Cutter Consortium Identifies Ten Privacy Pitfalls Every Organization Should Avoid

A recent issue of the Cutter IT Journal lists ten privacy pitfalls to avoid as well as privacy advice and procedures that every organization should follow to curb the misuse of personally identifiable information. Contributors include Rebecca Herold, a senior consultant with Cutter Consortium, and Andrew Jones, head of Security Technology Research at the Security Research Centre at British Telecommunications.

"Organizations need to address privacy not only because it is legally required and the right thing to do, but also because it is necessary for keeping customer trust, maintaining customer loyalty and support, and improving the corporate brand," said Herold.

In many parts of the world, privacy is considered a basic human right, or as the EU Data Protection Directive puts it, privacy safeguards are "for the protection of the private lives and basic freedoms and rights of individuals." It has only been in the past few years, however, that organizations have started to noticeably address privacy challenges and dedicate the resources necessary to effectively deal with the myriad of privacy issues and requirements.

Ten Privacy Pitfalls

Herold highlights ten privacy pitfalls to avoid:

  • Inappropriate access to the network or computer systems
  • Lost or stolen computers and computer storage media (backup tapes, hard drives, CDs, etc.)
  • E-mail messages with clear-text confidential information sent or forwarded inappropriately
  • Fraud activities perpetrated by outsiders, insiders, and combinations of both
  • Hackers gaining unauthorized access to personally identifiable information
  • Information exposed online because of inadequate controls
  • Insiders inappropriately using personally identifiable information
  • Confidential paper documents being given to people outside the organization (e.g., donated to schools/churches as scrap paper) instead of being shredded
  • Improper disposal of media containing personally identifiable information
  • Password compromise that allows access to personally identifiable information

Reflections on senior management

Andrew Jones says, "The failure of an organization to specify adequate security measures for the protection of personally identifiable information represents a significant managerial shortcoming and a lack of appreciation of the legal, statutory, and, in some cases, trade sector-specific regulations that must be satisfied. One might also say that management has failed to adequately protect the organization's assets and to safeguard the interests of the business and the shareholders. After all, if the organization lacks procedures to protect personally identifiable information it is required to protect -- an oversight that may affect the organization's reputation and have an impact on its profitability -- is it likely to have measures in place to protect other sensitive corporate information?"

Herold concludes, "Data disposal, anonymity, trust, privacy management, and systems development activities are just a few of the many privacy concerns organizations must address. However, they are some of the most often disregarded, a fact that leads to a very large number of privacy breaches and to consumer distrust. To effectively address all privacy issues, organizations need to thoughtfully create a privacy strategy that is clearly and consistently supported by the top business leaders."

About the Cutter IT Journal

Cutter Consortium's "Cutter IT Journal" (November 2006, entitled "Avoiding Privacy Pitfalls") describes using anonymization techniques to protect sensitive data during storage and transit, when data may be at highest risk of being attacked; reducing the risk of a privacy breach by building privacy into applications that manage sensitive data; and what to do before discarding electronics equipment.
