There was a time when people defined privacy as the right to be left alone, spurred by Supreme Court Justices way back when who saw the need to protect from the intrusion of instant cameras, of all things. Then there was a 2.0 definition that required a person to show harm of a so-called privacy violation in such areas as intrusion upon seclusion, appropriate of name or likeness, publicity given to private life, and publicity placing a person in a false light.
|Some privacy-related incidents may not be illegal but the enterprise could still take a brand hit, says Andrew Serwin, a partner with Foley & Lardner in San Diego and a Security Magazine “Most Influential” executive.|
Today, given the changes in society, the steady march of technology, enforcement mechanisms that now exist, and how invasion of privacy can impact an enterprise’s brand and reputation, it’s now time for Privacy 3.0, contends Andrew Serwin, a partner with Foley & Lardner in San Diego and a Securitymagazine “Most Influential” executive.
His idea: the principal of proportionality which balances the sensitivity of data against the benefit of collecting or processing it. “Neither government nor private citizens benefit – and they have much to lose – from overbroad privacy restrictions,” says Serwin, who believes that there is a need to focus regulation on the most sensitive data with appropriate protection while reducing regulation where there is a societal benefit.
Measuring by Sensitivity
He sees four levels of information: highly sensitive, sensitive, slightly sensitive and non-sensitive. “The level of security and privacy with each would vary according to sensitivity as well as the methods used to collect, process and use information,” he points out.
“It’s all about consistency and clarity” for enterprises, chief security officers and chief information officers.
Right now there are numerous agencies, regulations, definitions, compliance requirements, cross border and industry specific rules that form a crazy quilt headache. And there is much to lose ranging from dollar to brand and reputation damages.
Take healthcare privacy, as one example, with its Health Insurance Portability and Accountability Act (HIPAA) and Health Information Tech-
nology for Economic and Clinical Health Act (HITECH) federal requirements. They center on the need to privacy protect personal health records as well as some security video in hospitals.
The latest benchmark study by Ponemon Institute, sponsored by ID Experts, finds that data breaches of patient information cost healthcare organizations nearly $6 billion annually, and that many breaches go undetected. The research indicates that protecting patient data is still a low priority for hospitals and that organizations have little confidence in their ability to secure patient records, putting individuals at great risk for medical identity theft, financial theft and embarrassment of exposure of private information.
The passage of HITECH Act last year widened the scope of privacy and security protections under HIPAA to provide stronger safeguards for patient data. This includes notification to patients when their information is breached.
Still a Struggle to Meet Compliance
“Our research shows that the healthcare industry is struggling to protect sensitive medical information, putting patients at risk of medical identity fraud and costing hospitals and other healthcare services companies millions in annual breach-related costs,” says Dr. Larry Ponemon.
Key findings of the research:
• The impact of a data breach over a two-year period is approximately $2 million per organization and the lifetime value of a lost patient is $107,580. The average organization had 2.4 data breach incidents over the past two years. Major factors causing data breaches are unintentional employee action, lost or stolen computing devices and third-party error.
• Healthcare organizations are not protecting patient data. Organizations have little or no confidence in their ability to appropriately secure patient records (58 percent).
• Protecting patient data is not a priority. Seventy percent of hospitals stated that protecting patient data is not a top priority.
“We talk with healthcare compliance people dealing with data breach risks every day and they just can’t get their arms around the problem of data exposure,” says Rick Kam, president and co-founder of ID Experts. “Unfortunately, in healthcare organizations, patient revenue trumps risk management.”
The bottom line: Enterprise security leaders – beyond healthcare – also need to take logical and physical security action protecting data, including security video information, based on proportionality according to levels of sensitivity. Such an approach “will provide the stability necessary to bring order to the confusing morass of today’s privacy laws,” observes Serwin.
And Privacy 3.0 is yet another opportunity for CSOs to take the lead.