REDMOND, Wash., Oct. 19, 2005 – Not too long ago, when businesses sought to protect trade secrets, confidential communications and the private information of customers, the checklist of things “to do” and “not to do” was pretty short. For most companies, it involved little more than locking file cabinets, making sure no one spoke too loudly during business lunches and ensuring old documents were shredded before they were thrown in the dumpster.
The checklist is considerably longer today. The increasing power and ubiquity of information technology (IT) has spurred on a virtually non-stop exchange of electronic data and documents among co-workers, partners and customers. During this month’s Security 360 webcast, Microsoft Corporate Vice President Mike Nash and Director of Product Management Amy Roberts of Microsoft’s Security Technology Unit, gathered with security and privacy experts from the industry to discuss privacy and offer businesses advice on how to reduce the risk of private information getting into the wrong hands, while continuing to realize the business value of anytime, anywhere access and exchange of information.
During the live 60-minute webcast, the experts urged businesses to gain a better understanding of both the differences and similarities between privacy and security. They also discussed the importance of strong policies and procedures to help manage and protect confidential information – in tandem with powerful Microsoft technologies designed to help businesses increase privacy and security.
The webcast aired Tuesday and is available on demand at www.microsoft.com/security360 along with past shows from the series. Microsoft began offering the webcasts in 2004 to help businesses leaders and IT professionals learn about the latest techniques and technology to help protect their PCs and IT infrastructure. Localized versions of the on-demand webcasts are available in nine languages.
Defining the Privacy Challenge
Concern about data privacy has been growing within the corporate world for years. But it has begun to take center stage in boardrooms and IT departments following high-profile breaches of customer payment information and other confidential data. Nash cited a 2005 CSI/FBI Computer Crime and Security survey that estimated the total financial damage caused by unauthorized access to sensitive information has grown 600 percent over the past year, with 30 percent of companies reporting losses. More than half (56 percent) of these breaches were performed by people within the companies, according to the survey.
In the United States, new federal and state regulations, such as the Health Information Portability and Accountability Act (HIPAA) and the financial account requirements of the Sarbanes-Oxley Act, have created strict legal requirements for privacy for many businesses. Laws in Europe, Canada, and Japan add additional regulatory requirements for international businesses.
Nash and other experts said the protection of corporate and customer data needs to be viewed as more than a legal obligation for today’s businesses; it must be seen as a key to building customer trust and business success.
“Branded organizations begin with a concept of trust. If the public believes we are using information inappropriately or are not protecting it adequately, it will really hit the trust concept very, very hard,” said Marty Abrams, senior policy advisor and executive director of the Center for Information Policy Leadership, during the “What Is It?” segment of the webcast. “It’s hard to recover from a loss of reputation.”
In fact, more than eight out of 10 consumers say they would stop doing business with a company if they heard or read that the company misused customer information, according to a 2003 study by Privacy & American Business.
Businesses worldwide are investing vast resources to address the challenges of privacy and security, yet they continue making headlines. At the root of the challenge, the Security 360 panelists noted, is the question of how businesses approach privacy – even how they and the general public define the term.
Panelists defined IT privacy as the protection of a broad swath of corporate data. In addition to intellectual property and corporate secrets, companies need to protect confidential customer health and financial information, as well as personal information such as Social Security numbers, addresses, credit-card information and even information about browsing habits.
During the 360 Roundtable, hosted by Roberts, Adam Shostack, an independent cryptographer and security expert, said the term privacy is used in everything from advertisements to sell curtains to political short hand during the ongoing debate about abortion rights. Privacy “has this enormously broad spectrum of meaning,” Shostack said. If companies don’t consider this broad spectrum, they are likely to touch a raw nerve with their customers, he said.
Rather than viewing privacy and security as one and the same thing, businesses need to view privacy as a separate yet related responsibility, Shostack and others said.
“It’s difficult to have privacy without security, but if you say you have a secure environment that doesn’t guarantee you have privacy,” said Gerry Gebel, senior analyst for the IT analyst firm Burton Group.
Peter Cullen, chief privacy strategist for Microsoft, noted during the roundtable discussion that the IT departments within many businesses are investing time and resources to restrict access to their corporate networks resources and the information stored on them. But these same protections aren’t always extended to the information that is collected or stored on employee laptops or their corporate websites. Although these sites collect much of the same customer information as is securely stored on the network, they are often run by corporate marketing departments, which aren’t always tasked with IT privacy, he said.
New Software, Services Underpin Privacy
Except in specialized computing environments, businesses have traditionally had few tools to limit distribution of confidential or personal information. During Tuesday’s webcast, Nash and others discussed new technologies offered by Microsoft and other companies that have made it easier for companies to affordably increase data privacy. Windows Rights Management Services (RMS) technology, introduced in Microsoft Windows Server 2003, and Information Rights Management (IRM) technology, introduced in Microsoft Office 2003, allow the creator of a document or an e-mail to set rules for who can open the document and whether the document can be revised, printed or forwarded.
IRM in Microsoft Office 2003 permits the protection of Microsoft Office documents, while RMS allows organizations to set consistent rules for how documents can be used, and can be integrated into third-party applications and Microsoft Office 2003. Once a document or e-mail message is protected by rights-management technology, the protections travel with the file.
Privacy Policies, Procedures Equally Important
Technology is only part of the solution, and is only as effective as the internal practices and policies companies set up for the technology to help enforce, the expert panelists said.
The security breaches that have really sapped public trust in recent years have “had nothing to do with the big system itself,” said Marty Abrams, senior policy advisor and executive director of the Center for Information Policy Leadership. These breaches involved “the wrong people seeing the data at the wrong time and using it in the wrong way.”
Nash presented a checklist (see Privacy Check List, this page) of recommendations for companies to help ensure adequate privacy safeguards.
Stephen Fridakis, chief security engineer at the consulting firm Bearing Point, said companies need to establish rules that apply to all of their networks and applications, and designate a custodian for each type of data and application. “That person owns the data and has the responsibility to allocate different access roles to different groups of people,” Fridakis said during a roundtable discussion led by Nash.
Joe Gimigliano, associate director of architecture and security for the pharmaceutical company Purdue Pharma, said companies need to go as far as identifying employees who are responsible for uncovering breaches.
Purdue Pharma has placed all of the systems with private data on an isolated network with strictly controlled access. “We can apply additional controls because it is much less of an investment…to apply all the logging and monitoring controls in the isolated segment as opposed to across the entire infrastructure,” Gimigliano said.
The company also has hired outside security firms to access private data in its IT system. “It’s eye opening to see…your strengths and…your weaknesses,” Gimigliano said.
Shostack said some companies are adopting a different approach; they are limiting the information they collect from customers – and going as far as hiring independent credit agencies to assess the creditworthiness of a customer for them. “That way the company doesn’t see or store the social security number,” he said. “They haven’t seen it (so) they can’t accidentally disclose it.”
Several of the experts advised companies to use extreme caution and ensure they use latest encryption technologies if they allow employees to keep confidential information on laptops and other mobile devices. To help address these concerns, Microsoft is adding full-volume encryption to the next version of the Windows operating system said Jeffrey Friedberg, director of Windows Privacy at Microsoft. This hardware-based data-protection technology is designed to prevent anybody but the authorized user from accessing data on the machine.
Another important component of corporate privacy involves sharing information. Gebel said companies can attract and retain customers by ensuring they are clearly explain the types of information they collect, why they collect it and how they protect it. The same transparency should apply if a company uncovers a privacy breach, Shostack said.
“The key,” he said, “is really fast disclosure that tells people what happened, why it happened and what you are doing about it.”
