Data Privacy Day – Security Challenges

Momentum continues to gather for the protection of people’s private data.  On January 28th, the US, Canada, and 27 European countries will celebrate Data Privacy Day.  The security aspects seem simple in principle, but are proving to be more challenging than anyone predicted.

Today we celebrate Privacy Day, to promote fundamental principles of privacy and to raise awareness in our society.  The advancement and adoption of everyday technology have pulled this issue onto the world stage.  In recent years, consumers’ insatiable desire for convenience, efficiency, and speed has placed our identities, purchases, interests, medical records, debts, communications, and social interactions into the digital world.  Indeed, our very lives are being tracked, processed, stored, and transmitted electronically.

There is a cost to all the inherent benefits: our Privacy.  One of the most important liberties in our free and open society is our right to privacy.  Our ability to choose what others know about us grants individuals some semblance of control in how we can be manipulated by others.  Protecting our private data is key.

The realms of security and privacy are beginning to blur.  I see a trend of security organizations being asked to tackle this tricky problem.  On the surface, it appears to be straightforward.  Find the data and secure it.  However, the picture starts to get complicated when we consider regulations, security controls, data lifecycles, and the immense behavioral challenges.

Regulations

The European Union strongly influenced the direction back in the 1990s with the development of privacy directives which outlined some basic principles.  Since then, decentralized regulations have been germinating and beginning to take hold with different verbiage, requirements, and exemptions all over the world.  Even within each country, different regulations may exist for different states, provinces, or jurisdictions.  Today’s landscape is ever changing with overlapping policies, gaps, and regulations which touch different aspects.  It is a mess.  Well, Rome was not built in a day and neither will a unified privacy stance be.  Security, with the goal of meeting all the regulations, must understand the requirements and make them magically come to fruition.

Security controls

The security controls, including tools, standards, and processes, are themselves new and trying to keep up with the changing types of data and how they are handled by organizations.  It is akin to herding cats.  Finding private data is tough enough, but securing it with a comprehensive strategy without impacting the business value of how it must be used is problematic.  To compound the problem, new technologies and more types of data are being added to the pool.  Everyone loves data. Nobody loves the job of securing it.

Data lifecycles

It is not enough to simply lock up data from prying eyes.  Data must be managed.  In some cases, the very person whom the data represents must be given a chance to review and correct inaccurate data.  Information may be obtained only in certain ways, stored securely, accessed in a controlled manner, and most importantly, data must be destroyed.  Yes, destroyed.  Which means security must have a strong hand in how data is managed across its entire lifecycle.

Behavioral Challenges

Securing data may sound tough, but the most difficult problem is not technical in nature.  It is the behavioral challenge of educating people about why security is necessary and convincing them it is in everyone’s best interest.  The toughest audience to convince is the end users, especially the next generation who are just now leading the social media exploration of cyber communication and on-line communities.  They are willing to share very personal data without comprehending the risks or understanding how it may adversely affect their future.

Which brings us back to Data Privacy Day.  As an employee, I am proud Intel is actively participating in Privacy Day (http://www.intel.com/policy/dataprivacy.htm).  Check out the event details, other participants, and resources!

Excerpt:

“Designed to raise awareness and generate discussion about data privacy practices and rights, Data Privacy Day activities in the United States have included privacy professionals, corporations, government officials, and representatives, academics, and students across the country.


One of the primary goals of Data Privacy Day is to promote privacy awareness and education among teens across the United States. Data Privacy Day also serves the important purpose of furthering international collaboration and cooperation around privacy issues.”

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.