NATIONAL HARBOR, Md. — Even though most enterprises have created a position to oversee privacy in their IT operations, many of those programs miss the target, often owing to budget shortfalls, according to an industry analyst.
In a 2008 survey, 65 percent of businesses reported that they had a dedicated individual or office devoted to promoting privacy, which Hallawell admitted was higher than she expected. In the same survey, however, only 40 percent of businesses said they have distinct privacy funding provisions in their budgets.
“You can’t beg, borrow and steal forever,” Hallawell said. “You need some type of resource that’s dedicated to this.”
Privacy issues, concerning data relating to both employees and clients, are complicated by a patchwork regulatory environment affecting firms that operate overseas. In Europe, for instance, many members of the EU have adopted privacy guidelines that are far more stringent than those in markets like China and India, where the collection and use of personal information is largely unregulated.
The United States falls somewhere in between. Despite the efforts of some lawmakers, Congress has yet to adopt a nationwide data breach notification requirement, though efforts have resumed in both chambers to codify a national standard.
But in the absence of a federal law, more than 40 states have developed their own widely varying statutes, ranging from notification requirements to specific standards on how information like social security numbers can be used.
To navigate that tangle of regulations, Hallawell advises enterprises to form — and fund — dedicated privacy operations that incorporate multiple sectors of a company’s operations.
Hallawell said that security auditors increasingly advise firms in all industries that their privacy policies are too weak.
“We’re hearing that loud and clear from our clients,” she said. “Privacy is an immature function.”
She added, “Many organizations might have someone who’s in theory in charge of privacy, but, particularly in the U.S., that’s tended to reside in the legal department.”
She also recommended against housing the privacy apparatus within the information security department. Subsuming privacy within the security apparatus risks lowering the profile of an issue that needs the attention of sales, marketing, human resources and other segments of a company’s operation.
“While security and privacy share a heritage, they are separate disciplines,” she said.
In addition to the dedicated privacy officer (or, better still, a team devoted to privacy), Hallawell said she advises clients to form a privacy council, a big tent that would draw representatives from across a company’s operations. She also advised companies to go the extra mile and codify the body with a formal charter to ensure that employees would take the privacy operation seriously, and actually show up to the meetings.