In the last week, I have read some (painful), written and updated one (interesting) and started to consider how they drive (or not) actions around how people protect information. I think we need to reconsider our privacy policies…
Sometimes a confluence of events presents itself to shape thinking in new and important ways:
2. On Friday, an article on a local company (High Peaks invests $500K in software developer Apprenda) stood out to me for two reasons:
a. This is a Software as a Service (SaaS) company. They represent a growing trend that holds some important lessons and opportunities for changing the way people protect information.
b. They are a startup, and they actually have a dedicated security resource onsite as a founder – and his title is “Vice President of Security and Infrastructure.” This suggests security is top of mind.
3. This weekend, it was reported that 13 people were fired and another dozen or so — including doctors! — have been disciplined for accessing Britney Spears' medical records. Sadly, this activity is not new in the realm of medical records, and the reaction is not surprising.
Last night, I approved a comment to a post I wrote over two years ago. Normally, this is a sure sign of spam. In this case, it was not spam – and better. It was the catalyst that pulled my thinking together (yes, catalysts rely on other catalysts – now you know).
…you did NOT say that Plaxo will not read the data of their customers… It would be nice to see a policy shuch [sic] as “Plaxo will not read the data of its customers unless 1) explicit permission is granted from the customer or 2) a law enforcement agency with appropriate jurisdiction demands to see the data.”
This is a subtle point and an interesting question – if someone provides a service, beyond protecting the information, should they have access to the data they hold? If so, for what purposes? I even question what it means to “read” – machine or human? Is there a difference?
At the same time, a fascinating post popped up yesterday in the Security Catalyst Community, asking about the ‘right’ way to handle ‘discovered’ PII: Handling Discovered PII. Great question!
We face a human problem. We need a new approach. Where to start? When it comes to privacy policies – I think we need to start with some active and transparent conversations about responsibility. What do you think?