Friday, March 02, 2007

Utmost attention will be paid to secure personal privacy

Densely typed, at nearly 2,000 words over four pages, the policy statement of The University of Washington’s Electronic Information Privacy Policy on Personally Identifiable Information lays out in clear terms what PII is at the University and who can grant exceptions to the rules. The document requires familiarity with technical information and communication systems and at least some knowledge of the University: how it is structured and administered.

The document sets out the University’s goals in relation to Personally Identifiable Information (PII): to be “in full compliance with all related federal and state statutes and regulations, and demonstrate a rigorous commitment to core values of maximizing trust, integrity, and respect for privacy.” It is a statement of clear commitment, one that, using the methods outlined in this case study, can be accomplished through a collaborative, enterprise-wide community commitment to the ideal, so that insurance costs do not escalate beyond the UW’s ability to pay, and so as to maintain a sense of respect, responsibility, and dedication to humanity.

There can be no doubt that the tone of this document is intended to protect people, and it enumerates who “they” are in some detail. The document outlines the exceptions to the control of information by detailing which executives may take responsibility for PII.

In contrast to the stated commitment and ideal, the reality is more difficult to practice because “60% to 80% of consumers' PCs are infected with spyware”, as Kirk Bailey, UW’s Chief Information Security Officer, told MSIM2008 interviewers, “But much, if not all of any individual’s Personally Identifiable Information (PII) is already available through other online sources. In fact if an organization loses control of someone’s PII, it would be very difficult to prove who the source really was.”

The truth is that most, if not all, PII is already publicly available. This was demonstrated by Kirk Bailey’s study, reported in the New York Times and the Seattle Post-Intelligencer, in which his valid birth certificate was obtained with little difficulty and leveraged to gain control of bank accounts. By cross-referencing a number of sources, such as databases and search behaviors, other information may be inferred.

There are several motivating factors underlying the reasons to protect Personally Identifiable Information, but the primary ones are reputation and risk management. Reputation and cost are inextricably linked, because the law requires that each case be remediated for each individual affected.

Organizations and individuals have been successfully sued for millions of dollars in privacy claims. Common practice is to settle class action and group lawsuits out of court, to avoid further damage to the organization and its reputation, tarnishing of its brand, and disruption to the business in terms of compliance and audits. The expense never really ends; the costs are ongoing in the form of insurance.

The definition and legal application of privacy standards such as HIPAA are still being tested in practice, because they were enacted only recently. Company executives have lost their jobs, and organizations their reputations, because they could not show that they had complied with best practices for securing PII data on their systems, or, worse yet, because they intentionally misused their customers’ PII by selling it to a third party without permission.

Losing control of PII is expensive to remediate. By statute in Washington State, when a person’s PII has been compromised they must be informed. At the University of Washington, it is estimated that last year this cost $187.00 per personal contact. The University’s reputation, as well as its brand, is at stake when PII is lost. And it is no fun for the people who have to make those calls: in order to assume responsibility and restore some faith that the organization’s intentions are good, the senior staff speak with truly irate individuals.

At the current time, security breaches and PII loss appear inevitable, so the University’s CISO, Kirk Bailey, takes a four-fold approach to reducing risk and obtains insurance against such losses. Enterprise-wide, voluntary, even eager, compliance with regulations and statutes is a best practice in terms of loss prevention, and it is a major factor in the methods he applies.

Regarding how companies abuse privacy, Kirk Bailey said in his PBS “Hackers” interview that unscrupulous companies do this with “The placement of "cookies" or the requesting of information when you log onto the site. Forms that are filled out and then that information is rolled up into databases, or tracking your activities on their Web sites to create a profile of what your interests might be, then using those conjectures and that real data and wrapping it within a profile and selling it that information. We know those things take place. I resent those kinds of things. I find that unacceptable. It's not necessary. . . .”

-Kirk Bailey, PBS interview, 2001 http://www.pbs.org/wgbh/pages/frontline/shows/hackers/interviews/bailey.html


Shukovsky, P. “‘Good Guys’ show just how easy it is to steal ID.” Seattle Post-Intelligencer, March 5, 2005 (retrieved from the web March 19, 2005). http://seattlepi.nwsource.com/local/214663_googlehack05.html
