The issue of data privacy seems to be everywhere these days. There are directives in Europe, regulations in the United States, and lawsuits seemingly in every courtroom. As is often the case when laws are passed, it is unclear whether privacy is being breached more often, hence the need for more laws, or if the laws are so effective that privacy is, in fact, better assured. What is certain is that many more people are becoming aware of the need for privacy in information systems and there is considerable confusion over what to do about it.
Privacy and Security
Some of the confusion derives from matters of definition and responsibility. (Sadly, many of the laws, regulations and directives governing privacy do not define the term, perhaps because lawmakers believe that everyone understands what privacy is. But, many people do not, hence the confusion.1)
Is privacy the same as confidentiality? And if so, does the person with responsibility for security take on, de facto, the duties associated with privacy?
Privacy is not security; it may be thought of, in information systems terms, as the rights retained by an individual who is a subject of a data record. Foremost among those rights is the control over who has access to the records in question, and for what purposes. Therefore, privacy is security, inasmuch as it entails the prevention of unauthorized disclosure of the records, i.e., a breach of confidentiality. Much as I would like to allay the confusion of Journal readers on this subject, I fear I have only added to the bewilderment.
Let us simply say that privacy has to do with personal rights, which depend on security for their execution. Thus, privacy cannot be achieved in the absence of confidentiality. In the same manner, integrity and availability are more than access control and disaster recovery plans, but access control and disaster recovery plans are used to achieve integrity and availability.
So with privacy as a legal right, and security as a technical imperative, who owns the privacy issue--the lawyers or the security professionals? As is often the case, the answer is both. The division of that responsibility and the way it is exercised is going to differ, country by country and company by company. Divided they must and will be. To paraphrase mighty Caesar, all privacy is divided into three parts:
- What the government says you have to do
- What you say you do
- What you do
The first two bullets belong to the lawyers, the last to the security manager. Making all three equal is the challenge.
What the Government Says You Have to Do
I am no lawyer and cannot offer legal advice, but I can say that there are a lot of laws on the subject of privacy. All nations in the European Union have passed laws in support of the Data Protection Directive, which addresses data privacy. It also has been implemented in Liechtenstein, Iceland and Norway, which are not EU members. Other European nations have independently followed suit.
Summarized much too briefly, the directive gives data subjects the right to consent on the way that data about themselves are being used. A number of exclusions are offered, but the basic fact is that individual rights are considered paramount. Therefore, information systems "are designed to serve man...[and must] respect the fundamental freedoms and rights of individuals, notably the right to privacy."2
Similar legislation has been adopted in many countries outside Europe as well. The US does not have such broad-ranging legislation, but there are laws addressing the privacy of certain types of data, most notably financial and health-related information.
In sum, especially for multinational corporations, there are quite a few legislatures, regulators and courts pronouncing that the privacy of individuals must be respected insofar as data about them are concerned. This applies most specifically to data maintained on computerized information systems. Of course, this contradicts another grand social goal, best realized on the Internet, to make the maximum amount of information available to the maximum number of people.
There is nothing inherently easier about data sharing than data protection, but we as a society seem to have been better at the former than the latter. And the technologies we have developed in the past half-century or so need some taming to make them adhere to privacy restrictions, which have in part led to the laws. It is up to the technologists to satisfy the lawyers and the lawyers to make sure that the legislators are obeyed. But how does the individual data subject gain satisfaction?
What You Say You Do
In part, the way to reassure the public about the privacy of their information is to make it clear that the laws are being complied with or, in the absence of particular laws, that their privacy is being protected anyway. This is done in press releases, marketing brochures and, most relevant to this discussion, in privacy notices on web pages. The privacy notices explain company policy and make certain representations about how data are being protected.
There have been a number of recent cases in which companies did not live up to their publicly held policies and have been severely reprimanded. Most notable in two regards was the incident at Eli Lilly, the American pharmaceuticals maker. Briefly stated, Lilly inadvertently distributed an e-mail containing a list of names of persons who were taking their antidepressant drug, Prozac. This contradicted the statement on their web site, "Eli Lilly and Company respects the privacy of visitors to its Web sites, and we feel it is important to maintain our guests' privacy as they take advantage of this resource." Although an error, and not a malicious act, was committed, the US Federal Trade Commission stated that the company should have taken "appropriate steps to ensure the security of that information" (emphasis added). In other words, a security breach is no excuse for a privacy breach.3
What You Do
Thus, a company cannot disentangle its security protections from its privacy protections. In the technical arena, nowhere is this more evident than in the use of the World Wide Web. There are a multitude of ways that data can leak out of a web site, all with colorful names like cookies, web beacons and bugs. Even the underlying tools of data capture, GETs and data entry forms can be used or misused to transfer information about a data subject to an unauthorized third party. For instance, if someone were to browse for information about AIDS and suddenly started receiving information about AIDS medications, this individual might have cause to think that data about his/her identity had leaked to unintended recipients. Sadly, this is not a specious example. It happens because of faulty design, implementation and maintenance of web sites.
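The GET leakage path this paragraph mentions can be checked in a site's own access logs: whatever a form submits in the query string ends up in the URL, and so in server logs, browser history and the Referer header sent with every follow-on request, including requests for third-party resources embedded in the page. The following Python is an added example, not code from this column or from any product it mentions; the sensitive parameter names, the log format and the sample log lines are constructed assumptions. It flags requests whose query string or Referer carries data about a subject and shows the redacted form a privacy-respecting log should record.

```python
"""Audit web-server access logs for personal data exposed in GET query strings.

Added illustration, not code from the column. SENSITIVE_PARAMS, the combined
log format and SAMPLE_LOG are constructed assumptions.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names assumed to carry data about a data subject.
SENSITIVE_PARAMS = {"email", "name", "patient_id", "condition", "drug", "dob", "ssn"}

# Apache/nginx "combined" format: request line in quotes, then status, bytes,
# Referer and User-Agent (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def sensitive_params(url):
    """Return the sorted names of sensitive parameters present in a URL's query string."""
    query = urlsplit(url).query
    return sorted({k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_url(url):
    """Replace the values of sensitive parameters so the URL is safe to log."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def audit_log(lines):
    """Return one finding per log line that exposes sensitive data.

    Each finding records where the data surfaced: in the request path (our own
    logs and the user's browser history) or in the Referer header (the full URL
    of the page the user came from travelled with this request; had the
    requested resource been hosted by a third party, that party would have
    received it).
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real audit would count these
        referer = m["referer"]
        in_path = sensitive_params(m["path"])
        in_ref = sensitive_params(referer) if referer not in ("", "-") else []
        if in_path or in_ref:
            findings.append({
                "line": lineno,
                "method": m["method"],
                "path_params": in_path,
                "referer_params": in_ref,
                "redacted_path": redact_url(m["path"]),
            })
    return findings


# Constructed sample lines, not real traffic. Line 1 leaks an e-mail address in a
# GET; line 2 shows a prescription page's query string arriving in the Referer of
# a follow-on image request; line 3 uses POST and exposes nothing in the URL.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2002:13:55:36 +0000] "GET /search?q=antidepressants&email=jane%40example.org HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2002:13:55:37 +0000] "GET /static/ad.gif HTTP/1.1" 200 43 "https://www.example.org/refill?patient_id=4471&drug=prozac" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2002:13:56:01 +0000] "POST /refill HTTP/1.1" 302 0 "https://www.example.org/account" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

Running it reports two findings: the e-mail address in the search URL and the patient identifier and drug name carried in the Referer of the image request; the POST request is clean. The corresponding design fixes are the ones the audit points at: submit personal fields in a POST body rather than a query string, send a restrictive Referrer-Policy header so URLs are not forwarded to embedded third-party resources, and redact logs with something like redact_url before they are retained or shared.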
As web sites and other public-facing information systems are developed, privacy needs to be more than a user requirement. It has to become institutionalized in the way that systems are designed, tested, implemented and monitored.
Fortunately, tools are arriving on the market to assist in accomplishing this goal, but they depend on two factors: 1) management's awareness of the need for privacy, and 2) the enunciation of a policy that obligates the company and is achievable given the technical constraints of the software and hardware in use. As Eli Lilly learned,4 privacy is neither easily achieved nor is it free.
Fortunately, we have experienced significant shifts in the design of information systems in the past and can learn from them now. The change in information systems development brings greater interest because it is being played out on such a broad societal field. Once it is realized that privacy is a business obligation, as are audit trails, security and recoverability, then privacy will become a part of the systems development life cycle as well.
1 For example, the definitions section of the EU Data Protection Directive does not define privacy, nor does ISO 17799. The definition section of the United States' HIPAA (health care) legislation does not contain a definition either, but under the heading "Subjects for Recommendations" there is a serviceable explanation:
(1) The rights that an individual who is a subject of individually identifiable health information should have
(2) The procedures that should be established for the exercise of such rights
(3) The uses and disclosures of such information that should be authorized or required
2 "On the protection of individuals with regard to the processing of personal data and on the free movement of such data," also known as the EU Data Protection Directive, p.1. www.privacy.org/pi/intl_orgs/ec/final_EU_Data_Protection.html
4 To its pain. The company agreed to a complex and expensive program to prevent recurrence.
Steven J. Ross, CISA
is a director at Deloitte & Touche. He welcomes comments at firstname.lastname@example.org.