Data Privacy Day Comes With New Security Recommendations
Today (Jan. 28) is the third annual Data Privacy Day, sponsored by Microsoft, Intel, Visa and Google and recognized by governments across North America and Europe.
In honor of the event, the Online Trust Alliance, a nonprofit organization promoting security compliance in online communications, wants to prove that the term digital privacy is not an oxymoron.
After a year of increased reports of data breaches, accidental data losses and incidents of compromised user privacy, OTA has just released its 2011 Data Breach Incident Readiness Guide, meant to provide a roadmap for businesses on how to best protect sensitive information.
"In the past five years, over 525 million records containing sensitive personal information have been compromised, significantly undermining the foundation of consumer trust," Craig Spiezle, executive director and president of the Bellevue, Wash., group, said in a press release. "With the onslaught of criminal and deceptive business activities, we are calling on business leaders to develop a readiness plan. Those failing to act may be faced with increased public scrutiny, regulatory pressures and a tarnished brand reputation."
In 2010, over 400 data breach incidents were reported, involving over 26 million records, at a cost to U.S. businesses of over $5.3 billion, according to the OTA's report.
Of these incidents, 98 percent came from exploitation of servers. Yet the OTA said 90 percent of them could have been avoided if the recommendations outlined in the OTA report had been adopted.
Research and industry surveys by the OTA indicate the number of reported incidents was just the tip of the iceberg, as a great majority of breaches continued to occur undetected or unreported.
While the OTA encourages self-regulation and reporting by online businesses, the trends outlined in the report suggest the need for broader transparency and self-reporting requirements.
When creating a readiness plan, Spiezle recommends that businesses take the following steps:
1. Get executive buy-in. Make sure the company's top officers are all on the same page regarding security and privacy plans.
2. Audit and inventory the data that all groups within a company have. Some of this may include data that individuals have collected but never documented.
3. Validate the need for the data and how the data is accessed. (Is there a real business purpose?)
4. Review security practices suggested by the OTA. Validate what can be done immediately versus what can be done over 30-60 days.
5. Assemble a working group to review process and procedure.
6. Develop a plan and empower an incident-response team.
Because so much of the data that needs protection is personally identifiable information belonging to customers, consumers have a right to know how a company is protecting their privacy.
When dealing with any business, Spiezle told SecurityNewsDaily, customers need to understand what data the company is collecting, how that information is collected and tracked, how it is used, and if and how it is shared with third parties.
"The OTA recommends that businesses move toward a standard format, so consumers can make an informed choice," he said. "For example, think of a food nutrition label or a car sticker. The information is clear and comparable."
Customers, by sharing their concerns with companies, can encourage companies to take steps to protect online privacy.
"Data and privacy is the currency of the digital marketplace," said Spiezle. "Data stewardship is good business for the consumer, the business, and the long-term vitality of Internet-based services and commerce."