Happy Data Privacy Day. Or maybe another way to think of it is Happy Halloween in January. After attending this week’s Data Privacy Day Town Hall meeting at the Seattle Art Museum (SAM), sponsored by the Online Trust Alliance (OTA), you’d be right to be afraid, very afraid.
Data Privacy Day is an annual event on Jan. 28 that focuses attention within the technology industry on issues of privacy, trust, and security. Companies, governments, and non-government organizations (NGOs) around the world now participate in Data Privacy Day activities.
The OTA is a Bellevue-based industry working group that formed in 2005 to address issues around spam and phishing. Craig Spiezle, a former Microsoft manager focused on privacy and antispam technologies, is its founder and executive director. After leaving Microsoft, Spiezle has focused his attention on growing OTA into a working group with a broader industry focus around online privacy and security.
As part of that ongoing work, this year for Data Privacy Day, OTA hosted two Town Hall events featuring keynote speakers and expert panels. These events are in support of another piece of their ongoing work: education. This week they released their 2013 Data Protection & Breach Readiness Guide, a best practices guide for data protection and dealing with data breaches.
As the Town Hall showed, this kind of guidance can come none too soon.
The Town Hall’s keynote featured Washington State’s new Attorney General Bob Ferguson giving one of his first addresses on cybercrime and technology enforcement issues. Ferguson has some big shoes to fill when it comes to this area: former Attorney General Rob McKenna has a strong reputation within the state and the nation for aggressive enforcement, particularly around spam. Ferguson’s speech gets his tenure off on a good foot by at least openly recognizing the size of the shoes he’s filling, emphasizing the continuity that the AG’s office’s professional staff will provide, and committing to keep Washington State in the forefront of cybercrime and technology enforcement. For those of us in the security and privacy fields, Ferguson’s introduction hit all the right notes.
After Attorney General Ferguson’s remarks, the event shifted to feature two expert panels: one dealing with the convergence of big data, innovation and privacy; the other dealing with data protection and data breach response.
The panels provided an overview of what it takes to protect data and information in today’s environment, what the actual state of data protection is like, and what it looks like when data protections fail or are inadequate. Taken together, these panels present an increasingly bleak picture of data security as several trends converge.
New technologies can gather ever more detailed data (particularly around geolocation and mobile devices), and they are often developed and deployed in haste with little thought to the possible ramifications. Meanwhile, storage costs approaching zero feed this trend by making it cheap and easy to store all the data being gathered (whether it’s necessary or not).
Against this backdrop of massive data gathering and storage, the panelists discussed how current data protection and security schemes are grossly inadequate. Statistics in the OTA’s 2013 Data Protection & Breach Readiness Guide are telling: it notes that there were 1478 data breaches in 2012, with 97% of data breach incidents labelled as “avoidable.”
On its own, this situation would be bad enough, but as those on the Data Protection and Breach Response panel noted, we’re also seeing increased sophistication and professionalism in the development of malware and attacks. Gone are the days of clumsy phishing messages with poor grammar and spelling errors. Now attackers are farming out work to native language speakers and even using editors to ensure quality control. In light of this, one can’t help but wonder if soon phishing mail will be identified because it’s better than the original.
The panelists also noted that even well-run organizations are facing nearly overwhelming challenges as both the adoption of cloud technologies and the push for “bring your own device” (BYOD) policies upset the order and control often necessary for good network security. The panelists on the Data Protection and Breach Response panel were unanimous in their advice that security professionals should stand up and resist the BYOD tidal wave. As one noted and another agreed: “In this business you have to have a thick skin, and this is where you should have a thick skin.”
It would be wrong to conclude that data security is impossible. The fact that OTA released its guide in conjunction with its Town Halls shows that we can operate and participate in the modern, social Internet in a secure way that respects and protects privacy. However, it would be equally wrong to conclude that this is going to happen on its own. We in this field know that we’re facing a crisis around data security and privacy that dwarfs the security crisis of the late 1990s and 2000s. What will move us from problems to solutions is an awareness of the state of affairs and of what it takes to change it.
Hopefully, events like this will help everyone to understand better where we are and where we need to go.
Christopher Budd works for Trend Micro, focusing on communications in the areas of online security and privacy, incident response, and crisis communications. Prior to that, he was an independent consultant and before that a ten-year veteran of the Microsoft Security Response Center (MSRC). He combines his prior career as an engineer with his communications expertise to help bridge the gap between the technical and communications realms. Follow him on his personal blog or on Twitter @christopherbudd.