What IT Professionals Need to Know About Privacy
I’ve just learned that I’ll be presenting at SecureWorld in Boston on March 23rd. To follow is the abstract I submitted for the call for papers. Now all I have to do is put together the presentation… I know many people who read this blog are a good target for this type of topic. Feel free to send ideas, anecdotes, etc. that might help me focus the presentation.
As a 20-year IT veteran currently at the center of the privacy profession, I have a unique perspective on the rapid growth of privacy and what it’ll mean to IT professionals in the near future. In this presentation I will discuss the gray line between the information security profession and the privacy profession, the current state of privacy laws and regulations around the world, and how the IT professional should integrate these into business decisions as well as policy and software development.
It took more than a decade of highly publicized data breaches and break-ins for the nation’s board rooms to begin paying attention to the information security professionals in their organizations. A similar shift is occurring with privacy issues, and this time it won’t take a decade to gain prominence.
It’s estimated there were over 30 million personal records breached in 2011, at an estimated cost to businesses of over $6 billion. In addition, both Google and Facebook agreed to 20 years of privacy audits in settlements with the FTC. The massive expense of handling data breaches, as well as the FTC’s clear warning shots indicating its intent to enforce limitations on what companies do with customers’ personal data, is bringing privacy to the forefront.
This is evidenced by vocal public reaction to recent privacy violations, the recent appearance of state laws regarding breach notifications, as well as the numerous bills brought to the Congress in the 2011 session attempting to enact additional privacy laws and regulations. The writing is on the wall, and it will manifest itself in the corporate environment as urgent requests from the upper levels of the organization to address “privacy.”
For many companies the issue is already prominent. Those who deal with financial or medical records are subject to strict regulations, and anyone competing on a global scale faces mature privacy laws in Europe and Canada as well as in parts of South America and Asia. For the rest, it will come quicker than many expect.
And, for better or worse, without a clear definition of what “privacy” means in the US, the IT department is often leaned on to help define and manage this issue. An understanding of privacy laws, regulations and best practices, as well as knowing how to integrate that information into policies and development life-cycles, is an important tool for an IT professional. With that knowledge he becomes a critical asset contributing to the long-term success and competitiveness of an organization.
Does it sound interesting?