Guest column: Planning for privacy

As economic success and social value increasingly hinge on protecting personal information, privacy and security are critical issues shaping the progress of technology. Society’s awareness of privacy and security continues to grow as data breaches and privacy missteps are widely publicised and continue to fuel the public debate over the creation of privacy regulations across the public and private sectors. In Australia, the proposed government access card has sparked raging public debate and informed similar dialogues worldwide.

Personally identifiable information (PII) and sensitive financial and corporate data are the currency of today’s cybercriminals. In the US, 30 percent of people report to have reduced their overall Internet use due to concerns about identity theft, and nearly half of US consumers have “little or no confidence” that organisations are taking sufficient steps to protect their personal data (Leap of Faith: Using the Internet Despite the Dangers, Princeton Survey Research Associates International, 2005). Indeed, a study just released this week by the Australian Federal Privacy Commissioner’s Office has found that almost two million Australians – or 10 percent – have had their personal details stolen and used fraudulently by a third party.

While Australian enterprises report fewer incidents of data leakage than their counterparts in the US – this should not be seen as a reason for complacency; in fact, it may largely be an outcome of having less transparency due to the lack of notification laws in this country. The most recent report from AusCERT (Computer Crime and Security Survey, 2006) found the greatest sources of financial loss for businesses involving electronic attack, computer crime, computer access misuse or abuse were due to theft or breach of proprietary or confidential information.

Data threats are constantly evolving, both in terms of technology and behaviour. Globally, we are entering an age where motivation is no longer simply driven by hackers’ bragging rights but also includes mercenary attempts to raid bank accounts and mine databases to on-sell confidential corporate and customer data.

Each new report of a data breach, loss or theft involving credit card numbers, personally identifiable information, confidential business documents or other sensitive records threatens to further erode public trust in the Internet and blunt the growth of online services and commerce.

This has intensified the demands on private enterprises and government agencies to enact stricter accountability and stronger protections around their management of sensitive personal information. Furthermore, the proliferation of Internet usage in businesses of all sizes means this can no longer be seen as a problem only for the ‘big end of town’. But beyond merely helping to avoid regulatory violations or negative publicity, developing an effective data governance strategy is smart for organisations and good for their customers. The potential dividends include smoother processes, better data quality and utility, lower risk exposure, enhanced trust and a more secure reputation.

Successful data governance requires alignment of policies, people, processes and technology at all levels toward responsibly managing and strongly protecting sensitive personal information. In addition to providing a crucial role in implementing a data governance strategy, technology also helps people enable effective processes, implement policies, and comply with desired business practices and regulations.

Within this multi-faceted approach, the technology framework for data governance can be viewed across five main areas.

Secure Infrastructure
In terms of technology, safeguarding and managing sensitive information fundamentally depends on a secure infrastructure that protects against malicious software, hacker intrusions and other pathways to unauthorised disclosure. A solid foundation starts with products and services built from the ground up with security and privacy in mind, and IT providers whose internal development standards include rigorous processes for secure design, coding, testing, review and response.

Software applications and server products need to be capable of helping repel malware, hacking attempts, phishing scams and network-based attacks. They also need to provide continuously updated protection against evolving threats through automatic security updates. Simplified deployment, management and analysis tools can further help IT pros maintain and enhance security.

Identity and Access Control
As organisations handle growing volumes of confidential data, a new and paramount concern is guarding against the risk of a deliberate or accidental data breach. At the same time, the data needs to be readily available to authorised users for legitimate purposes. Reliable identity and access control technologies include authentication mechanisms that verify a user’s identity before allowing them to connect to the IT network, and tools that allow the network administrator to regulate users’ access to system resources and data based on their role or other security-related criteria.

For organisations that exchange personal information with trusted partners and customers across organisational boundaries, a technology framework that supports federated identity management – allowing people to use the same identification criteria to access multiple networks – contributes to data protection.

Data Encryption
Sharing sensitive information across organisational boundaries often requires the data to travel on the Internet, where it can be vulnerable to interception and misuse by unauthorised parties. Building on effective identity and access controls, a technology framework that enables strong encryption of confidential data can greatly reduce the harmful impact of a security breach.

Such capabilities include technology for encrypting files and authenticating users’ access to those files, as well as operating system-level file encryption that can prevent unauthorised access to data stored on a lost, stolen or decommissioned computer. In addition, organisations that conduct sensitive business communications in email can take advantage of technologies that enable employees to send and receive encrypted email from their desktops – without requiring the organisation to install and maintain complex hardware and software on top of its existing systems.

Document Protection
Effective document management is imperative for organisations entrusted with protecting personal information and confidential business data – from the time it enters the organisation until it is safely archived or destroyed. Rights management technologies that apply persistent protection to sensitive data can help safeguard the information by controlling how it is used, retained and modified throughout its life cycle. For example, access to internal documents can be restricted to certain employees and users can be prevented from printing a document, forwarding it outside the organisation, or copying and pasting the text. This type of technology also can allow a document’s creator to embed an expiration date, after which other people can no longer access its contents. The potential value becomes even greater with a technology framework that allows system administrators to set access permissions on a per-user basis, integrate their rights management tools with the organisation’s identity and access controls, and automatically apply rights management principles to data within a document before it is allowed to pass through the organisation’s IT system gateway.

Auditing and Reporting
Compliance with internal policies, government regulations and cosumer demands regarding control over personal information can become a daunting administrative task. Organisations can benefit from systems management and monitoring technologies that help verify that system and data access controls are operating efficiently, and identify suspicious or noncompliant activity.

Administrators also need to be able to centrally monitor how installed applications are being used, which is key to managing software assets and ensuring license compliance. In addition, the framework needs to help organisations reduce IT complexity and control costs by enabling administrators to quickly identify, diagnose and resolve network reliability issues.

Multi-pronged thinking
A major data spillage, security breach or failure to comply with government regulations can have significant long-term implications for an organisation’s bottom line, for its credibility with consumers, and for its brand. The challenge locally is convincing Australian organisations to take protection of data seriously while, unlike many US states and European countries, there are no laws to mandate reporting of data breaches.

Combined with thoughtful attention to an organisation’s policies, people and processes, technology can help lay a strong foundation for a successful data governance strategy.

The five elements of the technology framework described here are worth considering in this multi-faceted approach for businesses of all sizes. No single entity can tackle the privacy challenge alone. Addressing this issue will require broad collaboration among software developers, governments and industry organisations to utilise and promote technology as an enabler of privacy rather than the master of its downfall.