Enhance cybersecurity awareness and survivability for DoD, industry partners, and academia in the face of the ever-increasing threat of cyber attacks. Cybersecurity (CS) includes managing risks related to the use, processing, storage, and transmission of information and the systems and processes used for those purposes, including analog and physical form. CS includes information availability, identification and authentication, confidentiality, integrity, and non-repudiation as well as the economic considerations with respect to selection of CS techniques, CS processes, and industry trends.
Data Privacy – What is it? Why Does it Matter? Why Should I Care?
2018-01-11 at 10:37 #13403
As part of Data Privacy Day, CSIAC is asking community members to participate in discussions on Privacy topics.
This topic is on the basics of privacy: What is it and why does it matter?
Many people have different definitions of what privacy is and why it matters to them. Please reply to this topic to share your definition and why privacy matters to you.
2018-01-17 at 11:22 #14376
Data Privacy to me is focused on the use and governance of personal data such as ensuring that consumers’ personal information is being collected, shared and used in appropriate ways.
Data Privacy is an important topic because most people are connected to the Internet and use it for everything – searching, purchasing, social interactions, etc. However, not too many people realize the great deal of personal information that is being collected and shared when they use the internet. The data can be stored forever and personal information can be used in both beneficial and unwelcome ways. Information that might seem harmless, like the items of your last online purchase or the last restaurant you ate at, can be used to determine your socioeconomic status, for example.
In the United States, consumer protection laws are weak or non-existent. This means that many companies and organizations have the ability to monitor their users’ personal behavior and sell the data. This means that it is very important that consumers understand the value of their personal data.
2018-02-27 at 00:30 #23597
Protecting data is a crucial thing in any organization by following the ever-changing technology landscape. Data privacy can be a juggling act in multinational organizations when it comes to fulfilling the needs of the organization and complying with local privacy laws. Ultimately, data privacy boils down to protecting the information held by individuals to prevent others from accessing their personal information. So, considering necessary measures to secure data is highly important.
2018-07-15 at 22:34 #43191
I agree, protecting data in some organizations is one of the most important assets an organization can protect.
If data is compromised in these types of organizations, all 3 risks are compromised (legal, reputational, and the loss of performing day-to-day operations).
Multiple firewalls, with the most updated technology, along with the staff that are trained and proficient with the most current tools is extremely critical. Also, a robust Incident Response Plan must be in place. This plan must have key players that clearly understand their roles.
This should be outlined in the Business Continuity Plan, which should be tested annually.
The organization must have the buy-in from senior management (such as the CISO, CIO).
2018-02-28 at 15:12 #25750
Data Privacy also relies on educating people on how they need to protect their personal data. The concern over Snapchat’s Snap Map feature last year raised awareness about social media users sharing too much personal information. Social Media users, especially younger people, don’t always consider the full implications of sharing their location and being cautious about accepting friend requests from people they don’t know very well or not at all.
2018-05-17 at 08:54 #32426
I have data privacy expectations as a citizen, employee, and individual. As a citizen, my expectation is that my data is protected from “unreasonable search and seizure” under the 4th amendment, so that the government has to provide probable cause before they can begin looking around my digital identity. As an employee of my company, I expect that my data is not shared with other employees, that it is protected from theft through hacking by reasonable measures, and that we have it either segmented on the network or encrypted. As an individual, I need to understand that I have a responsibility to exercise due care in how my personal networks are configured, my behavior on the internet (identifying suspect emails and websites), and that I periodically review my digital identity for signs of theft. The trend in the US is for more access to data by the government, with a lower 4th amendment bar, driven by the events of 9/11 and the proliferation of terrorism world-wide. On a personal note, I have reduced my social media presence – the value I receive is not worth the risk.
2018-05-19 at 07:19 #32433
Every data-driven organization’s operation, reputation, and litigation risks depend on data. Prioritizing data based on key business needs and proper access authorization is Data Privacy. It matters because sensitive data has to be protected with more security and encryption for confidentiality and consistency. We should care because without proper data a business might face reputational damage and if the privacy of user’s personal information is breached that can bring litigation risks for the business.
2018-05-20 at 08:36 #32438
Data Privacy requires you to identify any location with information in your organization that can identify an individual (internal or customer) such as their email address, name, school, preferences, etc.
As simple as it sounds, this is often a challenging task. If you fail to identify where this resides, how can you ensure its protection?
