BreachExchange mailing list archives

Why your company needs a chief privacy officer


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 11 Feb 2015 20:19:09 -0700

http://www.infoworld.com/article/2881793/security/why-your-company-needs-a-chief-privacy-officer.html

Another week, another 70 million records compromised. Best way to not have
a data breach? Don’t have the data in the first place.

Yet if you had a person or team dedicated to protecting employee and
customer privacy, your data exposure would already be far less than it is
today. Does your company have a chief privacy officer or advocate? If not,
it should.

Most companies have a CSO (chief security officer) and/or a CISO (chief
information security officer). Put chief privacy officer on the list of
C-level executives your company should have. More than ever, a dedicated
privacy advocate is worth his or her weight in gold.

Privacy problems are embedded in nearly every component of computer
security -- so much so, I propose updating the well-known security triad of
CIA (confidentiality, integrity, and availability) to CIPA, with a pillar
dedicated to privacy. Sure, it can probably fit nicely under
confidentiality, but wedding it to better-known encryption issues doesn’t
give it enough visibility.

Most companies I work with say they are big believers in privacy. But that
usually means they have generalized statements on protecting customer data
along the lines of a financial regulatory requirement. For example, they
won’t share your customer information with additional third parties minus
your consent. That’s not what I’m talking about. That’s a given. That’s a
minimum.

What I’m talking about is an advocate who helps the company understand both
customer and employee data confidentiality. Let’s not forget that many of
the biggest recent compromises resulted in lost employee data, too.

A dedicated privacy advocate would be your expert in all relevant
applicable government and regulatory laws in all states and countries in
which you practice. They would educate the other C-level officers, create
documentation and policy, and educate the entire workforce. They could help
create training materials, tests, and look for and remediate violations.

They would tell you what data can be collected, as well as when, where, and
how long it can be kept. They would help you collect less specific data and
keep the data better protected, then erased when no longer needed. They
would help you realize when less specific or anonymized data would be a
better choice than simply collecting highly personalized data. They would
help set data retention and deletion policies.

A privacy advocate would help you automatically delete older email and data
stores at a predetermined time. I personally keep my email for decades, and
I often need to refer to emails that are many years old. But a continuous
email trail is a huge risk for any company. Anytime lawyers ask a company
for copies of old emails, it can’t be good. Imagine how many people,
recently in the news, wish their company automatically deleted their old
email (subject to legal restrictions, of course).

A privacy advocate would help you navigate the very murky waters of outside
third parties, such as the government and law enforcement agencies
requesting private data. Many service providers have learned that having a
friendly and cordial relationship with outside interests is a good way to
lose business. A privacy officer would help you decide when to assist law
enforcement and when to fight back.

Personally, I believe digital privacy to be this century’s key
constitutional issue. Many unwarranted privacy invasions invoke
unreasonable search and seizure concerns, as well as preventing me (and my
employers) from the right to pursue happiness. The world’s best spy
agencies of the past couldn’t dream of how much information they could
easily retrieve on any individual simply by searching the Internet or
scouring their own data troves.

Whether you hire a CPO or anoint a lower-level team member is up to each
individual company. The choice is often dictated by company size and need,
but whichever position you create, it will involve frequent communication
with employees, customers, and others regarding how much your company
values privacy. In big companies, each major team or division should have a
privacy advocate, with lower-level advocates reporting to the CPO.

One thing is clear: C-level leadership and real enforcement of a strict
privacy policy is essential. In the recent large heists, for example, you
can be certain much of the data stolen was not needed by the company.
That’s the old way of doing IT. Hire a chief privacy advocate who can limit
your company's exposure and join the modern world.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/