By James Bone, Lecturer in Discipline, ERM, Columbia University’s School of Professional Studies ERM Program
What, for you, are the benefits of attending the ‘Risk Americas Convention’ and what can attendees expect to learn from your session?
The Risk Americas Convention is very exciting to me because of the diversity of risk disciplines and topics covered over the course of the event. I look forward to learning what new challenges today’s risk professional must overcome as well as innovations deployed to address these challenges. I feel fortunate to be able to participate in two different programs, each of which I have spent a great deal of time examining as a lecturer and researcher who is exploring how risk practice is evolving.
Participants in my session, “Positioning and evolving privacy programs to account for different programs across jurisdictions”, will learn about a concept that I call Robust yet Fragile. This concept is borrowed from network engineers who had to solve a host of issues when building out the internet infrastructure. The Internet is robust, in that it has the scale to allow communications to grow organically around the world, but is fragile at specific nodes in the network. Given the boundary-less business environment we live in, I draw on lessons from this concept to build a case for reframing risk mitigation in privacy programs across jurisdictions. Participants will hear many familiar issues, but the takeaway will focus on how to build resiliency in privacy.
How do you think privacy and security have changed over the last decade?
Great question! But the question implies that privacy and security are an emerging issue that has evolved over the last ten years. The truth is privacy and security have been a challenge since 1995, when the European Commission adopted the European Data Protection Directive to protect individuals as the global markets opened to international trading. New regulation and challenges have evolved since the late 90’s. The growth of and access to Personally Identifiable Information (PII), and the protection of that data along with the assault on PII by cybercriminals, have increased both the value of customer data and the costs of protecting it from misuse. My first job in risk was as an Information Security Officer, or ISO, who helped develop security policy and information security programs for a very large financial services firm in Boston. I have experienced the changes in privacy and security directly and have evolved my thinking about these issues.
What has changed in public awareness is an increased understanding of threats to personal data in many forms. However, awareness hasn’t had a material impact on consumer behaviour in that we share a tremendous amount of personally identifiable information on social media without recognizing what we are giving up. What has also changed remarkably quickly over the last 10 years is the monetization of customer data. Data brokers have grown exponentially under the radar using online click-through agreements that we don’t read. As a result, the market for data has created tremendous economic wealth but has also exposed us to the ugly side of lost privacy. The genie is out of the bottle so now is the time to redouble efforts to define what is acceptable as public policy and the new ground rules for business. I agree with Mark Zuckerberg on “good” regulation but regulation alone isn’t enough. It is time to rethink privacy and security.
What advice would you give when trying to manage privacy across multiple jurisdictions?
In the U.S., privacy has been multi-jurisdictional for many years, as each state has mandated different standards for the protection of personal privacy and data. There are over 600 laws among the states and more than a dozen federal laws on personal privacy and limits to electronic surveillance. Privacy officers have been on the front lines addressing multiple jurisdictions for years. Now information security officers have entered the battle, given the explosion of data and the need to enhance security to protect it from inadvertent disclosure as well as breaches due to criminal theft.
In the early days of data privacy, the most stringent state laws drove the baseline standard for “best in class” privacy programs. Today, organizations must have a much more comprehensive view of privacy and how business is done globally. In a digitally connected business environment where the Internet of Things (IoT), APIs, cloud providers, email, and social media exist side by side, there are no boundaries in data privacy. My advice is that privacy and security officers must begin any analysis with how people use data today and develop a risk-based approach to understand the human-technology interaction. To avoid getting too deep in the weeds, this means going beyond an inventory of where data resides to a deeper understanding of how data is used and moved across many ecosystems.
In your professional opinion, how have privacy needs impacted commerce across the financial sector?
State and federal privacy laws have focused on financial, medical and personal data, which basically is everything that we do. Gramm-Leach-Bliley (GLB) and the Federal Trade Commission raised the bar across the financial services industry for safeguarding customer data. In financial services, privacy laws have required financial institutions to become an extension of law enforcement in the form of the USA PATRIOT Act. As technology firms enter the FinTech space, these organizations are learning the complexity and costs associated with adherence to multi-jurisdictional mandates to safeguard data. The impacts on commerce in financial and non-financial organizations will only grow.
Privacy regulation has forced organizations to look beyond data as cross-selling opportunities to consider the entire ecosystem of data to drive productivity and efficiency in how to deliver value while also protecting data, a new and powerful lever of business.
As an academic and thought-leader, please can you provide your expectation for the future of privacy management?
Thank you for this question because there is a great deal of new research being conducted on this topic. There are major trends in society and business that make the job of privacy management harder in the near term. The big three trends are: Societal change, Technological change, and Analytical change.
According to the Privacy Rights Clearinghouse, the cultural conception of privacy is in flux. Individuals are creating personal content at an unprecedented rate on social media, and the cost and consequences of self-publishing blur the lines of privacy. Social media has consistently been a target of cyber criminals to gain access to corporate data. Privacy management must include new training techniques and awareness programs to help users understand how their behaviour over the internet potentially exposes the firm to threats.
Secondly, technological change will continue to pose increasingly new threats to business. The human actor is the prime target in cybercrime via mobile devices, casual web surfing and more sophisticated social engineering and phishing attacks. Trust is being weaponized on the internet, which leverages our inability to discern these digital threats. Lastly, connected devices will continue to be a target as criminals access connected devices to monitor individuals or leverage IoT devices to launch attacks. IT security and privacy professionals stay current with more advanced tools to monitor end points beyond the enterprise.
Finally, the third trend, analytical change, is also leveraged by our adversaries. Autonomous bots give cyber criminals the ability to collect data, launch attacks and exploit the very systems deployed to defend the enterprise. The cycle of innovation goes both ways as adversaries co-opt advances in analytics to exploit our defences. We operate in an open environment where open source technology allows our enemies to learn in real time the vulnerabilities that exist. As long as there is a market for data, the role of privacy management will continue to grow in importance.