Privacy & Security: Complex Relationship

Privacy & Security: Complex Relationship

IBM's Former CPO on Resolving Privacy-Security Conflicts

By Harriet Pearson, April 26, 2013.
  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
Harriet Pearson

The relationship between cybersecurity and privacy is complex. On the one hand, cybersecurity that protects data from intrusion, theft and misuse obviously is a significant privacy safeguard. On the other hand, cybersecurity measures that monitor access and use can implicate the collection of personal information and thus raises privacy concerns.

While adoption of cybersecurity defenses will serve to protect personal data - indeed, there can be no data privacy without sufficient security, including cybersecurity - some of the defense techniques may require the monitoring or collection of personal information, and thus implicate privacy concerns:

  • First, there is network and system monitoring. Experts agree that in order to detect and defend against cyberattacks, organizations should be aware of how their information networks and IT systems are behaving. Such monitoring typically is focused on non-personal information such as malware indicators, bad IP addresses and network flow data. Of course, the more specifically one monitors, and potentially records, activity, the more potential there is that personal data will be part of the information reviewed and/or collected.
  • The next issue is that of background checks. Not all cyberdefense measures involve cybertactics. Organizations frequently find it prudent to conduct background checks - at times quite extensive - on individuals with access to certain sensitive systems and data. By definition, background checks require the collection and use of personal information.
  • A new aspect of data security arises from the bring-your-own-device phenomenon. An increasing number of organizations are allowing their workforce to use personally owned smart phones, PCs and other devices. The steps organizations take to secure such devices and the data that might be stored on them often involve access to personal data.
  • Steps taken to strengthen supply chain and vendor security may also raise privacy issues. Security conscious enterprises understand that the weakest link in their organization may lie outside their formal control. Measures imposed on their vendors and suppliers may require those third parties to conduct background checks and share other information that has privacy implications.
  • Information sharing with third parties and government agencies means that personal information may be shared. Finally, but importantly, experts agree that rapid and preferably automated cross-organizational sharing of cyberthreat information is essential to help detect and defend against cyberattacks. And given the recent passage of H.R. 624, the Cyber Intelligence Sharing and Protection Act [see House Handily Passes CISPA], there can be significant privacy issues raised by such sharing. While each of these areas of cybersecurity techniques raises privacy concerns, those concerns can be addressed responsibly.

Thoughtfully Limited Data Collection

Consistent with the well-known Fair Information Practice Principles, data collection should be thoughtfully limited; used only for the purpose of security or other carefully considered and approved purposes; retained only for as long as needed for security and other legitimate purposes; and shared only with those that need the data for security or other carefully considered and approved purposes, with accompanying limitations on their sharing, use and retention. These are concepts that privacy professionals in American business apply every day, and close collaboration between privacy professionals and security personnel at companies is essential to ensure that the security/privacy balance is correct and that Fair Information Practice Principles are applied to design privacy into cybersecurity programs.

Second, there should be transparency as to the cybersecurity measures that organizations, especially operators of critical infrastructure, increasingly are using. Transparency is fundamental to the Fair Information Practice Principles. When implemented, it reassures individuals that the processing of information that relates to them is not being done in secret, thus enabling them to pursue any recourse available if necessary.

Promoting Transparency

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Secure Domains: The DNS Security Debate

Better DNS security could help block some types of spoofing, poisoning and DDoS attacks. But the...

Latest Tweets and Mentions

ARTICLE Secure Domains: The DNS Security Debate

Better DNS security could help block some types of spoofing, poisoning and DDoS attacks. But the...

The ISMG Network