Dear CISOs and Legal Counsel: We Can’t Wait for the Privacy Regulators

Privacy is constantly in the news these days. Should Apple create a “back door” to unlock a terrorist’s iPhone for the FBI? Should Microsoft provide European citizen’s information stored on servers in Ireland in response to a US subpoena? Should data be allowed to be stored outside of Germany, France, Sweden and Russia for cloud services? Should we store information in the cloud without retaining the keys? Should commerce between the US and EU flow under the proposed replacement for Safe Harbor (Privacy Shield)? Or maybe the question is should someone be awarded tens of millions of dollars for having their privacy violated for filming them naked in a hotel room without their consent, or for filming someone’s engagement in a sex tape and releasing it to the Internet?

The Issue is Clear:  Why Should Anyone Trust Anyone?
We could leave this issue to privacy officers, internal and external legal counsel, governments, data protection authorities, politicians, regulators, and technology companies to sort out. We could wait for the ultimate answer to solve the privacy question once and for all. And wait. And wait some more. And wait for another review, debate, newsworthy event (such as needing information from another critical terrorist phone). Or wait for the next cloud service to be hacked, exposing photos that violate an individual’s right to privacy.

The reality is we just don’t trust each other—person to person or country to country. The reality is also, we have to trust each other at some level to interact personally or conduct business with each other.

As we grow up, we implicitly trust our parents to protect and lead us in the right direction. We have temporary moments of insanity during the ages of 5-6 and 13-17, where we don’t trust what they are telling us (because we just know better), and our parents all of a sudden get smarter when we turn about 22! In other words, we have temporary moments of disbelief, or a lack of trust in what they are telling us. It is the receiver of the message (in this case the child), that does not believe the sender (parents), even though thesender of the message was telling the truth and had good intentions all along. Trust is earned by delivering a consistent message that matches the real environment.

So what does this have to do with privacy in our organizations? Everything. We are currently in a state where people and governments are challenging the trust model. However, we cannot stop and wait for resolution of this temporary insanity and total lack of trust to figure out how to enable others to trust our assertions.

We Will Lose Valuable Time
We must, as “parents of our own organizational destiny,” continue to refine the controls on our systems and enhance how we protect information privacy. As we promote our message of information protection, those who make the rules will recognize that the organizations performing fundamental security work, building in privacy considerations and protecting rights through followed processes, will be able to be “trusted” and interact with other people and countries.

Privacy is much more than publishing a privacy notice on the company web site or sending out notices. Privacy is an organizational commitment to build trust by securing information and limiting access to accurate information to only those who have a right to it. Security officers are at the core of this issue and must be literate in the language to be effective.

At the 2016 North America CACS conference in New Orleans May 2-4, 2016, Todd Fitzgerald’s “One-Hour Privacy Primer” session will explore privacy concepts every security officer, privacy officer, auditor, lawyer, and governance professional should know:

• The role of the CISO with respect to Privacy
• 8 Universal (OECD) privacy principles
• Global laws impacting privacy
• Privacy by Design principles
• Understanding data elements and the language of privacy

Todd Fitzgerald, CISA, CISM, CRISC, CISSP, CIPP/US, CIPP/E, CIPM, PMP, CGEIT, ISO27000, ITILv3f, Global Director Information Security, Grant Thornton International, Ltd.

[ISACA Now Blog]