TORONTO – In dealing with privacy issues enterprises need to move beyond fear and look at security as the key innovator to fuel growth, according to privacy experts.
Speaking to a roomful of security, IT and executive leaders at a breakfast Tuesday, Sun Microsystems Inc.’s vice-president of identity management Sara Gates discussed how the notion of “who” is an essential component of identity management.
Three to four years ago, for example, security meant letting the right people in and keeping the wrong people out, said Gates. Now, it’s about letting the right people in and giving them the right access.
“Fear is winning,” said Gates. “We see greater preponderance around security and compliance.”
With identity theft being the fastest growing form of fraud — Equifax in Canada reported between 1,400 and 1,800 identity theft-related complaints per month — companies can no longer say it’s just an external threat that can be remedied by a firewall, for example. The Privacy Commissioner of Ontario, Ann Cavoukian, who also spoke at Tuesday’s event, said businesses need to think of privacy as a business issue rather than an IT-related one. Cavoukian cited several U.S.-based studies that show customers said identity theft-related incidents affected their purchasing decisions.
“If I were a business I would make privacy work for me,” said Cavoukian. “Trust is fundamental. Distrust has a devastating impact on profitability.”
To illustrate her point, Cavoukian mentioned the CIBC faxing fiasco as an example of how not to handle a privacy breach. The U.S. case involved a West Virginia scrapyard owner who had been receiving faxes containing confidential data from CIBC for three years. In April, the Privacy Commissioner of Canada ruled the bank was in violation of PIPEDA principles. CIBC responded to the Commissioner’s findings by creating a national database to track privacy issues and establishing a national privacy office, among other initiatives.
“I’m outraged by CIBC’s response to the faxing fiasco,” said Cavoukian, adding the incident will make it into business studies as an example of how not to handle such a situation. “Everything is in your management of a crisis and your immediate reaction.”
Echoing Gates’s and Cavoukian’s comments, Toronto-based independent consultant John Casey of Aliquantum Inc. said organizations, in many cases, need to work on getting the customer’s side of the story out after a privacy breach has occurred.
“Notify people, tell them what it was and what happened,” said Casey, adding businesses should explain the situation in plain English rather than a glossy press release. “There’s a huge difference between, ‘We lost hard drives,’ and ‘We lost hard drives that had aggregate and not personal data on them.’”
While policies and fear of repercussions are changing how corporations view identity management, so too is the evolution of technology which is changing how enterprises, developers, consumers and the public sector interact on a daily basis.
As the market moves from the information age to the participation age systems, are communicating with each other without central control, said Gates.
“We don’t have perimeters like we used to,” said Gates.
With this in mind, organizations need to view identity management as not only managing data but also managing users, said Deloitte Canada partner and identity management and privacy leader Andreas Faruki. Identity management, he said, is about protecting data that users access. The channel that the data flows through is tied to the individual and not the group, creating the need for security throughout the data’s lifecycle.
“The enterprise is porous,” said Faruki. “There no longer is a perimeter. There are multiple access points to data.”
Similarly, Cavoukian said with personally identifiable information it’s key who’s identity is being managed, by whom and for what purpose. Cavoukian added access control is key to controlling an individual’s access rights.
“As the sensitivity of data increases, protection must increase,” she said. “Identity management solutions limit the likelihood that data will be used by rogue agents.”
The Commissioner’s Office released its identity theft white paper in September, which is drastically different from the first one in 1997 in that the intent has shifted from the consumer to business.