SecureState Blog

Hopefully my foggy crystal ball outperforms the 12/21/12 Mayan prognosticators. 2013 promises to be a landmark year as it relates to the privacy and security of consumer information. Specifically, we will see increased complexity of breaches and elevated enforcement action, but no meaningful federal privacy legislation. New technologies and business models will alter the risk posture for consumers, as businesses seek to maximize big data revenue potential. It is through that lens that I forecast privacy and security challenges for businesses, privacy professionals, security practitioners, and ultimately consumers, who tend to have the most at stake but the least leverage. And now the 2nd Annual Top 10 Privacy Trends, 2013 rendition…

10. Big Data, No Diet in Sight: Yottabytes of personal data have already been collected. I like to think that it is used for legitimate business purposes. OK, in case you don’t wear a pocket protector, traditional storage units go from bytes, to kilobytes, up to yottabytes! The fact that a yottabyte holds 10 to the 24th power, or 1,000,000,000,000,000,000,000,000 bytes of data, isn’t important. The fact that we already have terms for storing that much personal data is alarming. This includes data collected by the government. For example, the New York Times reported that the National Counterterrorism Center has a program to copy and analyze US citizen government files (e.g., casino lists, US residents hosting foreign exchange students, flight records) for possible criminal behavior. Didn’t Jack Bauer work for the NCC?

9. Your Privates are Public: Consumers will continue to display a willingness to give up privacy for convenience. Consumers will skip the lengthy privacy policies and terms and conditions, and just click “Accept.” But in their defense, I recently read such a notice on my iPhone 5; even with the larger 16:9, 4-inch Retina screen, the disclosure was still 37 screens! While reading the disclosure, my eyes glazed over just past the “giving up my first born” clause.

8. Shhh, We’re Hunting Wabbits: Tracking is lucrative. Monitoring where you are, what you purchase, and where you are when you make purchases enables effective marketing. Even Mickey Mouse is aggregating your vacation data. Disney’s new MagicBand is “big data” on steroids. Guests on property no longer need park tickets, hotel room keys, attraction express passes, or even credit cards. Instead, the MagicBand has an embedded RFID chip; simply wave it past a reader. Nice, my kids can buy bottled water without my credit card. [Take off mouse ears, put on privacy hat.] They are using RFID chips to track you, your kids, your spending habits, your location, how long you spend dining, what time you get back to the hotel, etc.

7. A Face Only a Mother Could Love: Expect technology and innovation to continue to outpace regulations. For example, Facedeals, developed by Redpepper, uses strategically placed cameras to scan your face, correlate it with your buying patterns, and offer you tailored discounts by sending coupons to your smartphone while you are in the store. It raises some interesting philosophical questions. Can they offer deals to minors? Can government officials or police tap into the system to find people of interest? Will the system record co-shoppers? Imagine the guy shopping with his girlfriend, only to have his wife see the correlation. Anyhow, passive facial recognition is only one example. Your smartphone is really a tracking device that just happens to double as a phone.

6. Belt and Suspenders: Keeping our breaches up: The belt-and-suspenders, dual-control approach isn’t sufficient for protecting personally identifiable information (PII). Breaches and stealthy, sophisticated extractions of data continue to increase. Ponemon reports that 94% of hospitals polled suffered a data breach in the past two years (3rd Annual Benchmark Study on Patient Privacy and Data Security, 12/2012). Recall the HITECH/ARRA promises of saving billions in healthcare costs? One of the premises behind the projected cost savings is requiring protected health information (PHI) to be stored in a specific electronic format. No privacy concerns here, unless you recently visited Of the 606 million records reported lost/stolen since 2005, 24 million contained PHI.

5. The Biggest Loser – The Losses Continue to Mount: Many employers still lack proper controls for Bring Your Own Device (BYOD): tablets, smartphones, and USB drives. Plus, already ubiquitous mobile applications continue to proliferate, and so do their vulnerabilities! But what data can be gleaned from a phone? Contacts, Facebook details, calendar entries, geolocation. Oh, and blood pressure, cholesterol, and blood glucose levels. Really? Yes; for example, last year the FDA approved a smartphone-mounted blood glucose meter application! Anyhow, portable media will continue to be the number one source of data breaches. OK, I didn’t use my crystal ball for this one; I used a rearview mirror.

4. Show Me the Money: The healthcare industry will continue to see additional scrutiny and regulatory oversight. Expect more fines and settlements. After all, the HHS HIPAA audits were only funded for 2012; ongoing programs need to be self-funding. Keep in mind that HITECH included business associates.

3. Mobile Privacy: We already covered smartphones, but what about the trend of wireless medical devices? For anyone who hasn’t recently been in a surgery suite (excluding those under general anesthetic), mobile technology significantly improves surgeons’ ability to treat patients. Many of these devices use wireless technology, and many run on Windows platforms. Fortunately, they are FDA approved; unfortunately, patches often can’t be applied because the FDA won’t allow timely changes. What devices? Drug dispensers, insulin pumps, heart monitors, etc. So you are saying some hacker in Pakistan may be able to exploit known security vulnerabilities because the patches are not applied?

2. Forecast – Mostly Cloudy: More data will be migrating into the stratosphere. HITECH’s Meaningful Use expedites the migration. OK, no crystal ball needed here, but the troubling part: in a recent Ponemon survey (2010), only 31% of hospital officials reported that they have confidence in preventing and detecting patient data loss. So, to recap, regulatory requirements are hastening the migration of everyone’s medical information into large databases that the business owners of those data stores are fairly confident are not secure. The data is often used for medical fraud and identity theft. That may explain why, when my wife went to the doctor last month for her annual checkup, her medical records stored in the cloud indicated she is recovering in Albania from her vasectomy.

And the #1 Privacy Trend for 2013

1. Summer 2013: Some things never change: as security controls improve, end users continue to be the weak link. Passwords like “summer13” will be used by 7% of the population. How many times have I seen the chief information security officer and privacy officers dutifully implement hundreds of thousands of dollars of security controls, only to have my team ethically hack their network in less than two hours? The CPO asks, “We have everything locked down. How did you get in?” Our ethical hacker responds, “I gained access using the password ‘summer13.’ Just so you know, we hacked in last year using ‘summer12.’ Looking forward to Summer 2014.”

In conclusion, big data gets bigger and the cloud expands, all while data owners question the security of the data. As a consumer I am concerned, because I am unsure of the amount of data collected, the correlations drawn from big data, and how it’s protected. As a privacy professional I am concerned, because businesses may be trying to do the right thing with the safeguarding and usage of data, but competing business priorities and the complexities of data protection are daunting. The win-win paradigm has security and privacy professionals working with their business executives to employ constraints on the insatiable appetite for collecting yottabytes of PII while improving the security controls.