Manage Learn to apply best practices and optimize your operations.

Regulatory compliance: Sun shines on SB-1386

This case study reveals how Michelle Dennedy, Sun Microsystems chief privacy officer, tackled SB-1386 compliance by making it part of the corporate culture.

As she wrote the job description, Michelle Dennedy knew exactly the type of person Sun Microsystems needed as a chief privacy officer: someone who was sharp, flexible and could "hold hands with the CIO and CSO." Sun knew too: Dennedy.

Moving into the chief privacy officer role from that of senior counsel, she had her work cut out for her. Dennedy mapped out 100 countries' privacy laws with which Sun needed to comply -- including the then draft form of SB 1386 -- and met with Sun's privacy council, which draws people from human resources, IT and other departments for guidance. Dennedy and her team then worked with trade groups such as TechNet to shape the wording of SB 1386.

The end result: a comprehensive privacy policy that is enmeshed in Sun's corporate culture. Today, 75 people are on Sun's privacy council, which meets regularly, and SB 1386 is one of the topics covered in Sun's mandatory "fiduciary boot camp" for all employees. Each employee goes through periodic security-awareness training, and an intranet page is devoted to helping staffers understand the law and its ramifications. All e-mail coming into Sun goes through multiple levels of antispam and virus filters, and intrusion detection and identity management systems.

This three-pronged approach -- "people, process and technology" -- is necessary for Sun to adhere to SB 1386's requirements, Dennedy says.

SB 1386 covers a fairly narrow chunk of personal data, which Dennedy cites as a positive. "It's very important [that the information affected be well delineated] for the legislation to be effective, so you know when it is time to act," she says. "That awareness of data segmentation and mapping is the biggest lesson being learned out of all these [privacy] laws."

To bolster its networks against unauthorized access, Sun uses technology it helped develop via the Liberty Alliance: specifications that define open standards for Web services and federation technology to secure personal information. Companies -- from product vendors to corporations -- that adhere to Liberty Alliance specs in their applications may reduce the number of times users log in to networks and the number of passwords users must remember.

The focus of federation, Dennedy adds, is "sharing as little information as you have to with your partners. It's like booking travel: The car company doesn't care that you like an aisle seat, and the airline doesn't care that you need an economy car. Federation shares exactly what you need, without excess data [being transmitted]." To help people understand what constitutes a breach that could trigger SB 1386's mandated processes, Dennedy tries to "talk to people all the time," she says.

"If an administrative assistant has her boss's password and she goes into his computer to check something, trying to be proactive, is that a breach?" According to Dennedy, the answer lies in a dialogue. Employees should talk to her about any privacy-related issue such as "a weird e-mail" or a gating function in an application that doesn't seem to work. The important thing is that they tell me.

"You don't have to have 100 full-time [people] dedicated to data protection, but you do have that many people owning data, so everyone's input helps," she says.

About the Author
Diana Kelley, Senior Analyst with Burton Group, is also a contributing editor for Information Security magazine and

This article originally appeared in Information Security magazine.

This was last published in April 2006

Dig Deeper on Data security breaches

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.