Typically, regarding physical security systems and programs, there are significant gaps in the management of what is today considered personally identifiable data (PII). This question is one that many practitioners are dealing with right now, relating to ongoing pandemic prevention and response measures.
Q: Human Resources has asked me to evaluate contract tracing regarding COVID-19. Aren’t their significant privacy concerns?
A: Yes, there are, you shouldn’t ignore them despite the fact that some organizations seem to be doing just that.
This column’s length precludes examining the privacy concerns in depth. So I’m recommending the white paper I wrote for the Security Industry Association titled, Big Data and Privacy for Physical Security, which you can read online or download. The definitions in this column are based on those in the paper.
Evaluating Solutions
First of all, there are so many mobile apps and various technical approaches emerging for contract tracing that it can be prohibitively time-consuming to evaluate them all. That's why when sifting through such data, I filter out solutions that don’t put data privacy and control front and center. Next, I look at the ease of use, which includes manageability at the required scale as well as auditability (appropriate logging and ability to verify the integrity of controls) followed by ease of deployment. After that, I consider the total risk mitigation cost including organizational impact. Some organizations have had their production capabilities constrained by pandemic related processes, procedures and personal protective equipment (PPE) constraints as well as social distancing and other considerations. The total cost of ownership (TCO) includes the cost of any production constraints, which often aren’t considered early enough.
AlertTrace
I know of one new contract tracing solution that was specifically designed with data privacy in mind and is deployable within hours, thanks in part to the system being cloud-based. The system can be deployed fully on-premises where that is an organizational preference or requirement. Importantly, the product is not based on cellphones, but on small purpose-built wearable devices. That eliminates a whole host of deployment rollout and user concerns. It can be deployed completely consistent with the guidelines in the ACLU white paper titled, Government Safeguards for Tech-Assisted Contact Tracing (http://bit.ly/ACLU-contact-tracing-sasfeguards).
The devices are about the size of a stack of five U.S. quarter coins. It utilizes end-to-end encryption, and its data is anonymized to prevent the ability to identify users from the raw data alone. It doesn’t track employee whereabouts, only the distance between one device and another. It’s like an employee ID badge with no identifying markings, that knows when it’s near other ID badges. The data belongs to the customer organization, and data handling can be performed consistently with the organization’s existing data security practices. The system can perform automatic firmware updates of the wearables, an important product security feature required for manageability at scale for high device count deployments.
The manufacturer is VOS Systems, a joint venture of three leading U.S.-based tech companies: Volt, Ottogee and Scout. Under non-disclosure terms, I was able to learn about the existing customer base, which includes U.S. military organizations and federal agencies, and product security testing for the wearables and the core system. Get more information from the AlertTrace website (www.alerttrace.com) or contact Matt Kolmes, partner at AlertTrace at ([email protected]).
Collaboration for Secure Deployments
Practitioners not already collaborating with the organization’s people whose responsibilities include information security and privacy, data governance, and compliance should do so – and not just around COVID-19 issues. Because location data is now considered personally identifiable information (PII), any organization with access control and video systems needs to have a specifically defined data protection element in their physical security program.
Two concepts are critical to addressing information privacy concerns, including corporate liability stemming from weak data handling: Data Stewardship and Data Governance.
Data Stewardship
The overall concept of stewardship is the performance of responsible planning and management of resources. Data stewardship is the management and oversight of an organization’s data assets to help provide business users with high-quality data that is easily accessible in a consistent manner. Data stewardship ensures the integrity, usability, and security of the organization’s data.
Data stewardship involves hands-on roles that are typically performed by individuals referred to as data stewards. Most data stewards do not hold full-time data management roles but fulfill the data steward role for the particular part of the business where they work or for which they are responsible. Some focus on the technicalities of the data processes themselves. Data stewards’ collective efforts improve the utilization and accuracy of data and information in a way that drives business performance and mitigates organizational risk.
As the use of business insights derived from security system data spreads throughout an organization, data stewardship for information generated or handled by the security function becomes critically important and necessarily involves people outside of the security function.
Data Governance
Data stewardship is part of the organization’s data governance program. Data governance assures the availability, visibility (knowing what data is available where, and ensuring that business functions for whom the data has value are aware of it and can obtain appropriate access to it), usability, integrity and security of the data employed in an enterprise. Data governance is a strategic function that does not directly deal with data but sees that the people, policies and processes are in place and functioning as they should be to manage the data assets. Data stewardship is tactical in that each data steward’s focus is on a particular set of data being used by or generated by a particular business function.
The Big Data and Privacy paper goes into much greater detail regarding the specific data protection requirements necessary to corporate and facility physical security functions.
About the author: Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS