Last Friday I had the pleasure of discussing the question of, “Do We Have Privacy Anymore” with a group of highly regarded information security and privacy pros, including:
* Michael Santarcangelo, moderator and “expert on changing the way people protect information”
* Andrew Hay, Manager of Integration Services @ Q1 Labs, blogger and author of OSSEC Host-based Intrusion Detection
* Dr. Anton Chuvakin, Chief Logger and Blogger at LogLogic
* Martin McKeay, affectionately called Cpt. Privacy
* Dan York, Producer and Co-Host, Blue Box: The VoIP Security Podcast
We talked for an hour, but it seemed as though we had only talked for a few minutes; time flew by much too quickly! There were so many issues to discuss… privacy is a very broad area.
One of the points I think is important to make is that privacy is impacted (lost or preserved) basically in two ways:
1) By the actions each of us take with OUR OWN personally identifiable information (PII).
People need to be more aware of how they put their own PII at risk; by posting embarassing photos to their social networking site, thinking that others will not copy them, posting addresses and phone numbers, their whereabouts on certain dates at certain times, and so on. People need to think more about how they handle their PII and what they tell others.
and
2) By the actions OTHERS take with our PII.
Organizations MUST BE HELD RESPONSIBLE for providing strong safeguards for the PII with which their business partners, customers and employees have entrusted them. The largest reported breaches, and overwhelmingly, by far, the largest numbers of privacy breaches, occur because organizations had inadequate to no safeguards or controls in place.
I took a couple of pages of notes during the roundtable of thoughts and ideas I had that we did not get around to covering in depth because of the great conversation we had that filled our hour. Ideas about…
* How privacy has evolved throughout history, and how evolving technologies in the past decade have changed the previously mentioned actions in many significant ways.
* How referencing certain U.S. federal laws, such as HIPAA and GLBA, as “Privacy Laws,” when they are actually just data handling laws, confuses the concept of privacy further.
* The risks of perpetuating incorrect PII within multiple databases.
* So many other issues…
I believe at the core privacy is the concept, the reality, of having the ability to maintain control over your private life and associated information; keeping others from invading it without your permission, and obligating those you entrust pieces of it to, businesses, employers, government and so on, to not break that trust, violate or eradicate your control over it.
Listen to the podcast and let me know your thoughts!
Tags: Andrew Hay, Anton Chuvakin, awareness and training, Dan York, Information Security, IT compliance, Martin McKeay, Michael Santarcangelo, personally identifiable information, PII, policies and procedures, privacy, risk management, security roundtable