For CISOs, every day is data privacy day. But every January 28th, Data Privacy Day is officially observed by a number of countries and agencies.
It could be a good day for infosec pros to remind themselves that, in addition to IT security, they are responsible for ensuring corporate privacy policies for personal data — of employees as well as customers and partners — are up to date and enforced.
This year’s observation comes at a sensitive time for chief security and privacy officers. Not only are data breaches increasing, the ability of customers to sue is going up as well.
Just this week an Ontario judge recognized a new common law privacy tort of public disclosure of private facts. The case involved a man who posted a sexual video of an ex-girlfriend on the Internet without permission.
“In the electronic and Internet age in which we all now function, private information, private facts and private activities may be more and more rare, but they are no less worthy of protection,” the judge wrote in part.
The woman had entrusted the defendant with the images, the judge said, and the defendant had no right to publish them. The man was fined a total of $100,000 in damages, plus court costs.
This case doesn’t deal with a corporation. However, before this week no Canadian court recognized the right to sue for public disclosure of private facts. The point is that organizations need to note the common law on privacy is expanding.
Later today we’ll report on a panel discussion taking place in Toronto that includes former Ontario privacy commissioner Ann Cavoukian, now the executive director of the Ryerson University Privacy and Big Data Institute.
But for now this is a good time to remind boards of directors and the C-suite that, like any risk, managing privacy begins at the top. That means, as the U.S.-based National Cybersecurity Alliance says, understanding that privacy is good for business.
- Have (and follow) a privacy policy: Your company’s website should have a privacy policy that tells customers what information you collect and how you use it.
- Know what you have: You should be aware of all the personal information you have about your customers, where you’re storing it, how you are using it, who has access to it and how you protect it.
- Keep what you need and delete what you don’t: While it’s tempting to keep information for future use, the less you collect and store, the less opportunity there is for something to go wrong.
The group — which offers a workplace risk calculator — urges organizations to remember the following:
- If you collect it, protect it;
- Be honest about how you collect, use and share personal information;
- Don’t count on your privacy notice as the only tool to educate consumers about your data practices;
- Create a corporate culture of privacy;
- Conduct due diligence and maintain oversight of partners and vendors.
Doug Cooke, director of sales engineering at Intel Security Canada, says one way CISOs can help preserve privacy, in addition to protecting databases, is monitoring who accesses sensitive databases.
Having a corporate culture of privacy and security awareness “is paramount,” he added. “It’s not possible for a security operation in an organization to stop all incursions, primarily because a lot of the activity is through social engineering. There’s a lot to be said for employees who have awareness and some empowerment (to say), ‘That looks strange,’ and say to IT there’s an issue that needs to be investigated.”
Meanwhile, as a public service, organizations could also take the day to remind customers and partners how they can own their online presence, including:
- Share with care: Think before posting about yourself and others online;
- Personal information is like money. Value it, protect it;
- Be aware of what’s being shared. Set privacy settings on Web services and devices to where you’re comfortable. It’s OK to limit how and with whom you share personal information;
- Apply the Golden Rule online: Post only about others as you would have them post about you.