologists. Not only is this role of growing importance to the overall health and well-being of an organization, which is always a good place to be professionally, it is a great opportunity for professional growth as well.

People in IT-related positions often struggle to move from senior roles to the executive roles, such as CIO, CISO, CTO or CSO. Those roles are often filled by MBAs who might not have the same level of technical skills but have demonstrated experience solving strategic issues.

Unfortunately, if you think about most of the work that IT professionals do, you’ll notice it is tactical in nature. This leaves them unable to show they can think strategically as well. Privacy is a rare opportunity to take on strategic issues, show competency in that area, and position themselves for promotions to executive roles.

The Big Finish

To propel your career towards the C-suite you need to demonstrate you can think strategically, which, with regard to IT, means managing the correct balance between competing interests. That is the balance between the benefits of permissive access to the data for uses that can improve efficiencies, productivity or generate revenue versus minimizing the risk of a data breach or misuse – for your organization this balance is profoundly important and is the central issue related to privacy.

Make the choice to take on the responsibilities living at the intersection of privacy and security, work to understand consumer expectations, and learn to properly mitigate privacy risk. It’s a rare opportunity and it is waiting for you.
