Protecting privacy

Privacy concerns exist wherever in the world uniquely identifiable data relating to a person is collected and stored. The origin of identity is always government-based. If someone is hired by a company, the first day on the job they will be asked for a driver's license or something else issued by the government to establish identity.

The US government has mechanisms and agencies in place to ensure the public's privacy protection, including the Federal Trade Commission (FTC), which claims that privacy is a central element of its consumer protection mission. But even the FTC cautions that as personal information becomes more accessible, companies, associations, government agencies and consumers alike must take precautions to protect against its misuse.

The call for stricter regulations could help motivate increasing numbers of enterprises to participate in a movement to better protect individual privacy.

"In the United States, stringent regulations could be a wake up call that says we need a comprehensive understanding and a plan on how to deal with information privacy," says Rob Marano, president, CEO and CTO of InDorse Technologies. "But it is not going to happen anytime soon. In the meantime, the wakeup call could be a data breach that causes a company to wind up on the front page of The Washington Post."

In other parts of the world, privacy is seemingly taken much more seriously than in the United States. "The data privacy laws in the European Union are very strict," says Marano.

Can it be that the problem is just too intractable?

"Data loss may be controlled, but it probably cannot be stopped entirely," says Marano. "And since much of the problem is based on human behavior, to fix it you have to change behavior. Thus, it will be impossible to fully contain. The challenge to the industry is to enable users to be safe online, but without having to go through a lot of change."

Locking IDs

In this economic climate, the atmosphere is rife with internal threats. For example, if a disgruntled employee is laid off, they may retain their access to sensitive systems.

"We see this as a major driver leading companies to adopt strong authentication products," says Thorsten George, vice president of marketing at ActivIdentity. "It is very labor-intensive and expensive sometimes to decommission passwords. You cannot just push a button and decommission thousands of accounts."

Before an enterprise contemplates privacy assurance or compliance, it is important to know what data it has and how it is being used. In many cases, companies say they do know, but in reality, oftentimes, they do not.

"Companies must go through a data classification process to determine what they have, and determine what it is that is most critical," says Glen Kosaka, director of data protection marketing at Trend Micro. And then, he adds, they need to find out where it resides and how it gets used.

In some cases, that means reference to how data is collected, stored and associated. In other cases, the issue is who has access to the information. Other issues include whether an individual has any ownership rights to data about them, and/or the right to view, verify and challenge that information.

The next step is to determine the most vulnerable leak vector. Is it laptops, desktops, offshore sites, USB storage, email? Typically, the highest priority vectors are email, laptops and removable storage devices. And as iPhones and MP3 players become more popular, more ways for data to leave the company - either accidently or maliciously - are introduced.

The bottom line is that protection of privacy requires constant vigilance and enterprises are likely to be the primary targets for those who would invade it.

"No security solution is perfect," says Trend Micro's Kosaka. "A determined thief can always find a way to get around the system."