
30 January 2007

Recognizing Privacy Pitfalls

"Organizations need to address privacy not only because it is legally required and the right thing to do, but also because it is necessary for keeping customer trust, maintaining customer loyalty and support, and improving the corporate brand."

-- Rebecca Herold, Senior Consultant, Cutter Consortium

In many parts of the world, privacy is considered a basic human right, or as the EU Data Protection Directive (95/46/EC) puts it, privacy safeguards are "for the protection of the private lives and basic freedoms and rights of individuals." Only in the past few years, however, have organizations started to noticeably address privacy challenges and dedicate the resources necessary to deal effectively with the myriad privacy issues and requirements.

Despite these efforts, more and more organizations still fall victim to significant privacy pitfalls, typically because they have not recognized certain common vulnerabilities.

Incidents Occur in Many Different Ways

Organizations must realize that incidents can, and do, occur in a very wide variety of ways, not just as a result of hackers or stolen computers. Consider the following examples, each of which represents a different type of privacy incident:

  • In July 2005, a programming error within an online system for accepting applications at the University of Southern California exposed the personally identifiable information (PII) of 280,000 people.

  • In January 2006, a laptop was stolen from an Ernst & Young employee's car. It contained the names, birthdates, genders, family sizes, Social Security numbers, and tax identifiers for potentially all 330,000 IBM employees.

  • In March 2006, an e-mail was sent to 17 principals at the Connecticut Technical High School System that accidentally had a file attached containing the clear-text Social Security numbers of all 1,250 teachers and school administrators. At least one principal then forwarded the e-mail to 77 staff members without realizing the file was attached.

  • In September 2006, it was reported that a former employee of the Cleveland Clinic Hospital and a relative who worked for a health insurance claims company were arrested and charged with stealing the personal information of over 1,100 patients.

The types of privacy incidents that can occur include, but are not limited to, the following:

  • Inappropriate access to the network or computer systems

  • Lost or stolen computers and computer storage media (backup tapes, hard drives, CDs, etc.)

  • E-mail messages with clear-text confidential information sent or forwarded inappropriately

  • Fraud activities perpetrated by outsiders, insiders, and combinations of both

  • Hackers gaining unauthorized access to PII

  • Information exposed online because of inadequate controls

  • Insiders inappropriately using PII

  • Confidential paper documents being given to people outside the organization (e.g., recycled within schools/churches as scrap paper) instead of being shredded

  • Improper disposal of media containing PII

  • Password compromise that allows access to PII

In order to effectively plan to prevent -- as well as respond to -- privacy incidents, organizations need to identify their potential privacy vulnerabilities and then address each of them individually.

-- Rebecca Herold, Senior Consultant, Cutter Consortium
