11 | 2006

More than ever, companies are responsible for ensuring the privacy of the personally identifiable information (PII) in their care. The fact that PII is often in the hands of personnel using powerful mobile computers and storage devices away from corporate facilities only complicates matters. Not surprisingly, information security and privacy incidents are on the rise, along with growing public awareness of them. What is a company to do?

Join us as we visit the thorny world of privacy, a place where overlapping and unclear legal obligations, "situational" customer preferences, technical challenges, and management risks abound. Discover how you can use anonymization techniques to protect sensitive data during storage and transit, when data may be at highest risk of being attacked. Learn how to reduce the risk of a privacy breach by building privacy into applications that manage sensitive data. And while "dead men tell no tales," dead computers do. Find out what you can do to ensure your discarded equipment goes silent to the grave.

"Organizations need to address privacy not only because it is legally required and the right thing to do, but also because it is necessary for keeping customer trust, maintaining customer loyalty and support, and improving the corporate brand."

-- Rebecca Herold, Guest Editor

Start at the End

Don’t get caught throwing away your customers’ and employees’ privacy. Most companies can prevent privacy incidents by properly disposing of, recycling, or selling old computers and storage media at the end of their useful life.

Start at the Beginning

An ounce of prevention is worth several pounds of cure. With increasing amounts of sensitive information being stored on mobile devices, entrusted to end users, and shared with business partners, nothing short of a comprehensive and well-executed privacy program will do. If you wait until you experience a privacy incident to incorporate privacy throughout your enterprise, it will cost your organization many times more than it would have to prevent the incident in the first place.

Opening Statement

In many parts of the world, privacy is considered a basic human right, or as the EU Data Protection Directive (95/46/EC) puts it, privacy safeguards are "for the protection of the private lives and basic freedoms and rights of individuals." It has only been in the past few years, however, that organizations have really started to noticeably address privacy challenges and dedicate the resources necessary to effectively deal with the myriad of privacy issues and requirements.

The public is also becoming much more savvy with regard to privacy. Organizations need to address privacy not only because it is legally required and the right thing to do, but also because it is necessary for keeping customer trust, maintaining customer loyalty and support, and improving the corporate brand.

While organizations are starting to address some privacy issues, there are still significant privacy pitfalls that more and more organizations fall victim to. This is typically because they have simply not recognized certain common vulnerabilities.

INCIDENTS OCCUR MANY DIFFERENT WAYS

Organizations must realize that incidents can, and do, occur in a very wide variety of ways, not just as a result of hackers or stolen computers. Consider the following examples, each of which represents a different type of privacy incident:

  • In July 2005, a programming error within an online system for accepting applications at the University of Southern California exposed the personally identifiable information (PII) of 280,000 people.

  • In January 2006, a laptop was stolen from an Ernst & Young employee's car. It contained the names, birthdates, genders, family sizes, Social Security numbers, and tax identifiers for potentially all 330,000 IBM employees.

  • In March 2006, an e-mail was sent to 17 principals at the Connecticut Technical High School System that accidentally had a file attached containing the clear-text Social Security numbers of all 1,250 teachers and school administrators. At least one principal then forwarded the e-mail to 77 staff members without realizing the file was attached.

  • In September 2006, it was reported that a former employee of the Cleveland Clinic Hospital and a relative who worked for a health insurance claims company were arrested and charged with stealing the personal information of over 1,100 patients.

The types of privacy incidents that can occur include, but are not limited to, the following:

  • Inappropriate access to the network or computer systems

  • Lost or stolen computers and computer storage media (backup tapes, hard drives, CDs, etc.)

  • E-mail messages with clear-text confidential information sent or forwarded inappropriately

  • Fraud activities perpetrated by outsiders, insiders, and combinations of both

  • Hackers gaining unauthorized access to PII

  • Information exposed online because of inadequate controls

  • Insiders inappropriately using PII

  • Confidential paper documents being given to people outside the organization (e.g., recycled within schools/churches as scrap paper) instead of being shredded

  • Improper disposal of media containing PII

  • Password compromise that allows access to PII

In order to effectively plan to prevent -- as well as respond to -- privacy incidents, organizations need to identify their potential privacy vulnerabilities and then address each of them individually. This issue of Cutter IT Journal contains valuable information to help you with that effort.

STUFF HAPPENS … INCREASINGLY OFTEN

Today, PII is being stored on PDAs, laptops, and mobile storage devices, and it is being accessed by people who work from home, work while traveling, or work for other companies. The more mobile PII becomes, the greater the risk that PII will fall into the wrong hands. According to the Privacy Rights Clearinghouse, between 15 February 2005 and 18 September 2006, there were 307 privacy breaches reported in the news in the US.[1] The cumulative number of individuals impacted by all these breaches was over 93 million.

According to a Ponemon Institute data breach study released in October 2006,[2] losses involving PII cost US companies approximately $182 per compromised individual's record. When you consider that most breaches affect thousands of individuals, this is significant. Each of the 56 companies surveyed had $2.5 million in lost business as a result of each incident.

