Cavoukian offers roadmap for security-privacy balance

As computer systems attacks become more sophisticated and dangerous, so does the technology to deal with them. But there’s an unintended side-effect of the rollout of enhanced system security technologies, according to a report from Ontario’s Information Privacy Commissioner and Deloitte & Touche — they can be a liability on the privacy front.

The Security-Privacy Paradox: Issues, Misconceptions and Strategies, released on Monday, outlines the tension between corporate security and privacy policies. While their goals and practices sometimes overlap, they often conflict.

As technologies such as intrusion detection, incident response and personal authentication are tuned to deal with increasingly sophisticated attacks, they can also become more intrusive from a personal privacy perspective, said Robert Parker, a partner with Deloitte & Touche.

Software that collects information about who visited a Web site and when can begin to build a profile of an identifiable individual without that person’s consent — or even the knowledge that the information has been passed on.

“Once you have an intrusion, when you start an investigation, that could lead to information about an identifiable individual,” Parker said. Companies have to be aware of the privacy implications. Most deal with the issue by disclosing to users that the information is being collected and how it will be used.

The study also makes the case for having distinct security and privacy functions in the C-suite. It’s common for a chief security officer or chief information officer to take on the role of privacy officer when it becomes an issue, and that can diminish the privacy perspective, according to Ontario Information Privacy Commissioner Ann Cavoukian.

“The perception and the mindset (CSOs and CIOs) bring to the task is different from that of a chief privacy officer,” Cavoukian said. “Those two views can be contradictory at times.”

A CPO will view information as owned by the subject, and will focus on limiting its use. A CSO or CIO tends to view the information as a corporate asset and focus on maximizing its value. Separating the roles means two arguments will be brought to the table, allowing the company to strike a balance between the two views, Cavoukian said.

That’s an expensive proposition for most companies, said Stephen Mill, Toronto-based regional manager for international staffing consultancy Robert Half Technology.

“You can’t afford to have three chiefs looking after this issue,” Mill said. While at very large companies there’s a good case for making security and privacy very different functions, few companies in the Canadian market will have that divergence of roles.

Most often, said Mill, the privacy mandate will fall under the security umbrella. But he argues that the HR department has a role to play, especially in environments where employees’ computer usage is monitored.

The most important takeaway from the study, Cavoukian said, is that “security does not equal privacy.” The words are often used interchangeably, especially by techies, she says. “You can’t have privacy without security, but you can have security without privacy,” she said.

And building privacy decisions into the technology framework can enhance the security of the system, she says. One needn’t come at the expense of the other.

“It’s not a zero-sum game,” she said.

The study outlines a 16-step roadmap for developing a balanced privacy-security strategy.


Dave Webb
Dave Webb is a technology journalist with more than 15 years' experience. He has edited numerous technology publications including Network World Canada, ComputerWorld Canada, Computing Canada and eBusiness Journal. He now runs content development shop Dweeb Media.