GDPR is an EU regulation that is being enforced starting 5/25. This requires any European individual’s information that may exist by an organization (globally) to ensure its identification, protection and ability to wipe on demand! Imagine all the locations data may reside including places known/unknown, internally, externally, on backups, etc. What a challenging task!
Failure to comply will result in a fine of 4% of total revenue or $20M euros!
2018-11-26 at 20:46 #51951
Yes, I agree that GDPR has given us more focus on information security. The right of privacy is one of the most important issues in my opinion.
All organisations more or less handle personal information, if only that of their own employees. That means that all organisations have an obligation to guard the personal information and therefore apply information security.
Physical controls, technical controls and administrative controls should all be applied to protect the PII, but most organisations mainly focus on the technical controls.
In my personal opinion the administrative controls are the least used, because they are more difficult to apply.
I think more specifically the education around privacy could be improved upon. Many organisations are still struggling with the implementation of GDPR and can’t oversee the requirements.
While everyone is looking at and is education on cybersecurity, privacy is getting less attention than it deserves.
2018-05-20 at 15:56 #32440
Let me jump in with a positive standpoint towards GDPR: I am a German citizen working in Germany related to consultancy around IT security and data protection. GDPR is a major change in paradigm and many organisations are currently struggling with implementing it. Starting from the legislation: hundreds of laws still have to be adjusted to the new regulation and in the government they are missing resources and skills to get everything done in time. Second the companies: also far from being compliant. Many just recently started their projects and even the ones who are already for longer time on their journey they are still missing the one or the other aspect of the new law (complemented by the way through local laws, in Germany the new BDSG which is specifying points where the GDPR has left intentionally gaps for local authorities and legislation). Nevertheless: the important point is having started the journey.
First time in history IT security becomes obligatory for all organisations in Europe instead of “nice-to-have” in previous times. In relation to the current threat landscape including the exponential growth of IoT-devices I think it is just a starting point to defend against nation-state-actors and cybercriminals.
2018-05-22 at 11:45 #32458
Data Privacy to me means the ability of an individual or an organization to decide what data can be shared with a third party, especially sensitive data about an individual or the organization. Protecting individual information that can be used to identify an individual or that relate directly to an individual. I believe it is better to be safe than to be sorry in the sense that as an individual, I have the responsibility to shield myself/information from the public face by limiting the information about me that I personally made known to everyone. E.g. social media. A lot of us get carried away when it comes to social media or the internet as a whole. We post information about us that hackers can easily use to trace or damage one without knowing. The rate at which data is being stolen is really alarming.
Data privacy is really important. As individual/organization, there are lots of things which are at risk when it comes to data privacy, the more knowledge you have about it the better you will protect yourself from the risk involved. Nobody wants to face the repercussion or the consequences of having your private data get in the hands of a wrong person.
2018-05-22 at 14:38 #32463
Privacy is a privilege that most people don’t think about until it’s gone, and these days, once your privacy has been compromised there’s no getting it back. I believe personal privacy in a digital age is something that should be taught in schools and better prepare children with the knowledge that what they are posting or signing up for could have repercussions for them down the road. Things like the GDPR are long overdue and a great wake up call to the industry but doesn’t address personal decisions of how one would like their data to be used and what they are OK with or not. What’s lacking today is a single privacy authority that can help people govern their privacy decisions. The daily bombardment of are you OK with sharing this or allowing this for anything you do online could be governed by an authority that controls the specifics of what someone is OK with sharing.
2018-05-23 at 11:06 #32478
To emphasize andy84’s point, this statement is right out of the regulation, “The protection of natural persons in relation to the processing of personal data is a FUNDAMENTAL RIGHT.”
2018-07-15 at 17:28 #43190
Data privacy matters because information is the most important asset for all companies. So, like any other critical asset, it needs to be managed and protected. Nowadays, most companies try to get as much customer information as possible; information gives a competitive advantage. However, this leads to a responsibility: data privacy management.
First of all this is important due to regulations that have been created worldwide; besides, most of the latest hacking attacks have targeted data, and finally because an inadequate management of data could lead to being sued or loss of reputation.
2018-07-16 at 08:20 #43193
Data is a collection of facts or items of information which could include identifying information about an individual or entity. These items of information can be personal, thus very sensitive. Individuals or entities have privacy protection under the law to determine what items they would like others to know about them, which people are permitted to know about them and also determine when those people can access that information.
Data is subject to privacy laws and it is the duty of the individuals/organizations who collect, store and use such data. Data privacy is therefore the ability of an individual/organization to determine what data in their system can be shared.
