Privacy Matters: Companies Had Better Prepare

After two decades of lingering in near obscurity, privacy issues are finally returning to the computer security big table. This shift comes thanks to high-profile cases concerning mobile devices tracking users, massive data breaches, and countless other instances of data being repurposed in ways users never intended. Companies need to be careful now about how they handle user privacy, lest they come under attack not just from hackers but also from the media, the law, and the public.

To recap some of the recent news concerning user privacy: Users, politicians, pundits, and the like were aghast to learn that mobile phones running iOS, Android, and Windows Mobile have been tracking users or storing user location information. If your smartphone vendor doesn't do it, your app vendor could.


Additionally, there are the recent instances of massive data heists from Epsilon and Sony, which likely resulted in tens of millions of individual records being stolen. That's just the tip of the iceberg. Who among us hasn't received multiple "Your records may have been stolen" letters each year for the past few years? Not long ago, I calculated that one of every four Americans in the United States had their personal identity information stolen in one year alone. Exactly how much worse does it have to get before we, as a society, expect better safeguarding of our personal and financial data?

What's more, barely a week goes by that Facebook or Google isn't in the headlines (and being questioned by Congress) for some possible privacy invasion. Give your email address to your favorite newsletter and it'll probably result in a flood of spam from sources you'd rather didn't have your contact info.

Even away from your computer or mobile device, your privacy is in jeopardy. For example, cameras are everywhere. My hometown has many red light cameras, which I'm OK with because they make those intersections safer (usually). Further, they help me uphold my own safe driving tactics.

But it turns out that many of those cameras store the images of every car that enters the intersection, not just law breakers'. Law enforcement can request records based on license plate numbers and often end up with a pretty good idea of the path traveled by a suspect. If you have a wireless toll pass device, you already know your car's every move around a toll highway is being tracked and stored.

But consider this: A GPS manufacturer was found to be selling its customers' location and speed data to law enforcement so that police could set up better speed traps.

More alarming still, in the United States, thousands of government and private data sources -- including those I've mentioned -- can end up in a fusion center, set up by the feds in the name of fighting terrorism. Although this data collection is purportedly all legal and details are kept secret, it doesn't appear to be very American, falling under the area of unwarranted search and seizure (see epic.org for more information).

In short, people are feeling increasingly touchy about how their data and their very privacy are used and abused -- and companies are being taken to task to defend and improve practices that put users' data and privacy at risk. Microsoft (my full-time employer) is even careful to ask if it's all right to identify your Windows Media Player instance to media content providers you contact online before doing so, even if it is only to help people access the content they legally bought. Assume too much, and you could end up in a front-page headline, testifying in front of Congress, or being sued.

If your company collects or stores other people's personal data, make sure your company has all its privacy components figured out. The best way to protect someone's privacy is not to collect his or her private information in the first place. The second best approach is to collect it when needed, while it's needed, and then erase it. The third best way is to store it, protect it well, then aggressively get rid of it as soon as possible.

Unfortunately, personal customer information is the lifeblood of many, if not most, companies today. Collecting large amounts of personal information is their primary business model, and it's not going away. If your company does this, has it awakened to the new reality? Does it have a CPO (chief privacy officer)? Is your company's privacy policy readily available and linked to every page on its public website? Does your company consider privacy as strongly as it does the rest of its security policies? Privacy needs to be a big, intentional part of any company's security design.

If you're in charge of your company's computer security, you need to ensure that privacy is a big part of that program. If not, tell the leaders a new wind is blowing. It takes only one minor miscommunication, one minor hack, to end up in the headlines, investigated by Congress, and in court.

This story, "Privacy matters again, so you'd better prepare," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.
