In cybersecurity, we often hear about the importance of having tidy cyber hygiene and a good security posture, but far less attention has been paid to what it means to have a good privacy posture with respectful data guardianship. We combine these two concepts into capable guardianship, a term more commonly used in medical ethics to describe what it means to guard something that ought not to be owned – people’s digital data mirrors. At Obsidian, we fully understand that our ability to enact capable data guardianship relies just as heavily on our privacy protections and the affordances we offer for sharing control over data as it does on our security features.
We are sharing a series of three blog posts that explain our approach to capable data guardianship. In this first post, we explain the four basic pillars of our data guardianship practice. By sharing our own data privacy and user empowerment practices, we hope to be a resource for organizations looking to mature their operational processes and policies and for new businesses implementing best practices from the beginning.
- Do not hoard data.
We are thoughtful about why we collect each type of data and refuse to collect what we don’t need. Data hoarding is a sign of corporate sloth (nobody took the time to audit each data type), greed (wanting all the data), or fear of missing out on some type of data that may be useful in the future. All of those are signs of immature data practices. That’s why our first principle is: do not hoard. We run an audit process for each type of data we collect from each service we monitor. We also run a similar process in reverse, for the employee data we share with our vendors. If the data is highly sensitive from a privacy, IP, or security perspective – either because there are laws like HIPAA, FERPA, GDPR, or Gramm Leach Bliley that require special controls or because the data are sensitive for ethical reasons – those data types should be mission critical or they should not be collected and stored.
For instance, it was an easy decision to avoid collecting gender as a data type. Technically, it would be easy and financially it’s cheap to store, but those considerations were not even part of the conversation because that’s not what data guardianship is about. There is no clear cybersecurity advantage to systematically collecting gender data, but there is a slight privacy risk and a disparate impact on people who identify outside of the gender binary. That’s the type of thought process we use in our data collection audits. We analyze every data type for its privacy sensitivity, potential for disparate impact, legal status, and importance to our core business function.
- Take a stand on which types of data are simply too privacy sensitive.
Some types of data may be too privacy sensitive to collect, even if collecting them may add value to the product or data models. This privacy principle is derived from what philosophers call virtue ethics, which is a little different than the more utilitarian approach in our first principle. The reason for this is that applying a utilitarian analysis can still lead to collecting and using data that’s privacy sensitive in ways that may be unethical, illegal, or that fail to uphold our core virtue: protecting our customers and their employees. At Obsidian, for instance, we decided early on that even though there are some reasonable security arguments in favor of collecting the body of emails, Slack messages, attachments, and other large free-form text inputs, we felt that the privacy risk is too high. Body content is highly sensitive and could contain credit card numbers, social security numbers, health data, personal information, communications with minor children, and any manner of communications people assume is private. We decided that using our product should not subject anyone to this level of exposure. Open input data has legal and ethical ramifications that exceed our capacity to provide capable data guardianship. Obsidian does not collect the body of messages or the content of files. We adopted this governance position because our duty to provide capable data guardianship is a bright line we will uphold.
- Be transparent about data guardianship practices.
Transparency and accessibility are not only key attributes of GDPR compliance, they are also core tenets of the principle of informed consent. In practice, companies should put forth a consistent effort towards educating potential users and data subjects, similar to the effort they expend educating customers about product features. That’s one of the reasons we are writing this series and making it publicly searchable without an NDA.
Privacy policies and terms of service are important legal documents and are posted publicly. But studies show people don’t read and don’t understand them. One of the core pillars of taking capable guardianship of other people’s data is working to educate them about what is being collected (or not), what their data are being used to achieve, when their data are deleted or de-identified, and how they can interact with their data record. At Obsidian, we don’t expect our data subjects to be legal experts with a lot of time on their hands. Instead, we write in plain language, create videos, are available for calls, give talks, and generally put a concerted effort into making ourselves available.
- Know thy data.
There is no shortcut to doing the work. It is critical to build a data map and take a data inventory of every type of data entering and exiting your organization. One of the most onerous expectations of GDPR and related privacy rules is the requirement to understand exactly where and how data are entering the company, what they are being used for, the security practices in place at each stage of the data’s everyday life, and what happens at the end of the data (or company) lifecycle. There are templates for getting started, though of course these will need to be tailored to your uses. I’ll be covering this in the third part of the series: GDPR: live it, love it.
Because of new data regulations like the GDPR and CCPA, organizations must be rigorous in the implementation of data privacy practices. The recent PWC fine proves that even consultants advising Fortune 500 companies on GDPR, with all the best intentions, struggle to interpret this complex piece of legislation that as yet has only a thin body of case law to clarify how it will be interpreted. The modest fine PWC received is a cautionary tale of the nuances all organizations are expected to expertly navigate in a rapidly evolving regulatory landscape.
We believe security and privacy are equally important and have committed to being capable data guardians for our customers, data subjects, and employees. Proactive, accessible, public transparency about our core data ethics principles and practices is part of our value proposition, one we hope to see other companies adopt. Want to talk about data guardianship? Reach out to me at privacy@obsidiansecurity.com or on Twitter at @digitalFlaneuse.