Posted by: David Scott
I was reading an interesting article the other day, “Apple, Google Under Fire at Hearing.”
You may read the article for yourself, and I recommend it. But of interest to me, and hopefully others here, is the tracking that Google and Apple perform to optimize their services. This tracking can have privacy implications: Google and Apple (and by extension, anyone hacking critical data) can establish your whereabouts – pinpointing, or exposing, virtually your exact location.
You can certainly harbor your own thoughts and opinions regarding the level of liability in all of this – but before anyone makes a hasty determination of privacy liabilities, or lack thereof, consider: There are all manner of folks who benefit from not being located at any given moment in time. There are former spouses who don’t relish being tracked. There are people with some measure of public profile who like to get out and about without generating a scene. What of witness relocation? Further, there’s potential for government abuse in this realm. Other examples abound, and still others will become evident in time.
It’s an interesting puzzle: How to manage the balance of delivering beneficial information to the consumer based on location (such as GPS and navigational assists; location and distance to pizza – you get the idea…) while at the same time protecting consumers’ privacy?
No less an authority than Trevor Hughes, Executive Director of the International Association of Privacy Professionals, has some interesting things to say regarding privacy:
“You know, it seems to me that there are real risks for organizations out there today, and you can knowingly violate privacy law or the expectations of privacy of your consumers…”
“I think it speaks to a larger issue in the marketplace, and that is we all have to become privacy professionals [emphasis added – DS] at some level. We all have to have a broad environmental awareness of how data can create risks for our organizations.”
“If your customers don’t trust your privacy, they don’t trust you. And that has implications far beyond just the law; it has real implications for your business.”
When we see Mr. Hughes speak above about risks to privacy – how data “can create risks for our organizations,” and that these things have “real implications for your business” (that is, liabilities) – he’s actually talking about… SECURITY. BUSINESS SECURITY.
I don’t like to blow my own horn (wellll… actually, I do. I lean on it sometimes…), but I’ve long made the point: All activity must now be viewed through security’s prism. Everyone in the organization must become a mini-security officer: Do it now.
I posit that, rather than everyone being a privacy professional, we really need everyone to be a security officer – that condition encompasses issues of privacy, protection, and the ensuring of best outcomes for business all around.
I’ve stated this here before at The Exchange, I stated it in my 2006 book, and I continue to counsel all businesses with whom I consult that they must do this. They must qualify every employee to view all activity through security’s prism, and to take appropriate safeguards before triggering any action. It becomes natural, efficient, and ensuring. It’s fairly simple to effect.
Breach of privacy – whether exposing business methodologies and secrets, or client, customer, and consumer confidences, histories, and critical business/personal data – is a breach of security and a direct threat to business continuity.
Update plans and training: Security; Acceptable Use; Content Management; Business Continuity; Disaster Awareness, Preparedness, Prevention and Recovery; and others of your own. Be certain to conduct semi-annual or quarterly refreshers: Most organizations likely have regularized refresher training, or monthly All-Staff meetings, where security and privacy concerns can easily be accommodated without too much overhead to the organization’s time and other resources.
If I may quote I.T. Wars: Sooner or later, everyone in the organization will be made a mini-security officer: Do it now.
Word to the wise.
On this day: In 1965, the Kinks arrive in New York City to begin their first U.S. tour.