01-19-15 | Blog Post
“Dear Diary,”
These words carry two powerful implications:
With everything-as-a-service and the prevailing forecast calling for use of “clouds everywhere” to store and send all manner of sensitive data – personal, financial, or health related information – the internet of everything now harbors millions of “dear diary” entries. At odds are the increasing use of cloud services in corporations without IT department involvement – so called “shadow IT” – and the cries of consumers, companies, and countries that “something must be done” to protect privacy. It’s no wonder that the majority of executives and board members are worried about cloud privacy, according to a recent survey by the Cloud Security Alliance (CSA).
Maintaining privacy is not a simple fix. As Forbes contributor Ben Kepes points out, “Technology alone cannot fix this problem.”
Indeed. At its core, privacy comes down to my attitude of respect and discretion towards information that is deeply private and meaningful to you. In other words, a company’s privacy record might be best predicted by culture, rather than by technology or even policy.
Each participant along the cloud highway – from infrastructure to networks, storage arrays, cloud controllers, backup environments, and user facing interfaces – needs to incorporate privacy, and the security safeguards that protect it, as a non-negotiable part of design requirements. Even “public clouds” would do well to ensure that they can be “private clouds”.
Accomplishing privacy in the cloud requires two things:
Neither of these points has a high take rate: they are complex, challenging, and require ongoing commitment. Worse, they threaten timelines, budgets, and short-term profits. But any informed cost comparison between taking these preventative measures, exercising the privacy muscle on a daily basis, and bearing the long-term risks and costs associated with breaching private information suggests they are worth investing in.
Let’s look at some examples.
Policy without process or ongoing commitment to privacy
The FCC (Federal Communications Commission) announced last fall their plans to levy a $10M fine against two telecoms for storing personal information of over 300,000 of their customers, including social security and driver’s license numbers, on public servers – accessible to anyone on the internet. Big mistake? Absolutely, but large fines typically mean more than an isolated process or technology error. In this case, two additional issues contributed to the action:
Policy without technology or ongoing commitment to privacy
The action of the FTC (Federal Trade Commission) against Wyndham hotels has been brewing for a long time. The breach of personal and credit card information several years ago resulted in over $10M in fraudulent claims and countless headaches for their patrons.
Those of you familiar with the case know it is not just a matter of missing firewalls, intrusion detection and prevention, encryption, and other basic security technologies. Nor is it only about poor processes that delayed detection of the intrusion by 4 months and then stood in the way of physically locating the compromised servers once the persistent failed login attempts were finally identified.
The galling issue, and one of the core reasons the FTC is involved, is the blatant misrepresentation to consumers in their privacy policy that “commercially reasonable” and “industry standard” protections were in place to protect their information – with nothing of substance to back up the promise.
While the Wyndham case is still churning in the courts, the FTC settled with ChoicePoint out of Atlanta for $10M in civil penalties and $5M for consumer redress when personal information including social security numbers was sold without adequate assurance that the requesting customers had a legitimate right to receive it.
Lack of commitment to privacy
In perhaps the clearest link drawn between organizational culture and its impact on privacy, the Health and Human Services (HHS) Office of Civil Rights (OCR) levied a $275,000 fine against a medical center when 2 senior executives shared personally identifiable information about a patient throughout their organization with staff that had no clear need to know, as well as with members of the media.
Then OCR director Leon Rodriguez stated: “Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.”
In addition to the penalty, the resolution agreement calls for a policy overhaul throughout the 16 medical centers and hospitals under the same ownership.
Your commitment to privacy
Whenever you see large fines associated with a data breach, recognize there is usually a bigger integrity issue – not just a technology, process, or policy flaw.
So, how can you improve a culture of privacy in your organization?
How do you assess a culture of privacy in your partners and associates?
Perhaps humorist David Sedaris said it best: “If you read someone else’s diary, you get what you deserve.”
Related information and references:
FCC plans $10M fine for carriers that breached consumer privacy
http://www.skyhighnetworks.com/wp-content/uploads/2015/01/CSA-Cloud-Adoption-Survey-0115a.pdf
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement.pdf
http://barclayagency.com/sedaris.html
http://www.ftc.gov/enforcement/cases-proceedings/052-3069/choicepoint-inc