I’ve been getting the following question and comment increasingly more often in the past several months:
1) “If someone’s name and/or address, or any other personal information item, is posted online for the world to see, then why do we need to put safeguards and controls around that information?”
2) “If information is on the Internet then it is no longer protected health information (PHI) because is it public information! Names are public information, not PHI!”
Item 1) – WRONG!
Item 2) – Also WRONG!
Context must be considered to effectively protect privacy
Protecting privacy isn’t just about protecting access to specific information items; it goes far beyond that and requires understanding how information can impact privacy based upon the contexts in which it is used. Protecting privacy is more complicated than simply protecting individual personal information identifiers. You must also consider the context within which the personal information identifiers are used, the other information items involved, how other information items from elsewhere (e.g., big data files, metadata, etc.) are combined with it, and the actions and decisions made based upon analysis of all the information items.
Same name, different outcomes
Consider different scenarios for a piece of paper that involve the same personal information item; a name (full name for those of you who want to be as specific as possible).
A) A full name found on a piece of white paper, with nothing else printed on it, in the street. This doesn’t reveal much, if anything at all, depending upon the geographic location and how many others have the same name. So, little privacy impact.
B) A full name found on a piece of white paper, that also contains a full address and phone number, in the street. This provides a little more information, and a little more privacy impacts, again depending upon the geographic location, how well known the person may be, and also any malicious or criminal tendencies within the person(s) finding the paper.
C) A business letterhead paper found in the street that also contains a full name, full address and phone number, along with dates.
- If the business is a law office, this may show that the person listed is involved in some sort of legal action.
- If the business is a medical clinic, this could show the person is getting some type of treatment. In the U.S. a HIPAA violation.
- If the business is a health insurance company, it could provide enough information to commit medical identity theft (a quickly growing problem). Also a U.S. HIPAA violation.
- If the business is a hotel, this could show where the person spent some time.
All these could present a significant privacy exposure if the person is someone known in the area, a celebrity, a politician, etc.
Now consider different scenarios of the same personal information item, still a full name, that is found online.
A) If the full name is found in a listing of other full names, with no other descriptions and no metadata to indicate the purpose of the list, then it may not have much privacy implication, depending upon how well known the person may be, and any big data analytics that may be used to try and determine the relationships between all those listed.
B) If the full name is found tagged on the associated individual in a photo showing a specific location, activity or others, then it could have a wide range of potential impacts, from none to a lot, depending upon those other factors.
C) If the full name is found tagged on someone other than the actual associated individual in a photo showing a specific location, activity or others, then it could have (and has had in some actual instances) a wide range of potential privacy impacts, depending upon the additional factors involved with the photo.
D) If the full name is found on a salacious type of site, such as Ashley Madison (a site made specifically for cheating on spouses), it could have significant impacts on personal relationships.
E) If the full name is found on a hospital’s website as being a substance abuse patient, it could have significant impact on not only personal relationships, but also employment, or other types of livelihood aspects. And in the U.S., also a HIPAA violation.
F) If the full name is found on Facebook on a person’s site who is a professional services provider, such as a banker, lawyer, accountant, or doctor, it could not only impact the associated individual because of the relationships it reveals, but it could also be in non-compliance with a wide variety of laws, regulations, standards and contractual requirements.
Bottom line for organizations of all sizes…
So, business leaders, from the largest to smallest and in all industries, must remember: just because a personal information item/identifier is found online does not mean that it no longer needs protecting in all the vast many other contexts within which it is used. Context has significant impacts upon privacy whenever individual personal identifiers are involved. If your organization collects, processes, creates or otherwise uses personal information, you must apply effective safeguards to protect it…regardless of whether or not the individual information items may be found somewhere online.
Tags: awareness, breach, compliance, data protection, Information Security, information technology, infosec, IT security, midmarket, monitoring, non-compliance, personal information, personal information identifier, personal information item, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy practice, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, sensitive personal information, social network, SPI, surveillance, systems security, training