Blog

Legislating Social Privacy
July 30, 2010
There’s a great deal of talk these days about privacy and social media. Specifically, services like Google, Facebook, Twitter, and other popular social networking platforms are coming under increased scrutiny over their privacy policies and data sharing practices.

When Privileged Access is no longer a Privilege
July 19, 2010
I just read an interesting multi-part investigative report in the Washington Post about how intelligence gathering – and the bureaucracy that has risen since September 11, 2001 to facilitate the harvest and analysis of that information – has spun beyond the federal government’s control, not to mention its ability to make use of the sheer abundance of information.

Information Governance in the Cloud
July 15, 2010
Just a brief note to bring our recent webinar to your attention. I presented Information Governance in the Cloud along with the good people at Symantec.


Use What Works to Create a Culture of Privacy

December 20, 2009

I was in an industrial facility recently and noticed large banners on the walls proclaiming “12 Years without a Safety Incident.” I also saw certificates honoring individual employees who had eclipsed certain thresholds without a time-lost safety event.

 
It struck me that this is the kind of simple program that privacy and compliance officers can use as a model to create a “culture of privacy” throughout the entire employee community and instill a basic awareness of each employee’s responsibility to protect sensitive information. Such programs would be relatively simple and inexpensive to implement because the model has already been used successfully for decades by safety officers to educate and reward employees for demonstrating effective safety practices in their jobs. A quick look around the organization reveals other programs that can be replicated by privacy and compliance officers. Human resources executives, for example, already offer training and awareness programs to prevent sexual harassment or various forms of discrimination.
 
What’s the difference between these initiatives and similar programs for privacy and information security?  Why are these things not being done for the purposes of preventing a data breach? In a word: Lawsuits.
 
If someone slips and falls and hurts their back on the job because of unsafe conditions, there’s a good chance a lawyer’s going to come looking for a paycheck.  If a female employee attracts unwelcome attention from a boorish executive, there’s a good chance a lawyer’s going to come looking for a paycheck. If someone feels they were denied a job, raise, or other benefit because of the color of their skin, lifestyle choice, religious practice, disability or what have you, there’s a good chance a lawyer’s going to come looking for a paycheck – and rightly so.  These are negligent or unethical business practices that need to be addressed.
 
But until recently, no lawyer had successfully extracted a paycheck from a company because of negligence leading to a data breach… but as my recent blog post points out, I think 2010 is the year that dynamic will change.

Posted by Mike Spinney at 12:03 pm

