Ben's Book of the Month: Practical Data Privacy: Enhancing Privacy and Security in Data


Posted on by Ben Rothke

In the history of computer security, Pretty Good Privacy (PGP) is one of the most influential encryption programs ever created. With the ability to make data and email communications more secure, even to government entities, it’s an invaluable tool.

 

But as powerful as PGP is, Alma Whitten and J.D. Tygar wrote in their seminal paper Why Johnny Can’t Encrypt - A Usability Evaluation of PGP 5.0, that user errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near nonexistent. So, even with a robust program like PGP, the powerful encryption is worthless if incorrectly implemented.

 

When it comes to data privacy within an organization, getting it right is significantly more complex and challenging than just a single encryption program. In Practical Data Privacy: Enhancing Privacy and Security in Data, author Katharine Jarmul has written a superb guide detailing what needs to be done to enable this beast called data privacy.

 

It was not that long ago that data was seen as an asset. With cheap storage, organizations had no incentive not to obtain as much data as they could and store it for as long as they wanted. But regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and many more have turned data into a liability.

 

In November 2022, Google settled with 40 states over claims they misled users into thinking they had location tracking turned off. Google agreed to pay nearly $400 million to settle location tracking investigation lawsuits. Meta, a company that does not take fraud seriously, and had long treated privacy as an afterthought, was fined $277 million for the data leak of half a billion users. So, the costs of privacy non-compliance are significant.

 

The book starts with an overview of privacy, anonymization, and other core topics. Then, Jarmul launches a tour de force into the myriad details needed to ensure data privacy is implemented. She makes a fundamental point throughout the book: privacy is not just done by information security. It needs to be done in a multi-disciplinary approach with various teams in an organization. The key to doing privacy right is to move it from a piecemeal approach to privacy by design. While privacy by design and by default is a crucial part of GDPR, it must also be part of every effective privacy program.

 

The chapter on privacy attacks is particularly interesting. While much has been written about network and application attacks, there are countless attack vectors where sensitive data can be breached due to failures in the underlying privacy controls.

 

Privacy is a challenging task to do correctly. Firms have two options, be proactive and do it right. Or, be in the receiving end of a lawsuit and eventually do it right. Practical Data Privacy is an invaluable guide to show you how to do it right.

 

Jarmul has written a highly technical yet very readable and practical guide for those looking to both start or enhance their privacy initiatives. This is a book that should be in the hands of every developer, systems architect and security team member in every organization.

 

Those organizations that have been on the receiving end of a lawsuit due to privacy concerns will often be left with six-figure legal bills, from which they gain no benefit. The best way to do privacy right is proactively, and this is one of the best books on that topic.


Contributors
Ben Rothke

Senior Information Security Manager, Tapad

Protecting Data & the Supply Chain Ecosystem

privacy data security

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs