Does anyone truly have Privacy?
With Google tracking your interests, Facebook scanning each photograph, Foursquare locating you every now and then, and apps like FindMyIphone, this has become a very trivial question. In recent times, it has become crucial for users to draw a line between their online and offline lives. When I look at it from an enterprise perspective, the picture is a matrix of regulations, compliance requirements and policy frameworks.
Here I have summarized some of the important regulations that industries and enterprises have to comply with:
1. Finance: Did you know that the insurance and finance industry fraud losses in the US last year were in the billions? Stringent audits and penalties have helped curb this to some extent. A few important acts that I would like to mention are:
- Gramm–Leach–Bliley Act (GLBA): This act removed the barriers in the market among banking, securities, and insurance companies that had prohibited the consolidation of an investment bank, a commercial bank, and an insurance company. This created an additional need to safeguard the data of customers using all of these services, including email exchanges, records, etc.
- Sarbanes-Oxley Act (SOX): This has been one of the most historic acts, setting new standards for all US public company boards, management and public accounting firms, while protecting investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. The main business functions affected by this act are:
(a) Email confidentiality
(c) IT practices
This made it mandatory for public companies to ensure that they have a secure way of exchanging data, using more reliable methods than traditional FTP (which carries credentials and files in cleartext).
2. Health: So only your transactions need security? Think again: don’t you have the right to keep information regarding your health private?
- The Health Insurance Portability and Accountability Act (HIPAA): Designed to protect the health information of individuals and give individuals the right to take reasonable steps to ensure their confidentiality. For example:
(a) An individual can ask to be called at his or her work number instead of home or cell phone numbers.
(b) Messages containing health information of users must be encrypted.
- Health Information Technology for Economic and Clinical Health Act (HITECH): This was a part of the $1 trillion set aside by the USA under President Obama’s administration to improve health reforms for citizens. HITECH is a $22 billion project to digitize the health records of all citizens before 2014, and hence has to adhere to the most stringent rules and regulations. This should take the healthcare industry to another level.
3. Transactions: Got an email from your bank asking you to change your password, and got redirected to a page that looks like your login page? You could have just helped a terrorist organization raise funds or a hacker steal your last dime. Relax! The solution is here:
- Office of Foreign Assets Control (OFAC): This standard enforces economic and trade sanctions based on U.S. foreign policy and national security goals, to make sure that only legitimate business transactions happen between organizations or individuals, thus curbing any terrorist activity. Technologies like IAM ensure that processes are defined so that nobody can take advantage of any loophole in the system.
- Payment Card Industry Data Security Standard (PCI DSS): This standard enforces secure storage of the information of users paying with a credit/debit card across the different payment processors. One of the most important ways of achieving this is to encrypt user information in transit. The various programs started for this are the Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program.
The most common need arising from all of the above compliance requirements is the need for better security and auditing in organizations that store and exchange sensitive consumer data. There are a number of security organizations addressing this through different methods, and governments are taking concrete steps to protect the privacy and sensitive data of individuals. Going forward, technology, with concepts like IAM or Identity Access Management, will curb the misuse of sensitive data and, more importantly, data theft, by defining processes at every level of the organization.