A common refrain I hear from those in IT security runs along these lines: "Privacy? Yeah, we call that security. We'll take care of it."
Of course, you can't have a robust privacy program at your organization without good data security. There's little doubt about that. But there's good reason for going through the effort to do things like conduct privacy impact assessments as you evaluate new products, rather than just focus on not losing data.
In the process, you learn a lot about your organization and have the opportunity to recognize value to the business. And, as outlined in a great article from the Harvard Business Review, you need to combine IT security knowledge with business acumen if you want to find yourself eventually among the ranks of chief information officers and other high-level positions.
For instance, it's often the case that two separate databases of information are not, in themselves, full of personally identifying information. Maybe one contains a list of publicly available names and addresses - a customer list, with customer IDs for each record. No big deal. People can find that sort of thing on the Internet. Maybe the other contains a record of things shipped, and is anonymized, so that only a customer ID is associated with each product.
That's great privacy.
All of a sudden, however, a new initiative from someone in the accountant's office calls for the merging of these two databases. Now, the loss of the database would mean a list of who bought what. And you sell some stuff people might not want to be associated with, for whatever reason.
On one hand, you've got someone advocating for this initiative because it will save money, and create efficiency. The C-suite likes saving money.
The privacy impact assessment, however, identifies this newly created risk, which either creates the need for more expensive security (negating the cost-savings) or simply adds more risk than the created value via efficiency. If you, as the IT security hawk, make this case, it shows more than the ability to protect data and avoid disaster. You also show an understanding of the business, the value it provides to customers, and the many drivers that lead to business success.
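The linkage described above, modelled as an added example that is not part of the original article: two tables that are each low-risk alone become a list of who bought what once they are joined on the shared customer ID. The sample rows, the column categories and the check that flags the merge are constructed assumptions about how a privacy impact assessment might catch this, not anything the article prescribes.

```python
"""Model of the 'merge two harmless databases' scenario.

Added illustration, not code from the article. All tables and column
names below are constructed sample data.
"""
from typing import Dict, List, Set, Tuple

# Constructed customer list: publicly findable names and addresses, keyed by ID.
CUSTOMERS: List[Dict[str, str]] = [
    {"customer_id": "C001", "name": "Alice Example", "address": "1 Main St"},
    {"customer_id": "C002", "name": "Bob Sample", "address": "2 Oak Ave"},
]

# Constructed shipment log: anonymized, only the customer ID survives.
SHIPMENTS: List[Dict[str, str]] = [
    {"customer_id": "C001", "product": "widget"},
    {"customer_id": "C002", "product": "item-people-may-not-want-linked-to-them"},
]

# Assumed classification for the assessment: columns that identify a person,
# and columns that only become a privacy problem once tied to a person.
DIRECT_IDENTIFIERS: Set[str] = {"name", "address", "email"}
SENSITIVE_ATTRIBUTES: Set[str] = {"product"}


def columns(table: List[Dict[str, str]]) -> Set[str]:
    """All column names present in a row-oriented table."""
    cols: Set[str] = set()
    for row in table:
        cols.update(row)
    return cols


def merge_on(left: List[Dict[str, str]], right: List[Dict[str, str]],
             key: str) -> List[Dict[str, str]]:
    """Inner join on `key`: the accountant's initiative, implemented literally."""
    index = {row[key]: row for row in right}
    merged = []
    for row in left:
        match = index.get(row[key])
        if match is not None:
            merged.append({**row, **match})
    return merged


def linked_pairs(table: List[Dict[str, str]]) -> Set[Tuple[str, str]]:
    """(identifier, sensitive) column pairs that co-occur in one record.

    Each pair is a way of reading 'this named person did/bought X' straight
    off the table. An empty set is what the article calls 'great privacy'.
    """
    cols = columns(table)
    return {(i, s)
            for i in cols & DIRECT_IDENTIFIERS
            for s in cols & SENSITIVE_ATTRIBUTES}


def new_links_from_merge(left: List[Dict[str, str]],
                         right: List[Dict[str, str]],
                         key: str) -> Set[Tuple[str, str]]:
    """The privacy-impact check: which identifier-to-sensitive links would the
    proposed merge create that neither source table has on its own?"""
    before = linked_pairs(left) | linked_pairs(right)
    after = linked_pairs(merge_on(left, right, key))
    return after - before


if __name__ == "__main__":
    print("customer list links:", linked_pairs(CUSTOMERS))   # set()
    print("shipment log links: ", linked_pairs(SHIPMENTS))   # set()
    risk = new_links_from_merge(CUSTOMERS, SHIPMENTS, "customer_id")
    print("new links created by the merge:", sorted(risk))
    if risk:
        # This is the finding the assessment raises before anyone approves
        # the merge: the joined table is now 'who bought what'.
        for row in merge_on(CUSTOMERS, SHIPMENTS, "customer_id"):
            print(f"  {row['name']} -> {row['product']}")
```

The point of separating `linked_pairs` from `new_links_from_merge` is that the assessment compares the risk of the proposal against the risk already present, so a merge that adds nothing new is not flagged, while one that turns two harmless tables into a purchase history is.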
Loss of Trust
A loss of trust with customers can be much more damaging than any cost savings that might be created via cutting corners.
This was maybe best demonstrated this month when Google announced it would begin to boost the search rankings of sites that employed HTTPS encryption.
Has anyone ever given you flak for a budget request for an SSL certificate? Maybe you heard, "Hey, it's not like we're collecting credit card numbers here; do we really need to buy this?"
Of course, you know that people are using e-mail addresses as user names, so your privacy knowledge tells you that you've definitely got personally identifying information. There's your argument for SSL, anyway. But how do you make the argument that you should go with the expensive Symantec SSL certificate instead of just the cheapest one on the market that will make browsers happy?
Well, less than $1,000 is a small extra price to pay in order to be extra sure you're avoiding the loss of data that could result in extensive fines, which is the potential price you pay for losing a list of names and e-mail addresses as they're entered into your site. Knowing the privacy impact as well as the security practices allows you to demonstrate your knowledge of the business.
Tack all of that together, and not only are you avoiding potential risk, but you're also adding value via the added search ranking from Google, which might lead to greater page views, which might lead to greater ad revenue.
By not viewing each action discretely, but instead viewing it in the context of the business as a whole, you lay a path for advancement in the organization. If you don't know privacy, it's hard to get the right holistic picture, which makes it hard to make your argument.
Hughes is an attorney specializing in e-commerce, privacy and technology law. He's executive director of the International Association of Privacy Professionals.