The sensitive data collected must be protected from being accessed by unauthorized entities as that could possibly cause damage to their reputation or hardships, in different ways, to the individuals who lose their privacy of information.
It is very necessary and important to secure such data from criminals who want access to the data by attacking, through various means, the systems, networks and data centers that store such data.
2018-07-16 at 11:45 #43194
I believe that data privacy is crucial, both at organisational level and at a personal level. I always get worried when I get calls from tele-marketers who I never gave my information to. It means that somewhere along the line some company’s systems were compromised and the end-user information leaked. This is also a security concern to individuals as one never knows where this information lands.
It is thus very crucial for organisations to secure their networks, systems and eventually data from prospective criminals.
2018-07-17 at 22:44 #43230
Data Privacy is when individuals and organisations are able to control who can access and their information, data, ideas and intellectual property. With a top down approach, the organisation is responsible to ensure that operationally, employees’ data and customers’ information are protected through masked data so that it makes it challenging for hackers to unscramble the encrypted information. There also has to be adequate training for employees to take active steps to keep their information safe (i.e. locking laptops when leaving the work station, different passwords for different logins).
2018-07-17 at 08:54 #43212
To me data privacy is the fundamental right of a person. In an increasingly complex digital world, an individual’s data is scattered across multiple organizations over multiple countries. In such cases the jurisdiction of said individual’s data is worldwide. Then comes the question, how is this going to be managed? From a legal perspective? From an ethical perspective? Rules drawn in one country prohibiting the sharing of an individual’s data may seem perfectly legal in another country. This represents a modern day dilemma for countries, governments, organizations and individuals alike.
2018-09-22 at 11:58 #50306
Just joined the forum.
I agree with most of comments I read on GDPR:
– thanks to GDPR cybersecurity has become mandatory for all organisations which deal with European citizens’ PII.
– apart from technology related matters, complying with GDPR requires a strategic approach and a real commitment in all company levels. It’s not an easy task, but that’s something that any effective risk management system asks for, actually.
– fines for being uncompliant might be very high. That’s frightening for any CEO, but it can be decisive for them to go ahead when it comes to evaluating costs and benefits.
Altogether, that’s pushing companies a lot in concerning about their IT security and allocate money to manage it.
Nevertheless, in a fully-connected world, assuring privacy is not up to organisations only. People have to be involved as well. Until people are fully aware of risks posed by cyberthreats and how to deal with them on a daily basis, they will stay one of the weakest links in the chain.
Unfortunately, that is something GDPR doesn’t really address. Anyway, organisations are still made of people (so far…), and hopefully this can help them develop their cybersecurity awareness as citizens as well.
Privacy authorities are still needed, though. This is too complex a matter for it to stay self-regulated. Luckily, GDPR requires privacy authorities at both single countries level and European Union as well.
2018-09-23 at 21:00 #50335
There’s an interesting and potentially worrying example evolving in China based on a Social Credit Score. Similar to a Credit Score, this is a score based on your behavior, purchases, marital status etc. and is driven in large part by your online activity.
Maintaining your good social standing brings benefits like renting a car without having to pay a deposit, or getting better loan interest rates. If your behavior is deemed inappropriate, your social credit score goes down and can restrict your options severely. One example is an investigative journalist who published stories on corruption in government and found himself unable to book train tickets or flights due to a local social credit score.
This is a worrying example of the way information which we freely ‘give away’ due to our activity and information being stored and shared by companies across the internet, can be used to exert control.
2018-09-25 at 17:14 #50408
#50335 – I only very recently learned about China’s Social Credit Score and find it fascinating. Technology and inter-connectivity seem to have become embedded in the culture. Giving away personal data has become the norm in China and I wonder how this will ultimately translate to the rest of the world.
2018-09-24 at 00:33 #50340
What is it? – I believe that Privacy as an individual is of particular significance when it comes to personally identifiable information (PII) and personal health information (PHI).
Why Does it Matter? – I believe it is the right of an individual to restrict and control the availability of personal information to trusted parties to protect their rights as a citizen, and digital safety against exploitation, victimisation and cybercrime. Furthermore, Governments and organisations who hold personal information should do so only under strict controls and requirements and to inform the owner of that information.
