How to beat the odds and be ahead of the curve on compliance
What do corporate privacy and security mean in a pervasive social media world?
As most compliance, privacy, and security officers know, privacy and security compliance cannot mean only investigating breaches and preventing their recurrence. Effective compliance means anticipating, evaluating, and mitigating risks before breaches occur. This has always been a challenge, but new technologies have introduced a host of emerging risks. To name just a few of the questions privacy and security professionals will need to address:
- How do your corporate policies deal with social media? Does your organization block or allow access to Facebook on corporate computers? Are employees permitted to post descriptions on LinkedIn of the projects they are working on? Does your company search social media sites to gather information about clients, partners, or job candidates? Each of these decisions needs to be informed by privacy and security policies.
- Do you encourage employees to bring their own devices to work (BYOD)? If so, how do you manage the risk that employees can publish confidential material to social networks with little effort? Deliberate leaks are an important risk, but a greater one is employees leaking information accidentally through a few wrong taps or swipes on a smartphone.
- How do you plan to deal with new and future technologies? Technologies such as Google Shoe could allow employees or clients to map out your premises simply by walking through the rooms; Google Glass could let individuals photograph and film your premises and stream the footage live, showing assets and people. Some organizations have disabled the cameras on business cell phones to mitigate the risk of leaked photographs and video, but many employees carry their own 4G smartphones with web and video streaming capabilities.
“Breach by Design”
The truth is, privacy and security compliance programs are still in their infancy. The training and education compliance officers receive prepares them for predictable risks, such as internal or external security breaches (for example, an employee copying data to a USB memory stick and taking it off premises, or hackers breaching the organization’s web portal). However, compliance professionals are not ready for the “breach by design” world. New technologies and social media analytics allow companies and other private interests to continuously monitor people’s movements, devices, and even some of their thoughts and feelings. To give just a couple of examples:
- With only a smartphone and some basic programming skills, an individual can record the MAC addresses of smartphones probing for or joining wireless networks in the immediate vicinity. Anyone physically inside a business could use this information to identify, track, and target employees’ devices; a MAC address alone does not compromise a phone, but it singles out a device and reveals the networks it looks for, which is the starting point for follow-on attacks. Hundreds of retail businesses already use this method to track customers’ movement patterns in their stores and to count returning customers. (Newer phones randomize the MAC address they use when probing and for each network they join, which blunts this kind of tracking.)
- Companies such as Walmart are testing facial recognition software. By recognizing faces in store video and linking in-store consumer behaviour to online activity, they hope to track individual consumers’ shopping patterns and use this information to tailor marketing and promotions. While these companies are working with regulators to develop a voluntary code of privacy practice, deploying this software would constitute a massive intrusion into individuals’ private lives. We can block programs that track our smartphones, but we cannot block cameras that identify us by our facial features in stores or other public spaces.
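The retail tracking described in the first example above is simple enough to show end to end. The following is an added illustration, not code from the original article or from any retailer: it parses a constructed log of Wi-Fi probe requests (timestamp, source MAC, probed network name; the field layout and the log lines are assumptions for this example, as is the idea that a real capture would come from a wireless card in monitor mode), counts returning devices across days, recovers the home or office networks each device advertises, and shows why phones that randomize their MAC address (locally administered bit set) defeat the tracking.

```python
"""Retail-style device tracking from Wi-Fi probe requests (added example).

PROBE_LOG is constructed for this illustration. Assumed layout per line:
ISO timestamp, source MAC, probed SSID (omitted for a broadcast probe).
"""
from collections import defaultdict
from datetime import datetime

PROBE_LOG = """\
2019-03-04T09:02:11 3c:22:fb:1a:2b:3c CoffeeShop_Guest
2019-03-04T09:02:15 3c:22:fb:1a:2b:3c
2019-03-04T09:05:40 a4:5e:60:77:88:99 HomeNet-5G
2019-03-04T12:40:02 3c:22:fb:1a:2b:3c
2019-03-05T08:58:30 3c:22:fb:1a:2b:3c CoffeeShop_Guest
2019-03-05T09:10:12 da:a1:19:05:06:07
2019-03-06T09:01:00 3c:22:fb:1a:2b:3c
2019-03-06T17:30:45 a4:5e:60:77:88:99 HomeNet-5G
2019-03-06T17:31:02 0e:12:34:56:78:9a
"""


def parse_probes(text):
    """Return a list of (timestamp, mac, ssid) tuples from the log text."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=2)  # SSIDs may contain spaces
        ts = datetime.fromisoformat(parts[0])
        mac = parts[1].lower()
        ssid = parts[2] if len(parts) == 3 else ""
        records.append((ts, mac, ssid))
    return records


def is_randomized(mac):
    """True if the locally administered bit (bit 1 of the first octet) is set.

    Phones that randomize their Wi-Fi MAC set this bit, so the address is not
    a stable identifier for the device across visits.
    """
    return int(mac.split(":")[0], 16) & 0x02 != 0


def visits_per_device(records):
    """Map each MAC to the number of distinct days it was seen."""
    days = defaultdict(set)
    for ts, mac, _ in records:
        days[mac].add(ts.date())
    return {mac: len(d) for mac, d in days.items()}


def returning_devices(records, min_days=2):
    """MACs seen on at least min_days distinct days (the 'returning customer' count)."""
    return sorted(m for m, n in visits_per_device(records).items() if n >= min_days)


def known_networks(records):
    """Networks each device has probed for: home/office SSIDs leak this way."""
    nets = defaultdict(set)
    for _, mac, ssid in records:
        if ssid:
            nets[mac].add(ssid)
    return {m: sorted(s) for m, s in nets.items()}


def trackable_fraction(records):
    """Share of observed devices with a stable (non-randomized) MAC."""
    macs = {mac for _, mac, _ in records}
    stable = [m for m in macs if not is_randomized(m)]
    return len(stable) / len(macs)


if __name__ == "__main__":
    recs = parse_probes(PROBE_LOG)
    print("returning:", returning_devices(recs))
    print("networks:", known_networks(recs))
    print("trackable fraction:", trackable_fraction(recs))
```

In the constructed log two devices use fixed addresses and are counted as returning visitors, while the two randomized addresses can never be matched to a later visit. That is the whole mechanism, and also the limit of it: the passive observer learns nothing that the device does not broadcast, so the effective countermeasure is on the device side, not at the perimeter.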
Research data show that people are increasingly accepting of the social media world. Many see social media involvement in all-or-nothing terms, no longer expecting privacy but assuming that anything posted on social media is public. Even when individuals set strong privacy settings on their profiles, their privacy depends on those in their social circle, since friends can easily republish their posts. The implications of this new reality are already beyond most people’s full understanding; those of future technologies are even harder to imagine.
Privacy and Security for a New Environment
Privacy and security compliance has traditionally focused on two tasks: protecting company information, and fulfilling legal responsibilities for protecting customers’ privacy. As social media blurs the boundaries between personal and professional, it is clear that these two aspects can no longer be considered separately. Protecting company information requires protecting the individual privacy of employees; protecting customers’ privacy requires that companies safeguard their information assets, as well as limiting the information that they collect in the first place. To avoid an atmosphere of paranoia, companies will have to create a safe environment in which employees and customers can conduct business without feeling harassed or tracked. There are very promising possibilities in this regard, but to make them a reality, compliance officers need to be ahead of the curve. Without going into too much detail, two principles can help compliance officers to prepare for new technological realities:
- Enterprises need to start thinking of themselves as families of individuals and to help society as a whole to improve individuals’ ability to manage their personal data. Since technologies are increasingly tracking people’s lives, including their work, corporate security requires protecting employees’ and customers’ individual privacy.
- Policies and their technological instruments need to be both proactive and reactive. Reactive policies and technologies identify and mitigate breaches by monitoring current business activities. Proactive policies look ahead; they are written so that they remain valid as technology changes. Proactive technologies disrupt potential breaches before they occur by disabling or blocking the collection of private information (radio jamming is sometimes proposed as well, but most jurisdictions prohibit it, so it is not a practical option). These will be instrumental in effectively protecting privacy without excessive monitoring.
In essence, the future holds breach by design: as social media pervades people’s lives, information is no longer private by default but public. A compliance paradigm for this environment will assume a state of continuous breach; policies and privacy-enhancing technologies will be used to block breaches rather than only to identify them. A proactive approach to managing information, one that protects the privacy of employees, customers, and partners, can protect company confidentiality and preserve public trust.
Risk-based Privacy Maturity Model