James Governor's Monkchips

More privacy legislation: why I like the new HDS blog


It takes cojones to criticize a potential customer in public. It's one thing for a blogger or industry analyst to do so, but quite another for a senior executive at an enterprise IT supplier to make the personal so political…
 
Criticise a competitor – absolutely. But not a customer organisation…
 
Criticising a customer is exactly what Hu Yoshida of Hitachi Data Systems just did, by calling out Marriott for its recent data loss.
 
Yoshida is making exactly the right calls here, because toothless hand-wringing doesn't cut it. We do need legislation to protect customers, citizens and companies from poor information management practices. Self-regulation isn't working effectively, as ChoicePoint, Amex and others demonstrated in 05.
 
The media, and many commentators, often use the blanket term identity theft when in some cases the data has effectively been lost rather than stolen. Here is a thought experiment: if a soldier on exercises leaves her gun in a public toilet and someone subsequently takes it, is that theft? It may be, but the broader question is more important: who is culpable, who is responsible?
 
Data leakage, or "information bulimia", is a big problem for today's "data-driven" enterprise or government. Where is the encryption? Why isn't backup carried out online? Why collect this data in the first place: how will it drive the business?
 
It's very interesting to note that the USA now has stronger privacy protections than Europe, because of California's pioneering legislation on notification for loss of personal information.
 
While the EU has long had horizontal data protection legislation in place, there is no prosecution. The laws are basically toothless if no one ever gets hammered for leaks. Companies trading in the EU can pretty much safely ignore data protection legislation (Germany, Spain and the Czech Republic are stronger than most other countries and have fined companies for breaches), and they do so. In Europe the affected individual never knows there has been a breach, so nobody prosecutes, so the regulation is nearly pointless.
 
In the UK the Information Commissioner has finally declared it's time to move from education to enforcement, but I don't see much evidence of it yet.
 
Meanwhile in the US things are moving on apace. And let's face it, what American company doesn't want to do business in California?
 
Yoshida asks rhetorically: “Is it enough to say your data was lost, and give tips on what you can do to ensure the data they lost is not being used fraudulently?”
 
The blog is asking all the right questions, and there is not a sales pitch in sight, Anil's complaints notwithstanding.
 
Compliance requires sticks as well as carrots. It is time for a Board of Boiler Rules. I don’t want to get blown up. Do you?
 
Prediction for 06: we'll see stronger, broader legislation in the USA, which will finally wake Europe up to the need for notification as well. Notification is key to information privacy and management. If you don't know your information has been stolen, then you really are screwed. Financial services companies, though, will never admit a breach unless they absolutely have to.
 
From an enterprise perspective it makes a lot of sense to start thinking about more effective information management strategies: what data you need, and why, how to store it, and where, because legislation is coming your way sooner rather than later. Why not think about identity and privacy in the context of a compliance-oriented architecture?
 
Get it right and you can manage any new regulations that come down the pike, whether horizontal or vertical (HIPAA, GLBA). Get it wrong and your business could suddenly find itself in a world of pain. I know of at least one insurance company that is now no longer allowed to trade in California, a loss of tens of millions of dollars per year.
 
If data and customer relations are as important to your business as you, or your line of business executives, claim they are, then it's time to invest in that data and its management. IBM's Steven Adler (note to Steve: get yourself a blog and improve your Google ratings, I can't believe Mohonk 03 is the top item) and team have done some really solid work thinking through issues of information value and information governance.
 
Never mind hand wringing. Some abuses of personal information deserve neck wringing…
 
To be fair, Yoshida is not alone in showing balls when it comes to criticising a prospect when an important issue is at stake. I have been a fan of Microsoft's Jerry Fishenden since he publicly laid out how UK plans for a national identity card and registry might be counterproductive. Kim Cameron and Sun's Robin Wilton are also helping to drive the debate. The UK government is evidently keen to ignore IT experience in its policy making, but at least some of the potential contract winners aren't sucking it up in order to win the deal.
 
So a storage blogger joins the Identerati. Maybe Information Lifecycle Management (ILM) isn’t just hype after all….
 
—————————————————————-
Disclaimers: Microsoft is a client, IBM is a client, Sun is a client.
Hat tips: I could be wrong, but I think it was Shel or Scoble who first alerted me to Yoshida's blog.
 

9 comments

  1. I always wonder when I see “the comments are moderated” on a Corporate Blog.

    I’ve posted the following, let’s see if they have cojones as you say:

    "Marriott should buy an IBM zSeries mainframe and encrypt their tapes, I reckon!"

  2. Thanks James… I *think* that was a compliment ;^)

    I’ve had long arguments about both sides of the ‘legislation and breach notification’ subject. It turns out to be quite hard to come up with a breach notification set-up which reliably meets the interests of all parties (not that we shouldn’t try). I think you would enjoy a chat on the topic with our CPO…

  3. You might find the editorial cartoon cited at http://www.controlscaddy.com/A55A69/bccaddyblog.nsf/plinks/CBYE-6KR4KK
    timely and humorous (and oh so true).

  4. Yes, I saw that, thanks Chris. I like it, and considered riffing off it. The point I wanted to stress is that organisations need better stewardship of data. It's not enough to blame customers and criminals. Having said that, I do agree that it's horrifying the way people will give up their social security number for a candy bar. Expect more coverage in this space from me this year under the "declarative living" rubric. Both sides need to do a better job of understanding what information to keep, what to make public, and what to hide, and why.

  5. Sorry, the compliment wasn't clear. It was meant as one, Robin.

  6. Since the Scotsman is paid subscription, the full text of Jerry Fishenden's UK ID Card piece can be found on Kim Cameron's Identity Weblog.
    http://www.identityblog.com/2005/10/18.html

  7. Or in fact Jerry's own blog, where the full text of the article is posted.
    http://ntouk.com/

  8. Ah, thanks Mark. IBM has been notably quiet on the subject, but then again you never win large public sector deals in the UK, so why bother blathering on about it.

  9. Nice surprise, my comment has been posted on Yu’s blog. That’s nice given the overt reference to a competitive offering… Cojones indeed.

    Hi Yu, well done!
