Thursday, December 08, 2011

Privacy Needs an Iron Eyes Cody


Yes, I play in the privacy sandbox less since moving over to cloud-focused EMC, but I still have regular conversations and keep track of the major issues.

In one such recent conversation I felt compelled to preface the discussion with a disclaimer: “I am not a technologist, and I am not a lawyer, but I also don’t believe that privacy issues can be solved with technology or regulations.” A bit smug, perhaps, but it’s the truth. The major privacy issues facing businesses today have very little to do with too much or too little technology, too many or too few laws. The issues are rooted in human behavior – employees who have habits that are not privacy or security friendly, individuals who are not privacy-aware, and miscreants who don’t give a fig about your privacy or mine.

When you begin with that premise, I don’t think you have much choice but to view technology and law as tools that are part of a bigger solution to the problem rather than the pillar upon which the solution must be perched. You also have to take a long view toward arriving at anything resembling a solution.

Changing human behavior across an entire culture takes time – usually a lot of time – but with persistence, patience, and the right strategy it can be done. I think of our national attitude toward pollution as an example of a successful shift in human behavior. As a kid growing up in the late ’60s and early ’70s, I saw the American landscape at a time when it was shockingly dirty. Trash, pollution, and urban blight were everywhere. The medians on every highway in the land were garbage dumps; our rivers were open cesspools; and the sky was dark with industrial exhaust.

It didn’t happen overnight, but when we decided to do something about it, things started to change. After years of work to raise awareness of the problem, the advent of the 1970s brought about things like Earth Day, the Environmental Protection Agency and Iron Eyes Cody’s famous tear. As the Keep America Beautiful campaign said, “People start pollution. People can stop pollution.” Were laws passed? Of course, but laws didn’t clean up the environment and pick up the trash, nor did the millions of new trash receptacles fill themselves. People’s attitudes and habits had to change, and, with our collective eyes opened and consciences shocked, we did.

I believe the same approach can work with privacy. Help consumers understand that they can and should expect more from their digital experience. Make them aware of their situation and their risk; educate them and equip them with the information they need to respond to organizations; give them a voice and a way to amplify it and things will change. Consumers will also take this newfound attitude and information into the workplace where their awareness will translate into greater responsibility with the sensitive information entrusted to them, helping to curb the instances of human error leading to the compromise of personally identifiable information and other valuable data.

It won’t happen overnight, but it can happen.


Thursday, December 01, 2011

Healthcare Industry Takes $6.5B Hit Over Poor Information Security

Technology’s supposed to make us more efficient; more productivity for each hour we invest in a project. It also means less cost associated with the effort. Without the cost benefit, after all, why bother with efficiency?

During the last year or so we’ve seen the evidence of this productivity increase with each new round of earnings reports. This has been a fantastic year for corporate profits, even as the grass roots economy remains in the toilet. While unemployment remains stubbornly above 9 percent nationally, and with even more people out of work but off the books, companies are making record profits making and selling their products and services without adding payroll.

If you are among the un/under-employed, you might not think it’s a very fair shake, but we’ll leave that debate to the Occupy protesters and their foes in D.C. and on Wall Street. For business managers, however, it’s a pretty good deal – invest in new technology and see profits rise.

Yet a study released today by my friends at the Ponemon Institute, sponsored by ID Experts, shows that not every industry seems to understand that cost savings aren’t just about reducing workforce; they’re about investing in the right resources. Yes, I’m looking at you, healthcare.

For industries and organizations that deal with large volumes of sensitive information, information security is not an option, yet it seems many healthcare and related companies are trying to cut costs by ignoring their obligations to safeguard patient data and comply with regulations. They are operating in the digital age and a world of mobility and Big Data, but with antiquated policies created for a time when information moved largely on paper. According to Ponemon, poor information security and inadequate data management cost the healthcare industry $6.5 billion last year.

As the press release announcing the study points out, that $6.5 billion would have been enough to employ more than 81,000 nurses – or to equip the overworked medical administrative staffers with the right tools and training to do their jobs in a manner befitting the trust their patients put in them each day – trust, by the way, that is rapidly eroding. Hey, if you are going to spend that $6.5 billion anyway, why not invest it in the tools to protect information, preserve trust, and provide operational efficiency rather than pay fines, legal fees, and audit costs?

Do it right and the costs might actually decline next year. But I won’t be holding my breath; if I pass out, I might end up in the hospital, and I don’t trust them to keep my information safe.


Tuesday, June 14, 2011

I'm Baa-aack!

After a couple years of focusing my blogging efforts on providing content for the Ponemon Institute, I’ve decided to revive Private Communications.

For five years I worked as an independent contractor/consultant in the area of privacy and communications. And while I gave up the glamorous life of self-employment this past March in order to take up a new (and decidedly less public) challenge at EMC, it doesn’t mean that I’m out of the privacy game. To the contrary, EMC’s focus on cloud computing and big data means there will be plenty of opportunities to put my wealth of knowledge and experience to use. Trust and governance, risk and compliance (GRC) are all issues that intersect with where EMC is and where it is headed.

I will speak for myself in this forum and not for my employer. I have no role in policy here, nor do I have any authority to make statements on behalf of EMC. I may be inspired by some of the things we’re doing, but don’t flatter me by thinking I have any special insight specific to EMC. I don’t.

If you decide to make any investment decisions based on anything I write here, you are a fool.
