Why Is Information Security Important? Get the Privacy Dividend


The UK’s Information Commissioner (2008) argues that the privacy of personal information has four dimensions of value:

It has value as an asset when used within the organisation in pursuit of your own goals.

Viewed in this way, personal information is an asset for your organisation. As with any other asset, personal information needs to be protected to ensure it is available for use within your organisation and, where the organisation has exclusive access to it, kept private from competitors. Where personal information derives its value from being linked to a specific person, protecting that information preserves its value as an asset.

It has value to the individual who is the subject of the information.

Personal information has value to the person to whom it relates. Because of this, any organisation holding and using other people’s personal information introduces significant risks. If you do not handle people’s personal information with care, and do not respect people’s privacy concerns, this may cause distress or harm to the people whose information is being held. In turn, this can rebound directly on your organisation, leading to reputation loss. If customers do not trust your organisation, this will lead to loss of business. This risk is significant, and you need to manage the risk to protect yourself from harm, as well as protect the interests of others.

It has value to other people or organisations who might want to use the information, whether for legitimate or improper purposes.

Your organisation is responsible when third parties are able to access personal information that you hold and use it to harm other people, whether through fraud or through the distress of embarrassment. Damage can be caused to your organisation irrespective of whether you have any influence or control over the third party using the information for nefarious purposes. You are still accountable for maintaining the quality of the information you provide to legitimate parties and for keeping the personal information you handle out of the hands of parties not authorised to have it. Therefore, you must manage the risks of damage to your own reputation and future prospects, which are inextricably linked to the possible damage and distress caused to the subjects of the personal information.

It has a value in society derived from the value placed upon privacy by regulators and lawmakers.

Avoiding damage to reputation may be seen as merely a desire to do the right thing, and therefore a luxury. However, there are also laws enacted to defend the right to privacy. For example, the EU Directive 95/46/EC is enshrined in UK law as the Data Protection Act 1998, and alternative legislation exists outside the EU, such as SOX in the US. From 1 April 2010, the UK Information Commissioner has the right to impose fines of up to £500,000 for privacy breaches.

Thus, you are required by law to keep personal information safe and secure. To do this systematically, and to show that you have taken reasonable steps, you need an information security management system. It will need to cover topics such as security organisation, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, system development and maintenance, business continuity management, and compliance. If you want to go further, these are the basic elements of the ISO27001 security management standard.

This post is part of the series: Information Security Awareness

The best way to ensure everyone understands the importance of information security is through awareness.

  1. Ideas to Promote Information Security Awareness
  2. Phishme: The Easy Way to Enhance Employee Phishing Awareness
  3. Why Is Information Security Important?