The Effectiveness of Privacy Audits

This study concludes that there is a benefit to forcing companies to undergo privacy audits: "The results show that there are empirical regularities consistent with the privacy disclosures in the audited financial statements having some effect. Companies disclosing privacy risks are less likely to incur a breach of privacy related to unintentional disclosure of privacy information; while companies suffering a breach of privacy related to credit cards are more likely to disclose privacy risks afterwards. Disclosure after a breach is negatively related to privacy breaches related to hacking, and disclosure before a breach is positively related to breaches concerning insider trading."

Posted on July 9, 2013 at 12:17 PM • 6 Comments

Comments

Julien CouvreurJuly 9, 2013 2:53 PM

Could you comment on what you see as the difference between security and privacy considerations?

Personally, I treat the two the same, except that privacy involves a unique set of risks.
The paper also uses "privacy breach" and "security breach" interchangeably.

In that light, I don't see anything surprising or unexpected in this paper: audits are a way to enumerate and evaluate risks and mitigations (for features, security, privacy, ...), so they should improve those. Otherwise, what's the point?

On PrivacyJuly 9, 2013 3:09 PM

Privacy is preserved through the (intentional or unintentional) ignorance of others. Security is enforcing that ignorance. The security can be provided by physical means (a fence around your house), mathematical means (encryption), cultural means (separation of restrooms by gender), legal means (theoretical requirements for a warrant to open mail) or illegal means (blackmail).

EvilKiruJuly 9, 2013 4:52 PM

The following part of the quote from the study is in dire need of a plain English translation:

"Disclosure after a breach is negatively related to privacy breaches related to hacking, and disclosure before a breach is positively related to breaches concerning insider trading."

Thomas AlbrightJuly 9, 2013 5:24 PM

Speaking of privacy, I love how you require a click on the Facebook, Twitter, etc. buttons before they can actually see any data from your visitors!

Julien CouvreurJuly 9, 2013 10:57 PM

On Privacy, you're saying that privacy is a goal and that security is a mean. I don't think so. Both are goals. Both concern bad situations which you desire to avoid. Privacy is a subset of security (addressing specific risks).

More on privacyJuly 10, 2013 3:37 AM

Privacy isn't so much a subset of security, as it has its own goals. While the most classical security goals would aim a availability, integrity, and confidentiality, the basic privacy goals go beyond by striving to achieve

- Transparency (in the meaning that the works of the system are NOT obfuscated towards the user but rather in such a way that the user can understand what happens)

- Intervenability (the user is able to interfere with data processing when it concerns him)

- Unlinkability (only the data absolutely needed should be processed to avoid all-embracing profiling of persons)

These complement (and sometimes contrast) the security goals. Therefore, privacy is not the same, even though admittedly, there are many overlaps. :)

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..