ISACA Journal
Volume 3, 2014

Features 

Data Privacy—Protecting This Asset Is a Priority 

Horace McPherson, CISA, CISM, CGEIT, CRISC, CISSP, PMP 

Over the past few years, there has been a shift in the business world pertaining to assets that need to be protected. The digital world has brought with it complexity in terms of defining what has to be protected and to what extent. It was no more than 15 years ago that the assets that most companies concerned themselves with protecting were tangible (e.g., equipment, buildings, manufacturing tools, inventory). Now companies must add data to their list of assets, and data are usually at the top of that list. These could include, for example, product blueprints, social security numbers, medical information, credit card numbers, personal information and trade secrets.

Companies are still having a hard time not only protecting their data in digital format, but also defining what constitutes sensitive data and where the data should be kept.1 A current business discipline, data governance, is the set of activities that optimize, secure and leverage data as an enterprise asset. Traditional accounting rules do not allow companies to treat data as a financial asset on their balance sheets unless the data have been purchased from an external entity. Despite this conservative accounting treatment, enterprises now understand that their data should be treated as an asset similar to plants and equipment.2

Treating data as a strategic asset implies that organizations need to build inventories of existing data just as they would for physical assets. Organizations need to secure business-critical data within their financial reporting, enterprise resource planning (ERP) and human resources (HR) applications from unauthorized change and disclosure as they can affect the integrity of the organization’s financial reporting and the quality and reliability of daily business decisions. Depending on the business of the organization, it must protect sensitive data, such as customer information, patient information, credit card numbers and personally identifiable information (PII), as well as intellectual property.

Sometimes companies fail to understand how data protection implementation helps their bottom line by improving customers’ perceptions of their reputation and, in turn, driving more sales or new business. After all, businesses are created to turn a profit, and if there is no direct correlation for an item (i.e., tying it to cost and profit), that item is often given low priority. Companies are now discovering how data protection and security mechanisms affect their bottom line. If a company suffers a data breach, it must deal with a wide range of issues for which it is likely not prepared. In the recent past, a number of companies have had their databases attacked and their customer information compromised. Once customers find out that a company is not protecting their confidential and financial information properly, they will often take their business elsewhere. In addition, the customers can sue the company, which could result in punitive damages and court fees.

Because a company has such a wide range of threats to its data and information (not just computer viruses and hackers), each threat must be planned for and addressed individually using mechanisms such as access control, software applications and data malfunction considerations, site location, fire protection, site construction, power loss, equipment malfunction, business continuity and disaster recovery, and telecommunication and network issues.

Responsible companies follow due diligence and due care. Due diligence is the act of investigating and understanding the risk the company faces. A company practices due care by developing and implementing security policies, procedures and standards. Due care shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to protect the company, its resources and employees from possible threats. Due diligence is understanding the current threats and risk, and due care is implementing countermeasures to provide protection from those threats.

When a company does not practice due care or due diligence pertaining to the security of its data assets, it can be legally charged with negligence and held accountable for any ramification of that negligence. Organizations have had trade secrets and intellectual property stolen by employees who left to work for a competitor. In such instances, unless the original company has taken the proper steps to protect its data and informed its employees that this action is wrong, the company has no legal recourse.3 The company must practice due care both inside and outside its walls to protect its intellectual property from being compromised.

Data protection is accomplished via the practices of privacy, confidentiality and information security. As indicated, critical data become an asset to the company. Profits and losses are determined by the integrity of the data. Goodwill or punishment can result based on how company data are treated. A company’s entire reputation could rise or fall on how it is perceived to handle, and actually does handle, customer data. For all these reasons, the concept of data protection is a significant issue.

Figure 1. Stakeholder map

Organizations within industries such as financial and banking, health care, and payment card are usually most concerned with data protection. Examples of financial institutions range from commercial banks (large and small), stock and trading entities, mutual funds organizations, investment entities, credit unions and credit card processing companies to other firms that deal with clients’ financial information and monetary assets. The raw materials for these types of entities are literally the information on their customers. This includes, for example, personally identifiable information (PII) (e.g., names, addresses, social insurance numbers), financial information, beneficiary information and insurance information. This information is extremely valuable to the organization and, hence, is critical for successful business operations. By protecting this information and related data, the financial institution is protecting its assets, its profits, its customers and, in some cases, the very existence of the company. There are many stakeholders associated with a financial institution, and remaining cognizant of all stakeholders and their impact on the company will determine a company’s priorities. A typical stakeholder map (figure 1) attempts to represent those that are most critical.

The primary stakeholders (indicated with a P in figure 1) are listed along the top of the diagram since the reactions of these to any lack of due diligence or due care in data protection can result in significant damage to the institution. Customers could leave and take their business to other institutions. Regulators and the government could levy fines or even initiate legal actions. Shareholders and partners would suffer from the loss of profit, even influence. The institution’s reputation could suffer a setback that would taint it in the eyes of the public—its future customers.

The perception of having a good privacy strategy goes a long way in gaining consumer trust; it is the lack of trust that causes consumer anxiety over loss of privacy. On the other hand, as financial institutions prove themselves worthy of trust, customers may voluntarily provide more data about themselves, proving that a strong reputation for privacy protection enhances customer reach and leads to even more business. On a more negative note, competitors would hope to benefit from any loss, and criminals (e.g., identity thieves) are the ones that will inflict harm. Intimately knowing its most critical stakeholders will help a financial institution plan its strategy for data privacy protection.

Ethics and Responsibility Analysis/Evaluation

Companies today face many ethical issues that require different strategies and approaches. These issues range from fair business practices, sustainability and environmental investment issues to physical security and even insider threat issues. Data protection is one issue that, if not handled properly, can cause devastating and irreparable damages. The outcomes of threats that are posed to critical data are so serious that it is not surprising that governments have passed laws and regulations to mandate that financial firms implement proper protection mechanisms to safeguard stakeholders’ interests. Some firms have even gone beyond government regulations and also assumed industry self-regulations in addition to implementing their own internal company controls and security practices.

How a company resolves its privacy strategy will also be affected by a cost-benefit analysis. A company may choose to weigh the revenue gains and customer goodwill to be had from adopting different privacy strategies against the cost of compliance imposed by differing privacy strategies. These results will be assessed against the ethical position adopted by the company with the strongest decisions being those that provide positive cost benefit and are consistent with the company’s ethical stance.4

Ethics Analysis

Data protection is a solution to the ethical problems of inadvertent or deliberate internal exploitation and/or external exposure of private and confidential information. Financial institutions, in the course of doing business, collect an extensive amount of personal and financial information from customers. Possession of this information alone without anything else is as valuable as cash, investments and other returns. This is why competitors, partners and criminals would love to get their hands on an institution’s client database. Possessing someone’s personal information allows a legitimate company to target them for marketing campaigns, sell their information to other business partners and profile them for further business development efforts. Criminals could use this information to steal the identities of the unknowing customers.

For all these reasons and more, financial institutions have an ethical responsibility to protect customer privacy and confidentiality. Anne Wells Branscomb, in her 1994 book Who Owns Information?, made the following statement, “Our names and addresses and personal transactions are valuable information assets worthy of recognition that we have property rights to them. Unless we assert these rights, we will lose them. If such information has economic value, we should receive something of value in return for its use by others.”5 This is an interesting statement as the financial institution may, on the other hand, consider customer information in their possession as their own. However, there is a growing belief among consumer advocacy groups and consumers themselves that personal information is the personal property of the individual from which it came.6 Whether one agrees or not, the issue of privacy is one not to be taken lightly.

Consumers’ lack of knowledge and control of what happens to their personal information is another concern. The dynamic nature of information collection and manipulation decreases consumers’ ability to keep track of their information as it is collected and aggregated from multiple sources to create consumer profiles. Although some data are provided by customers (e.g., demographic information), other information is collected without customer knowledge, such as tracking information obtained through the institution’s web site. Thus, customers control only a portion of their profiles.7

Figure 2. Four categories of ethical theories relevant to privacy decisions

Financial institutions can show good corporate citizenship by exercising due diligence in their handling of customer personal and confidential information. Assurance is critical, and customers must be confident that their information is safe. In the article “Strategic and Ethical Considerations in Managing Digital Privacy,” Sarathy and Robertson indicate that “while external factors such as culture, business context, legislation, nature of data and history all play a role in shaping a company’s privacy strategy, the implicit and explicit ethical ideology of the company, its founders, and top management team establish a moral dimension to the chosen privacy strategy.”8 Sarathy and Robertson also introduced the concept of moral philosophy to describe an approach to privacy, outlining four categories of ethical theories that are relevant to managerial decisions in the context of privacy: utilitarianism, egoism, moral relativism and justice (figure 2).

Utilitarianism can be broken into two areas: rule utilitarianism, in which decisions are evaluated based on any relevant rules or laws, and act utilitarianism, in which a decision is made based on its consequences and the act resulting in the greatest good is selected. Companies following act utilitarianism would weigh the consequences of greater respect for privacy (and the trade-off of profitability and job creation) vs. individual privacy rights. On the other hand, a company following rule utilitarianism would consider customer benefit and would prefer to behave in a legally compliant manner.

Another concept introduced is egoism. This is where the company justifies its actions based on its own self-interest. Some profit-oriented entities could place profit maximization above all else, including privacy and data protection initiatives. As long as an action is legal, decisions are made based on the company’s paramount goals.

Moral relativism refers to defining ethical behavior in the context of individual or group norms.9 In the application of this concept, similar firms in the industry and sometimes competitors should be surveyed (formally and informally) to see what they are doing or see the generally accepted standards of behavior on privacy-specific issues. Essentially, moral relativism implies perceived moral accountability and the company adopts behaviors that conform to norms noted for the industry. An example of this approach is a mortgage company or other financial institution selling information about its customers’ debt and finances to another entity, if this was the prevailing industry standard, and not concerning itself with whether its customers should be consulted.

The moral growth of individuals who are involved in making strategic decisions about privacy issues is also a factor influencing how companies make privacy protection decisions. Individuals tend to operate on different levels, or stages, of moral rationalization. Whether the manager is trying to avoid punishment, obey laws as a service to society or assert personal idealistic beliefs, this variance in cognitive moral reflection can influence the ultimate privacy strategy chosen by the company.10

The ethical perspective of the top management team determines whether the company will be proactive and a leader in setting and supporting privacy protection policies and whether privacy protection is put ahead of profits. The tone at the top is important. A corporate culture that is customer-oriented will ask customers about their privacy protection needs and listen to the fears of customers regarding the erosion of their privacy. Such conversations will lead the company to treat privacy protection as a long-term goal and value, setting a high bar for competitors and the industry.11

Other Support Mechanisms and Processes

With privacy protection being so essential to the financial institution, building awareness among employees, management and customers is critical to any effective privacy and confidentiality efforts. Privacy directives within the company will not be effective if no one knows about them or how the company expects them to be implemented. For privacy protection efforts to be successful and effective, everyone from senior management to all staff must be fully aware of the enterprise’s privacy efforts. All employees should understand the underlying significance of privacy and the specific privacy-related requirements expected of them. This is critical for the institution’s privacy efforts. To ensure understanding and awareness of the company’s data protection efforts, privacy and security awareness training must be implemented. Sometimes this is even required by regulation. Awareness training should be comprehensive, tailored for specific groups and organizationwide.

The goal for each employee is to understand the importance of privacy to the company as a whole, to clients and to each individual. This should be a formalized process that ensures that everyone understands what the company’s privacy posture is, why pursuing an official privacy policy is important and how it fits into an individual’s role within the organization. Financial firms should also find ways to educate their customers regarding their own privacy. This could be accomplished via the distribution of brochures, online notifications or even word of mouth.

Besides awareness training, financial institutions must be constantly managing risk. Careful risk analysis will help to prioritize protection efforts. Risk analysis has four main goals:

  1. Identify the assets and their value to the company. In this case, it is the classified data.
  2. Identify the vulnerabilities and threats. These could be numerous and exist both internally and externally.
  3. Quantify the probability of the business impact of the potential threats. This determines the extent of the investment used for prevention or mitigation.
  4. Provide an economic balance between the impact of the threat and the cost of the countermeasure. This is simply good, responsible business practice. Figure 3 shows a simple analysis that outlines three obvious risk factors and outcomes.
Figure 3. Simple risk analysis: three risk factors and their outcomes

Figure 4. Ethical stance and corporate social responsibility in data protection
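The four risk-analysis goals above can be carried through numerically. The following is an added illustration, not code or figures from the article: it applies the standard single loss expectancy (SLE) and annualized loss expectancy (ALE) method to three constructed threats against a customer data asset and ranks candidate countermeasures by whether their yearly benefit exceeds their yearly cost. All asset values, probabilities and costs are constructed sample figures.

```python
"""Quantitative risk analysis for a classified data asset (added illustration).

Goal 1: value the asset.  Goal 2: list threats.  Goal 3: quantify probability
and impact (SLE x ARO = ALE).  Goal 4: buy only controls whose reduction in
ALE exceeds their annual cost.  Figures below are constructed, not real data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    value: float  # goal 1: value of the classified data to the company


@dataclass
class Threat:
    name: str
    asset: Asset
    exposure_factor: float  # fraction of asset value lost per occurrence (0..1)
    aro: float              # goal 3: annualized rate of occurrence

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence of the threat."""
        return self.asset.value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass
class Countermeasure:
    name: str
    threat: Threat
    annual_cost: float
    aro_after: float                   # residual occurrence rate with the control
    ef_after: Optional[float] = None   # residual exposure factor, if the control changes it

    def residual_ale(self) -> float:
        ef = self.threat.exposure_factor if self.ef_after is None else self.ef_after
        return self.threat.asset.value * ef * self.aro_after

    def net_value(self) -> float:
        """Goal 4: ALE reduction minus control cost; positive means worth funding."""
        return (self.threat.ale() - self.residual_ale()) - self.annual_cost


def prioritize(controls: List[Countermeasure]) -> List[Tuple[str, float]]:
    """Rank controls by net value and keep only those that pay for themselves."""
    ranked = sorted(controls, key=lambda c: c.net_value(), reverse=True)
    return [(c.name, round(c.net_value(), 2)) for c in ranked if c.net_value() > 0]


# Constructed sample: one data asset, three threats, three candidate controls.
PII_DB = Asset("Customer PII database", 2_000_000)
WEB_BREACH = Threat("External breach of web application", PII_DB, 0.5, 0.1)
INSIDER = Threat("Insider copies client list to a competitor", PII_DB, 0.2, 0.25)
TAPE_LOSS = Threat("Unencrypted backup tape lost in transit", PII_DB, 0.1, 0.4)

ENCRYPT_TAPES = Countermeasure("Encrypt backup media", TAPE_LOSS, 15_000, 0.4, ef_after=0.0)
DLP = Countermeasure("Data loss prevention monitoring", INSIDER, 60_000, 0.05)
WAF = Countermeasure("Web application firewall and annual pen test", WEB_BREACH, 150_000, 0.02)
SAMPLE_CONTROLS = [ENCRYPT_TAPES, DLP, WAF]

if __name__ == "__main__":
    for t in (WEB_BREACH, INSIDER, TAPE_LOSS):
        print(f"{t.name}: SLE={t.sle():,.0f} ALE={t.ale():,.0f}")
    for name, value in prioritize(SAMPLE_CONTROLS):
        print(f"fund: {name} (net value {value:,.0f}/yr)")
```

With these figures the tape encryption and DLP controls pay for themselves, while the web application firewall costs more per year than the loss it removes, so it would need either a lower price or a higher estimated ARO to justify funding.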

Conclusion

There is no doubt that data privacy is an ethical issue. It is an issue that cannot be taken lightly by organizations in possession of customers’ personal, financial or other critical information. Data protection and privacy are governed by the organization’s ethical stance and its goals for corporate social responsibility (CSR) (figure 4). Ethical actions are those internal practices of the organization that guide its approach to privacy and data protection. CSR encompasses the external activities that are adopted, e.g., industry self-regulations or customer education. These provide assurances that critical information is properly protected.

Financial institutions owe it to shareholders to implement data protection mechanisms to ensure privacy and confidentiality. Most financial and related institutions no longer have a choice of implementing privacy protection due to the existence of government regulations to which they have to comply. Smart companies go beyond government regulations and also follow industry self-regulations or their own internal initiatives. Finally, when privacy and confidentiality are so critical to the company, senior management must be seen to be fully behind the efforts and there must be education, training and awareness programs in place to educate all staff and customers about the importance of privacy. For the financial firm, privacy becomes everyone’s business.

Endnotes

1 Harris, Shon; All-In-One CISSP Guide, 5th Edition, McGraw-Hill, USA, 2010
2 Soares, Sunil; The IBM Data Governance Unified Process, MC Press, Ketchum, USA, 2011
3 Op cit, Harris
4 Sarathy, R.; C. Robertson; “Strategic and Ethical Considerations in Managing Digital Privacy,” Journal of Business Ethics, 2003
5 Branscomb, Anne Wells; Who Owns Information?, 1994
6 Cavoukian, Ann; The Privacy Payoff, McGraw-Hill, Canada, 2002
7 Caudill, E.; P. Murphy; “Consumer Online Privacy: Legal and Ethical Issues,” Journal of Public Policy and Marketing, 2000
8 Op cit, Sarathy and Robertson
9 Ibid.
10 Ibid.
11 Ibid.

Horace McPherson, CISA, CISM, CGEIT, CRISC, CISSP, PMP, works as a senior technology manager for the government of Ontario, Canada. With more than 15 years of experience working in complex technology environments, McPherson has led many teams in the strategic design and implementation of numerous business-enabling technologies. McPherson has developed broad experience in various roles in the private sector, public sector and large financial institutions, utilizing his expertise in information security, risk management, privacy, IT governance and IT infrastructure management. Currently, he is serving as program manager for the Justice Video Network, which is a highly secure videoconferencing and converged communication network serving the Justice Ministries within the province of Ontario.


Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.