Joanne Joseph, CISA
In light of current and evolving technologies, electronic data privacy is a global issue. There is growing public concern about the infringement of personal privacy rights and about information security in the way data are transmitted, stored and used across borders on the Internet and with wireless devices (e.g., mobile phones, interactive TV, global positioning systems [GPSs]). The concern is that electronic data captured from these sources can be used for unintended purposes, to the detriment of the individuals using the services. Based on research performed by the Ponemon Institute, mobile devices, coupled with ubiquitous access to sensitive personal data, present a significant risk of privacy invasion in the digital landscape.[1] This article explores the threats as well as the policy measures that are universally applied to protect users’ data from privacy infringement.
Examples of personal data at risk include, but are not limited to, name, date of birth, home address, telephone number, ethnic group, sexual orientation, political affiliations, religion, social security number, driver’s permit number, identification numbers for various systems, customer credit information, medical information on applicants for jobs, qualifications and experience, employee performance appraisals, Internet browsing history, and emails.
Privacy Rights Clearinghouse describes incidents of personal data security breaches in organizations between 2005 and 2012 as a result of:[2]
Privacy is “freedom from unauthorized intrusion.”[3] In the conduct of business, organizations must acquire personal information about individuals, companies and other institutions.
Privacy protection is to be managed on three fronts: users, consumers and employees. Users expect that their records will be protected from unauthorized persons and entities. Consumers expect that trust and confidence will be maintained wherever business is conducted. Employees should be assured that their information is not disclosed without their consent.
Where sensitive data are processed, additional protection measures should be in place, in particular strong encryption of data in transmission and recording of access to sensitive data. The best defense, however, is not the application of technical security controls, but information security training and awareness. Encouraging users to be security-savvy should be a primary concern for service providers and organizations, because users are often the weak link in keeping information confidential. Between 2005 and the writing of this article in 2012, 364 of the incidents recorded in the chronology of data breaches were attributed to insiders.[4]
In recent years, new legislation has been introduced following publicly announced privacy violations. Its purpose is to protect users, consumers and employees whose data could be manipulated, and whose privacy could be invaded, in data security incidents.
The Code of Fair Information Practices established in 1972 by the US Department of Health, Education and Welfare provided the basis for subsequent legislation, such as the US Data Privacy Act (1974) and UK Data Protection Act (1998). The Code of Fair Information Practices is based on five principles:[5]
There must be no personal data record-keeping systems whose very existence is secret.
There must be a way for a person to find out what information about the person is in a record and how it is used.
There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person’s consent.
There must be a way for a person to correct or amend a record of identifiable information about the person.
Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.
The US and UK legal frameworks supporting good privacy practices were extended to include industry-specific legislation to address the inherent risk associated with particular types of data. Examples of those practices include:
Regulatory demands of US and UK legislation, coupled with growing concern about privacy and information security, have pushed companies and government institutions toward compliance with national laws or, where no legislation exists, with intergroup agreements. Legal requirements and compliance standards[10] are examples of externally driven mandates[11] that serve as a framework for implementing privacy policies across international borders[12] and are designed to defend individuals’ rights to privacy by prohibiting unauthorized disclosure of personal information.
An additional concern in the legal framework is the duty of organizations to notify persons whose personal data have been compromised. This requirement varies from state to state in the US and is generally enforced only if the compromised data were unencrypted (i.e., they can be read in clear text). The National Conference of State Legislatures maintains a list of enacted and proposed security breach notification laws in the US.[13]
The European Network and Information Security Agency (ENISA) published a report in January 2011 on the status of the data breach notification laws in European countries. The report states that data breach notifications are not yet mandatory in most European Union (EU) countries, as the member states are still preparing to transpose the directives of the EU telecommunications regulation reform package, which was passed in November 2009.[14] The reform package requires EU member states to introduce mandatory data breach notifications into local legislation.
To effectively implement the policies of the legislative framework in addressing the technology risk, industry-specific standards have emerged. These standards are updated based on the industry risk profile and published for use as a baseline in conducting digital operations. Examples of these standards include:
Unauthorized access or inadvertent disclosure of sensitive personal data occurs universally in digital communications. Examples of these points of ingress for information security exploitation are noted in figure 1.
At times, stories appear in key media highlighting instances of data security breaches and identity fraud, placing enterprises, celebrities and public officials in a hall of shame or leaking information that is considered confidential or secret.
“Solitude and privacy have become more essential to the individual, but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.”[17]
Recent examples of media reports of data security incidents occurring across a range of sectors include the following:
An ISACA white paper emphasizes the risk that perpetrators can use geolocation systems to track an individual’s whereabouts for the purposes of committing crime. This type of information is highly personal and should be classified as sensitive, with appropriately restricted access.[21]
Every time a person signs up for a discount card at a store or completes a form to obtain some preferential service, the potential for personal information to proliferate in unknown places increases. Protection of personal data therefore depends largely on each individual.
