Getting a grip on data privacy and IT security issues has to be accomplished through a cultural evolution within companies rather than by quick fixes, according to a panel of users, analysts and vendors that discussed the issue here yesterday.
Ann Cavoukian, commissioner of the Information and Privacy Commission of Ontario, said Canadian corporations have developed a self-policing culture of privacy protection during the past two decades. When a new data privacy law took effect there in January, she added, companies "had already bought in" to the concept.
A similar evolution needs to take place in the U.S., Cavoukian said. "Legislation can't work without self-regulation," she said. To give companies a hand, Cavoukian announced that her government-sponsored commission will post a free corporate privacy diagnostic tool on its Web site in mid-August, in partnership with security services vendor Guardent Inc. and consulting firm PricewaterhouseCoopers LLP.
Jason Catlett, founder of Junkbusters Corp., a privacy advocate and consulting firm in Green Brook, N.J., blasted an often-quoted statement by Sun Microsystems Inc. CEO Scott McNealy warning people that they "have zero privacy" and should simply accept that fact. "That's like the CEO of General Motors saying, 'There is no safety; get over it,'" Catlett said.
Just as the construction and automotive industries have gradually developed an increased emphasis on safety issues, Catlett added, companies and the U.S. public need to make data privacy a higher priority. Privacy concerns should be built directly into business processes and taken into account when designing systems, he said.
Other speakers addressed security issues. For example, Bart Perkins, CIO at Tricon Global Restaurants Inc. in Louisville, Ky., stressed the need to look beyond internal systems when planning data security strategies. Business partnerships and alliances with suppliers and customers increase exposure to both security and privacy risks, he said.
As a result, Perkins added, taking security considerations into account when setting up business relationships is a must for companies. IT security requirements should be explicitly spelled out in contracts between different companies, he said.
Jerry Brady, chief technology officer at Waltham, Mass.-based Guardent, talked about the realities and myths of security risks, saying that most malicious hackers are opportunistic and target easy-to-use software that also tends to be easy to penetrate. Unfortunately, Brady said, security often isn't high on the checklist of users when they buy software.
"The best choices may not be the most popular ones," he said. "If you want more secure software, demand it." Guardent sponsored yesterday's panel discussion, which was held at the University of Chicago Law School.