I’m personally keen to ensure combinations of personal information (often used as a starting point of cybercrime during Open Source Intelligence (OSINT) reconnaissance) such as my full name (including any middle names), addresses and birthdate are not publicly available. Many people seem to freely make these available via social media, and in such cases I further believe social media providers should continue to make available and continuously improve controls and warnings that help those people understand their potential exposures and options.
Furthermore, I’m especially concerned about the control and management of personal information that can have an immediate impact on an individual. This includes information such as Social Security numbers/Tax File Numbers, health and medical records, financial data, bank account details, credit card numbers, student records and exam results and any records relating to minors to name but a few.
Why Should I Care? – I believe that individual privacy and protection against exploitation, victimisation and cybercrime, because of its loss, should be considered an inalienable right protected at all costs. It’s important to note that privacy, like other human rights (e.g. basic human rights such as the right to life, the right to liberty and freedom, the right to the pursuit of happiness and the right to live your life free of discrimination), is often only realised to individuals when it is lost.
To provide some context, George Orwell’s novel, “1984”, had some thought-provoking quotes that are something to think about in the Digital Age we live in. The following quotes from his book seem to point toward a digital future bereft of individual privacy:
• “Big Brother is Watching You.”
• “If you want to keep a secret, you must also hide it from yourself.”
2018-09-25 at 08:33 #50377
Today we are living in a digital era. With every visit or action we perform online – we leave behind a digital footprint. The role digital media plays in cultural content, business and social relationships is only growing, and the world as we know it, or our non-virtual reality is fading out.
There are those who benefit from our presence on the Internet. We expose our most intimate information on the social network, but aren’t these networks only meant to sell us advertising? This is one of the reasons behind the European legislation called GDPR.
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, concerns the protection of online consumers with regard to the processing of personal data and the free movement of such data.
The regulation is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital market.
The regulation came into force on 24 May 2016 and will apply from 25 May 2018. It is important to know that the law applies to any European organization, but also to organizations outside the continent, as long as they process personal information of European citizens in the context of offering products and services or organizations that monitor their behavior.
Like other regulations of recent years, this also broke out in our lives due to technological changes that caused unique social changes for our generation. In the last decade social networks have influenced us perhaps more than anything else and there seems to be almost complete congruence between what each of us calls “digital life” and “real” life (assuming there is still a gap between them).
The law is coming to action by imposing significant obligations on organizations that process personal information. The goal is to dictate new behaviors to advertisers to comply with rules and maintain user information. Organizations will not only have to secure personal information, but also identify and classify it, frame it, limit usage over an extended period, and justify its use.
The justification for the use of personal information requires a legal basis. In terms of enforcement, the GDPR went very far. Beyond the possibility of criminal liability, the GDPR allows imposing heavy administrative fines on violators of up to €20 million or 4% of the global turnover. In addition, the law allows individuals to claim damages without proof of damage. Thus, a very significant deterrent basis has been created, as noted, for those who do not sit in the European Union.
2018-09-25 at 19:29 #50415
Our data now represents not only a couple of numbers or name, but your actual behavior and that is treasure for criminal agents that are hungry to reach you in a way that analyzes so deeply that may direct your steps either online or going to home after a working day, or either personal desires. The proposal of certain systems is to know better about you than either yourself.
2018-11-26 at 00:57 #51906
According to a definition I recently read, Data Privacy is the ability an organization or individual has to determine what data in a computer system can be shared with third parties.
More and more, we are losing our capability to control our data and determine what can be shared with 3rd parties. One example of this is due to our growing use of social sites/e-commerce. With social sites & e-commerce, our interests and past purchases are shared between multiple sites as a marketing strategy. While this may not be detrimental to us, it is something that should be considered when the topic of data privacy is brought up.
2018-11-26 at 11:13 #51943
Being a consultant in the healthcare industry which is a prime target for cyber attack, I am particularly concerned with data privacy. Our members rely on us to keep all of their personally identifiable information (PII) and protected health information (PHI), whether paper or electronic, secure and safe. Data that healthcare companies have can easily result in identity theft if stolen.
Of great concern is the amount of healthcare data that is now transmitted electronically. Health Data Information Exchanges, which are being developed across the nation, are of particular concern and require significant security measures be in place.
2018-12-11 at 06:13 #52187
2018-12-19 at 04:47 #52273
“LTS Secure 2020 Cyber security framework” can provide cyber defense that organizations should take to protect themselves from advanced cyber threats. But how to build a cybersecurity strategy, and what are the steps that organizations should take?
To know more >> http://ltssoc.com/ltssecure/security_framework.html