Privacy Ref Blog

It’s just a leak

In recent weeks, leaks have been at the forefront of the news. Most of these are political, but they illustrate the importance of managing how information flows through an organization. There have been examples other than those coming from the White House, though. Being non-political in nature, they have different consequences and different lessons to be learned.

Many privacy professionals are familiar with breach response. They know that they have to be able to detect, stop, and analyze a breach when it occurs. Breaches, in the legal definition, only cover specific types of information such as financial information, email addresses, or passwords. This is why leaks are important to us today. When information that is not covered by the definition of a breach gets out, you still must consider what to do.

Think about Coca-Cola for a second. The recipe for their soft drink is the key to their success, and if it were leaked to the world, they could potentially lose a large amount of profit and market share. Losing their recipe wouldn’t count as a breach, in that they wouldn’t need to report it to regulators or attorneys general. It would be a very serious leak, though.

A more recent real-world example occurred when the details of Gamestop’s “Circle of Life” program were leaked to online journalists. The basic idea of the program was that it focused on sales of items that maximized profit for Gamestop, but it also penalized employees, in a sense, for selling lower-profit items. Again, no sensitive or private information was leaked, but the leak is damaging in a few ways.

First, it damages consumer confidence, because it brought forth allegations that some employees knowingly lied to customers to promote certain products, in this case pushing used games (which are higher in profit for Gamestop) over a new copy of the same game. It can also hurt the company if investors lose confidence and pull their investment. Gamestop did respond to the leaks with an internal memo, which was also leaked.

So how do you protect yourself from a leak? It is important to limit information to only those who need it to perform their job. An employee in customer service does not need full access to customers’ financial information. When you design who has access to which systems or information, you can also set up a way to override access for those fringe cases where someone legitimately needs more. By limiting access, you can narrow down where a leak is coming from, or prevent it from occurring at all.

You should also have a plan for when leaks occur. Just as you would prepare for a breach, you can prepare for leaks by drafting a “leak response” plan. If these recommendations sound familiar, they should: they follow the recommended best practices for the handling of personal information. That raises the question, “should the handling of corporate confidential information be addressed as part of a privacy program?”

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on March 23, 2017 by Ben Siegel
