By guest blogger Russ Miller, CTO of SunView Software
It is not news that users of technology are increasingly more tightly integrated, in intimate ways, with computing devices, especially due to the portability of smart phones. For example, a large percentage of young people sleep with their devices. As a result, more and more of our private data is captured and then scattered about the cloud, potentially exposed as big data, waiting to be mined in ways undreamed of by the owner of the data.
Due to these scattered pools of sensitive big data the likelihood of leaks or spills increases and so does, potentially, the impact of each breach. As a result of the greater frequency and impact, the spotlight is now quickly focused on any company that exposes customer data, often with considerable harm to the company's brand name and bottom line. Now, not only are the companies that leak data being punished by the press and consumers, but increasingly government is getting involved. The FTC is busy pursuing privacy infractions, most recently slapping Google with a $22.5 M fine. Beyond the FTC, state governments, the US congress, and the EU are increasingly focusing on privacy issues, for example, California recently provided guidelines for mobile app security.
Privacy is the toughest issues of the information age and there are no easy answers. For those working in IT, responsible for protecting that data, what is to be done to protect customer's data and the company's reputation?
Here are a few points to consider:
1) Privacy, like security needs to be built in, it can't be bolted on later. Privacy by Design is a high-level framework providing guidance on building in privacy and protecting it throughout the lifecycle of information. One key aspect of Privacy by Design is the idea of leaving the control over personal data in the hands of the individual or group it belongs to. Also, there are many new techniques being developed to permit systems to process data without exposing it any more than necessary; these techniques leave the control in the hands of the information owner.
4) Make sure employees are educated on privacy risks that can occur throughout the lifecycle of the information collected. As privacy engineer, Jason Cronk CIPP, pointed out in a recent episode of the Architectural Concepts podcast, it is not enough to have a privacy specialist on staff, anyone that touches a system handling sensitive data anywhere needs to be educated about the importance of protecting data privacy and relevant techniques for protecting it. Front line developers, architects, and engineers need to be aware of the available tools and techniques to properly integrate them into your information systems.
5. Privacy is becoming as much a specialty as is security or database design. For example, many more companies now have Chief Privacy Officers and recently the job title of "privacy engineer" has become more common in job postings (see this ad at Google).
Note that Carnegie Mellon will now start offering a Master in Privacy Engineering in the 2013-2014 school year. Of course, not every company can afford a Chief Privacy Officer or even a dedicated privacy engineer, but as privacy becomes a bigger risk, even mid-sized companies will need staff that specialize in this area.
In conclusion, the need to protect privacy will only become a bigger issue as we further integrate ourselves with technology. It is through constant vigilance and by educating ourselves on practices like those mentioned above that we can protect our customer's data and our own.
Flickr Image by Sean MacEntee