Operational Risk Management (ORM) professionals from London to Paris, Berlin to Brasilia and Silicon Valley to Washington, DC are quietly smiling these days. It is ironic, that now privacy is the new vogue marketing strategy. After so many years of trying to explain to executives the risks that exist around confidentiality, integrity and assurance of data--now a rogue U.S. citizen charged with espionage, finally has convinced some senior business executives of the value of marketing increased privacy of their technology products and services. Chris Strohm explains:
While Google, Yahoo, Microsoft and Facebook Inc. provide data to the government under court orders, they are trying to prevent the NSA from gaining unauthorized access to information flowing between computer servers by using encryption. That scrambles data using a mathematical formula that can be decoded only with a special digital key.
The NSA has tapped fiber-optic cables abroad to siphon data from Google and Yahoo, circumvented or cracked encryption, and covertly introduced weaknesses and back doors into coding, according to reports in the Washington Post, the New York Times and the U.K.’s Guardian newspaper based on Snowden documents. He is now in Russia under temporary asylum.
Mitigating the risks of being hacked by a group of criminals stealing personal identifiable information from consumers on a transnational basis has not motivated these same executives to move towards investing in more effective data and information assurance strategies. Yet now that the adversary has been described by the mainstream media as the U.S. Government, industry executives have started to listen. Go figure...
What are the industry executives motivation for now improving the confidentiality, integrity and assurance of customers information? Improved market share and presence. The payback will be rapid and those organizations that have been in denial that customers expect and demand more systems and tools to protect their information, are now doing an about face.
As we quickly approach Cyber Monday and the commerce of the Internet is at a peak of annual transaction volume, some servers will be talking to each other on encrypted networks for the first time. All seamless to the end user and consumer, yet not to the adversary. So who really is the adversary these days; the criminal organizations or the U.S. Government? The strategists mitigating risks at commercial private organizations unfortunately in many cases, see both in the same category. This is a real mistake and one that should be evaluated, discussed and agreed upon.
You see, U.S. based companies must have an effective symbiosis with it's legal system and rule of law. What does that mean? Operational Risk encompasses the risks to the institution from a legal perspective. That means that the process of processing, storing, archiving and retrieving information is subject to the laws of electronic discovery and forensic evidence. It means that as an organization, having an effective way to encrypt information to stay ahead of the criminal organizations simultaneously requires that your organization is also adaptive to current legal statutes. Tomorrow, you may need to identify, decrypt and produce evidence to the U.S. Government or as a result of another legal order.
As organization executives embark on the "new new" trend of marketing privacy to their customers, they should also be working along side the legal staff. The risk management and information technology professionals should be briefing both corporate executives on the implications of being responsive to their consumers and non-responsive to plaintiff lawyers, or the U.S. Attorney or State Attorney General:
Fearful of adverse consequences if they inadvertently discard electronic documents that are deemed to be relevant in litigation, some of the biggest companies in the U.S. are simply saving all documents, including email sent via employees' electronic devices.
A minority of federal courts say companies can be sanctioned even if they discard documents without intending to. All allow sanctions, which can mean the loss of a big case, when documents are intentionally destroyed. So companies including Exxon Mobil Corp. and Microsoft Corp. are asking the federal Judicial Conference to recommend a new rule that would provide uniform standards for document retention and allow sanctions only when documents are destroyed willfully or in bad faith, reports the Wall Street Journal(sub. req.).
So this is where the marketeers and the legal staff need to get their heads together. The privacy vs. government legal requests space is still not widely understood inside corporations let alone the average John Q. Citizen, who has never even heard of eDiscovery:
Microsoft General Counsel Brad Smith said yesterday that there are "significant inaccuracies" in last week's news reports. He added in a blog post, referring to Outlook.com: "When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency."