NEW YORK -- Thanks to the explosion of social networking and all those nifty web apps people use to bank and shop online, the bad guys now have an endless supply of attack vectors to steal personal data. In fact, some security industry experts have declared privacy dead.
Whatever the case may be, companies are increasingly under the regulatory gun to keep customer, employee and supplier data safe from prying eyes. At the CSO Security Standard Tuesday, attendees got a taste of what General Electric (GE) is doing to meet the challenge.
Nuala O'Connor Kelly, senior counsel and chief privacy leader for GE, started with a question for the audience: What is privacy? Answer: the right and the ability to control how your personal information is used.
The trick for GE is the same as it is for most organizations -- how to achieve security without setting off animosity someone might feel about being violated.
An example of the delicate balance is the new TSA body scanners. We want to be safe on the airplane, but we don't want to be the one to walk through those new, very revealing scanners. This can present a challenge for companies that rely on extensive business travel.
In the world of social networking, privacy is in the user's control in that they choose which details to include in something like a Facebook profile page. In practice, people have a habit of revealing too much on their own; in a sense, they are happily giving up their privacy. The thornier problem for companies is how much information employees might put out regarding the business. The legal side of the house is therefore absorbed with making new rules on what kind of company information can be shared in the social networking arena.
Then there's the growing array of mobile devices people use for both personal and work activities. Companies face the challenge of letting those devices in while at the same time making it clear what kinds of company data are and aren't acceptable to share.
Though there's no one-size-fits-all manual for dealing with these issues, GE took one major step O'Connor Kelly believes has made a major difference: Bringing the legal and IT security sides of the house closer together.
O'Connor Kelly has worked with GE Chief Information Security Officer Grady Summers to get there, launching a GE Information Governance Council that combines the strengths of IT and legal, reviewing information management and policy issues holistically across the data life cycle.
Counsel worries about the policies needed to ensure that "the right information is in the hands of the right user at the right time." From there, the CSO can take those concerns and work on how to embed the necessary privacy controls into the IT infrastructure, whether that involves full encryption of information shared over e-mail or controls to block what employees can do on social networks.
"Regulatory excellence is embedded in IT," she said. "We audit each business function to see which specific requirements apply, be it HIPAA or something else, and we look at which regulatory best practices apply to the whole company. Ultimately, the systems reflect the regulatory environment."
For their purposes, the definition of information governance is the set of rules, policies and procedures relating to the creation, use and disposal of GE assets. The biggest headache, it turns out, concerns the disposal part.
"Knowing where all our data is and what we should keep or not keep is a thorny issue," she said.
Regardless of how difficult the challenge is, she said the partnership between counsel and IT has made a world of difference.
"I wouldn't say we've settled all of the structural issues, but in terms of what information governance is, it's really about how we create information, how we keep it safe and secure and accessible during its lifecycle, and how we thoughtfully dispose of it. So we've brought in document management and data lifecycle, data retention, e-discovery and a whole bunch of other disciplines, under the information governance umbrella," she said.