How Businesses Can Get Serious About Privacy & Security

In May 2014, Gregg Steinhafel, Target’s President, CEO and Chairman of the Board, resigned following a 2013 data breach that resulted in the theft of 110 million credit and debit card transaction records. Seventy million of those records contained customers’ addresses and telephone numbers – putting those affected at risk of identity theft. Experts have predicted that the data breach has already cost Target up to $161 million – not taking into account any future penalties, credit monitoring expenses, loss of goodwill or lawsuits. The theft of Target’s customer data has also had a significant impact on the company’s profitability, which fell more than 40% in the fourth quarter, and is down 46% from the previous year.

Personal information and customer trust are critical assets, which businesses of all sizes must take an active role in protecting. The privacy and security of customer data cannot be simply left to chance. Once you have lost your customers’ trust, you have lost their business, and that negative “word of mouth” can either make or break a product line, brand or even an entire company. With the appropriate security and privacy protections in place, however, Target’s massive privacy breach – and the associated harm to customers – could have been avoided.

Rapid innovation, global competition and increasing system complexity present profound challenges for businesses in protecting the privacy of their customers. All too often, organizations focus on securing their data assets while protesting that implementing strong privacy measures will stifle innovation, increase costs and diminish the bottom line of their business. While security is an essential element of privacy, it is not enough – privacy and data protection incorporate a much broader set of protections.

While the disciplines of security and privacy are closely related, they are not, however, synonymous. Privacy seeks to respect and protect personally identifiable information by empowering individuals to maintain control over its collection, use and disclosure. Information security seeks to enable and protect activities and the assets of both people and enterprises. As the value of information and the need to manage it responsibly grows dramatically, it is more important than ever for organizations to incorporate both privacy and security into their networked data systems and technologies as the default settings.

Privacy by Design

The Privacy by Design framework, which has now been translated into 37 languages, employs an approach that is characterized by proactive rather than reactive measures. It anticipates and prevents privacy-invasive events before they happen. Privacy by Design does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred − it aims to prevent them from occurring. In short, Privacy by Design comes before the fact, not after. In October 2010, regulators from around the world gathered at the annual assembly of International Data Protection Authorities and Privacy Commissioners in Jerusalem, Israel, and unanimously passed a landmark resolution recognizing Privacy by Design as an essential component of fundamental privacy protection.

When Privacy by Design was created back in the ‘90s, the notion of embedding privacy into the design of technology was far less popular – taking a strong regulatory stance was the preferred course of action. This did not reflect the realities of the online world in terms of connectivity, mobile and ubiquitous computing. It was clear that a new framework needed to address the ever-growing and systemic effects of information technologies, and of large–scale networked data systems. The premise of Privacy by Design is “positive-sum” — that you can accommodate multiple interests at the same time. Not in an “either/or”, one versus another interest model such as privacy versus security, but in a “positive-sum” model meaning you can have positive increments in two functionalities at the same time — privacy and security together!

Organizations that embrace a proactive Privacy by Design approach — embedding privacy into information technologies, business practices and networked infrastructure at their nascent stages – will experience a number of positive business effects, including gains to one’s reputation, improved customer service and most importantly, enhanced customer confidence and trust in their business. Privacy by Design advances the view that the future of privacy cannot be assured solely by compliance with legislation and regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.

Security by Design

The old ways of simply building a defensive perimeter around a data resource are no longer sufficient. Security must go on the offensive and address information security concerns as the default mode of operation.

The concept of Security by Design, which I explored in two white papers written with Oracle in 2013, highlights the need to design software systems that are secure, from the ground up, minimizing the impact of a breach when a security vulnerability is exploited, thus preserving privacy in the process. In order to become a reality, Security by Design – like Privacy by Design – requires strong leadership, continuous goal-setting and consistent follow-through. Ensuring security and privacy is an ongoing journey, not a single project or a disjointed set of loosely related projects.

To provide guidance for organizations, we established a set of foundational principles for Security by Design, which are modeled upon and support the seven foundational principles of Privacy by Design, which outline an enterprise-level process for defining and governing the strategic journey of Security by Design.

Good Privacy and Security Equals Good Business

One of the most important elements in the relationship between a business and its customer is trust. By taking a proactive approach, it is indeed possible, and far more desirable, to embed both privacy and security. The best path is to gain a competitive advantage – make privacy pay off by embedding privacy, side by side, along with security.