If you give your house key to your neighbor, he has the opportunity to snoop around through your vinyl album collection. That has lessons for enterprise security (with fewer copies of David Bowie to worry about).
Whenever I read an article about data privacy, especially when it comes to breaches, I think of my neighbor. I give my neighbor the key to my house in case of emergency, such as a plumbing problem when I’m on vacation. An odd thought goes through my head sometimes: My neighbor has teenage kids; what if they decide to raid my classic ‘80s vinyl collection when I’m not home? Maybe that makes me a bit paranoid (not to mention overstating the long-term appeal of Oingo Boingo and Siouxie and the Banshees), but it highlights the difference between security and privacy, two terms that are often meshed together and confused.
The security piece is the lock on my door that needs a key. Because I handed a copy of that key to my neighbor, I’ve given him authorized access to my home. That creates an ethical contract between us: He won’t rummage through my stuff without me knowing. That’s the privacy bit (he is a trusted party), when someone is given authorized access.
Let’s say the police come to my home when I’m not there. Upon showing my neighbor a warrant, they’re provided access to my house. I might not like it, but that’s legally authorized access — though from a privacy perspective it’s questionable. Why the access? What for? How are the police using what they find? Do I have any unreturned library books? What if the individuals who show up are not really the police but people pretending to be so?
And so we enter the muddy waters of data privacy—because this process (and its moral issues) is as true for your personal data as it is your enterprise data, or for the data of your customers whom you are trusted to protect.
Of course, when it comes to data, the locks are much different, the controls are different, and (hopefully) we make written contractual agreements with vendors and employees to ensure those controls are enforced. And, if you’re fortunate, your neighbor who might also have your key (think encryption key and your service provider) will at least tell you the police rummaged through your house even if he can’t tell you what exactly for, as in Dropbox’s transparency report.
But these “obvious” business processes around how your employees must handle Personal Identifying Information (PII) or Personal Healthcare Information (PHI) often get neglected. Or we forget about them, in the stack of all the other things to sign and agree with (like we tend to glaze over all that mortgage paperwork we spend hours signing but have no clue what any of it actually means). Throw in the sometimes ambiguous global data privacy acts enacted by countries around the world (see Data Protection Laws of the World) and the fun really begins for your IT department.
I don’t need to look hard to find examples of the dangers of procrastinating on data privacy policies and implementing them. The Federal Communications Commission fined AT&T $25 million, just this month, for failing to protect customers’ personal information from misuse, including Social Security numbers, from their own internal teams. As an AT&T (News - Alert) customer, I cringed, and of course I thought about my vinyl collection.
I’m not the only one to cringe about the challenges of data privacy. A recent study conducted by Dimensional Research, on the behest of Druva, discovered that 93 percent of respondents are challenged by data privacy. One big concern is that, for 82 percent of respondents, their employees don’t always follow the company’s existing data privacy policies (citing sales and marketing as the most egregious violators). Not that the employees necessarily know what to do; a large subset of those employees have “insufficient” knowledge to know what’s required to protect sensitive privacy-protected data. (The survey was conducted in March 2015 with 214 IT and business professionals directly associated with enterprise security and privacy.)
This data also aligns well with a recent posting by 451 Group which discovered that data privacy tops the IT priority list of security challenges.
I’m sure we in the computer industry will address data privacy challenges, just as we’ve gotten better (mostly) at IT security. We’ll keep creating better locks, that’s a given. But we also need to become more consciously aware, innovative, and diligent in building and implementing technologies for protecting data privacy as locks are just deterrents, not the complete solution. In the meantime, maybe I should move my vinyl collection into the cloud...
About the Author: Dave Packer is Senior Director of Product Marketing, at Druva.