Think mobile privacy and security are the same? Think again

Security breaches often have privacy implications, but IT must take extra steps to specifically protect mobile users' personal information.

Many assume that the terms privacy and security are equivalent to one another, and that challenges to security affect privacy in much the same way. This isn't exactly true.

Security, it seems, is the one truly insoluble challenge not just for mobility, but for IT overall. It is the one area of IT where no one's work is ever truly done. New threats appear constantly, and the fundamental complexity of today's IT systems increases the potential for vulnerabilities that might result in sensitive data being compromised. IT professionals have effective technologies available to address security challenges, including data encryption, authentication and authorization, mobile content management, and analytical tools that can spot problems before they become major issues. Still, eternal vigilance is the price organizations must pay for success in the security domain.

While mobile privacy -- and privacy overall, really -- can be viewed as a branch of security, it is actually quite different in practice. Security is about protecting information and IT resources. Privacy relates much more to the rights of individuals affiliated with the organization in some way -- employees, customers, partners, etc. -- and the information that belongs to them.

Where mobile privacy and security overlap

As might be surmised from all of the data breaches and thefts of personal information recently reported in the press, security fundamentally and perhaps essentially overlaps with the domain of privacy. Because it has historically been so difficult to establish and maintain the security and integrity of IT resources, privacy has been damaged as well. We can expect the growing outcry for greater individual protections to continue, and this will undoubtedly lead at some point to legislative and other legal solutions.

It's best, therefore, for organizations to cultivate a culture of privacy that complements the existing culture of security. This begins with a written privacy policy, based on these guidelines:

Gather only information that is absolutely required, and protect this information like any other sensitive material. Cavalier behavior, lack of consideration for the seriousness of this issue, and incompetent solutions must be identified and banished.

Publish the privacy policy, and get end-user buy-in. Many contemporary privacy policies are overly lengthy, and often complex and dictatorial. These are very likely to be misinterpreted, challenged or even ignored by end users. Simplicity and two-way consideration are critical.

Stay in touch with legal counsel. The Fourth Amendment to the Constitution of the United States does not guarantee a right to privacy; it is about the relationship between the people and the government, not between individuals and corporations. Some laws to address this relationship are already in place, while others are clearly required and very likely to expand in scope over time. Note that federal, state and even international law may need to be considered in any given case.

Every IT organization should have a privacy checklist to ensure that its privacy policy is being implemented and that the legal (and financial) exposure to the organization is minimized. To be sure, the entire field of privacy will continue to evolve.


Do you think companies need separate mobile privacy policies?
Yes. Every company that uses mobile devices should have specific privacy policies detailing how and when information will be collected. This applies to both employees and customers - the changing nature of connections, including the rise of the Internet of Things, means that we have more reason than ever before to be careful and ensure that we're not allowing data to slip through the cracks. Policies should be revisited annually - you definitely want to be up-to-date.
I somewhat fail to see why mobile would make the idea of privacy somehow different. In recent news, I've heard how providers like Verizon inject a little something in the packets on their networks to help with ad networks. This sort of thing seems harmless at first, but I'm greatly concerned that a lot more sinister things could be happening that the general user would not appreciate if they knew.
There could be privacy implications even without there being a security breach. Many trackers, beacons, and other components of websites may reveal and leak all kinds of information we'd not normally think about to anyone sniffing packets on a network. For mobile devices, I have to think that things like device SIM card identification or phone numbers could be among the things unknowingly given up in what seem like normal everyday internet transactions.