Protecting and Managing the Currency of Private Information
I spent a stimulating 45 minutes yesterday with Michelle Dennedy, Sun’s Chief Privacy Officer, and my colleague Joel Brame, discussing issues relating to privacy, telecommunications and the role Identity Management plays, or should play, in protecting private information while enabling innovative, advanced online services.
Michelle’s recent article, “The Missing Chair Around Your Boardroom Table,” discusses some key points on these issues.
1. Information is the most valuable asset of a modern enterprise: “Information about individuals is the currency flowing through the enterprise and that enterprise becomes, in a sense, its banker. One of the biggest threats is failing to recognize the power of information as a leverageable asset.”
2. Organizations that store and use sensitive, private information assume a high, quantifiable risk liability that far exceeds the value of physical systems on which it is stored: “To quantify the risk involved, we can look at the case study of breach notification legal requirements. In the U.S., it’s becoming typical for organizations that have been forced to notify customers about a data loss to provide two years of credit protection per record lost. So if you lose a laptop that contained 100,000 records with a standard credit protection cost of roughly $40 per record, per year, for two years, you’re looking at a potential liability hit of $8 million. That figure doesn’t account for brand loss, sales opportunities lost, lawyer fees, or the paper exercise of sending out letters. And that’s just a ballpark – I’ve heard figures from banks up to $500 million, or $250 per record for a major breach.”
3. Enterprises can employ Identity management technology and methods to support privacy requirements by understanding and controlling who has access to networks and systems that contain private information: “Identity management technology is critical to understanding “who” is participating on your network. “Who” is your customer and “who” will serve that customer’s various needs? … technology that can make a big positive impact when deployed with a clear strategy to get in front of the business challenge of “who.”
4. Michelle points out that technology is only part of the answer. She proposes that in each enterprise, “There needs to be an information control officer who looks at information the same way you look at cash, with the nuance that information about human beings is non-replaceable. … You need a leader who understands and cares about data protection and that person must scream from the mountaintops in the language of employees, vendors, and partners to let them know what is expected of them and that data governance is a valuable investment.”
The bottom line: we in the Identity Management industry can do much to enable enterprises, and the information control officers who lead the way, to protect and control use of sensitive information that has become the most valuable asset corporations possess. I look forward to exploring more deeply into this intriguing concept.
Technorati Tags: Identity,
Digital Identity,
Identity Management,
Privacy