Dark Reading is part of the Informa Tech Division of Informa PLC


Operational Security // Big Data

2/6/2019 07:00 AM
Larry Loeb

Modern Enterprise – Stewards of Personal Data

Get on the nine-step program if you want to assure data privacy.

Privacy has been rising in users' minds lately. Far from being an abstract concern, it is having demonstrable and direct economic effects.

For example, according to a recent survey published by Forrester, 43% of US consumers are likely to cancel an online transaction if they read something in the privacy policy that they don't like.

This shows that consumers, as well as businesses, are increasingly concerned about how their private data is used by others, and enterprises are going to have to learn how to deal with that concern.

Of course, there is the rise of regulatory efforts such as the EU's GDPR to consider as well. Indeed, Article 8 of the EU Charter of Fundamental Rights says, "Everyone has the right to the protection of personal data concerning him or her."

The Internet Society (the organizational home of the Internet Engineering Task Force), with more than 95,000 individual members, has now weighed in on the topic. Last week it published its Privacy Code of Conduct, outlining the nine steps it thinks all companies should implement to assure data privacy.

The first step is to Become Data Stewards. "Act as custodians of users' personal data -- protect the data, not just out of business necessity, but on behalf of the people who have trusted you with it." This captures both the social and the business imperatives of privacy.

The other eight steps include:

Be accountable
Companies need to be transparent about privacy, including establishing safeguards for handling personal data and showing that they are being enforced. Should something go wrong, companies should be transparent about what happened as well as do their best to contain the harm.

Stop using user consent to excuse bad practices
Companies should not rely on user consent to justify their data handling practices. "Shrinkwrap" consent isn't good enough anymore.

Provide user-friendly privacy information
Users need relevant, readable information about how their personal data is being collected, used and shared.

Give people control of their privacy
People should be in control of what data they share, and when.

Respect the context in which personal data is shared
People should be able to see when and how their data is being used. Privacy must be the default, not some optional extra that is added on.

Protect "anonymized" data as if it were personal data
Such data could be re-identified, or used to single out particular individuals, by linking it with other data sets.

Encourage privacy researchers to highlight privacy weaknesses, risks or violations
Experts can help to establish an open, transparent process for responsible disclosure.

Set privacy standards above and beyond what the law requires
Going beyond the current legal minimum puts the enterprise in a position to help shape the privacy debate that will follow, rather than merely react to it.
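The warning about "anonymized" data above is worth seeing in working code. The following is an added example, not code from the article or from the Internet Society: a record-linkage attack that re-identifies records stripped of names by joining them with a public register on quasi-identifiers (ZIP code, birth year, sex), followed by a k-anonymity check and a simple generalization step that defeats the linkage. Both data sets are constructed for the example; the field names and the generalization rules are assumptions, not a standard.

```python
"""Linkage attack on "anonymized" records, plus a k-anonymity check.

Added example (not from the article or the Internet Society). The
"anonymized" release and the public register are constructed data.
"""
from collections import Counter

# Assumed quasi-identifiers: attributes that are not names but, combined,
# still single people out.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed "anonymized" release: direct identifiers removed, quasi-
# identifiers and a sensitive attribute kept.
ANONYMIZED = [
    {"zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birth_year": 1971, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1971, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02139", "birth_year": 1968, "sex": "F", "diagnosis": "migraine"},
]

# Constructed public register (think voter roll) carrying the same
# quasi-identifiers next to names.
PUBLIC = [
    {"name": "A. Example", "zip": "02138", "birth_year": 1965, "sex": "F"},
    {"name": "B. Example", "zip": "02138", "birth_year": 1971, "sex": "M"},
    {"name": "C. Example", "zip": "02139", "birth_year": 1971, "sex": "M"},
    {"name": "D. Example", "zip": "02139", "birth_year": 1971, "sex": "M"},
    {"name": "E. Example", "zip": "02139", "birth_year": 1968, "sex": "F"},
]


def qi_key(record, qi=QUASI_IDENTIFIERS):
    """Tuple of the record's quasi-identifier values, used as a join key."""
    return tuple(record[f] for f in qi)


def link_records(anonymized, public, qi=QUASI_IDENTIFIERS):
    """Join the release against the register on the quasi-identifiers.

    Returns {diagnosis: name} for every anonymized record whose key matches
    exactly one public record, i.e. every person who has been singled out.
    """
    index = {}
    for person in public:
        index.setdefault(qi_key(person, qi), []).append(person["name"])
    hits = {}
    for row in anonymized:
        names = index.get(qi_key(row, qi), [])
        if len(names) == 1:  # a unique match is a re-identification
            hits[row["diagnosis"]] = names[0]
    return hits


def k_anonymity(records, qi=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing the same quasi-identifier values.

    k == 1 means at least one record is unique on the quasi-identifiers and
    can be singled out by anyone holding a register with the same fields.
    """
    counts = Counter(qi_key(r, qi) for r in records)
    return min(counts.values())


def generalize(record):
    """Coarsen quasi-identifiers so more records share each key.

    Assumed rules for the example: keep a 3-digit ZIP prefix, round the
    birth year down to the decade, and suppress sex entirely.
    """
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_year"] = record["birth_year"] // 10 * 10
    out["sex"] = "*"
    return out


if __name__ == "__main__":
    print("k-anonymity of the raw release:", k_anonymity(ANONYMIZED))
    print("re-identified:", link_records(ANONYMIZED, PUBLIC))
    gen_release = [generalize(r) for r in ANONYMIZED]
    gen_register = [generalize(r) for r in PUBLIC]
    print("k-anonymity after generalization:", k_anonymity(gen_release))
    print("re-identified after generalization:", link_records(gen_release, gen_register))
```

On the constructed data the raw release has k = 1 and three of the four records link to exactly one name; after generalization k rises to 2 and no record links uniquely. The check worth running before any release is k_anonymity over the fields an outsider could plausibly obtain, not over the fields you happened to strip.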

While these steps are not guaranteed to be the entire answer to fulfilling regulatory requirements, any business that embraces them will find meeting such regulations far more doable than it would be if the Internet Society's advice were ignored.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
