I'm so tired of seeing privacy officers and council members who are lawyers first. They may understand the law, but they often don't understand privacy. And lawyers tend to not consider risks outside of the legal/liability context. I've experienced privacy lawyers say that it was okay to not encrypt data anywhere internally because we only said "via our website" in our privacy policy. That may be true in a strict legal sense, but from an overall customer privacy and privacy threat model perspective, it doesn't adequately ensure either adequate protection for customer privacy (the intent of the policy and assurances to customers) nor does it ensure an adequate privacy environment or mindset in a company (which itself often leads to more lax treatment of sensitive information and therefore breaches).
EPIC Alert 13.16
Open letter to DHS secretary Michael Chertoff
No comments:
Post a Comment