To honor Data Privacy Day, Privacy Professor Rebecca Herold reveals the top five privacy predictions for 2011:
1. All types of organizations must consider the risks involved with using cloud computing.
More organizations will use outsourced cloud (remote computing and storage) services. Small and medium-sized companies in particular will move their information security and IT functions to outsourced clouds because they simply do not have the expertise internally to effectively manage security and privacy, and cannot afford to hire traditional hourly consultants to help them. This will also be the case for educational institutions currently struggling with budget cuts. Cloud services can be quite secure, but some simply aren't. Organizations must know the right questions to ask, and get satisfactory answers, before using one.
2. Every organization is affected by social media sites.
Companies will use social media sites even more to communicate about their services and practices, and as a result of human error, malicious intent or even lack of knowledge, there will be significant privacy breaches (unauthorized use or release of personal information) through these sites. Companies must ensure they have policies and supporting procedures in place for their personnel to follow with regard to posting (and not posting) information about the business, coworkers, customers and clients, even when employees are away from work, using their own computers.
3. Healthcare privacy issues will become more problematic and come under heavier scrutiny.
Healthcare providers that qualify are clamoring to get their $44,000 in "meaningful use" stimulus funds to convert to electronic health records. As part of the requirements for the funds, providers must perform an information security risk assessment and fix any problems discovered. Plus, providers and their business associates (accounting firms, ad agencies, financial institutions, etc.) will be held to stricter compliance regulations due to changes in HIPAA and the HITECH Act. This will ultimately be good for consumers, but the transition, even with these additional requirements in place, will result in more breaches if providers and associates don't implement safeguards in a comprehensive manner.
4. All organizations that collect, store or handle personal information will increasingly perform privacy impact assessments to determine how to best address their individual circumstances.
These assessments will emerge as a corporate necessity, with utility companies leading the way. For example, as utilities start converting customers to smart meters and connecting to the Smart Grid, and as manufacturers create new types of smart appliances, they will face significant hurdles to prove their offerings protect consumer privacy.
5. All organizations must address the risks inherent with mobile computing.
It would be hard to find a company today where personnel are not using mobile computers, smart phones or electronic storage devices. This use, and working away from the office, will continue to increase dramatically in 2011. Large amounts of sensitive and confidential information are often stored on such devices. Mobile computers and storage devices are very easy to misplace, lose or forget, and are a favorite target of thieves. Appropriate security must be in place to protect them, and the information stored on them.
The weakest link in information security and privacy is people, says Herold. Studies show that most incidents and breaches occur because people simply didn't know what they were doing, they made a silly mistake, or they had ill intent because they knew that they would likely not get caught, she notes. Many laws and regulations explicitly require formal, ongoing training and awareness - not only HIPAA, HITECH, and GLBA, but also many other federal, state and local level laws, regulations and industry standards, Herold says, and penalties will become increasingly heavier for organizations that lack effective training and awareness activities.