Bridging the Privacy Gap

Risk Management
Written by Joe Campana
Thursday, 23 April 2009 00:00
I am winding down volunteer work on a community project where privacy and information security have been a contentious issue. At the center of the picture is a custodian of sensitive electronic consumer information who is resistant to change. This custodian lacks an understanding of modern principles of privacy and information security, and the person has little more than a rudimentary understanding of computers and information systems. Management personnel who have this knowledge gap are not uncommon, but it can be a major liability. The challenge is to get such a person with limited technical and security knowledge to take responsible steps to protect the information in a technically and legally defensible manner.

After significant pressure to resolve the security hole in this organization, which essentially amounted to a massive data breach involving tens of thousands of records, the custodian acted under their software vendor's advice. My assessment was that the advice was not in the best interest of the organization, the custodian or the data subjects.

The organization's legal counsel also appeared to lack an understanding of privacy and information security laws. The custodian was receiving awkward advice from corporate counsel concerning how the breach should be handled. Few attorneys have experience in privacy and information security law. This area of law is relatively new, and few law schools currently offer a specialty in privacy and information security. Although your attorney or vendor may be sincere in trying to be helpful, the reality is that few have the credentials to provide technically and legally defensible privacy and information security solutions. Vendors have a financial interest, and not always a fiduciary interest.

So what is missing in this organization? Many larger organizations employ a chief privacy officer, the corporate expert, who can provide sound administrative, physical and technical security guidance throughout the organization. This medium-sized organization does not have a privacy or security officer. Other organizations, especially smaller organizations that cannot afford a full-time expert, use a security or privacy consultant to do the same. Either way, a capable third party is available to provide appropriate guidance to management to bridge the knowledge gap.
Last Updated on Wednesday, 22 April 2009 22:20