Data Privacy in the 21st Century

Posted on by Robert Moskowitz

Privacy impacts both the quality of life and business success. In today's highly automated and digitized world, the concept of "privacy" effectively boils down to data privacy.Simply put, you want to be able to keep certain information from being shared (voluntarily or involuntarily) with others.

Although the word "privacy" does not appear in the United States Constitution, the Supreme Court has construed a basic right to privacy, and various courts have upheld laws delineating privacy rights and regulating invasions of privacy. Despite the best intentions, privacy remains under threat. It must be actively protected, particularly if you have information—such as financial information, details of valuable patents, or secret formulas—that others want.

As a result, a constant tug-of-war has developed between those seeking to maintain their data privacy and those seeking to breach it.

Privacy is considered a business requirement, and the larger the enterprise or the more valuable its information, the more extensive its efforts to protect privacy .

Even so, recent data breaches show that basic, common, human errors frequently compromise data privacy. Errors include using out-of-date software when more secure versions are available (Windows XP being a prime example) and sloppy handling of passwords and access codes. No amount of sophisticated and thorough security measures can prevail if users leave their passwords lying around in plain sight. And how often have we heard of a laptop, tablet, or smartphone disappearing while still configured to access the organization's sensitive data?

No organization can expect to maintain data security when it disposes of old equipment without first securely erasing sensitive information from its drives.

One of the most difficult battles being fought in the data privacy war is an internal one: maintaining a workable balance between protecting sensitive data and enabling trusted employees and partners to access it with reasonable speed, ease, and simplicity.

This battle is complicated with the advent of "bring your own device," that organizations should allow employees to access secure data using their personal computers, tablets, and smartphones.

Because the organization neither owns nor controls these devices, it is extremely tricky to grant access to  data without sacrificing privacy. Checking the device configuration or scanning for hidden vulnerabilities make personal device owners feel suspect. But allowing unfettered access to sensitive data opens the way for seriousrisks to data privacy.

At the very least, organizations must establish and enforce meaningful policies to keep sensitive data private and make these policies clear to everyone seeking access.

These policies depend on a comprehensive assessment of the types of data considered sensitive. Every organization should ask itself the following questions:

  • What types of data do we want to keep private?
  • How do we collect, store, and/or transmit this data?
  • What devices do our team members use as they work?

This initial analysis provides insights into various channels that can potentially compromise data privacy, and lead to meaningful defenses.

Here are other things organizations should consider:

  • Minimize the information saved and stored, focusing on what the organization absolutely needs instead of grabbing everything it can get
  • Avoid storing sensitive data on portable devices, which are intrinsically more vulnerable
  • Responsibly destroy information when no longer needed
  • Create standards for effective passwords, and prompt frequently to change passwords.
  • Restrict which machines can access private data, which  people can use those computers, and where they can go when browsing the Internet
  • Encrypt sensitive data so that it becomes worthless if stolen. Software-based encryption can be supplemented with specialized hardware-based encryption systems
  • Transmit data only by means of secure connections, such as SSL. Use unsecured connections only if the data has already been encrypted. Most organizations' security systems gradually evolve from weaker to stronger levels of protection, and rarely undergo a comprehensive SWOT (strength, weakness, opportunities, threats) analysis. By evaluating your current system against the various types of security measures that can help to maintain your data privacy, you may find some that can markedly improve your data security without costing significantly more than you're currently spending.

Robert Moskowitz

, New Mobility Partnerships

BYOD data security security operations

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community