got privacy?  Musings on the state of Privacy in a connected world.
 


One of the major problems that organizations face when they’re reviewing their compliance program is understanding why they are doing what they are doing and how to achieve a ‘steady state’ where compliance becomes part of the scenery rather than an ongoing struggle.  For many organizations, this state seems to be receding ever further into the distance.  Each year brings more controls that need to be implemented and monitored.  Every gap analysis finds more gaps, and every effort at remediation appears to lead to little relief.

Part of this issue is that for most organizations a ‘gap analysis’ is about the worst thing that they could be doing.  A ‘gap analysis’ frames the situation to prejudice an outcome and rarely helps an organization get closer to a steady state of compliance.  Framing is a term from linguistics which describes how the choice of words activates certain emotions and thought patterns.  With a ‘gap analysis’ the framing works like this:  Gaps are bad.  Analyzing and fixing gaps is good.  Having no gaps is best of all.  However, in practice there are always more gaps to be found.  Existing gaps may reoccur in other forms or auditors will just dig deeper to find smaller and smaller gaps.  But seeking to identify weak areas is good.  It shows that we care about what is wrong.  Therefore we should do gap analyses.

Even in organizations that are highly compliance focused, this approach doesn’t make a lot of sense.  It provides a never ending stream of ‘remediation activities’ and ‘refresh testing’ which keeps people employed and consultants in business, but it may or may not contribute to making organizations more secure or compliant.  And after a point, there is not much point in being more compliant than is enough to achieve a particular sign-off or to provide a level of due care should an organization be sued.
 
Does someone's right to privacy end once they are dead?  In the US, we do not have a constitutional right to privacy in the same way that Europeans do (yet!), but explicit provisions in HIPAA (Health Insurance Portability and Accountability Act) maintain that information about an individual should be kept private after their death.  However, other regulations such as the Freedom of Information Act may conflict in certain situations, in addition to the free speech rights guaranteed under the First Amendment.

In the EU, the right to personal privacy explicitly survives death.

Some interesting links around this subject can be found at:

Is there privacy after death?
Privacy after death debated.

Some more thoughts on this topic from Rebecca Herold (@privacyprof) who had written a couple of thought pieces around this topic here and here
 
Interesting report in Wired (http://www.wired.com/threatlevel/2009/10/delta/), The Register (http://www.theregister.co.uk/2009/10/14/delta_flyersrights_hacking_lawsuit/) and probably other tech news outlets about allegations that a large corporation accessed an activist's private email accounts as part of an effort to derail some legislation that could cost them up to $40m per year.

While this blog still believes in the principle of "innocent until proven guilty" - we will be watching this case with interest.  In many cases, people's private and work lives are closely intertwined, and there aren't many people who can claim that their work email is 100% separate from their personal email (*cough* Sarah Palin *cough*).

If proven, this case could impose punitive damages and may certainly cause other organizations to think twice about using similar tactics.  Until then - we'll be keeping an eye on how this progresses as it goes to court.
 
The Federal Trade Commission (FTC) has settled with 6 organizations that claimed falsely that they complied with Safe Harbor (Sidenote: I still have to stop myself from spelling it "Harbour" even though I've lived in the US for a few years...). 

For those of you not familiar with Safe Harbor, it is a way for US organizations to share data between the US and Europe even though there are very different data protection legislative environments in place.  There is a fundamental right to privacy in the draft European Constitution, but not in the US constitution - http://www.edri.org/edrigram/number12/privacy-eu-constitution

Safe Harbor is a self-certification process.  Organizations can download the principles from the FTC website, review their practices against them and then pay a nominal fee to be included in the list of organizations that are Safe Harbor "compliant".  So far, so subject to abuse?  Frankly I am amazed that the EU has allowed this self-certification process to continue for so long when it provides so little real comfort that organizations are doing what they need to do to protect EU citizens' personal information.  I guess that it's partly due to the balance of power in the EU / US relationship, where the US government has no doubt been lobbied hard by business not to make the standard any more onerous.

I'm all for self-regulation when it works, but as Ronald Reagan said, "Trust, but verify".  Now that the FTC has stepped up its actions, I wonder how many of the organizations that have gone through the self-certification process will revisit their answers just to check whether they would stand up to an outside inspection.

FTC statement regarding the settlement http://www.ftc.gov/opa/2009/10/safeharbor.shtm
Much more detailed analysis of the case and some possible implications at http://www.huntonprivacyblog.com/2009/10/articles/enforcement-1/ftc-takes-additional-safe-harborrelated-enforcement-actions/index.html