Editor's note: The following is a guest article from Myke Lyons, CISO at data intelligence company Collibra.
Data helps us better understand our world and solve hard challenges, like tracking and controlling contagion.
But using, storing, sharing and safeguarding data is difficult even in the best of times. In circumstances when business is anything but usual, proper data management requires even more attention.
Data vigilance calls for an understanding of who will have access to data and their intent in using the data. Ensuring the people and systems with access to data use it appropriately is paramount. Companies must make and execute plans for how long data will be kept and when to delete data, particularly the data most susceptible to security threats.
Everyone has a role to play in data vigilance. Addressing all that in the best way requires the involvement of a broad set of stakeholders.
The role of the developer
If you're building an application, it's your responsibility to do it appropriately. Application developers can't just rely on some regulation or regulatory body to tell them how to operate. They should operate with a high level of ethics in building applications.
Including a section in an app that provides transparency on how the app uses data can help ease security concerns. Zoom, which has been in the news due to its increased use amid COVID-19 and security concerns, recently brought in leaders in the security space and a new acquisition to help.
Having a strong opt-in strategy is also important. Apple and Google have a good approach with their work on contact tracing. But opting in is not going to give you all – or even enough – of the data.
What's happening with regional contact-tracing efforts illustrates the challenge. Just 3% of people in North Dakota have downloaded that state's app. But epidemiologists estimate 60% of a region's population needs to be part of a contact-tracing effort to enable virus containment.
Reports suggest the Apple-Google technology preserves privacy by randomizing IDs and anonymizing data. Descriptions of similar apps also speak to anonymization. But the privacy challenge is you don't need to extract someone's name, number or phone model from data to know who they are. You can figure that out just based on their movements and location.
There are many implications to consider. But if Apple and Google – or even nations – do this right, these apps could be very valuable. They will offer value for a lot more than this health crisis. There are other health issues for which a technology like this could be massively useful.
The role of the government
Norway's coronavirus tracker app is being lauded as a success story. More than 1.4 million people in a population of 5.5 million have downloaded the app. But it's also been challenging.
The Norwegian government released the app in a closed-source way. People found vulnerabilities – not only from a data handling perspective, but also related to the security of how the application was built. That opened the door to concerns about the security of the app and the closed-door process in addition to a "slippery slope" conversation about data privacy.
It's important for governments to think broadly about app design and data vigilance. Closed-door efforts are not going to solve this problem because data sharing is going to be critical.
The role of the chief data officer
The chief data officer (CDO) is emerging to help address data-related considerations. Many businesses have installed CDOs in recent years. Now the U.S. government is doing the same.
In 2018, the federal government set rules requiring every agency to have a chief data officer. It's really to help agencies report to each other because government lacks parent-child corporate models that enable data to flow up through the organizations.
Several U.S. agencies now have CDOs in place. In many cases, they have been assigning the role to an existing employee rather than hiring a dedicated individual to do the job. But the CDO is a specialist role; you shouldn't just assign your smartest data scientist or tech person to do it.
The CDO should set strategy for managing all of an organization's data – both from a defensive standpoint (addressing compliance regulations, data privacy, good data hygiene, etc.) and from an offensive one (making data more easily consumable for those who want and need it).
Some key agencies do plan to have specialist CDOs. The Department of Defense has been working to recruit candidates for its CDO position. And at the end of March, the Centers for Disease Control and Prevention (CDC) published the official job post for its CDO opening.
The role of the consumer
Consumers are grappling with data collection, something they've struggled with for a while. People are trying to become more educated about application data collection and personal data privacy and security. At the same time, there's lots of misinformation out there.
Involvement is key, especially amid the coronavirus-created work-from-home movement.
Here are a few ways in which consumers can work to protect themselves:
- Avoid creating usernames including your birthday (Joe1981 is not ideal)
- Change your passwords regularly; the more you use a password, the more frequently you should change it
- Do not reuse passwords on different websites
- Do turn on multi-factor authentication features in apps; many offer this, e.g. Twitter, Facebook, Amazon and LinkedIn
- Use a password manager
Consumers also have every right to ask questions of app builders about how the app will use their data. They can read data policies, too. People can do that individually or as part of groups.
My kids use various applications on their electronic devices – maybe now a little bit more than normal. There are applications where groups of parents get together and write information about an application.
Rather than just downloading an app and installing it on our devices, I spend a little time understanding what the goal of the application is. And I'll work to get an idea of who the app creator is working with and connected to. Because there are always going to be bad people out there, and they haven't gone away – even in this crisis.
Physical distancing requirements and stay-at-home orders have led many of us to do virtual happy hours and get more sleep. Maybe this time at home also provides an opportunity for self-improvement. Perhaps this is a chance to help ourselves and others with cyber improvement.