PHILADELPHIA – Many organizations lump information security and data privacy together, meaning infosec teams end up managing privacy issues by default. That's not necessarily a bad thing, according to one data privacy expert, but privacy comes with many new problems and few easy answers.
During a presentation on data privacy issues for information security professionals this week at the 2012 (ISC)2 Security Congress, Jeff Northrop, IT director with the Portsmouth, N.H.-based International Association of Privacy Professionals, told attendees they shouldn't shun data privacy responsibilities.
"As information security professionals, we should want to assume these [privacy] responsibilities; that's good for our profession," Northrop said. "And by good for our profession, what I really mean is, you can make more money, and money's good."
However, Northrop indicated infosec pros are often surprised to learn their organizations' privacy practices are suspect at best. He said the general public defines privacy as anonymity, meaning data they provide to third parties won't be made public or used to identify them.
But within enterprises, those are often difficult expectations to meet. Northrop said nearly all organizations struggle with anonymizing data, since most data identifies an individual at some level. The best an organization can do, he said, is prevent a privacy violation, namely by preventing third parties from obtaining individuals' data without their consent.
What makes privacy even more challenging, Northrop said, is the inherent and growing conflict between what's best for individuals' privacy and what's best for the businesses that collect personal data. Individuals, he said, while increasingly concerned about the loss of control of their personal data, are still usually OK sharing data with entities they trust. What people don't like is when their data ends up in the hands of third parties, or is used in ways they didn't foresee.
Northrop cited the February New York Times exposé about Target's data analytics and privacy practices, in which it was revealed that, among other questionable initiatives, the retail giant analyzed women's purchases to determine whether they were likely to be pregnant. In one case, Target mailed coupons for pregnancy-related items to a teenage girl, inadvertently alerting her father about her pregnancy before she had told him.
"That's where the fear comes in," Northrop said. "Like in the case of Target, it's these secondary and tertiary uses of data, and that's what we characterize as a loss of control of the data. We may be OK with giving away our data, but we're uncomfortable with what happens with it."
Yet these sorts of non-traditional uses of personal data, Northrop said, are becoming the norm. Enterprises are jumping on the big data informatics bandwagon, he said, tantalized by the possibilities of taking disconnected data sets and combining and analyzing them in novel ways to create unique business value. What used to be a competitive advantage, he added, is quickly becoming the norm.
"Wal-Mart uses this technology to know when it no longer needs to order Justin Bieber posters because he's not popular anymore. Google uses it to serve up appropriate ads. The WHO uses it to determine where a flu outbreak will happen and how severe it will be," he said. "We're seeing it everywhere, it's making businesses smarter, and there's no stopping it."
And the fuel for the growing number of enterprise big data engines, Northrop said, is personal data. So it's no wonder, he said, that there's tension between individuals, who want to prevent their personal data from being used in ways they're not comfortable with, and enterprises, which require more and more personal data to funnel into their big data analysis systems in order to identify new business opportunities.
Information security pros, Northrop said, find themselves smack in the middle, recognizing an ethical responsibility to protect the privacy of the individuals whose data they've collected, even though enterprise infosec teams are ill-equipped to do it.
"As infosec pros, we do an excellent job of protecting the data," Northrop said, "but we have nothing in our frameworks, auditing or regulatory environments that helps us determine whether the business' data use is risky to the privacy of the individual."
Also stuck in the middle are regulators. Northrop said government officials and lawmakers face a difficult challenge in formulating new regulations that protect individuals' privacy while not stifling business. Worse yet, he said, the only practical actions they can take would involve beefed-up requirements around notice of, and consent to, the use of personal data, but neither one works well.
"To describe everything a modern organization does with personal data is really complicated," Northrop said. "Then you put a lawyer in there to make sure the language is precise, and it's even harder."
FTC ramps up privacy violation enforcement
Northrop said the Federal Trade Commission (FTC), recognizing it has few privacy protection options at its disposal, is getting more aggressive with privacy violation enforcement action, most notably on social media companies like Facebook and MySpace, forcing them into legal settlements that involve many years of rigorous privacy audits.
Until new government privacy legislation offers more guidance and clarity, the best thing enterprise information security teams can do, Northrop said, is advocate for the implementation of a comprehensive privacy program. He said it should identify an individual – a CISO or other privacy officer – who serves as a single point of accountability for privacy issues. Organizations should also conduct a privacy impact analysis: conduct a data inventory, highlight personal data and examine how it's used by the business and the controls placed upon it.
"You need spec policies to prevent what happened to Target," Northrop said. "So when somebody has a big data notation, a novel way to parse personal data, there needs to be some approval for this through the privacy officer."
"Nothing will make a regulator happier than if they come into your organization with an accusation they're trying to prove, and they see some protection in a policy that you're not doing," Northrop said. "If they do, it's over."