BOSTON — Privacy is a fog rolling in over the land. That’s how Jeff Northrup, IT director of the International Association of Privacy, described personal information privacy during his presentation at the SecureWorld conference last week. The fog is thick over some countries, especially in Europe, and rather light over the U.S., but that will change soon. Northrup advised IT professionals in the U.S. to draw a map through the fog now to avoid crashing into problems and penalties later.
Evidence of a rapidly changing data privacy landscape is plentiful. The Obama administration just released its U.S. Privacy Bill of Rights, which would grant individuals more control over how their information is collected and managed, and increase transparency in privacy policies. Many observers believe it has a good chance of becoming law. Also, the FTC recently slapped Google and Facebook with penalties after users complained of privacy abuses; Google will now undergo 20 years of independent privacy audits, and Facebook may face similar chastisement from the FTC.
These incidents are just a few of the signs that security professionals need to amp up privacy projects before their organizations run afoul of current or future U.S. data privacy laws. Where to start? Northrup suggested organizations take an inventory of every piece of personal information they collect, and note why it is collected and where it is stored. This can be a daunting task, but many organizations already have some of the pieces in place as part of their compliance programs or DLP projects. Any information that does not have a clear business purpose (and the marketing team’s desire to send email blasts to a million relative strangers does not count as a “business purpose”) should be deleted or stored only on an as-needed, transient basis.
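The inventory Northrup describes is easier to keep honest when each recorded element carries its purpose, its storage location and a retention limit, and a script applies the minimization rule mechanically. The following is an added example of that check; it is not code from the article, from Northrup or from the IAPP, and the record fields, the action names and the sample inventory entries are all constructed for illustration.

```python
"""PII inventory minimization check (added example, not from the article)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class PiiRecord:
    """One row of the inventory. Field names are assumptions for this example."""
    element: str                    # what is collected, e.g. "email address"
    purpose: str                    # documented business purpose; "" if none
    storage: str                    # system holding it; "" if nobody knows
    retention_days: Optional[int]   # None means kept indefinitely


def classify(rec: PiiRecord) -> str:
    """Return the minimization action for a single inventory entry.

    The rules follow the advice in the text: data with no clear business
    purpose goes; data that is kept must have a known location and a
    bounded lifetime rather than sitting around indefinitely.
    """
    if not rec.purpose.strip():
        return "delete"          # no clear business purpose: do not keep it
    if not rec.storage.strip():
        return "locate"          # cannot protect or purge what cannot be found
    if rec.retention_days is None:
        return "set_retention"   # keep it, but only on an as-needed basis
    return "retain"


def review(inventory: Iterable[PiiRecord]) -> Dict[str, str]:
    """Map each element name to its required action."""
    return {rec.element: classify(rec) for rec in inventory}


def summarize(inventory: Iterable[PiiRecord]) -> Dict[str, int]:
    """Count how many entries fall under each action."""
    return dict(Counter(classify(rec) for rec in inventory))


# Constructed sample inventory; none of these values come from the article.
SAMPLE_INVENTORY = [
    PiiRecord("email address", "account login and password reset",
              "identity database", None),
    PiiRecord("shipping address", "order fulfilment", "order system", 730),
    PiiRecord("date of birth", "", "marketing CRM", None),
    PiiRecord("phone number", "fraud verification", "", None),
]


if __name__ == "__main__":
    for element, action in review(SAMPLE_INVENTORY).items():
        print(f"{element:20s} -> {action}")
    print(summarize(SAMPLE_INVENTORY))
```

Running the script prints one action per element followed by the totals. The point of the `locate` action is that an entry with a purpose but no recorded storage location is still an unmanaged risk: it cannot be deleted on schedule or included in an audit until someone finds it.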
By taking steps toward greater transparency and giving users more control over how their information is used, organizations will be better prepared to navigate out of the fog.