© 2011 by Taylor & Francis Group, LLC
In any organization there are privacy concerns. Privacy is personal
information being disclosed to the wrong person at the wrong time.
It could be personnel les, medical records, or customer records.
Every organization has personal information. ere are rules and
various legislation regarding the disclosure of personal information.
Inappropriate disclosure of personal information is a risk. Mitigation
of the risk and the protection of personal information are security
controls. Security controls may be technical, procedural, or physical.
Personal information was dened by the U.S. government in 2007
as PII. e Oce of Management and Budget dened PII as
Information which can be used to distinguish or trace an individuals
identity, such as their name, social security number, biometric records,
etc. alone or when combined with other personal or identifying infor-
mation which is linked or linkable to a specic individual, such as date
and place of birth, mothers maiden name, etc.*
NIST has developed SP800-122, Guide to Protecting the
Condentiality of Personally Identiable Information (PII) for pro-
tecting personally identiable information that may be useful when
combined with PCI data security standards.
A breach in privacy is usually a breach in security. is means that
one or more controls have been compromised. Even when authorized
people inadvertently disclose personal information, there is usually
a control compromised. Privacy breaches tend to get more visibil-
ity. ere is not one day that goes by where a privacy breach is not
reported. Some of these are laptops containing personal informa-
tion being stolen or lost. Some are information being leaked; some
are personal information being sold. ere are so many incidents of
personal information being lost, stolen, or leaked that it is now a
300 PraCtiCal risk ManageMent for the Cio
© 2011 by Taylor & Francis Group, LLC
common occurrence. e questions are where, when, how much, and
how long has it been going on? Employees have been caught steal-
ing customer records and selling these records on the Internet. As
indicated previously, there is value in personal information and if you
do not protect your personal information, there is a good chance that
your organization will end up on the front page of a newspaper or
major blogging news.
e OECD developed a set of privacy principles in 1980. ese
should be reviewed; they will provide a foundation for your privacy
policies. A summary of the privacy principles are found in Appendix
A or you can look on the OECD Website (“e OECD Guidelines
on the Protection of Privacy and Transborder Flows of Personal
Data”; www.oecd.org).
If you are collecting personal information, you must conform to a
number of laws. In Canada there is the PIPEDA. In California, SB
1386 is the disclosure law requiring businesses to disclose a privacy
breach. ere are a lot of other laws and acts coming on line and most
likely the U.S. Government will pass an overarching law to protect all
personal information similar to its federal disclosure law for health-
care (HIPAA).
ere are privacy seals for your Web site that you can purchase from
a number of vendors. A privacy seal is an image that is displayed on a
Website. A privacy seal means that your organization has a minimum
set of guidelines of how you collect, handle, store, and share person-
ally identiable information. ese are a minimum set of guidelines
and there appear to be no penalties attached if your organization fails
to comply other than the privacy seal vendor will not reissue their
privacy seal.
One nal note: ere is a protocol for privacy protection on the
Web known as the Platform for Privacy Preferences (or P3P). P3P
is a generalized vocabulary for describing Web site privacy policies.
Please understand that having a P3P rating does not imply that the
site will or will not protect the privacy of its visitors. e user must
download the policy and read it. If you have a privacy policy regarding
the use of personal information, make sure it is clear about what you
intend to do with the information.
Privacy is a topic unto itself. With the collection of any personal
information comes the responsibility of protecting that information.
PrivaCy 301
© 2011 by Taylor & Francis Group, LLC
is includes any procedures for handling, managing, and storing
personal information. If you determine that you must share personal
information, you should have a contract or agreement that outlines
your requirements and legal obligations to protect the information.
One thing to remember is that electronic information is easy to share
and it proliferates quickly.

Get Practical Risk Management for the CIO now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.