We have just completed an awareness module covering privacy. Although NoticeBored has repeatedly covered the privacy topic, there is clearly just as much of a need for it today as ever.
One of our case studies in the module concerns a major privacy breach here in New Zealand. ACC is the government department that administers a national insurance scheme providing medical cover for accidents and emergencies. As such, it handles a lot of personal information including sensitive medical info. When an ACC manager accidentally and unknowingly attached a spreadsheet containing personal details on thousands of ACC customers to an email to one of those customers, he caused an incident that rumbled along for a year, embarrassing the minister and upsetting a lot of people along the way. Better training and awareness on privacy is one of several improvements recommendations made by the recent official report into the debacle.
If the ACC privacy breach seems remote and obscure, the train-the-trainer guide in the module suggests adapting or replacing the provided case study scenarios with something closer to home, such as a privacy incident involving the organization or employees, a competitor, a neighbor, or something else in the news. The unfortunate fact is that there is no shortage of privacy incidents and breaches to discuss, and those are just the ones that get (a) noticed, and (b) reported.
Surveillance is another addition to the awareness module this time around. An increasing number of news articles are reporting voyeurs using miniature cameras to spy on neighbors and members of the public. The cameras are readily available and cheap to buy. They can be concealed as pens and key fobs, or built-in to cellphones, laptops and tablets. Conventional CCTV cameras are part of modern life, both in public places such as high streets, and inside corporations. Big Brother in George Orwell's book 1984 is not such a far-fetched threat after all. We encourage our customers to cover surveillance (whether by the organization on its employees etc., or by employees etc. on each other) in their privacy policies, which implies management thinking through the issues and deciding how best to respond. It's surely better to do so in advance, than to face awkward situations later without a policy or rulebook for guidance. By the way, the complainant in the ACC case secretly recorded a meeting, providing undeniable evidence that ACC managers were made aware of the breach - covert surveillance is sometimes in the public interest.
Likewise, we suggest developing and documenting a privacy incident management process to handle the incidents or breaches that will probably occur. The ACC case once again demonstrates the need to have a well structured and thought-through process that is actually used when incidents are notified or identified. The ACC incident would probably have been much less damaging to ACC and the ministry if it had been properly investigated and resolved, perhaps avoiding the breach being disclosed to the press.
Finally, the technical awareness stream identifies the need for technical and physical controls for privacy in addition to policies and procedures, such as IDS/IPS/DLP systems that routinely monitor the network for inappropriate traffic and sensitive personal information passing in cleartext. Some while ago, one of our customers discovered that their email encryption system had been wrongly configured soon after just such a monitoring control was put in place. As well as protecting their customers' personal information, they narrowly avoided a breach that would have been highly embarrassing and costly for the organization - something else that ACC might like to bear in mind.