Furthermore, privacy incidents involve much more than just the immediate cost of the breach. Organizations may also suffer from the subsequent and ongoing actual costs of internal investigations; external legal advice; notification and call center costs; investor relations; promotions such as discounted services and products; lost personnel productivity; lost customers; travel and lodging costs to bring business clients on site for assurance meetings; increasing staff; ongoing auditing and documentation requirements; installing new systems and fixing old ones; and so on.

One of the more low-tech ways privacy has been, and continues to be, compromised is through sloppy and inconsistent disposal methods. Many companies continue to throw papers containing PII directly into dumpsters in their back alleys, where crooks and fraudsters subsequently collect them. They are also making very poor decisions when it comes to retiring their old computers and electronic storage media, thereby putting PII at risk and causing significant privacy breaches. For example, some organizations actually require departments to sell their old computing equipment, but they have no accompanying requirements to remove the data first.

In our first article, Andrew Jones discusses a research project in which he collected hard drives that had been discarded. He then performed forensic analysis on these drives to see what types of information were left on them and discovered an alarmingly large amount of PII. Jones describes his research results and explains the mistakes people make when disposing of storage drives. Finally, he provides some recommendations for corporate and home users to follow in order to avoid becoming one of his statistics.

Of course PII is stored in many more places and many more ways than just electronic storage media. In "Best Practices in Data Destruction," D.J. Vogel and Mark Fischer stress that information security is a critical issue for organizations that store and process PII. Such organizations must comply not only with multiple regulatory requirements, but also with a growing number of association requirements, such as those from the Payment Card Industry (PCI). Despite the considerable amount of money organizations have spent on their security and privacy initiatives, however, an overwhelming number have not addressed how to securely dispose of PII in all media. As a result, privacy breaches resulting from inappropriate data disposal continue to increase. Vogel and Fischer use actual examples to demonstrate the impact of not having a comprehensive data destruction strategy and offer helpful recommendations for destroying PII in all its forms.

Next, David Lineman tells us how to build privacy into business applications that manage sensitive data, whether we are building them ourselves or acquiring them from a vendor. It is becoming increasingly clear that organizations need to incorporate security and privacy into a new system or application from the very beginning of planning and to continue to address these issues all the way through development, deployment, and retirement processes. The old practice of trying to tack on security just before deploying a system never worked well, and with new technologies and ever more entities being entrusted with PII, incorporating consistent PII protections throughout such processes is a basic necessity.

When PII is reported lost or stolen, it not only hurts the reputation and bottom line of the company or government agency in question, it also causes consumers to lose trust in the organizations that collect data from them. Our next author, Cutter Senior Consultant Khaled El Emam, argues that "one way to ensure the privacy of individuals who entrust their personal information to your organization is to anonymize that personal information." In fact, several laws and regulations require a great deal of anonymization (often referred to as "de-identifying" the PII), so as to protect patient and customer privacy. El Emam explains why it is so important to anonymize personal information in databases and offers practical ways of doing so.

The better organizations protect privacy, the more trust consumers will have in those organizations, and consequently more loyalty. In our next article, Roger Clarke outlines several incidents that have given consumers "every reason to be seriously suspicious and even downright distrustful" of corporations' privacy record and discusses what must be done to restore a climate of trust. Effective privacy and data protection laws are part of this picture, but while such laws are fairly coherent in Europe, Canada, Australia, and parts of Asia, Clarke notes that "the US has stood alone among economically advanced nations in refusing to enact comprehensive legislation." In the absence of such a legal framework, Clarke recommends that forward-thinking organizations take a "do-it-yourself" approach to privacy protection, incorporating privacy impact assessments (PIAs) and other techniques to help avoid costly privacy breaches and "reap the benefits of projecting a privacy-sensitive image."

In our final article, Timothy Virtue discusses how to identify, understand, and create an effective data protection and privacy strategy to address multiple legal and regulatory data protection requirements. Virtue describes what companies should know about privacy compliance requirements, the key actions companies must take to preserve privacy, and the practices that put privacy at risk.

IDENTIFY YOUR PITFALLS NOW

The issues addressed in the following articles -- data disposal, anonymity, trust, privacy management, and systems development activities -- are just a few of the many privacy concerns organizations must address. However, they are some of the most often disregarded, a fact that leads to a very large number of privacy breaches and to consumer distrust. To effectively address all privacy issues, organizations need to thoughtfully create a privacy strategy that is clearly and consistently supported by the top business leaders.

As you read these articles, keep in mind that there is no one-size-fits-all approach to privacy that all organizations can use. Every organization has a unique environment and particular regulatory and contractual requirements that it must consider. Organizations must identify their privacy risks -- which might best be revealed by performing a PIA -- and build their program to address those risks. The articles in this issue will help you identify practices that should be part of your own privacy management strategy and provide you with actionable items you can start addressing now so your organization will not fall into one of the all-too-common privacy pitfalls.

NOTES

[1] See www.privacyrights.org/ar/ChronDataBreaches.htm.

[2] See www.vontu.com/offers/costofbreach.asp.

ABOUT THE AUTHOR