Friday, March 30, 2007

Auditing Privacy Part 2 - Risk Assessment of Data Loss

The easy way to assess privacy risks is to focus on the impact of data theft to the organization by including the private data as a corporate asset. There are well documented methods to identify the vulnerabilities in means of collecting, storing and sharing the data. Similarly, there are methods to identify and list the data's threats (hackers, "insiders," and negligent loss). The impacts will likely shake out along the lines of direct costs (postage, call center, other incident response costs), potential legal and regulatory actions and reputation damage. (For an example, Protegrity assessed the TJX data breach at $1.7 billion, though TJX was not strictly a privacy issues, it has parallels*).

This would be the easy way, but may not result in the most accurate results. The problem lies in identifying the impacts of a privacy breach. The attribute of “privacy” assigned to the data is what makes the data valuable, and worthy of protection. However, "privacy" is not an attributed that belongs to the corporation, but to the individual the data describes. So an assessment of risk to the corporation of privacy loss should start at looking at the impact of the loss to the individual.

Why do many corporations, when disclosing losses of tremendous amounts of data, appear to suffer only short term damage to their reputation. I posit that the potential damage to a corporation is proportional to the actual real damage to privacy of the individuals described in the lost damage. (See Guin v Brazos)

The real impact of a privacy incident on individuals has been hidden behind a cloud of security vendor fear mongering and media induced panic. The common problems with the data is equating data loss with a privacy breach. Identity theft properly defined is likely a higher impact, lower frequency event than is commonly reported.

The SB1386-style disclosure laws have been a boon to identifying the frequency of data loss, but the information that has to be disclosed does little to help identify the impact. An auditor concerned strictly with compliance would have to place equal risk to any loss of private data. But the auditor should take the risk assessment to the next step and focus on the individuals, identifying the risks that lead to actual harm to the privacy of individuals. Compliance risk is equivalent for the loss of a laptop carrying an encrypted database of private data and the same databases being heisted off a web server unencrypted by a criminal with the intent to exploit the identities. The real risk to the privacy of the individuals described in the database is clearly different.

Beyond the risk of a data loss, the auditor should also consider the equally important risks of the collection of private data and the dossier-ification of data. More on that later.

*Why the high risk to TJX? Though not strictly a privacy issue, the damages related are an issue of a loss to a third party - the banks - rather than TJX itself.

"Some would call this good fortune" from s2art

No comments: