enterprisesecuritymag

A New Vocabulary for the Digital Age

By Trevor Hughes, CEO and President, International Association of Privacy Professionals

Trevor Hughes, CEO and President, International Association of Privacy Professionals

It’s no secret that the English language has already begun expanding rapidly to keep up with the digital age. Words like “selfie,” “wearable,” “hash tag” and “Bitcoin” have all entered main stream parlance.

Your familiarity with these terms might be the difference between a successful product launch and an FTC investigation. For CIOs, however, I’d offer a new set of terms that are vital for organizations looking to successfully navigate the frothy seas of our increasingly online world. They are terms privacy professionals find themselves using on a daily basis and your familiarity with them might be the difference between a successful product launch and an FTC investigation.

Here are just five with which you should become familiar to help you identify potential blind spots in your organization’s data collection and data use practices.

Aggregation

Isn’t Big Data great? With modern processing power and algorithms, we can uncover all sorts of new insights by compiling data and interrogating it.

Unfortunately, bad actors have this power, too. What this means is that what might seem like a pair of innocuous databases might, when combined, reveal unintended things about your customers or employees, so they might need more protection than you think.

"Your familiarity with these terms might be the difference between a successful product launch and an FTC investigation"

The privacy community learned this lesson almost 20 years ago, when the Massachusetts Group Insurance Commission released de-identified health records in an effort to spur medical industry innovation. A smart researcher named Latanya Sweeney combined the data with publicly available voter registration data and was able to identify Governor Bill Weld and his entire medical history.

Consent

This term is quite simply foundational to doing business on the Internet. If you’re collecting someone’s data, you will find that legal obligations in various countries – and in some cases, just plain good manners – require consent to do so.

Aaron’s learned this the hard way. The rent-to-own franchise surreptitiously installed software on computers they were leasing that allowed for the tracking and monitoring of user behavior on those computers. The idea was to prevent theft. The result was a lawsuit from the Federal Trade Commission for deceptive trade practices.

Yes, data has value, and it can be tempting to collect it whenever you can. But customers value their data, too. Make sure you know the applicable law, and get their permission, or be very confident that their permission is implicit in the action they’re taking, before collecting and storing it.

COPPA

Short-hand for the Children’s Online Privacy Protection Act, the important thing to know here is that the U.S. Federal Trade Commission treats the personal information of children under the age of 13 very differently from that of adults.

Just ask Yelp. When it created a streamlined process for subscribers to sign up via a mobile app, the company neglected to ask for an applicant’s date of birth. As a result, children signed up, Yelp didn’t get parental approval for those signups, and the FTC delivered a $450,000 fine for a violation of COPPA.

If you’re working with children’s data, be very explicit that you are getting parental permission to collect the data, offering parents a choice as to whether children’s data will be shared with third parties and provide parents access to their children’s data should they want to delete that data.

Or better yet: Make sure you and your team is very familiar with the entirety of COPPA.

Location

Oh, sure, real estate professionals have always told you that it’s all about location, location, location, but the digital age is radically changing the way we think about location data.

Researchers have shown that just four data points can be enough to identify an individual person and regulators are increasingly protective of location data, especially when it’s being collected without a user’s knowledge.

Case in Point

Golden shores, which created a very popular flashlight app, in order to generate revenue served ads through this free download. And to serve targeted ads, the company gathered location data of its users. Unfortunately, they didn’t tell users they were doing this. One consent decree with the Federal Trade Commission later, Golden shores finds itself being audited by a third party for the next 20 years.

Sure, this is about that consent thing we were talking about earlier, but it’s also an emphasis that location data is now very much sensitive and personal data and your organization needs to make sure everyone involved knows when it’s being collected.

Trans Border Data Flow

I don’t have to tell you that we live in a global market place, but many businesses don’t realize their obligations for dealing with data collected from citizens of other countries. Particularly Europe, but also Canada, Australia and many Asian, African and Latin American countries have privacy laws and regulations that are different from the U.S. regime.

Do you have a business relationship with that Canadian to whom you’re sending an email? Can you document that it’s been active within the last six months? Getting the answer wrong could result in $1 million or more in fines. Are you able to produce the data you have about an EU citizen upon request? Failing to do so could lead to regulatory headaches –even if you are a US-based business.

These are questions even small companies need to be able to answer with confidence when doing business nowadays. It’s vital that you and your staff understand the global data privacy regulatory environment if you want to do business around the world.

There are, of course, a host of other terms a smart business operating in the digital economy needs to know as well –transparency, hashing, pseudonymity, unique identifier and more. As a CIO, terms like these that get at the heart of privacy must begin to enter your vocabulary and the questions you ask of your teams in product development, HR, marketing, IT and all the other departments in your organization that work with data.

Learning them now, and spreading the word, will prepare your organization to take advantage of the many opportunities offered by the digital age.

Read Also

Accounting for Online Payment Security as a Practice

Accounting for Online Payment Security as a Practice

Vennard Wright, CIO, WSSC (Washington Suburban Sanitary Commission)
Do IT Professionals Have a Social Responsibility?

Do IT Professionals Have a Social Responsibility?

Sam Segran, CIO, Texas Tech University
It's Time to Turn Security Inside Out

It's Time to Turn Security Inside Out

Gilad Raz, CIO, Varonis