Customers are already voting with their feet – taking their business away from companies who allowed private data to be exposed. So it’s understandable that privacy and security are top of mind for many businesses and their customers.
Small and mid-sized businesses (SMBs) are hastening to respond, according to David Kidd, QA and Compliance Director at Peak 10. “Titles such as information security officer and privacy officer are now emerging in SMB enterprises. Even smaller companies have recognized the need for centralized security and privacy oversight – even if these become part-time roles within another job.”
However, security and privacy are not the same. Differentiating the two is a key step in establishing practices to keep private customer data where it belongs. “The biggest misconception,” explains Kidd, “is that once you partner with a cloud or data center provider, you have outsourced all of your compliance, privacy and security obligations. You can outsource many security controls, but the responsibility for security and compliance is yours.”
A recent Forrester Research report details how the chief privacy officer (CPO) and chief information security officer (CISO) see data differently. “CPOs want CISOs to understand that security is not equivalent to privacy. While CPOs have a vested interest in data security, their focus is first on whether the organization is even allowed to have the data, and then what they are allowed to do with it.”
When privacy and confidentiality are regulated by government or statutes, organizations are often ahead of the curve. For example, financial services organizations are usually well informed on which data they may collect and retain; it’s spelled out in the financial privacy requirements of the Gramm-Leach-Bliley Act (GLBA). But privacy can be more subtle when the rules aren’t as clearly defined.
Target famously discovered the subjective nature of privacy when they mailed baby-related coupons to a teenager whose family didn’t know she was pregnant. Target hadn’t violated any regulations, but the breach of the teen’s privacy embarrassed the customer – and Target had to adjust their internal policies. As Target’s Andrew Pole observed, “We are very conservative about compliance with all privacy laws. But even if you’re following the law, you can do things where people get queasy.”
Its company-specific nature is why privacy must remain the responsibility of your business. You know best what regulations affect you, and only you understand the sensitivities of your customers to the level of confidentiality they trust you to maintain. This can’t really be outsourced.
The good news is that help is available on the security side. Many SMBs prefer not to build, staff and maintain an entire data center infrastructure. Outsourcing this function – whether in the cloud or by colocation – allows you to get secure compute and storage resources without diverting you from your core business.
A good infrastructure partner will surround your data and computing operations with security controls that assist you in enforcing your privacy and confidentiality obligations. These include network security controls, managed intrusion detection and prevention systems (IDPS), centralized log servers and management of system logging, anti-virus and patch management – plus controls as fundamental as physical security.
“Every time I go into a Peak 10 facility, I have to present a fingerprint,” says Peak 10’s David Kidd. “Our security and compliance program is assessed annually by an independent third party for environmental, logical and physical security. That’s how we give our users and customers confidence that what they trust to us will be stored and managed right.”
Finally, your partner must be expert in all areas of compliance that affect your business. While no vendor can take on your entire compliance obligation, you want to trust your data to a vendor with audit-ready and/or compliant offerings and a long track record in standards and regulatory compliance.
Privacy and data breaches are not going away. Verizon’s 2014 Data Breach Investigations Report finds that attackers’ speed at accessing data outstrips companies’ ability to discover the breaches. Even so, your company’s data and your customers’ data are the crown jewels of your business. Knowing how security and privacy interact lets you find the right partners and improve your odds of success.
Executive Spotlight: The CISO’s Guide To Understanding The Chief Privacy Officer, Forrester Research, Inc., July 23, 2014