
Some more information and ideas for Data Privacy Day, January 28

Last Thursday I posted about how tomorrow (1/28) is International Data Privacy Day.

I was delightfully surprised to receive an email in response to my blog post from Leonardo Cervera, the coordinator of Data Privacy Day 2008! Be sure to check out his site to find comprehensive information about all the activities being done for Data Privacy Day, as well as to see the world-wide support Data Privacy Day is being given...it is good to see government agencies and large corporations acknowledging the importance of preserving privacy.

Another site worth checking every day for information about the privacy incidents that occur daily is pogowasright.org.

I get really tired of reading news articles and hearing others' opinions about how we don't have any privacy anymore, that there is nothing we can do about it, and that everyone should just accept it.

HOGWASH!

The ongoing popular argument for this statement is always a reference to how people will post their information to social networking sites, or how people will give unknown employees at stores their credit card numbers to make purchases. This is always quickly followed up by, "See, people don't care about their privacy. They do this all on their own."

It is important to recognize that there are basically two ways in which people lose privacy:

1. They give it away by doing something silly, by not thinking things through before taking an action, by making a mistake, by being unaware of the consequences, or by being suckered by a criminal.

2. They *HAVE IT TAKEN AWAY* by an organization to whom they have entrusted their personally identifiable information (PII), such as a doctor, accountant, insurance company, government agency, and an infinite list of other organizations and businesses, because the organizations and businesses had poor safeguards for the PII, they made mistakes, or they valued profit over the cost of implementing safeguards and were willing to put PII...and privacy...at risk.

Number 1 above must be addressed with better awareness and understanding of the risks involved with transferring, storing and posting PII. There will always be people who will be their own worst privacy enemies, or who believe the untruths that their trusted professionals tell them about privacy, but we must continue trying to raise awareness.

Number 2 must be addressed with a number of actions, including the passage of comprehensive, understandable, effective and consistently enforced privacy laws, by asking our employers what they do to protect privacy, by asking the companies we do business with what they do to protect privacy, by reporting data protection and privacy law noncompliance to government oversight and enforcement agencies, and by telling organizations that they are responsible for taking the actions necessary for protecting PII. Privacy is not dead if you demand that it be addressed.

So, here are a few more ideas for you, personally, to do for Data Privacy Day:

1. Notice if your employer is doing anything tomorrow for Data Privacy Day.

a) If they are doing nothing, call your information security officer, privacy officer, CEO, and any other CxO, and tell them that it is Data Privacy Day! Tell them some of the communications and activities that other organizations and government agencies are doing to highlight the importance of privacy. Make them aware of the day; if you don't, who will?

b) If they are doing something, participate! Provide feedback. Get involved.


2. Call and ask your banker/insurance provider/school/doctor/lawyer/credit reporting agency/etc. what they are doing to protect PII. Ask them any or all of the following...

a) I would like to view my PII; how can I do this?

b) I would like to correct some errors within my PII; how can I do this?

c) Do you have a documented and tested privacy breach prevention and response plan?

d) With what other organizations do you share PII?

e) Do you provide regular information security and privacy training and ongoing awareness communications to your employees, your contracted staff, and your outsourced vendors?

f) When was the last time you experienced a privacy breach? What did you do, as a result, to ensure it does not happen again?


You will not have privacy if you give it away and allow others to take it from you. To keep organizations from saying there is nothing they can do, continue to ask your employers, and organizations you give business to, what they are doing to protect PII.

Go make it a great day! Raise some awareness, and let us know what you did to promote privacy. Let Leonardo Cervera know, and he might put your activity on his website. Let me know and I definitely will put you on this website! :)


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for the past two decades. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the world's best privacy experts and on their list of the best privacy consulting firms in both 2007 and 2008. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 13th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.