This is a great time to publish my first blog post to my CPO Magazine column! Why? Because Sunday, January 28, 2018, was International Data Privacy Day. After my team and I accomplished, for the tenth year in a row, obtaining the Iowa Governor’s official declaration for Iowa Data Privacy Day, and I finished creating this year’s infographic, 6 Places Crooks Steal (Then Ransom) Your Data, with my fabulous team doing all the heavy lifting to take my sometimes complex and convoluted ideas and put them into understandable and clear representations, I was thinking about how I first started addressing and solving privacy risk challenges as an integral part of my career activities. It has been 2 ½ decades now.
I’ve been creating privacy management solutions for businesses since 1994 when I built and managed the information security program for the large multi-national financial and healthcare corporation I worked at from 1988 to 2000. The corporation was planning the first online bank in 1994, and I was given the responsibility of establishing the information security requirements for it.
I had run across the OECD Privacy Principles when I was researching the few (compared to now) information security standards that were in place for online commerce at that time. After reviewing the related issues, I knew we needed to implement not only security controls within and around that online bank, but we also needed to clearly address and mitigate the associated privacy risks of the individuals whose data we would be collecting (the data subjects). I knew that without addressing the associated privacy risks in a transparent and comprehensive manner, we could not gain our customers’ trust, which was essential for our bank to be successful.
So, I went to my Sr. VP / CIO expressing my concern that if we did not address privacy within the online bank it would not only leave our new customers at risk, but also put our business at risk. I successfully made the case to establish privacy requirements for our bank.
The Sr. VP spoke with the Corporate Counsel, asking for one of the lawyers to address the privacy issues. The Corporate Counsel said that while it sounded like a good idea, since there were no legal justifications for doing so, the corporate lawyers could not spend any time determining privacy requirements for the bank. But, think about it. There were no privacy laws in 1994 applicable to online banks. Why would there be if ours was going to be the first?
I did not stop there. I strongly believed it was important, so I convinced the Sr. VP to have privacy addressed in some other way. He indicated that since I felt so strongly about it, he was giving me that privacy responsibility. Ask for something, and you get something…often along with added responsibility! But, this was actually another great opportunity to do something that had never been done before within the organization, or within most other organizations.
Since then I’ve welcomed the opportunity to identify privacy risks in new technologies and practices, in a wide range of industries, and also to identify the cybersecurity controls to mitigate those risks.
The things that have changed
There has certainly been much change in technologies in the past 24 years. Here are just a few of the major ways that things have changed:
We’re always online. Very few used the internet 24 years ago, versus now when almost everyone is connected, in one way or another, to the internet almost continuously. More online connectivity creates more types of security and privacy risks.
We’re using many more types of devices. Most individuals now have half a dozen, or more, types of computing devices that they carry, wear, and use at work and at home, virtually non-stop. In 1994, by contrast, the general public primarily used PCs, and only for very specific types of activities that often were not online. More computing devices create more types of security and privacy risks.
We’re generating more, and more types of, data. Today’s computing devices are largely creating data on an almost continuous basis, often related to the associated user’s activities. And considering the ease with which data is shared and copied, data can be multiplied a thousand-fold and more with a simple press of a button. In 1994, by contrast, data generation was largely a purposeful and point-in-time event. More data, particularly new types of personal data, creates more types of security and privacy risks.
Additionally, there are literally hundreds more privacy / data protection laws, regulations and standards today, versus only a handful that applied to comparatively few organizations 24 years ago. Managing privacy compliance a quarter of a century ago was much easier and more straightforward, since few requirements existed.
Things that are the same
While so much has changed, it is important to never forget the lessons of the past. While the types of data, tech and legal requirements may be much different, the basic categories of privacy risks are still the same. And the general concepts for mitigating those risks are also pretty much the same as they were decades ago. In particular:
Use data minimization. Only collect and generate the data necessary for the associated purpose. Give users only the minimum access needed to support their job responsibilities. Etc.
Implement security safeguards. Control access. Use two-factor authentication. Implement strong encryption. Log access. Keep systems patched. Provide regular security and privacy training to workers. Etc.
Retain data only as long as necessary. The longer you keep data, the more data you have to secure. Get rid of unnecessary data to reduce risks. Comply with growing numbers of legal requirements for data retention. Etc.
Dispose of all forms of information securely. Finely shred hard copy information. Remove data from digital storage devices. Irreversibly delete data from hard drives. Completely destroy backup tapes. Etc.
Don’t share inappropriately. Do not give copies to third parties without consent from associated data subjects. Don’t publish personal data online inappropriately. Etc.
Ensure accuracy. Don’t allow unauthorized changes. Allow data subjects to correct their associated data. Verify data accuracy. Etc.
Make data backups. Ensure up-to-date and accurate data is backed up to multiple, secured, backup locations. Ensure recovery can be accomplished quickly when necessary. Etc.
Comply with legal requirements. Laws. Regulations. Contractual requirements. Adopted standards. Posted privacy notices. Etc.