Panel encourages business to regard privacy as a tool for growth

When dealing with privacy issues, enterprises must move beyond fear and look at security as the key innovator to fuel growth, according to privacy experts.Speaking to a roomful of security, IT and executive leaders at a breakfast, Sun Microsystems Inc.’s vice-president of identity management Sara Gates discussed how the notion of “who” is an essential component of identity management.
Three to four years ago, for example, security meant letting the right people in and keeping the wrong people out, said Gates. Now, it’s about letting the right people in and giving them the right access. “Fear is winning,” said Gates. “We see greater preponderance around security and compliance.”
With identity theft the fastest-growing form of fraud — Equifax in Canada reported between 1,400 and 1,800 identity theft-related complaints per month — companies can no longer say it’s just an external threat that can be remedied by a firewall, for example. The Privacy Commissioner of Ontario, Ann Cavoukian said companies must think of privacy as a business issue rather than an IT-related one. Cavoukian cited several U.S.-based studies indicating identity theft-related incidents affect customer purchasing decisions. “If I were a business I would make privacy work for me,” said Cavoukian. “Trust is fundamental. Distrust has a devastating impact on profitability.”
To illustrate her point, Cavoukian cited the CIBC faxing fiasco as an example of how not to handle a privacy breach. The U.S. case involved a West Virginia scrapyard owner who had been receiving faxes containing confidential data from CIBC for three years. In April, the Privacy Commissioner of Canada ruled the bank was in violation of PIPEDA principles. CIBC responded to the Commissioner’s findings by creating a national database to track privacy issues and establishing a national privacy office.
“I’m outraged by CIBC’s response to the faxing fiasco,” said Cavoukian. “Everything is in your management of a crisis and your immediate reaction.”
Echoing Gates’s and Cavoukian’s comments, Toronto-based independent consultant John Casey of Aliquantum Inc. said organizations, in many cases, must work on getting the customer’s side of the story out after a privacy breach has occurred.
“Notify people, tell them what it was and what happened,” said Casey, adding businesses should explain the situation in plain English rather than a glossy press release.
While policies and fear of repercussions are changing how corporations view identity management, so too is the evolution of technology which is changing how enterprises, developers, consumers and the public sector interact on a daily basis.
As the market moves from the information age to the participation age, systems are communicating with each other without central control, said Gates.
“We don’t have perimeters like we used to,” said Gates.
With this in mind, organizations must view identity management as not only managing data but also managing users, said Deloitte Canada partner and identity management and privacy leader Andreas Faruki. Identity management, he said, is about protecting data that users access. The channel that the data flows through is tied to the individual and not the group, creating the need for security throughout the data’s lifecycle.