The attached is an article we did for Sun's Inner Circle newsletter. The lovely Robin Wilton-- IDm guru extraordinaire-- liked it well enough to blog about it here: at blogs.sun.com/racingsnake/date/20080528. (Very cool!)
So, I am reproducing it here & would love to hear your thoughts.
Here's the link: http://www.sun.com/emrkt/innercircle/newsletter/0508/feature-bus.html?cid=924946
& the article:
The Missing Chair Around Your Boardroom Table
Protecting privacy is an inevitable challenge in a free society. With more and more personal information moving onto the Internet, what role must companies assume to protect employee and customer privacy? And globally, what are the implications for privacy with regard to cultural differences and harmonization of identity and data protection standards?
Sun Chief Privacy Officer Michelle Dennedy calls this participatory Web era the "Network of You." Below she shares her views on how companies can protect their assets and stakeholders by expanding the way they think about data privacy and personal information management.
Q: What is the "Network of You?"
A: The "Network of You" is a concept that links traditional business practices to evolving Web 2.0 practices in the new environment of data-enriched enablement. The Network of You recognizes that for the first time in human history, we can individually participate in a global web of information flow. There is obviously a strong economic benefit, but there is also a strong risk factor if we're not careful.
Q: What are the most worrisome threats to online users' privacy?
A: The most worrisome threats are the unplanned, unexpected uses of information that violate individual cultural or legal mores. Organizations can fail to notify users about why they're collecting information — or that they're collecting information at all. They can fall into the trap of abusing collected information for which they are a fiduciary, but not an owner. Information about individuals is the currency flowing through the enterprise and that enterprise becomes, in a sense, its banker. One of the biggest threats is failing to recognize the power of information as a leverageable asset. When you collect too much, not enough, or the wrong information, you store risk that doesn't drive value back into the organization.
Information about individuals is the currency flowing through the enterprise and that enterprise becomes, in a sense, its banker.
To quantify the risk involved, we can look at the case study of breach notification legal requirements. In the U.S., it's becoming typical for organizations that have been forced to notify customers about a data loss to provide two years of credit protection per record lost. So if you lose a laptop that contained 100,000 records with a standard credit protection cost of roughly $40 per record, per year, for two years, you're looking at a potential liability hit of $8 million. That figure doesn't account for brand loss, sales opportunities lost, lawyer fees, or the paper exercise of sending out letters. And that's just a ballpark — I've heard figures from banks up to $500 million, or $250 per record for a major breach.
Treating data as an asset up front and giving it the respect it deserves frees precious organizational time for communicating with customers about the stuff that drives revenue.
Q: Data control is said to now be a boardroom issue as well as an IT issue. Thoughts?
A: It's absolutely a boardroom issue due to the ascendancy of information as the most valuable asset. I think there is an empty chair at the CEO's table that is unique in charter from the chief financial officer, general counsel, chief information officer or chief privacy officer. If the trend to use, collect, and manage data and to connect with customers and workers on a global scale continues, there will be a significant role for new types of executive leadership in the boardroom.
There needs to be an information control officer who looks at information the same way you look at cash, with the nuance that information about human beings is non-replaceable. Once you have disenfranchised your customers or employees because you failed to protect their information, you can't get them back as readily as you can recover cash if you have executed poorly in your capital investments. One of the ongoing tasks for this new executive will be to partner with the CFO, CIO, HR, and R&D leaders to help drive in economic value and drive out risk by only collecting information that has value and doesn't cause harm.
In the short term, existing business unit leaders share in these new data asset and liability-driven duties, and each must become his or her own data advocate, legal advisor, and accountant.
The expanding universe of stakeholders and government regulations like the U.S. state data breach notification laws, the Gramm-Leach-Bliley Act, HIPAA, EU Directives, member state regulations, and the Canadian PIPEDA and other international regulatory frameworks will continue to complicate the business landscape. At the same time, a global community of users and creative entrepreneurial opportunities will continue to press for more data, more control, more transparency, and more respect than ever before.
Q: Is technology the problem or the solution? What technologies can be employed to protect privacy in the online world?
