In trying to write this piece about privacy, I struggled to keep it short and make it understandable and relevant. The same cannot be said about the myriad privacy laws and regulations that are proliferating throughout the world. From Europe’s General Data Protection Regulation (GDPR) to the California Privacy Rights Act (CPRA) to, most recently, the Virginia Consumer Data Protection Act (VCDPA), there are thousands of pages of privacy regulations to which many businesses are subjected. Reading through them has daunted even some legal scholars.
A legal scholar I am not but I have read through most of the existing regulations (a painful endeavor I do not recommend for non-lawyers) and have come to some conclusions. Privacy is not “rocket science” nor is it a monolithic concept. Privacy is, however, an issue that the security industry should take more seriously as challenges to the “surveillance” state, in which many of our technologies operate, are on the rise. The “creepiness” factor is a big reason for this.
First, let’s address the idea that privacy is not “rocket science.” If you adopt and implement privacy’s core principles, first espoused in the United States’ Privacy Act of 1974, you will be on your way to understanding how to build privacy into your products and how they are deployed in myriad settings – from businesses to single family homes to multi-family dwellings.
While the five original core principles – notice/awareness, choice/consent, access/participation, enforcement/redress, and integrity/security – have expanded to ten, which now include accountability, purpose for use and collection and use limitations, they are, at heart, common sense ideas. Putting them into practice may take some time, effort and thoughtfulness, but your business and customers will be better for it.
Recently, an article on the use of license plate readers discussed how they are ubiquitous, often hidden and virtually impossible to avoid, and as such violate privacy egregiously, amplifying the “creepiness” factor. This is despite the technology’s efficacy in solving crimes including kidnapping and murder. In the same article, the author cited one community that had accepted the use of license plate readers despite privacy concerns. Herein lie some lessons for our industry on ways to consider privacy in practice.
Law enforcement and leaders in the community applied privacy principles including notice, limits on use and sharing of data collected, and data retention and deletion policies to their use of license plate reader technology. Informing the public, officials told their story so that citizens understood the value of the technology in keeping them safe and secure.
The key lessons we can learn from this are:
- Consider privacy principles every step along the way, in design, manufacture, installation, and operation. This means thinking through how your product or solution will be used and potentially abused. For example, physical access control systems use personally identifiable information (PII) to achieve their purpose. Limit PII’s use to that purpose only.
- Inform all stakeholders about the security technology being deployed. I remember participating in a webinar years ago with a major security industry integrator whose customers included owners of multi-family dwellings. Before installing cameras and physical access control systems, this integrator convened owners and residents to discuss the installations, answer any questions and share details about what data might be collected and how it would be used. This approach avoided what happened to a California school district that installed RFID-based access control systems without informing parents, an episode that led to the introduction of legislation that would have banned the use of RFID in many security applications.
- Secure your security products. The recent breach experienced by Verkada, a maker of security cameras, was the result of a lapse in security. A user name and password for a Verkada administrative account were exposed on the Internet. With the increasing use of web-based platforms in the security industry, cyber hygiene is critical.
- Tell your story so that stakeholders understand that you take privacy seriously while being committed to protecting people, places and assets. Make sure your employees understand this commitment as well, training them and building a culture of privacy from the inside out.
The ethical and lawful treatment of PII will instill confidence and trust in your customers and end users. As your business faces more and more regulatory and compliance hurdles related to privacy, adhering to core privacy principles will help you meet these challenges.