JIS Senior Editors' Blog

Journal of Information Systems

This is a public blog  publicRSS

blog entry

    From the Senior Editors - is 2014 the year of Privacy or of...
    blog entry posted February 7, 2014 by Mary B Curtis 
    From the Senior Editors - is 2014 the year of Privacy or of Anonymity?
    intro text:

    A number of pundits claim that privacy will continue to be 'the topic' for 2014. As discussions of Snowden, NSA, phone tapping and FISA courts swirl at the national and international levels, the challenges to companies in regard to the privacy of information they maintain increase as well.

    text 2:

    Target is just the latest example where bad press - and bad policy - have come back to haunt the corporate world. In the old days, the pre-wired times, privacy violations were primarily the result of employee misdeed. Computer printouts, carelessly discarded, left the security of company perimeters via the trash. The term 'dumpster diver' was coined for those who mined the trash of companies in order to steal data. At the same time, companies were free to collect as much information as they possibly could. But, these efforts were constrained by both the ability to actually gain access to private information and the capability to deal with and use a great quantity of data, once captured. Thus, there was equilibrium, of sorts, on privacy breaches, based on limited avenues through which data could be stolen, on the one hand, and limited risk from the trivial quantity of private information available to steal, on the other.

    Today, as we all know, these limitations are all but eliminated. Data thieves need no longer wait outside the perimeter, but can instead forge their own paths into company data resources. The implications of this are limitless. Of course, most of the data theft today can be traced back to employee carelessness, as well, but in very different ways. Rather than employee forgetfulness in disregarding company warnings on what goes into the trash, now we have employee forgetfulness in disregarding company warnings on what goes into the USB drive. Or security specialists disregarding warnings about how data is transmitted and stored. In the old days, when corporate policy and resulting budget decisions were brought to focus on the problem, strategically placed shredders dramatically reduced data theft. Similarly, company focus on privacy today can significantly impact security practices.

    Ignoring for a moment the threats from distributed processing of revenue transactions, privacy experts assert that the best way to prevent the loss of private information is not to store it. Thus, the great culture clash of 2014 - Big Data! Companies want to store private data - as much as they can get their hands on. And, there is so much more available through many different outlets, including social media. Indeed, the strategic use of large volumes of personal data is viewed as significant competitive advantage.

    But, this will move the conversation from privacy (you can't have it) to anonymity (you can't use it). As Jed Rubenfeld (Professor of constitutional law at Yale Law School) states "Solving the riddle of anonymity is the central question of the brave new digital world".

    How can accounting information systems professionals meet these challenges? Significant political skill is necessary to convince Boards of Directors to look beyond the wind-fall of big data to the financial risks of inappropriate use and control of private data. As government regulation increasingly focuses on privacy, the costs of data breaches, previously mere externalities, will be greater. Additionally, as data losses grow in frequency and magnitude, public opinion backlash has increased. Never before have "What data should we collect?" and "How should we protect our data?" been governance questions. But, given the potential consequences, these conversations must take place at the highest levels of the organization, and it is the AIS professional who is uniquely qualified to participate. When ethical issues and strategic advantages point in opposing directions, we must join the conversation. At the operational level, accounting information systems professionals can assist in risk analysis and controls design to help predict and prevent data breaches originating inside or outside the organization.

    The journal has a call for papers on a theme issue related to security (http://aaahq.org/InfoSys/JIS/calls/InfoSecurity2014_Oct.pdf) and for the journal's first conference next spring on IT audit (http://aaahq.org/calls/JISC2015_call.cfm ). However, there is much to be done and many research questions to pursue beyond these two broad topics.