Dark Reading is part of the Informa Tech Division of Informa PLC
8/29/2019
10:30 AM
Privacy 2019: We're Not Ready

To facilitate the innovative use of data and unlock the benefits of new technologies, we need privacy not just in the books but also on the ground.

Omer Tene, VP, International Association of Privacy Professionals (IAPP), also contributed to this article.

By any measure, this summer has been a busy time for privacy news. It started with a flurry of enforcement activity in Europe, including announcements from the UK privacy regulator of fines of $230 million against British Airways and $125 million against Marriott. It continued with a high-stakes standoff in Europe's highest court between Max Schrems (a prominent privacy advocate), Facebook, and the Irish Data Protection Commissioner, which could jeopardize the future of transatlantic data flows. Finally, it ended with a big bang: news of the FTC's $5 billion fine against Facebook in connection with the Cambridge Analytica scandal, released in the humdrum of a summery Friday afternoon.

The message resonated loud and clear in corporate boardrooms from Silicon Valley to London: Privacy has become a first-order media and regulatory concern.

How should businesses respond to this new drumbeat of privacy outcries and enforcement actions? The risks of data mismanagement -- costing hundreds of millions of dollars and including security breaches, inappropriate information sharing, and "creepy" data uses -- are no longer an acceptable cost of doing business. It is abundantly clear that society cannot experience the full benefits of a digital economy without investing in privacy.

The good news is that the public has recognized the gravity of the problem. Breakthroughs in healthcare, smart traffic, connected communities, and artificial intelligence (AI) confer tremendous societal benefits but, at the same time, create chilling privacy risks. The bad news is that we're hardly ready to address these issues. As Berkeley professors Deirdre Mulligan and Kenneth Bamberger wrote in Privacy on the Ground: Driving Corporate Behavior in the United States and Europe, it's one thing to have privacy "on the books," but it's quite another thing to have privacy "on the ground."

According to research by the International Association of Privacy Professionals (IAPP), more than 500,000 organizations have already registered data protection officers in Europe. Yet only a fraction of those roles can actually be staffed by individuals who are trained on privacy law, technologies, and operations. To rein in data flows across thousands of data systems, sprawling networks of vendors, cloud architectures, and machine learning algorithms, organizations large and small must deploy highly qualified people, technologies, and processes that are still in the early developmental stage.

First, the people who will serve as foot soldiers of this army of professionals must be modern-day renaissance persons. They have to be well-versed on the technology, engineering, management, law, ethics, and policy of the digital economy. They need to apply lofty principles like privacy, equality, and freedom in day-to-day operational settings to disruptive tech innovations such as facial recognition, consumer genetics, and AI. They need to not only understand the logic underlying black box machine learning processes but also the mechanics of algorithmic decision-making and the social and ethical norms that govern them. Unfortunately, existing academic curricula are siloed in areas such as law, engineering, and management. Government, academic, and accreditation bodies should work to lower the walls between disciplines to ensure that lawyers and ethicists talk not only to each other but also with computer scientists, IT professionals, and engineers.

Second, researchers and entrepreneurs are building a vast array of technologies to help companies and individuals protect privacy and data. Just last week, OneTrust, a privacy tech vendor, raised $200 million at a valuation of $1.3 billion, making it the first privacy tech unicorn merely three years after its launch. Some of these new technologies help organizations better handle their privacy compliance and data management obligations. Others provide consumers with tools to protect and manage their own data through de-identification, encryption, obfuscation, or identity management. Over the next few years, governments and policymakers should give organizations incentives to innovate not only around data analytics and use but also around protection of privacy, identity, and confidentiality.

Third, organizations should deploy data governance processes and best practices to ensure responsible and accountable data practices. Such processes include privacy impact assessments, consent management platforms, data mapping and inventories, and ongoing accountability audits. With guidance from regulators and frameworks from standard-setting bodies, such as the National Institute of Standards and Technology, procedural best practices will develop for both public and private sector players.

Like so many complex societal issues, privacy concerns require a matrix of responses. We certainly need strong laws and effective enforcement, but organizations should also embrace their stewardship of data and invest in the processes and technologies to better manage their data stores. Importantly, we need to continue to educate and train professionals with the knowledge and skills to make ethical, responsible decisions about how data is handled. To facilitate innovative data uses and unlock the benefits of new technologies, we need privacy not only in the books but also on the ground.


As president and CEO of the International Association of Privacy Professionals (IAPP), J. Trevor Hughes leads the world's largest association of privacy professionals, which promotes, defines and supports the privacy profession globally. Trevor is widely recognized as a ...

Comments
Jim_Gordon, 9/16/2019 | 5:15:31 PM
Great article. Great perspective.
Promote Intel's approach to privacy ... https://usprivacybill.intel.com/

The world is definitely not ready. Honestly, most enterprise and government leaders don't even yet know what they are getting ready for. Great article. Great perspective. Intel (my employer) has an approach to privacy worth considering. Steal with pride, look at it for ideas, participate in the online discussion or even send feedback if you have any. Do all of that at https://usprivacybill.intel.com/
DHorse2, 9/5/2019 | 4:15:42 PM
Who gets privacy.
What a good article. I agree with it, aside from some issues that get skipped. What's ironic is that in theory (simple strategies) I can provide a secure personal device or network, to the extent you could detect an active Minix 3 backdoor, which means other people can. Where people can be private and corporations can't, we can expect a government response.