As computer systems attacks become more sophisticated and dangerous, so does the technology to deal with them. But there’s an unintended side-effect of the rollout of enhanced system security technologies, according to a report from Ontario’s Information Privacy
Commissioner and Deloitte & Touche — they can be a liability on the privacy front.
The Security-Privacy Paradox: Issues, Misconceptions and Strategies, released on Monday, outlines the tension between corporate security and privacy policies. While their goals and practices sometimes overlap, they often conflict.
As technologies such as intrusion detection, incident response and personal authentication are tuned to deal with increasingly sophisticated attacks, they can also become more intrusive from a personal privacy perspective, said Robert Parker, a partner with Deloitte & Touche.
Software that collects information about who visited a Web site and when can begin to build a profile of an identifiable individual without that peron’s consent — or even the knowledge that the information has been passed on.
“”Once you have an intrusion, when you start an investigation, that could lead to information about an identifiable individual,”” Parker said. Companies have to be aware of the privacy implications. Most deal with the issue by disclosing to users that the information is being collected and how it will be used.
The study also makes the case for having distinct security and privacy functions in the C-suite. It’s common for a chief security officer or chief information officer to take on the role of privacy officer when it becomes an issue, and that can diminish the privacy perspective, according to Ontario Information Privacy Commissioner Ann Cavoukian.
“”The perception and the mindset (CSOs and CIOs) bring to the task is different from that of a chief privacy officer,”” Cavoukian said. “”Those two views can be contradictory at times.””
A CPO will view information as owned by the subject, and will focus on limiting its use. A CSO or CIO tends to view the information as a corporate asset and focus on maximizing its value. Separating the roles means two arguments will be brought to the table, allowing the company to strike a balance between the two views, Cavoukian said.
That’s an expensive proposition for most companies, said Stephen Mill, Toronto-based regional manager for international staffing consultancy Robert Half Technology.
“”You can’t afford to have three chiefs looking after this issue,”” Mill said. While at very large companies there’s a good case for making security and privacy very different functions, few companies in the Canadian market will have that divergence of roles.
Most often, said Mill, the privacy mandate will fall under the security umbrella. But he argues that the HR department has a role to play, especially in environments where employees’ computer usage is monitored.
The most important takeaway from the study, Cavoukian said, is that “”security does not equal privacy.”” The words are often used interchangeably, especially by techies, she says. “”You can’t have privacy without security, but you can have security without privacy,”” she said.
And building privacy decisions into the technology framework can enhance the security of the system, she says. One needn’t come at the expense of the other.
“”It’s not a zero-sum game,”” she said.
The study outlines a 16-step roadmap for developing a balanced privacy-security strategy.
Comment: [email protected]