January 28, 2011 is Data Privacy Day. Analyst Eric Ogren from The Ogren Group sat down with Lumension CEO Pat Clawson to ask some key questions around what this day means for the industry and how it has made an impact since Congress implemented it two years ago. Both Eric and Pat get down to the key issues while at the same time offer specific advice for individuals and organizations to better protect their most important asset – data.
Q) Do you think this day has been effective in raising awareness around the issues of data privacy?
A) Absolutely not. There is little sense in observing a day that has no action behind it and fails to make individuals or organizations responsible for ensuring sure smart plans are in place to secure their biggest asset – data. And why would we? What is the incentive? We need to take a lesson from Massachusetts’ Data Protection Law that requires all entities that license, store or maintain personal information about a Massachusetts resident to implement a comprehensive information security program — even if the business or entity does not have offices in the state. While strict, it will prove to be necessary, especially in light of the recent WikiLeaks and stolen USB stories that have littered the news. Singapore also has statutory provisions to regulate use of personal data.
If the federal government can put good policies in place, then the commercial sectors will follow. We need to establish positive rules of behavior that actually become enforceable. I am clearly biased, because at Lumension we live and die by data privacy and are at least mildly passionate about it.
Q) How has this event evolved and gained visibility since its inception in 2009?
A) From what I’ve seen, it hasn’t gained much visibility outside of the initial inception, which makes sense considering there isn’t anything currently in place in terms of protection. Over the past ten years, we continue to talk about what needs to happen, but even with Data Privacy Day, we have yet to find the right model to make data protection needs actionable. The thing that this event does do is reiterate the need for the government to put a clear plan of action in place from the top down. If not, this will just end up being another day like “National Clean out Your Computer Day” (second Monday of the month).
Q) How has data security changed in the last few years and how has this impacted organizations overall?
A) Information Security has seen a radical change moving from information and computer security to data protection. In other words, we are much less concerned about the technology itself and more focused on the data. The challenge comes in knowing how to protect all of the billions upon billions of bits and bytes of data, which is made difficult by the fact that organizations want to stay protected, while still providing employees with online freedom.
Q) This day is particularly targeted towards teens and young adults as a means of educating them on how to protect their personal information online, especially in the context of social networking. However, since 2009 (when this day began), social networking has expanded to a much broader, and older audience. Thus, should the focus of this day be broadened to incorporate older adults, many of whom are new to social networking?
A) As a parent of teenagers, who don’t even know this day exists, clearly the message of data protection is not getting across to this audience. If we agree that data is the cornerstone to how our infrastructure works, then at the very least, we should make sure as a nation that the importance of keeping data secure is paramount at any age. We were very effective when communicating the perils of nuclear warfare. Money was behind it and the effort came from the Federal level so everyone was well aware – commercials, billboards, radio ads, television, etc. So why is something as important as our individual data security that impacts all organizations at all levels across all sectors not being put front and center?
Q) For those who are inspired by Data Privacy Day and want to take a look at the accessibility of their information on the Internet, where do you recommend they turn in order to learn more about how to lock down their data?
A) There are no truly effective vehicles to push this issue ahead, which makes it challenging to gain insight, not to mention the information out there is very vendor-focused, making it even harder to find real insight. We can start by looking to the successes other counties have had in implementing data privacy awareness and laws to protect data. There are also neutral-organizations such as SANS who have some helpful hints on how to stay protected.
Q) What are some of the issues that could arise if social media users do not lock down their personal data, such as birthdays, addresses and personal contact information?
A) Back when email was used as a vector to infect rapidly around the world, the contact databases proved to be a very effective tool for the bad guys. Today, social media has injected a whole new layer of risk to both enterprises and the consumer via prominent sites like Twitter and Facebook. Leveraging their massive subscribership and people’s unfailing ability to trust anything sent to them by their friends, social networking sites takes risk all the way down the chain to reach all kinds of demographic sectors in a much less noticeable way. If you receive something from your friend, you trust it and people open links, pass them along and continues the cycle. Unfortunately, it is also reaching children and the machines they use.