5 Things I’ve Learned About Privacy

As founder of the Ponemon Institute, a privacy and business ethics think tank, Dr. Larry Ponemon worries society will give up on privacy ideals as protecting personal data becomes harder.

My own privacy has been compromised. I’m a U.S. Navy veteran, and I was among the more than 26 million servicemen affected by the VA breach last year. It was interesting to experience how an organization responds to a data breach. In addition to this egregious event, I’ve received more than five other notifications that my personal information was lost, stolen or compromised. Frankly, I’ve learned a lot from these very poorly crafted communications and have been able to use this experience to help companies better prepare for the likelihood of a data breach.

Many companies remain complacent about their data protection responsibilities. They fail to control certain portable devices such as laptops, PDAs, USB memory sticks and others. Companies are paralyzed by inaction or the belief that this is a problem too daunting or expensive to proactively address. Instead of assessing their risk profile and implementing a plan based on practical information needs, some companies believe their only option is to do the legal minimum and pray for good outcomes. They hope the next breach will happen to some other company in their industry. Well-intentioned executives in good companies make this fundamental mistake every moment of every day.

RELATED LINKS

Eight Strategies to Strengthen Network Security

How to Protect Consumer Data Privacy: A Proposal

With respect to data security practices, we try to practice what we preach. From a technology perspective we have a number of security measures in place that I don’t want to reveal to avoid tipping my hand to the proverbial bad guys. We are aware of the danger that comes from not paying attention to having responsible information management practices in the workplace.

The CIO is essential to creating a culture for responsible information management. As CIO, you are responsible for all the information your organization collects and uses about people. Beyond better technology, the road to good privacy starts with good data governance. Avoid “silo thinking” and make sure the privacy and security functions and goals are properly aligned.

My own thinking about privacy has changed over time. Despite 9/11, I was more optimistic five years ago about businesses and governments in their attempts to protect our data. I believed the information technology marketplace would advance new tools to make it easier for companies to regulate privacy compliance and safeguard sensitive or confidential information. I thought there would be a big change in consumer attitudes, knowledge and concern about their privacy rights. This wave of public concern did not happen. I also thought that a rash of class-action lawsuits would emerge, making it even more difficult and painful for companies to shirk their privacy commitments. Finally, I expected that a comprehensive national privacy law would have been enacted.

My top privacy concern as a consumer is the real possibility that our society will give up on privacy ideals completely on the basis that the protection of any individual’s personal information is too hard or no longer possible. In my opinion, there is a real possibility that future generations will no longer have the right to expect privacy, thereby creating enormous asymmetric powers for organizations to use private information as a social control mechanism (a.k.a. Big Brother). While this may sound like a science-fiction movie such as “Minority Report,” it can happen quickly if we are not on guard.

In general, however, I do put my trust in an organization if I want to do business with them. No company is perfect, so there’s an element of privacy risk in most consumer transactions. But I believe that by doing business with trustworthy companies, and being smart about how I conduct my transactions, my information risks can be minimized.

There is a “privacy age gap.” Younger folks don’t seem to have the same level of concern as us older folks. This gap is best illustrated by the millions of kids who regularly post embarrassing facts about themselves and their friends on social networks, blogs and other publicly available Internet locations. It is my belief that this gap will close once the younger generations have to get a real job and pay their bills. Only time will tell!