Privacy has had its Chernobyl moment.
Maybe it was when a foreign power stole everything every American had submitted for a clearance form from the Office of Personnel Management. Maybe it was when an insurer lost control of the health records of millions of Americans. Maybe it was when the United Kingdom spilled its child benefit data. Maybe it was when India created a biometric ID system and sort of forgot about controls.
However you want to define a privacy Chernobyl, it, or something like it, has happened.
We exist in a world where our expectation of privacy has been shattered, diminished and demeaned, and yet privacy invasions still outrage us. What we haven’t done is built a cap, and certainly not a sarcophagus that’s designed to protect the radioactive slag for an appropriately long time.
Privacy failures still make the news. Failures on the part of firms who have promised to take it seriously still result in 20-year consent decrees. (Recall that 20 years ago, in 1997, Alta Vista was still the dominant search engine, the Motorola flip phone was dominant amongst those weirdos who bothered with a cellphone, and 56k was pretty good internet connectivity through your phone line. Will word choices that seem agreeable today be sensible after 20 more years of technological acceleration?)
I want to encourage you to use Implementing a Privacy Protection Program: Using COBIT 5 Enablers With the ISACA Privacy Principles as a way for you to realize that personal data is radioactive, and you want to start treating it as such. If you accumulate too much, you risk a meltdown, but even when you have it in small doses, you want to be intentional about it. You want to know why it’s here, how you’re protecting it, and how to get rid of it when the risk exceeds the reward.
You should be thinking of ISACA’s new privacy protection guidance as an important move forward in your privacy journey. It’s a necessary step, and going through the steps will help you understand if there’s more that you need to do.
Editor’s note: Additional privacy-related guidance can be found in ISACA’s new white paper, Adopting GDPR Using COBIT 5.
About Adam Shostack: Adam is a consultant, entrepreneur, technologist, author and game designer. He’s a member of the BlackHat Review Board, and helped found the CVE and many other things. He’s currently helping a variety of organizations improve their security, and advising and mentoring startups as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the “Elevation of Privilege” game. Adam is the author of “Threat Modeling: Designing for Security,” and the co-author of “The New School of Information Security.”
Adam Shostack, Consultant and Author
[ISACA Now Blog]