The need for lifelong learning and a willingness to respond to a changing risk environment are two of the elements that attract many professionals to a career in corporate security. One such emerging challenge facing security leaders involves governance related to the collection, storage and transmission of personal information and the ethical utilization of it. While there are compliance programs currently in place that govern the protection of individual medical and financial data, there are clearly additional challenges on the horizon.

It has become commonplace to hear about the release or publication of sensitive personal information. This data is often obtained from electronic materials that have been removed or copied by organizational insiders and/or external people or groups. Publication of this type of material has had significant negative impacts on individuals, public and private organizations and various government agencies. Breaches of this nature are generally condemned and often successfully prosecuted.

An area in which laws and acceptable ethical practices are either nonexistent or emerging is the use of previously misappropriated information that has been legally collected. In this circumstance, we frequently see the utilization or publication of this information by individuals and organizations who, while knowing the information to have been misappropriated by others, benefit from its publication and dissemination.  This is a growing concern that will be an evolving opportunity for security professionals.

The events above often involve violations of law. A related issue going forward involves the proliferation of sales and repurposing of personal information that was freely given for one purpose but then was sold to others without the individual’s full understanding of the initial collector’s utilization and/or third-party sales activities.

Through their services that support personal interactions and communications, companies are expanding their collection and analysis capabilities of information freely provided by individuals. We are already beginning to see legal controls established to help address abuse. Unfortunately, legal controls are not happening at a fast-enough pace to keep up with technologic advances and the growing utilization of artificial intelligence to aid in monetizing the collected data.

While it is important for society to derive benefit from the availability and wide access to information, are our current criminal and civil statutes effective in addressing all these issues? Abuse, carelessness and nefarious intent can have devastating impacts on individual privacy. This behavior also affects brand, reputation and resiliency of organizations and can go as far as to negatively impact the national and economic security of a country’s citizens.

It may be many years before governments fully establish the legal framework to govern the appropriate utilization of information gathered by organizations. These are broad, complex issues that will be part of a CSO’s organization’s security risk-related mitigation strategy in the future. Security professionals should plan to be poised to aid and influence their organization’s strategies and polices surrounding these future challenges.