“Dear Diary,”

These words carry two powerful implications:

  1. If I am the author, this information is personally valuable and private to me.
  2. If I am not the author and reading someone else’s “dear diary” entry without being granted permission, I am violating a deeply personal boundary.

With everything-as-a-service and the prevailing forecast calling for use of “clouds everywhere” to store and send all manner of sensitive data – personal, financial, or health related information – the internet of everything now harbors millions of “dear diary” entries. At odds are the increasing use of cloud services in corporations without IT department involvement – so called “shadow IT” – and the cries of consumers, companies, and countries that “something must be done” to protect privacy. It’s no wonder that the majority of executives and board members are worried about cloud privacy, according to a recent survey by the Cloud Security Alliance (CSA).

Maintaining privacy is not a simple fix. As Forbes contributor Ben Kepes points out, “Technology alone cannot fix this problem.”

Indeed. At its core, privacy comes down to my attitude of respect and discretion towards information that is deeply private and meaningful to you. In other words, a company’s privacy record might be best predicted by culture, rather than by technology or even policy.

Each participant along the cloud highway – from infrastructure to networks, storage arrays, cloud controllers, backup environments, and user facing interfaces – needs to incorporate privacy, and the security safeguards that protect it, as a non-negotiable part of design requirements. Even “public clouds” would do well to ensure that they can be “private clouds”.

Accomplishing privacy in the cloud requires two things:

  1. setting aside the time and the money to consider and implement privacy safeguards at the start of new projects, and
  2. monitoring and reviewing privacy controls as a part of daily operations and finding ways to incentivize ongoing improvement.

Neither of these points has a high take rate: they are complex, challenging, and require ongoing commitment. Worse, they threaten timelines, budgets, and short-term profits. But any informed cost comparison between investing in these preventive measures, exercising the privacy muscle on a daily basis, and bearing the long-term risks and costs of breaching private information suggests they are worth the investment.

Let’s look at some examples.

Policy without process or ongoing commitment to privacy

The FCC (Federal Communications Commission) announced last fall its plans to levy a $10M fine against two telecoms for storing personal information of over 300,000 of their customers, including social security and driver’s license numbers, on public servers – accessible to anyone on the internet. Big mistake? Absolutely, but large fines typically signal more than an isolated process or technology error. In this case, two additional issues contributed to the action:

  1. The companies stated in their privacy policies that they had “technology and security features in place to safeguard the privacy of your customer specific information from unauthorized access or improper use.”
  2. Even after the companies learned of the security breach, they failed to notify all affected consumers, jeopardizing those consumers’ ability to take measures to safeguard their information.

Policy without technology or ongoing commitment to privacy

The action of the FTC (Federal Trade Commission) against Wyndham hotels has been brewing for a long time. The breach of personal and credit card information several years ago resulted in over $10M in fraudulent charges and countless headaches for their patrons.

Those familiar with the case know it is not just a matter of missing firewalls, intrusion detection and prevention, encryption, and other basic security technologies. Nor is it only about poor processes that delayed detection of the intrusion by four months and then stood in the way of physically locating the compromised servers once the persistent failed login attempts were finally identified.

The galling issue, and one of the core reasons the FTC is involved, is the blatant misrepresentation to consumers in the privacy policy that “commercially reasonable” and “industry standard” protections were in place to protect their information – with nothing of substance to back up the promise.

While the Wyndham case is still churning in the courts, the FTC settled with ChoicePoint out of Atlanta for $10M in civil penalties and $5M for consumer redress when personal information including social security numbers was sold without adequate assurance that the requesting customers had a legitimate right to receive it.

Lack of commitment to privacy

In perhaps the clearest example of organizational culture driving a privacy outcome, the Health and Human Services (HHS) Office for Civil Rights (OCR) levied a $275,000 fine against a medical center after two senior executives shared personally identifiable information about a patient throughout their organization with staff who had no clear need to know, as well as with members of the media.

Then OCR director Leon Rodriguez stated: “Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.”

In addition to the penalty, the resolution agreement calls for a policy overhaul throughout the 16 medical centers and hospitals under the same ownership.

Your commitment to privacy

Whenever you see large fines associated with a data breach, recognize there is usually a bigger integrity issue – not just a technology, process, or policy flaw.

So, how can you improve a culture of privacy in your organization?

  • Equate all digital information within your organization with that “dear diary” entry. Even if you CAN read it, don’t. Ever. Even if a customer requests it.
  • Incentivize proactive reflection and communication about lax safeguards so that your experts on the front lines earn kudos for surfacing weak links rather than blame.
  • Engage in close partnership and ongoing dialog with experts like auditors and security consultants so that, year over year, your organization becomes better at safeguarding information.
  • Don’t tolerate integrity transgressions in your organization; deal with them firmly and promptly.

How do you assess a culture of privacy in your partners and associates?

  • Ask them to share documentation of risk assessment or safeguard controls, and read it.
  • Experience it yourself; nothing beats an onsite visit.
  • Humans come equipped with a good gut sense about integrity. Trust it.

Perhaps humorist David Sedaris said it best: “If you read someone else’s diary, you get what you deserve.”

Related information and references:

  • WEBINAR: Is the FTC Coming After Your Company Next? Court Confirms that the FTC Has Authority to Punish Companies for Poor Cyber Security Practices
  • FCC plans $10M fine for carriers that breached consumer privacy
  • CSA Cloud Adoption Survey: http://www.skyhighnetworks.com/wp-content/uploads/2015/01/CSA-Cloud-Adoption-Survey-0115a.pdf
  • Ben Kepes (Forbes): http://www.forbes.com/sites/benkepes/2015/01/09/you-dont-say-in-the-face-of-massive-security-breaches-execs-are-concerned/
  • HHS OCR resolution agreement (Shasta): http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement.pdf
  • David Sedaris: http://barclayagency.com/sedaris.html
  • FTC v. ChoicePoint: http://www.ftc.gov/enforcement/cases-proceedings/052-3069/choicepoint-inc