Opinion
The State of Privacy
Over the past two years, I've spent a lot of time looking at how the issue of privacy is impacting businesses around the world.
By Bob Bragdon, Publisher, CSO
February 05, 2007 — CSO —
We have been witness to during this time, one comes to appreciate the unique challenge that all organizations, including CSO, face when they address the privacy issue.
We speak often about the impact that government and industry regulations have made as drivers of security investment. With respect to privacy issues, that is certainly true. And few laws have impacted business more than California's breach notification law, SB 1386. It's a simple law requiring organizations that experience a breach of customer data to let the customer know. That one law has changed how businesses perceive privacy and how they address it. It has made privacy a business issue and has further made good privacy protections a component of good business practice.
Why? I believe that Larry Ponemon's research sums it up best. Through his Ponemon Institute, his research has discovered that each lost (compromised) customer record costs a company an average of $182, and that having to notify those customers of the breaches has far-reaching implications on the business. Of the 23 million adults who have been notified that their data had been lost or compromised, 20 percent terminated their accounts and another 40 percent consider doing so. (So much for identifying, reaching and retaining your best customers.) It was this simple act of notification that forced the boardroom to wake up and take notice.
The legal implications of this awakening are deep and complex. My good friend Christopher Wolf, an attorney at the law firm of Proskauer Rose, recently wrote a treatise, "Proskauer on Privacy, a Guide to Privacy and Data Security Law in the Information Age." He's done a wonderful job spanning the breadth of the topic and provides a thorough examination of the legal issues that must be addressed. At four inches thick it's not a great beach book but one that I would strongly recommend you give to your general counsel as a belated Christmas gift.
Back in 2002 when we first launched CSO I was fortunate to meet Rebecca Whitener, EDS's chief risk officer and an EDS fellow. As I struggled to make the connection between privacy and security, she brought it clearly into perspective for me. She said, "Without good security there is no privacy." It's that simple. The work that all of you do to secure your organizations creates the foundation upon which your organizations can ensure that they meet their obligations with regard to privacy.
It's a never-ending challenge. You must continue to "educate up, down and out" and make sure that the people in your organization understand the value of good privacy and the risks associated with not maintaining your vigilance.



