The Issue with Privacy

By Dr. Stephen McCauley
Faculty Member, School of STEM at American Military University

Data breach laws do little to stem the tide of breaches. Evidence shows that organizations fail to see the value of applying data protection methods, however costly they may be, until they are forced to adhere to data breach notification laws.

Some evidence shows organizations are in their infancy with regard to privacy. The default stance of providing credit protection for a year is being challenged by Blue Cross Blue Shield (BCBS), which is offering coverage for as long as an individual is a member (and opts in). Class action lawsuits are challenging the “credit protection” solution offered by organizations as an “insufficient” remedy for a breach of privacy. As one lawyer noted, credit protection offerings do not come close to meeting federal compliance requirements, so why is this half-baked effort acceptable?

All the while, the European Union (EU) is tightening its data protection laws and safe-harbor requirements. Although Privacy by Design (PbD) has been advanced for many years, many CISOs fail to understand the implications of privacy laws. The privacy issue is not thoroughly addressed by prestigious certification bodies such as (ISC)2 or ISACA. Although (ISC)2 does offer the HCISPP certification, many CISSPs perceive it as a “step backwards” in their quest for validation of professional prowess, and forego the material.

Another reason the HCISPP lacks the “security cachet” needed within the industry is that its focus is on health care, not privacy alone. Because privacy deals with actual laws (rather than regulations such as CFRs, or frameworks and standards such as NIST and COBIT), newly minted lawyers are often called upon to interpret privacy laws and conduct gap analyses for organizations. This “position” seems to be viewed as punishment by up-and-coming lawyers, as the perception is similar to being typecast as a child actor (a career-ending event just as they are getting started), which confounds the privacy issue within organizations.

Whose job is it anyway? The primary difference between privacy and information security is that people have a right to access and modify any inaccurate data an organization may hold on them. CISOs are geared to keep people out, while privacy encourages people to view and change their data. Yet without information security, privacy cannot provide individuals any assurance that their data will remain protected.

There is one organization (IAPP) that specializes in privacy certifications, but executive managers do not yet value this certification, as the topic of privacy is so new to organizations within the U.S. One difficulty with educating executive management about privacy issues is that they tend to group everything into buckets, and privacy gets lumped into the security or legal bucket. The concept of an individual Chief Privacy Officer and an Enterprise Privacy Office (EPO) has not yet been embraced by corporate America … and certainly not yet identified as an issue within the government sector.

About the Author
Dr. Stephen McCauley has worked in information technology, cyber security, and privacy for most of his career, starting back when cyber security and privacy were relatively obscure occupations. He has a Bachelor of Science in Business Information Systems (BS/BIS), a Master’s in Business Administration with a concentration in Technology Management (MBA/TM) and a Doctorate in Business Administration with a specialization in Information Systems (DBA/IS). He holds a number of security- and privacy-specific certifications, which include the CISSP, HCISPP, CIPP, and FQNV, to name just a few.