A: Technology can be both. If technology is used in the absence of people or processes, it can be a huge risk. Technology can gobble up more information than any human can possibly consume. Technology can share information faster than human minds can think it, so it can be harmful if you don't have that boardroom-level care of information as well as a system that sets up how information flows, where it is shared, who has access to it, what role those people play in the organization, and assurance that the information is audited.
Identity management technology is critical to understanding "who" is participating on your network.
Identity management technology is critical to understanding "who" is participating on your network. "Who" is your customer and "who" will serve that customer's various needs? Sun has deep identity management leadership and experience in helping with auditing and identity compliance. Sun's capabilities include user provisioning, role management, access management, federation, and directory services. These are examples of technology that can make a big positive impact when deployed with a clear strategy to get in front of the business challenge of "who."
You can centralize and better secure data by using ultra-thin clients like the Sun Ray, which greatly minimizes your data footprint and reduces risk. The only way to use a Sun Ray is by logging in, therefore every action is auditable. Instead of spreading data by duplicating and multiplying it across desktops, a greater proportion of the data stays centrally managed at the server level. Users authenticate and access information that is stored in a guarded place. Then security, privacy, and audit professionals can outreach, manage, and train the person who's allowed to use that interface.
Where data really "sticks" is in your storage strategy. That's where technology, management, and training help you figure out how to utilize your information as an asset. Sun's open data archive solutions enable organizations to change the economic equation for their IT departments because they are 10 times more scalable, use 50 percent less physical space, and can reduce energy costs by a factor of 10 over competing products.
It's critical to understand where you're storing stuff. Your CIO may not be looking at the risk and potential rewards implied by stored data. Which gets back to my "empty seat at the boardroom table" notion. Where it's appropriate, cut down your data footprint to keep the good investments of data that drive value, and systematically get rid of data that only serves to create unmanageable risk.
Q: What role should governments have in helping companies or individuals protect their privacy?
A: Hopefully not a heavy-handed one. My personal responsibility is to cover the globe, and we have business interests in almost every country. We must understand how to harmonize information flows with other governments and protect information through its lifecycle when that lifecycle goes from very restricted civil law countries, to common law jurisdictions, to socialist republics and beyond into emerging economies that are only now selecting a governance strategy for people and data.
We have to agree on the functional definition of how information is protected, despite differences in culture and legal strategies. We can look at how identity management strategies can be deployed to ensure that only the right people at the right time in the right place view authorized information.
Let's say Person A is fulfilling Function B and Strategy C is protecting it. Once you realize that the information pipe is secure, you can rationalize that protection in a common law society like the U.S. where we enforce by regulatory agencies and private litigation. In civil law societies like Europe, where the whip is felt from various agencies, protecting the data pipeline with rigor can satisfy those data protection authorities. When you get to other parts of the world with different notions of individual privacy, you can do that same calculus of role-based access — Person A, Function B, Strategy C — and if that protection is robust and transparent enough, it can satisfy all of these governments with differing enforcement strategies.
You need a leader who understands and cares about data protection and that person must scream from the mountaintops in the language of employees, vendors, and partners to let them know what is expected of them and that data governance is a valuable investment.
Q: What do executives need to be thinking about and planning for over the next five years?
A: People, process, and technology. Your people have to know what to do when. You need a leader who understands and cares about data protection and that person must scream from the mountaintops in the language of employees, vendors, and partners to let them know what is expected of them and that data governance is a valuable investment.
Process has a lot to do with your identity management strategy — who is going to be allowed to look at what when? How long is that information available to those individuals? How do you de-provision those people when they move on? It also has to do with how you determine data value, track it across your enterprise, and protect its integrity throughout its lifecycle.
You have to constantly look at your technology resources, whether you own them or whether you leverage Web 2.0 tools and communities, to determine what brings value. Sun leverages an open, interoperable architecture. The reason people come to Sun and the reason that we are the fiduciary for so much confidential, highly sensitive data is because this architecture allows you to think about the future and where information is going to be stored. All of the information that is housed on those storage media comes at a cost if you lose it, and can bring value if you leverage it well.