In May 2014, Gregg Steinhafel, Target’s President, CEO and Chairman of the Board, resigned following a 2013 data breach that compromised the records of up to 110 million customers: roughly 40 million credit and debit card records, plus some 70 million records containing customers’ names, addresses and telephone numbers – putting those affected at risk of identity theft. Analysts have estimated that the breach has already cost Target up to $161 million, not counting future penalties, credit monitoring expenses, loss of goodwill or lawsuits. The theft of customer data has also hit the company’s profitability hard: profit fell more than 40% in the fourth quarter, and was down 46% from the same period the previous year.
Personal information and customer trust are critical assets, which businesses of all sizes must take an active role in protecting. The privacy and security of customer data cannot simply be left to chance. Once you have lost your customers’ trust, you have lost their business, and that negative “word of mouth” can make or break a product line, a brand or even an entire company. With appropriate security and privacy protections in place from the outset, Target’s massive breach – and the associated harm to customers – might well have been avoided.
Rapid innovation, global competition and increasing system complexity present profound challenges for businesses in protecting the privacy of their customers. All too often, organizations focus narrowly on securing their data assets while protesting that implementing strong privacy measures will stifle innovation, increase costs and diminish the bottom line. While security is an essential element of privacy, it is not enough on its own – privacy and data protection incorporate a much broader set of protections, governing not just whether data is kept safe but whether it should be collected, used or disclosed at all.
While the disciplines of security and privacy are closely related, they are not synonymous. Privacy seeks to respect and protect personally identifiable information by empowering individuals to maintain control over its collection, use and disclosure. Information security seeks to enable and protect the activities and assets of both people and enterprises. As the value of information and the need to manage it responsibly grow dramatically, it is more important than ever for organizations to build both privacy and security into their networked data systems and technologies as the default settings.
The Privacy by Design framework, which has now been translated into 37 languages, employs an approach that is characterized by proactive rather than reactive measures. It anticipates and prevents privacy-invasive events before they happen. Privacy by Design does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred − it aims to prevent them from occurring. In short, Privacy by Design comes before the fact, not after. In October 2010, regulators from around the world gathered at the annual assembly of International Data Protection Authorities and Privacy Commissioners in Jerusalem, Israel, and unanimously passed a landmark resolution recognizing Privacy by Design as an essential component of fundamental privacy protection.
When Privacy by Design was created back in the ‘90s, the notion of embedding privacy into the design of technology was far less popular – taking a strong regulatory stance was the preferred course of action. This did not reflect the realities of the online world in terms of connectivity, mobile and ubiquitous computing. It was clear that a new framework needed to address the ever-growing and systemic effects of information technologies, and of large–scale networked data systems. The premise of Privacy by Design is “positive-sum” — that you can accommodate multiple interests at the same time. Not in an “either/or”, one versus another interest model such as privacy versus security, but in a “positive-sum” model meaning you can have positive increments in two functionalities at the same time — privacy and security together!
Organizations that embrace a proactive Privacy by Design approach — embedding privacy into information technologies, business practices and networked infrastructure at their nascent stages – will experience a number of positive business effects, including gains to one’s reputation, improved customer service and most importantly, enhanced customer confidence and trust in their business. Privacy by Design advances the view that the future of privacy cannot be assured solely by compliance with legislation and regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.
The old ways of simply building a defensive perimeter around a data resource are no longer sufficient. Security must become proactive, addressing information security concerns as the default mode of operation rather than reacting to breaches after they occur.
The concept of Security by Design, which I explored in two white papers written with Oracle in 2013, highlights the need to design software systems that are secure from the ground up, so that when a vulnerability is exploited the impact of the breach is contained – for example, by limiting what any one compromised component or credential can reach – thus preserving privacy in the process. In order to become a reality, Security by Design – like Privacy by Design – requires strong leadership, continuous goal-setting and consistent follow-through. Ensuring security and privacy is an ongoing journey, not a single project or a disjointed set of loosely related projects.
To provide guidance for organizations, we established a set of foundational principles for Security by Design, modeled upon and supporting the seven foundational principles of Privacy by Design. Together, these principles outline an enterprise-level process for defining and governing the strategic journey of Security by Design.
One of the most important elements in the relationship between a business and its customers is trust. By taking a proactive approach, it is indeed possible, and far more desirable, to embed both privacy and security into systems from the start. The best path is to turn this into a competitive advantage – make privacy pay off by embedding it, side by side, along with security.
This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its affiliates.
Image: Pixsooz