Privacy is not Security, II
Late last year I wrote about the differences between information security and privacy. What was true then is still true now: That information security professionals, often by default, are tasked with handling privacy for their organization—and I wouldn’t want to discourage that. I believe those who possess the knowledge, skills and experience to protect data are well positioned to extend their responsibilities to handle information privacy as well.
However, the mechanisms with which information security professionals perform their functions don’t fully cover privacy. Compliance with laws and regulations such as DSS-PCI, HIPAA and GLBA work to ensure that certain types of data are well protected from improper access and use, but as the field of data analytics (a.k.a. Big Data) continues to mature, those narrow protections are inadequate.
Consider the tension around privacy for a moment. On one side you have a growing fear among consumers: A fear of a loss of control over their personal data. As consumers we willingly share our personal information thousands of times a day. When we post to Facebook or Twitter, use Google or just surf the web, we are sharing bits of ourselves. We also divulge information when we use our credit cards and rewards cards, when we talk to our doctors and when we use the EZ-Pass in our cars.
We do this willingly because we believe the value we derive is worth the expense of sharing our personal information. But what we don’t willingly agree to are tertiary uses of the information. This is where paranoid fantasies and conspiracy theories come into play. Is the knowledge that I purchase a gallon of Ben & Jerry’s every week being sent to my insurance company? Is EZ-Pass recording my average speed and sending that to the State Troopers?
The answer is likely “no” in both of those cases, but Netflix did share video rental history, AOL did share search data, MySpace did reveal identities to advertisers and Target did calculate who was pregnant based on purchase history. As the prevalence of these stories increase, the public gets increasingly less comfortable with the idea of divulging personal information, and it is within that context that I state that people have a growing fear of a loss of control of their personal data.
On the other side of this tension is the Big Data engine—the practices of taking disparate sets of data and combining them in novel ways to derive some sort of business value. Big Data is making businesses both smarter and more efficient. It is helping serve customers better and manage inventories more closely. There are now businesses themselves built solely on the value driven from these modern analytic techniques. Big Data has moved rapidly from the realm of “unique competitive advantage” to simply a “cost of doing business.”
It’s prevalence can not be understated. And what is fuel for this Big Data engine? Largely it is personal information. The very same information that consumers are increasingly unwilling to reveal. This tension between consumers’ fear of revealing too much information and businesses demand for that very same information is growing.
Trying to address this tension are the regulators and lawmakers. They are walking a tightrope in attempting to alleviate the public’s fear while not stifling business innovation. But the current laws and regulations don’t adequately address the problem. If it did I wouldn’t be discussing this growing tension and, in fact, there likely would be no privacy issues at all.
Given our current situation, if information security professionals intend on tackling privacy, is it imperative that they understand this tension and understand that simple compliance with laws and regulations aren’t enough. Compliance doesn’t address this tension. Frameworks and guidelines such as ISO 27001, COBIT, CERT and NIST don’t address this tension either. And that is why I believe information security professionals don’t have privacy covered.
We, as information security professionals, can assume the privacy responsibilities of our organizations, but to do so means we need to extend our practices. Unfortunately the discipline of privacy isn’t nearly as mature as information security so we don’t have the same depth and breadth of resources to rely on. On the other hand we are fortunate that privacy as an issue isn’t nearly as deep and wide a security in general. While there is no ITIL or NIST in this space there are resources that can help us develop our own programs.
But what is available and how it can be used is a large and tricky topic so I’ll reserve that for another post. Until then look to organizations such as the FTC and HHS in the U.S. or the myriad of other data protection authorities around the world for guidance. It can be hard to parse the documents put out by those agencies but there is a mountain of excellent information for those willing to tackle them.