
Lessons from the Other Side: Best Practices in Privacy and Data Security

Read this post to learn the three privacy best practices that IT security teams could apply to better protect their organizations.

Privacy and data security go together like chocolate and peanut butter, or motherhood and apple pie. Yet in many organizations and in their day-to-day practice, the two disciplines too often operate as silos. Data security typically lives in the IT organization and concentrates on systems; the privacy function tends to reside under the compliance or legal organization and concentrates on compliance, training, and the people side of security. A recent trend towards managing privacy and security risk more holistically has more organizations moving the two functions under one umbrella to improve communication and collaboration, but each function can also learn from the other. So in the spirit of our shared mission, here are three top lessons that privacy and data security organizations can each learn from the other's best practices.

Watch: Privacy and Security: Teamwork Required to Tackle Incident Response

Lessons from Data Security

Data security is an old profession. Julius Caesar is credited with one of the earliest recorded ciphers, around 50 B.C., and computers used to break ciphers date back to World War II (an era dramatized in the current hit movie The Imitation Game). In the seventy-odd years since the first Colossus computer was installed at Bletchley Park in 1944, the IT industry has developed a host of data protection best practices that privacy organizations could adapt to their own activities. Here are just three.

Standardize: The IT industry lives by standards that are developed, tested, and maintained through national and international collaboration, and those standards evolve with the technical and threat environment. For example, the Information Technology Standards Committee (ITSC) currently has working groups on cards and personal identification, health informatics, and cloud computing, in addition to a standing committee on security and privacy. The International Organization for Standardization (ISO) also sets standards for information security management, standards that include risk management and other systematic approaches to protection. One cornerstone of the ISO 27001 security standard is "plan-do-check-act": "plan security processes ahead of time, do the difficult work of integrating these processes, check that they are being followed and act quickly in cases of non-compliance" [1], a cycle well understood by privacy organizations.

In contrast, privacy standards are more localized, bound by geography and regulatory jurisdiction because they are in many ways a function of law. While standards set by U.S. government agencies such as Health and Human Services (HHS), the Federal Trade Commission (FTC), and NIST are relatively mature, our nation's privacy posture is still in its infancy compared to, say, the E.U. But organizations such as the International Association of Privacy Professionals (IAPP) and the Electronic Privacy Information Center (EPIC) have working groups researching and documenting best practices for privacy organizations and advocating for effective privacy practices. By supporting these development efforts and adopting new standards as they emerge, privacy professionals can help the industry improve outcomes and control costs.

Measure: Business today is data-driven, thanks to the sophistication of information systems and data analysis tools. As part of IT, data security organizations track data volumes on their systems, network loads, and similar metrics, looking for unusual activity that might indicate a breach or attack. Privacy organizations need to do the same. Key indicators such as a rise in privacy-related incidents or in privacy-related customer service inquiries, or unusual patterns of physical access to facilities, could all help to identify and mitigate privacy issues quickly. The essential step is to establish a baseline for each indicator, so that "a rise" is something measured against normal rather than a gut feeling.
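As an added illustration (example code written for this post, not from IDX or the original article), here is one way to turn "a rise in privacy-related incidents" into a measurable signal: each week's count is compared with a robust baseline (median and median absolute deviation) of the preceding weeks, so that one earlier bad week does not inflate the baseline and hide the next one. The weekly counts, window size and threshold are constructed assumptions.

```python
"""Spike detection on weekly privacy-incident counts.

Added example, not IDX's code. The counts, window size and threshold
below are constructed assumptions for illustration.
"""
from statistics import median

# Constructed weekly counts of privacy-related incidents (misdirected mail,
# mishandled access requests, and so on). Not real data.
WEEKLY_INCIDENTS = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 11, 4, 3]

# MAD scaled by this constant estimates the standard deviation on normal data.
MAD_SCALE = 1.4826


def robust_score(history, value):
    """How far `value` sits above the median of `history`, in units of the
    scaled median absolute deviation (MAD). Median and MAD are used instead
    of mean and standard deviation so that a previous spike in `history`
    does not stretch the baseline and mask the next one."""
    med = median(history)
    mad = median(abs(x - med) for x in history) * MAD_SCALE
    if mad == 0:
        # Perfectly flat history: report the raw difference from the median.
        return float(value - med)
    return (value - med) / mad


def flag_spikes(counts, window=8, threshold=3.5):
    """Return (week_index, count, score) for every week whose count is more
    than `threshold` scaled MADs above the median of the previous `window`
    weeks. The first `window` weeks only seed the baseline."""
    spikes = []
    for i in range(window, len(counts)):
        score = robust_score(counts[i - window:i], counts[i])
        if score > threshold:
            spikes.append((i, counts[i], round(score, 2)))
    return spikes


if __name__ == "__main__":
    for week, count, score in flag_spikes(WEEKLY_INCIDENTS):
        print(f"week {week}: {count} incidents (robust score {score}) -> investigate")
```

The same check runs unchanged over counts of privacy-related customer service inquiries or after-hours badge-reader events per door; the window and threshold should be tuned against a few months of the organization's own history before the alert is trusted.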

Automate: Data security organizations have used automated monitoring, logging, and analysis for decades, with great success in, for example, identifying usage patterns that indicate credit card fraud or tracing the source of a data breach. Privacy organizations now have tools available to automate and streamline processes such as risk analysis and data breach response. By supporting consistent and objective analysis of privacy incidents, providing a central repository for all incident information, and streamlining documentation and reporting, these tools can improve outcomes and free privacy staff to spend more time on prevention.

Lessons from the Privacy Side

While information security has been a concern for millennia, for most of human existence privacy was a non-issue: people lived in such close proximity that privacy within the group was impossible, and long-distance communication was so slow that people longed to share information rather than withhold it. Only with the advent of the camera and electronic communication did most people begin to think of privacy as an issue, and the rapid rise of digital information, interconnected systems, and the ability to exploit them has made privacy one of the causes célèbres of the twenty-first century. The privacy profession has evolved rapidly in the decade-plus since massive data breaches became commonplace, developing virtually in lockstep with the government regulation meant to protect consumers against breaches and misuse of their personal information. As a result, the privacy profession tends to focus on compliance and the consumer, and works successfully with people and processes.

Here are three privacy best practices that IT security teams could apply to better protect their organizations.

Be customer-centric: For years, privacy studies have shown that, although regulatory penalties have grown, the greatest cost of a data breach is still the loss of customer trust and future business. Because they are responsible for incident response, including notifying the people whose information has been compromised, privacy groups are mindful of the human impact of a breach. They tend to look at addresses, account numbers, and SSNs not as data fields but as a set of information that, taken together, identifies a person. Data security organizations can take a lesson and focus not only on encryption or keeping data behind a firewall, but also on de-identifying data and using the minimum data set for each application, so that no single system holds the combination of fields that would leave a person vulnerable if exposed.
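As an added example of the minimum-data-set idea (example code written for this post, not IDX's own tooling), the snippet below gives each application only the fields it needs, replaces the direct identifiers it does need with keyed pseudonyms, and masks fields that only need partial visibility. The application names, field lists, sample record and key are assumptions constructed for the example.

```python
"""Per-application data minimization and de-identification.

Added example, not IDX's code. The applications, their field lists, the
sample record and the key are constructed assumptions.
"""
import hashlib
import hmac

# Constructed sample customer record; not real data.
CUSTOMER = {
    "name": "Jane Q. Public",
    "address": "12 Example Street, Springfield",
    "ssn": "123-45-6789",
    "account_number": "4000123412341234",
    "email": "jane@example.com",
    "balance": 1520.75,
}

# Assumed minimum data set per application: which fields it may see and how
# each is rendered.
#   "raw"   - needed as-is
#   "token" - replaced by a keyed pseudonym (stable per value, so records can
#             still be joined, but not reversible without the key)
#   "mask"  - only the last four characters shown
MINIMUM_DATA_SETS = {
    "fraud_analytics": {"ssn": "token", "account_number": "token", "balance": "raw"},
    "customer_support": {"name": "raw", "email": "raw", "account_number": "mask"},
    "marketing": {"email": "token"},
}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym. A plain hash would not do: the SSN space
    is small enough to enumerate, so an unkeyed digest is trivially reversed."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask(value: str, keep: int = 4) -> str:
    """Show only the trailing `keep` characters of `value`."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def minimized_view(record: dict, application: str, key: bytes) -> dict:
    """Return only the fields `application` is allowed, in the allowed form.
    Fields absent from the application's spec are never copied across."""
    spec = MINIMUM_DATA_SETS[application]
    view = {}
    for field, mode in spec.items():
        if field not in record:
            continue
        value = str(record[field]) if mode != "raw" else record[field]
        if mode == "raw":
            view[field] = value
        elif mode == "token":
            view[field] = pseudonymize(value, key)
        elif mode == "mask":
            view[field] = mask(value)
        else:
            raise ValueError(f"unknown mode {mode!r} for field {field!r}")
    return view


if __name__ == "__main__":
    key = b"demo-key-rotate-me"  # assumed; in practice fetched from a KMS or HSM
    for app in MINIMUM_DATA_SETS:
        print(app, minimized_view(CUSTOMER, app, key))
```

The point of the keyed pseudonym is that the fraud team still gets a stable join key across records without ever holding the SSN, and a dump of that system exposes tokens that are only as recoverable as the key. Rotating the key re-tokenizes every value, which is the trade-off against long-lived joins.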

Operationalize: Data security needs to be a driver as organizations increasingly move from ad hoc incident management towards an operational model. While privacy functions have been driving the trend towards an enterprise-wide approach to incident tracking and response, the role of the CISO has also been changing, making the CISO a privacy protection leader on the executive team. In addition to fostering collaboration that makes data security and privacy programs more effective, helping to operationalize incident response gives data security groups a platform from which to advocate successfully for the tools and resources they need.

Communicate proactively: A privacy program depends on policies and processes executed by people throughout the organization, so privacy professionals work hard at training and at building a culture of awareness and compliance. In contrast, many data security controls are implemented within the computing infrastructure. Security software and malware protection are critical pieces of a security program, but a system is only as strong as its weakest link, and often that link is the person carrying a mobile device or responding to what may be a phishing email or phone call. Data security professionals are best placed to know where the user vulnerabilities lie, and they should work proactively with privacy staff to identify and close those gaps through training and awareness programs.

Lessons to Live By

In some areas, privacy and data security already agree on best practices. Both know it’s critical to have clear policies, and to enforce them. Both recognize the importance of top-down support for their initiatives, and both believe in regular risk assessment and monitoring. With so much common ground, data security and privacy organizations should be able to combine their strengths in the battle to protect personal data.



[1] http://www.blackstratus.com/blog/practices-maintaining-data-security-business-environment/

About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.