10 Privacy Pitfalls to Avoid
"Organizations need to address privacy not only because it is legally required and the right thing to do, but also because it is necessary for keeping customer trust, maintaining customer loyalty and support, and improving the corporate brand," asserts Cutter Consortium Senior Consultant Rebecca Herold in a recent issue of Cutter IT Journal, which contains privacy advice and procedures that every corporation and individual should follow to curb the misuse of personally identifiable information.
In many parts of the world, privacy is considered a basic human right, or as the EU Data Protection Directive puts it, privacy safeguards are "for the protection of the private lives and basic freedoms and rights of individuals." It has only been in the past few years, however, that organizations have started to noticeably address privacy challenges and dedicate the resources necessary to effectively deal with the myriad of privacy issues and requirements.
Rebecca Herold highlights 10 privacy pitfalls to avoid:
- Inappropriate access to the network or computer systems
- Lost or stolen computers and computer storage media (backup tapes, hard drives, CDs, etc.)
- E-mail messages with clear-text confidential information sent or forwarded inappropriately
- Fraud activities perpetrated by outsiders, insiders, and combinations of both
- Hackers gaining unauthorized access to personally identifiable information
- Information exposed online because of inadequate controls
- Insiders inappropriately using personally identifiable information
- Confidential paper documents being given to people outside the organization (e.g., donated to schools/churches as scrap paper) instead of being shredded
- Improper disposal of media containing personally identifiable information
- Password compromise that allows access to personally identifiable information
Andrew Jones, Head of Security Technology Research at the Security Research Centre at British Telecommunications, says, "The failure of an organization to specify adequate security measures for the protection of personally identifiable information represents a significant managerial shortcoming and a lack of appreciation of the legal, statutory, and, in some cases, trade sector-specific regulations that must be satisfied. One might also say that management has failed to adequately protect the organization's assets and to safeguard the interests of the business and the shareholders. After all, if the organization lacks procedures to protect personally identifiable information it is required to protect -- an oversight that may affect the organization's reputation and have an impact on its profitability -- is it likely to have measures in place to protect other sensitive corporate information?"
Herold, whose most recent book is Managing an Information Security and Privacy Awareness and Training Program, concludes, "Data disposal, anonymity, trust, privacy management, and systems development activities are just a few of the many privacy concerns organizations must address. However, they are some of the most often disregarded, a fact that leads to a very large number of privacy breaches and to consumer distrust. To address all privacy issues effectively, organizations need to thoughtfully create a privacy strategy that is clearly and consistently supported by the top business leaders."
© Copyright 2007 Auerbach Publications.