4 Privacy Predictions for 2015

Monday, December 01, 2014

Rebecca Herold


It is that time of the year again…time for prognostications about the year ahead!

I was asked to provide a few predictions for 2015. Based not only upon what I’ve seen in 2014, but also upon foreshadowing from the past two to three decades, here are some realistic possibilities.

1) The Internet of Things (IoT) will get some parental oversight

First, it is important to understand that I certainly see some great benefits to changing what have historically been “dumb” things into “smart” things. Many safety, health, communications, and efficiency benefits are possible, in addition to those that are already here, through the use of smart gadgets within the IoT. What greatly concerns me is the significant lack of data security controls and protections, not to mention the complete lack of privacy controls, within them.

Predictions:

At least one of the established standards organizations (e.g., NIST, IEEE, ISO/IEC, etc.) will draft a comprehensive set of security and privacy IoT standards or guidelines.

A major IoT privacy breach will occur before the end of 2015.


2) Wearable smart devices in particular will get some privacy requirements

Wearables are a subset of the smart gadgets used within the IoT. From what I’ve found, most make privacy and data security promises, but none of those I’ve contacted and asked for more information, often multiple times, have provided it. This, despite claiming their “strong support” for privacy and their “complete transparency” about their privacy practices. They must be confusing opaqueness with transparency.

Prediction:

A regulatory agency, likely the FTC, will draft security, and possibly privacy, requirements for smart wearables. As a result, we will see many of the currently existing wearable makers either go out of business or get acquired by larger organizations.


3) (Mis)use of Big Data analytics will result in a privacy breach

The capabilities continue to increase exponentially. To date, the security and privacy risks have largely been overlooked in the excitement of uncovering insights and discoveries that had previously been impossible. However, as many of us in the privacy field have been warning over the past few years, new privacy problems are going to arise as a result of big data analytics breakthroughs; these must be addressed.

Prediction:

By the end of 2015 there will be at least one significant privacy revelation that will highlight, with a jolt, the need to build privacy controls into Big Data Analytics (BDA), using yet-to-be-written BDA privacy standards.

4) Explosion of more health data will create significant new privacy risks and breaches

Health data is on the brink of getting completely out of control. A large and increasing number of entities are collecting health data directly from individuals without being considered covered entities (CEs) or business associates (BAs), and so they are not bound by the HIPAA security and privacy rules, leaving vast amounts of data exposed and vulnerable. Currently the HITECH Act covers entities considered to be health vaults and/or that collect and maintain “personal health records” (PHRs), and requires them to report privacy breaches of data considered to be PHI; the FTC is the oversight agency for these types of organizations. However, there is no comprehensive set of requirements that entities falling outside the definitions of CEs or BAs must follow to protect the full range of health information in the first place. And many entities collecting health data do not fall under the definition of a health vault, and so have basically no oversight or privacy and security requirements from any specific regulatory agency.

Prediction:

A significant breach will occur within one of the large health vaults or another type of organization collecting vast amounts of health information directly from individuals. This will prompt the FTC to draft regulations that will apply to all types of organizations outside of CEs and BAs.

This was cross-posted from the Privacy Professor blog.
