National Cyber Security Alliance panel of privacy chiefs kicked off Data Privacy Day

NCSA kicked off Data Privacy Day 2013 with panels of privacy chiefs. The best quote of the entire event was one expert quoting another: “Privacy should be like electricity. You should just be able to expect it will be there.”

Data Privacy Day is great since it highlights both privacy and security. The two topics used to fit easily within the same category, but now are often at odds. The National Cyber Security Alliance (NCSA) kicked off Data Privacy Day 2013 with an event at the George Washington University Law School in Washington, D.C. that was streamed live on Facebook without requiring login. Privacy professionals from the government and corporate world discussed data stewardship and privacy innovation.

In the keynote address, the FTC's Maureen Ohlhausen discussed data security, protection enforcement, and policy. In one example, Ohlhausen announced that umbilical cord blood bank Cbr Systems had settled with the FTC. The charges were that it failed to protect the sensitive personal information of nearly 300,000 consumers when unencrypted backup files were stolen from a backpack left in an employee's car. Cbr must "establish and maintain a comprehensive information security program and submit to security audits by independent auditors every other year for 20 years."

"Cbr Systems is a leading provider of umbilical cord blood and umbilical cord tissue banking services. Consumers pay to preserve and store a newborn's cord blood and cord tissue because they contain stem cells, the use of which researchers are investigating to treat some diseases and conditions," the FTC announced on its site. "Cbr allegedly created unnecessary risks to personal information by, among other things, transporting backup tapes, a thumb drive, and other portable data storage devices containing personal information in a way that made the information vulnerable to theft." That information "included, in some cases, the names, gender, Social Security numbers, dates and times of birth, drivers' license numbers, credit and debit card numbers, card expiration dates, checking account numbers, addresses, email addresses, telephone number and adoption type (e.g., open, closed, or surrogate) of approximately 298,000 Cbr customers."

Additionally, the FTC complaint alleged that the "unencrypted Cbr laptop and unencrypted Cbr external hard drive contained network information, including passwords and protocols, that could have permitted an intruder to access Cbr's network, where sensitive personal health information was stored." The consent agreement package will be published in the Federal Register.

Screengrab of NCSA Data Privacy Day 2013 event 1st panel of privacy chiefs

Now, let's get back to the Data Privacy Day event, the first panel, and my favorite quote. "Privacy should be like electricity. You should just be able to expect it will be there," said Ari Schwartz, senior policy advisor, Office of the Secretary, U.S. Dept. of Commerce. He was quoting Richard Purcell, former CPO of Microsoft. Schwartz (left) was the moderator for the first panel, made up of Facebook's Erin Egan, Microsoft's Brendon Lynch, and MasterCard's JoAnn Stonier.

Microsoft's Chief Privacy Officer Brendon Lynch said, "Privacy is an art, not a science." Mr. Lynch mentioned Microsoft's principle-based privacy method as well as "understanding consumer expectations." However, he didn't touch on what is holding Microsoft back from following through with "what people want" regarding Skype transparency reports. The transparency was asked for by privacy organizations and advocates in an open letter to Skype and Microsoft. Lynch added that, "How a company deals with privacy is key to long-term success." For Data Privacy Day 2013, Microsoft released a privacy trends study, Privacy in Action video series, and privacy guides.

Facebook's Chief Privacy Officer Erin Egan said that innovating around the concepts of transparency and control is a key Facebook principle. She defended the new "graph search" feature, saying the information was always there and this was simply an "improvement of search." Egan talked about "meaningful" Facebook privacy controls, filters that allow users to see what others can see, and "iconization," the use of icons to alert users to privacy settings.

JoAnn Stonier, chief privacy officer at MasterCard, mentioned privacy-by-design and the privacy ecosystem several times. When the conversation turned toward regulation, Stonier talked about info ethics. She said regulations are needed because it's no longer just one site that has users' personal information and is adhering to that one privacy policy. Instead, "we are moving from a one to one, to one to many as the world becomes more converged."

The second panel was all about mobile. The moderator was the CDT's Director/Project of Consumer Privacy Justin Brookman, AT&T's Jeff Brueggeman, and the Director of the Future of Privacy Forum Jules Polonetsky. You can see more questions and quotes by reviewing the National Cyber Security Alliance tweets.


Follow me on Twitter @PrivacyFanatic

Copyright © 2013 IDG Communications, Inc.