User education on key information security concepts, such as social engineering, e-privacy and cybersecurity, is critical. With respect to company monitoring, access to digital communications and electronic files should be carried out only for legitimate business reasons, such as technical maintenance; monitoring system security; complying with company policy and/or legal requirements; and investigating allegations of misconduct, fraud or other wrongdoing. Users should be aware that their electronic communications may be accessed for such purposes.
Where data are being used for marketing purposes, the individual should be given the opportunity to opt out from this arrangement at any time.
It is important that data custodians be provided with training that is specific to their role and function in order to ensure that the appropriate safeguards are maintained over the data under their responsibility. Custodians hold accountability for appropriate data classification and approval of access to sensitive data.
Performing regular information security reviews, auditing data privacy policies and procedures, and actively monitoring for new security vulnerabilities helps to ensure that the appropriate data protection standards are being maintained. Upper-level management support is a key strategy in the successful implementation of information security initiatives.
Given the type and extent of the damage that can result from personal data security breaches, continuous risk assessments need to be performed by privacy professionals[22] as communication technologies evolve. Alongside this effort is the need for stricter policies and regulations to mitigate growing threats.
“The fantastic advances in the field of electronic communication constitute a greater danger to the privacy of the individual,” according to Earl Warren (former Chief Justice of the United States).[23] Thus, the protection and security of personal private information must be a priority for privacy professionals, who can influence the development of policies and laws against privacy invasion.
Privacy law is still in its infancy in many territories and every major entity should be engaged in sustainable initiatives aimed at preventing and detecting abuses of personal data. Continuous information security campaigns must be in place to educate users about the risk of having their personal data stolen as well as the controls for protecting it. A key success factor in user awareness initiatives is C-level support—demonstrating leadership by example and accountability. This mission can be extended through stakeholder partnership with nonprofit privacy organizations to disseminate public information media releases geared toward the education of users universally. To put it simply, data privacy is everyone’s responsibility.
Endnotes

[1] Ponemon Institute, “2012 Confidential Documents at Risk Study,” July 2012, www.ponemon.org/blog/post/2012-confidential-documents-at-risk-study
[2] Privacy Rights Clearinghouse, “Chronology of Data Breaches, Security Breaches 2005–Present,” 2005, https://www.privacyrights.org/data-breach
[3] Merriam Webster’s Collegiate Dictionary, www.webster.com
[4] Op cit, Privacy Rights Clearinghouse
[5] Health, Education, Welfare (HEW), Advisory Committee on Automated Data Systems, The Code of Fair Information Practices, http://epic.org/privacy/consumer/code_fair_info.html
[6] Tech Target, “The Gramm-Leach-Bliley Act,” http://searchcio.techtarget.com/definition/Gramm-Leach-Bliley-Act
[7] SOX-online, “Sarbanes-Oxley Act,” www.sox-online.com/sarbanes_and_oxley.html
[8] Health Insurance Portability and Accountability Act (HIPAA), http://samples.jbpub.com/9780763766207/66207_CH02_McConnell.pdf
[9] “UK Privacy and Electronic Communications Regulations: E-mail, Faxes, Phone Calls, and Cookies,” http://www.the-dma.org/international/articles/UKElectronicprivacyreg.PDF
[10] Axelrod, C. Warren; Jennifer L. Bayuk; Daniel Schutzer; Enterprise Information Security and Privacy, Artech House, 2009, appendix A
[11] The expression “externally driven mandates” refers to changes that are driven or mandated by an external source (e.g., regulatory requirements, industry standards).
[12] Forrester Research, “Forrester’s Global Data Protection and Privacy Heat Map,” 2011, http://heatmap.forrestertools.com
[13] National Conference of State Legislatures, www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
[14] European Network and Information Security Agency, European Union, 2011, www.enisa.europa.eu/activities/identity-and-trust/risks-and-data-breaches/library/deliverables/dbn
[15] PCI Security Standards Council, www.pcisecuritystandards.org
[16] National Institute of Standards and Technology, www.nist.gov/index.html
[17] Brandeis, Louis D.; Samuel D. Warren; “The Right to Privacy,” Harvard Law Review, vol. IV, no. 5, December 1890, http://faculty.uml.edu/sgallagher/Brandeisprivacy.htm
[18] BBC News Technology, “Google ‘in Breach’ of UK Data Privacy Agreement,” 2012, www.bbc.co.uk/news/technology-19014206
[19] Borden, Sarah; “Wyndham Hotels Data Breach,” Bloomberg.com, 2012
[20] CBC News, “Elections Ontario Discovers Privacy Breach of Voter Data,” 2012, www.cbc.ca/news/canada/windsor/story/2012/07/16/toronto-elections-ontario-privacy-breach.html
[21] ISACA, Geolocation: Risk, Issues and Strategies, 2012, www.isaca.org/research
[22] Nonprofit privacy organizations as well as enterprise representatives from human resources, security, IT, internal audit, records management, legal and other functions with aspects of their roles dedicated to data privacy
[23] Warren, Earl; www.judiciary.senate.gov/hearings/testimony.cfm?id=e655f9e2809e5476862f735da16302cc&wit_id=e655f9e2809e5476862f735da16302cc-0-0
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2013 ISACA. All rights reserved.