Today Kevin Beaver posted a nice article, “Dumb things IT consultants do,” that included more than one warning about making assumptions. Kevin’s nice post made me think about all the dangerous assumptions consultants and practitioners often make when it comes to evaluating privacy practices…
I’ve done many risk assessments over the years, and since around 2001/2002 I’ve done privacy impact assessments (PIAs), basically a risk assessment around privacy issues. I love doing PIAs; by identifying privacy threats and vulnerabilities I can help organizations improve their safeguards and significantly lessen the possibilities of privacy breaches, as well as helping them to be in compliance with applicable laws, regulations, contractual requirements and industry standards.
In the past couple of years a lot more consulting firms have started doing PIAs, some more thoroughly than others. I’ve spoken with several folks who do PIAs, not only consultants but also information security and privacy practitioners doing PIAs for their own companies, and I’m concerned that they are making way too many assumptions while performing the PIAs. These assumptions result in perpetuating privacy vulnerabilities and non-compliance with data protection laws.
Here are five of the most common assumptions I’ve seen consultants and practitioners make while doing PIAs. If you’re doing PIAs be sure you don’t make these dangerous, and quite frankly dumb, privacy assumptions!
1) They assume that an organization has procedures to support the privacy policies posted on their websites.
Very, very few organizations (but thankfully the numbers are growing!) actually have internal procedures to support the practices stated and promises made within their posted website privacy policies. The FTC has financially dinged, and continues to ding, those companies who do not do what they say they are doing in their privacy policies; it’s called unfair and deceptive business practices, folks! I’ve also found many lawyers in organizations who assume their companies have procedures to support their website privacy policies; very dangerous + very dumb!
Assuming procedures exist to support posted privacy policies = dangerous dumbness
2) They assume that everyone in the organization knows what their website privacy policies say.
For some reason, too many practitioners, and many/most consultants, think that if something is stated on the website, then all personnel magically, or by some type of mystical digital osmosis, know what it says and have actually read it. That goes for the rarely-read-by-employees website privacy policy. Most personnel don’t know what their website privacy policy says because most get little to no awareness or training about privacy to begin with, and so most go along their merry way each day performing their job responsibilities in ways that violate that posted privacy policy!
Assuming all personnel know what the privacy policies even say = dumb dangerousness
3) They assume that all storage locations for personally identifiable information (PII) are known and documented.
Really. Especially in business units, and in the legal office, most business leaders just assume that all storage locations for PII are known and that there is a 100% complete inventory for it somewhere. You infosec, IT and most privacy practitioners know the real deal: it is rare that PII is formally defined, and even rarer to have an inventory of all PII. Considering the ease with which PII can be copied and distributed literally thousands of times with just one press of a button, and stored in any number of mobile devices and outside storage locations, it is very hard to have a complete PII inventory. But it must be done. And doing so will help to determine the controls and other safeguards that need to be placed around PII to keep it from being stolen, leaked or lost.
Assuming all PII storage locations are known is a very dangerous assumption that will likely lead to privacy breaches.
4) They assume that everyone in the organization knows what information items are considered to be PII.
PII items are more than just the definition of personal information as defined within CA 1386, but a scarily large number of folks I’ve spoken with think that those are the only few types of information they need to protect under data protection and privacy laws. A LOT of business leaders think this! I’ve known consultants doing PIAs who did not include within the PIA the steps necessary to determine that the organization has defined, documented and communicated to their personnel the information items considered to be PII. This is a PIA basic! If you have someone doing a PIA and they have not checked to see what your organization’s defined PII items are, or if they haven’t checked to see whether personnel know what they are, then this is a huge oversight. A very dumb assumption.
Assuming everyone knows what information is PII and how it must be safeguarded as such is a naively dumb assumption.
5) They assume that vendors to whom the company has outsourced PII processing or handling have safeguards in place to protect the PII.
With all the information security incidents and subsequent privacy breaches that have occurred as a result of outsourced vendors, you’d think most organizations, and certainly most consultants doing PIAs, would know better than to assume that the outsourced vendors have adequate security and privacy programs. Guess what: most still don’t. You have to be proactive and go beyond just looking to see if there is a security contract clause, and ask to see the policies of the vendors to whom you’ve entrusted PII. I’ve done well over 150 vendor security and privacy program reviews, and I can tell you that the vendors that balked or refused to show me their policies were consistently the ones I ultimately found either did not have any policies at all, or didn’t know what information security policies and procedures even were. One vendor told me I was on a “fishing expedition” by asking to see their policies. Ultimately, after the PIA, I ended up creating the vendor’s information security policies for them, based on their own unique organization and business services.
Assuming vendors have adequate security and privacy programs in place is dumb, dumber and dangerous!
Are any of these assumptions made in your organization? Do you know?
If you have not done a PIA…a thorough, and well-executed PIA…doing one effectively will help you to identify these dangerous assumptions that often lead to privacy breaches.
Tags: awareness and training, Information Security, IT compliance, IT training, personally identifiable information, PIA, PII, policies and procedures, privacy impact assessment, privacy training, risk management, security training