Opinion

The Risk of the “Risk-Based Approach”

By Stuart S. Shapiro, CIPP/US, CIPP/G

At this year’s IAPP Global Privacy Summit, I repeatedly encountered references to and quasi-explanations of the “risk-based approach” to privacy. The risk-based approach is, apparently, the new black now that accountability is no longer quite so chic. With its focus on the privacy risks incurred by individuals, the risk-based approach is, I was informed, a bold new direction for the privacy profession.

Taken at face value, it’s rather difficult to imagine a more damning indictment of the privacy profession. It’s 2014 and we’ve only just started worrying about risks to individuals?

More from Stuart S. Shapiro

Cybersecurity

Why Privacy Pros Should Embrace NIST’s Final Cybersecurity Framework

By Richard Santalesa, CIPP/US

By now the saga is familiar. After the White House tasked the National Institute of Standards and Technology (NIST) last February with developing a “Cybersecurity Framework” to reduce cybersecurity risks connected with “critical infrastructure,” a year to the day later, NIST released its final Version 1.0 of a “Framework for Improving Critical Infrastructure Cybersecurity” along with a companion “Roadmap” and supporting documents.

The many NIST workshops and weekly conference calls over the last year—Full disclosure: I took part in many of NIST’s working group calls—initially resulted in a draft and then 44-page preliminary framework, released last October and covered by the IAPP here. The preliminary framework spurred significant discussion and controversy during the 45-day public comment period following its release, primarily in connection with the “Privacy Methodology” depicted in Appendix B.

More from Richard Santalesa

Cloud Computing

Cloud Computing Contracting and Compliance: Why All Privacy Pros Need to Get Up-to-Speed

The cloud is going mainstream.

Many organisations are embracing cloud computing enthusiastically as a means to improve business processes while, potentially at least, making substantial cost savings along the way. Others, meanwhile, are proceeding at a more measured pace. Cautious adopters include companies that operate in heavily regulated sectors such as financial services and healthcare, as well as many government agencies and other large organisations with substantial investments in legacy IT systems and processes.

Whatever sector you work in, however, it is time to get to grips with cloud computing and, in particular, the privacy implications of cloud procurement and deployment arrangements.

Cybersecurity

SEC and Cybersecurity—What Publicly-Traded Companies Need to Know

Note from the Editor:

Mary Ellen Callahan, CIPP/US, and Elaine Wolff, both of Jenner & Block, will be part of the breakout session "The SEC and Cybersecurity: What Every Publicly Traded Company Must Know" at the IAPP Global Privacy Summit in Washington, DC, on March 7 at 8:30 am. They will be joined by Nicole Maddrey, Vice President, Deputy General Counsel & Assistant Secretary, at Graham Holdings and Tangela Richter, Functional General Counsel—Direct Bank and Brokerage, Capital One.

With the news that Target intends to wait until it files its annual report in March with the Securities and Exchange Commission (SEC) on the investment consequences of its massive cybersecurity intrusion from 2013, the SEC and cybersecurity once again gains attention.

From the Wire

Tuning the Privacy/Customer Service Dial

By Jedidiah Bracy, CIPP/US, CIPP/E

Twitter handles can be valuable commodities, and no story better demonstrates that than one described by web developer Naoki Hiroshima. Originally published on his personal blog and then republished with permission by TheNextWeb, “How I lost my $50,000 Twitter username” describes the ordeal he went through when a hacker decided he wanted Hiroshima’s Twitter handle @N—registered to Hiroshima since 2007.

In a nutshell, a hacker decided he wanted @N and was going to do just about anything to get it—without paying any money, of course. To do so, according to the hacker himself (someone call “Ripley’s Believe It or Not”), he socially engineered his way into Hiroshima’s GoDaddy account, which controlled several of his website domains, in order to wrest control of @N from Hiroshima. Give up the Twitter handle and the hacker would take his hands off the throat of Hiroshima’s websites.

Extortion at its finest.

More from Jedidiah Bracy