Are you overwhelmed with the regulations and requirements to keep your data secure? Are all the reports in the news of security breaches exposing sensitive information causing you, your senior management team and board serious concern about your ability to keep sensitive information private? If not, should you feel overwhelmed and concerned?
In Part I of this two-part series I will define what privacy is, who determines what must be private, and the costs of protecting privacy. In Part II I will address the challenges of information privacy, and an approach to meeting the challenges. Let's get started.
Privacy: What Is It?
Oftentimes the terms security and privacy are used interchangeably in discussions about keeping sensitive data private. According to NIST (National Institute of Standards and Technology), information security is defined as "...protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability." Privacy focuses on the unauthorized access, use and disclosure part of that definition, which is to say on confidentiality. That is not to say the integrity and availability of the data are unimportant, or that these attributes of security have no relation to privacy. For our purposes, however, the definition of privacy/confidentiality will be "Ensuring that information is accessible only to those authorized to have access," as stated by the International Standard Organization.
Who Says Data Needs to Be Private?
Remember when you were a kid and another kid said you had to do something you didn't want to do? Your comeback would be, "Who Says?" Well, as an IT auditor I hear this often, maybe worded differently and without the attitude, but nevertheless the same question.
So, here's who says: Federal and State Regulations. These are enacted to protect the privacy and confidentiality of the public. They are not laws per se; however, they have the force of law behind them. Regulations can be issued by governmental agencies at the federal, state, county and municipal levels. Currently 47 states and territories have privacy breach laws on the books, with others pending. Some examples of regulations are GLBA (Gramm-Leach-Bliley Act), which restricts the sharing and sale of consumers' personal information; HIPAA (Health Insurance Portability and Accountability Act), which regulates how covered entities use and disclose certain individually identifiable health information; and MA 201 CMR 17 (Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts), which applies to any person or business that owns, licenses, stores or maintains personal information about a resident of Massachusetts, and establishes minimum standards for the protection of personal information contained in both paper and electronic records. Ah, yes, don't forget about paper!
What Are the Costs of Privacy?
There is no one solution that an organization can implement to be compliant with all its regulatory requirements. Every organization's business process, information architecture, current security profile, and corporate culture are different.
Remember, compliance doesn't mean that your sensitive data will be kept private and that you won't experience a privacy breach. It means you meet the applicable standards set by government agencies and industry requirements, with the goal of minimizing your risk of a privacy breach. I'm not a lawyer, but should you have a breach, it can only help if you can show you were compliant with all applicable regulations and requirements.
Some studies have been done that can give you a pretty good estimate of costs in the event of a privacy breach. One, from the Ponemon Institute, found that "...data breaches in the 2008 sample cost companies an average of $202 per compromised record-of which $152 pertains to indirect cost including abnormal turnover or churn of existing and future customers."
This gives you a dollar amount per record from which to calculate a cost; in other words, "You do the math." A small privacy breach of, say, 10,000 records multiplied by $202 per record comes out to $2,020,000. If you had half of that amount, how much do you think you could accomplish in your efforts to comply with regulations and requirements, and to minimize the risk of a privacy breach?
Bill Franklin is a Senior IT Auditor with the Lighthouse IT Compliance Group and can be reached at firstname.lastname@example.org