“What, am I looking at?” That’s what I said to myself. Then I thought, “Sanjay must have sent me the wrong file.” Turns out, nope. I had asked him for an audit log report. My request was neither unusual nor surprising. I was, after all, the new privacy officer for Sanjay’s business unit. I received an email from him sans subject line with one large excel file attached; also not surprising, he was the lead software developer. I opened the file and began to scroll. Scroll as I might, I had not found the end of the document after 90 seconds. I tried scrolling both horizontally and vertically, as if doing so would help me make sense of the multitude of alpha numeric columns and rows that created a data maze on my computer screen. The scrolling did not help.
I had stepped through the looking glass. Sanjay and I were clearly not on the same page. I closed the file; put my cardigan on, and went downstairs to grab lunch. Thirty minutes later, I was back at my desk. I opened the file again. It still did not make sense. I stopped scrolling and looked around. I watched Sisyphus (the mobile floor cleaning machine) move slowly across the floor towards the bullpen of developers and spotted Sanjay. I caught up with Sisyphus and stopped at Sanjay’s desk.
“Hey, Sanjay. How’s it going? Sisyphus and I just wanted to say hey.”
“Sisyphus? Who…is Sisyphus?,” Sanjay asked.
“Him,” I said pointing to the machine, now bidding a hasty retreat after colliding with a cubicle wall.
Sanjay chuckled. I did not waste any more time. “I need help understanding the report you sent to me.”
“Me too,” he said.
“Wait, what now?” I thought to myself.
“But they were so clear and succinct,” I thought to myself, “what’s not to understand?”
Turns out a lot. I wasn’t the only one beyond the looking glass. That was the beginning of a long journey of translation and modifying assumptions we had in our roles of privacy officer and software developer.
Prior to joining the faculty at Seton Hall Law School, I was a privacy and compliance professional for over ten years; the majority of those years I partnered with software engineers and developers. That experience allowed me to cultivate a robust appreciation for the very real pressures of creating a functional product with life cycles spanning Waterfall to Agile. The most important takeaway remains that, when privacy is an afterthought, the costs are always much higher than if privacy is part of the initial plan/product design phases. Privacy concerns and considerations need to be on the minds of the creators of the products from the beginning.
Most software life cycle models entail the following basic components: Requirement gathering and analysis; Design, Implementation or coding; and Testing, Deployment, and Maintenance. If privacy is not considered at the requirement gathering and analysis or design stages, one thing is certain: you have decided to waste your company’s time, money, goodwill, and possibly its reputation when (not if) a data breach occurs. The landscape has changed with the onslaught of ransomware, identity theft, and cyberterrorism. Efficient and impactful privacy protection happens on the frontlines of technological developments before, during, and after data is created, transmitted and stored.
This is an iterative endeavor; the developer’s work is never done. There will always be a new threat, the need for a better process, a new backdoor, virus, bot, etc. From 2013-2017, The Ponemon Institute Cost of Data Breach Study reported alarming statistics for United States based companies. Companies in the United States had the highest per capita cost for breaches; ranking much higher than that in other countries such as Germany, Brazil, the United Kingdom, Japan, and India. Indeed, the average total costs of breaches and the loss of business costs were the highest in the United States. More telling, the top three factors that decreased costs from 2013-2017 were: 1) Presence of an Incident Response Team; 2) Employee Training; and 3) Encryption. While the Study’s statistics were disappointing, they were not surprising to me; the stats reflect the all-too-common phenomenon of privacy as an afterthought that continues to plague new technology development. The Ponemon Institute Study shows that cultivating and maintaining internal content expertise enhances the bottom line by decreasing costs resulting from a breach. Companies should be integrating privacy management competencies into their specific product business models instead of thinking of privacy as a silo, one beyond the looking glass.
Privacy training options for developers and professionals in the tech industry are growing. Seton Hall Law and The Institute for Privacy Protection have partnered to create the new online Privacy Law and Cyber Security concentration in the MSJ degree program. The new Privacy MSJ presents an opportunity for professionals to develop an understanding about privacy law fundamentals from both a competency and norm-based approach.