Thursday, March 23, 2006

Of Privacy, PII, and Bicycles

As often happens, when news breaks of a significant privacy breach, I find myself discussing the issue with one of my privacy pals.

I think I’m a pretty smart guy, and well-informed on privacy issues, but I always feel a little bit smarter upon the conclusion of a conversation with one of these guys.

I like to think I’ve provided the same benefit to my friends, but I know I’ve gotten the better of the deal. (By the way, does it make me a privacy geek to admit that I enjoy talking about the latest breach?)

This morning, when news broke about Fidelity’s breach of privacy following the theft of a laptop computer containing retirement information and PII for nearly 200,000 HP employees, I turned to Richard Purcell of the Corporate Privacy Group.

Immediately we discussed the issue policy and awareness. I wanted to know his view on whether corporate data protection policy (and awareness) was keeping pace with the realities of an increasingly mobile workforce. That was all Richard needed to hear.

“Wells Fargo, SAIC, Ford Motor Co, Boeing, UC Berkley, Metro State Denver, Bank of Rhode Island, Brazos Higher Ed, UW Medical Center, UCLA, MCI, Medco Health, Ameriprise... the list goes on and on.”

In moments he rattled off a list of organizations that have recently reported the theft of laptop computers containing unencrypted PII.

The problem is that knowledge workers are encouraged (perhaps even expected – or pressured) to take their work with them in order to be more productive, but little thought has gone into the ramifications of data on the hoof. Transfer sensitive customer files onto a laptop and you’ve just increased your risk factor exponentially.

Richard compares the situation to bicycle theft.

“Laptop thefts have occurred over many, many years. They are obvious targets due to their high perceived value and mobility. They are stolen not because of the data they contain, but for their intrinsic resale value. That's obvious. Bicycles are in the same category. Leave your bike unlocked somewhere, and someone is going to steal it. No-brainer.

“Is there a lesson here? Duh. Lock it! Lock down the laptop whenever unattended and encrypt the data. Better, don't put such data on laptops - use the machines to link over secure transmissions to servers where the stored data is securely accessible. If you absolutely must put PII onto a laptop system, and can't encrypt it, then de-identify it – make sure the data does not point specifically to a known person.

And finally, like the bike analogy, don't expose yourself to double jeopardy by placing valuable stuff in easily stolen containers. I would never put my wallet in a pouch on my unlocked bicycle. Yet, we continually hear about just that kind of stupid (yes, it is nothing short of stupid) behavior in these stolen laptop stories.”

See what I mean? I’m feeling smarter already.

Richard’s point is that many organizations make the issue more complex than it needs to be. Writing policies related to mobile data may seem to be a daunting task, but it should take no more than the application of a little common sense.

That said, policy and training are among Corporate Privacy Group’s specialties, and I wanted to hear more.

“Most policies are just now coming up to date with the fact that devices are ‘in the wild,’ including not just laptops, but phones, media devices, and PDAs that have between 1GB and 40GB of memory. I have a simple 6GB device that can act as an external drive. No problem fitting a file with 200k+ personal records on that little puppy.

“So there's a mix of policies; the important thing is that practices are just not keeping pace. It is hypocritical for companies to, on the one hand, require data to be locked down, and, on the other hand, set difficult deadlines that force employees to indulge in risky behavior (like putting large files on their laptops to take home and work on over the weekend).

“Companies have to accept that putting 200k+ records on a laptop is like putting trade secrets on that same laptop. Management would never tolerate having their pre-audit financials wandering around on unprotected devices. For the same reason, they have to treat PII as a valuable asset that is always protected, even if that causes a bit of difficulty in accessing the data. So be it - cost of doing business.”

Recommendation: From my perspective, crisis communications starts with crisis prevention. Understanding risk and addressing risk factors with smart policy and thorough practice – including top-to-bottom training and awareness – is the first step. It’s a lot more pleasant preventing a data breach than it is explaining to your customers, partners, lawyers, and regulators how such a thing could have happened and what you are going to do to keep it from happening again.

Finally, it’s time this discussion moved front and center. Mobile data is data at risk. In Richard’s words, “it's a big deal to start banging the gong on mobile PII - anytime any asset goes mobile, additional safeguards are needed - it's elementary.”


Post a Comment

Links to this post:

Create a Link

<< Home