got privacy?  Musings on the state of Privacy in a connected world.

One of the major problems that organizations face when they’re reviewing their compliance program is understanding why they are doing what they are doing and how to achieve a ‘steady state’ where compliance becomes part of the scenery rather than an ongoing struggle.  For many organizations, this state seems to be receding ever further into the distance.  Each year bring more controls that need to be implemented and monitored.  Every gap analysis finds more gaps and every effort at remediation appears to lead to little relief.

Part of this issue is that for most organizations a ‘gap analysis’ is about the worst thing that they could be doing.  A ‘gap analysis’ frames the situation to prejudice an outcome and rarely helps an organization get closer to a steady state of compliance.  Framing is a term from linguistics which describes how the choice of words activates certain emotions and thought patterns.  With a ‘gap analysis’ the framing works like this:  Gaps are bad.  Analyzing and fixing gaps is good.  Having no gaps is best of all.  However, in practice there are always more gaps to be found.  Existing gaps may reoccur in other forms or auditors will just dig deeper to find smaller and smaller gaps.  But seeking to identify weak areas is good.  It shows that we care about what is wrong.  Therefore we should do gap analyses.

Even in organizations that are highly compliance focused, this approach doesn’t make a lot of sense.  It provides a never ending stream of ‘remediation activities’ and ‘refresh testing’ which keeps people employed and consultants in business, but it may or may not contribute to making organizations more secure or compliant.  And after a point, there is not much point in being more compliant than is enough to achieve a particular sign-off or to provide a level of due care should an organization be sued.
Does someone's right to privacy end once they are dead?  In the US, we do not have a constitutional right to privacy in the same way that Europeans do (yet!), but explicit provisions in HIPAA (Health Insurance Portability and Accountabilty Act) maintain that information about an indivudual should be maintained as private after their death, but other regulations such as the Freedom of Information Act may conflict in certain situations, in addition to free speech rights guaranteed under the First Amendment.

In the EU, the right to personal privacy explicitly survives death

Some interesting links around this subject can be found at:

Is there privacy after death?
Privacy after death debated.

Some more thoughts on this topic from Rebecca Herold (@privacyprof) who had written a couple of thought pieces around this topic here and here
An interesting point was made the other day by Joel Scambray in a presentation that he gave to the WTIA Security SIG.  How many tests does a doctor do when you go in for a checkup?  The number is around 8, weight, blood pressure etc.  Of course - this will not diagnose some ailments, but even if you take the pareto principle and say that it can give a trained practitioner a good guess at 80% of the common things that could be wrong with someone who walks into their office - that's a pretty good outcome.

If that is the case, given the complexity of the human body - then why do most information security frameworks (ISO, COBIT, PCI) have over 100 [in some cases over 200] individual controls.  Can't we just ask 8-10 questions and get a good feeling for 80% of the major things that are wrong with an information security or privacy program?

If we can - what are those key 8-10 questions that would help us to determine if we need to get a specialist involved to do more detailed testing?
The Federal Trade Commission (FTC) has settled with 6 organizations that claimed falsely that they complied with Safe Harbor (Sidenote: I still have to stop myself from spelling it "Harbour" even though I've lived in the US for a few years...). 

For those of you not familar with Safe Harbor, it is a way for US organizations to share data between the US and Europe even though there are very different data protection legislative environments in place.  There is a fundamental right to privacy in the draft European Constitution, but not in the US constitution -

Safe Harbor is a self-certification process.  Organizations can download the principles from the FTC website, review their practices against them and then pay a nominal fee to be included in the list of organizations that are Safe Harbor "compliant".  So far, so subject to abuse?  Frankly I am amazed that the EU has allowed this self-certification process to continue for so long when it provides so little real comfort that organizations are doing what they need to to protect EU Citizens personal information.  I guess that it's partly due to the balance of power in the EU / US relationship where the US govenment has no doubt been lobbied hard by business not to make the standard any more onerous.

I'm all for self-regulation when it works, but at Ronald Reagan said "Trust, but Verify".  Now that the FTC has stepped up its actions I wonder how many of the organizations that have gone through the self-certification process will revisit their answers just to check whether they would stand up to an outside inspection.

FTC statement regarding the settlement
Much more detailed analysis of the case and some possible implications at