NPR’s Morning Edition had an interesting piece on Big Data this morning. In the security profession, I think that we have always been concerned with Big Data, but we might not have always had a word for it. This is not a new problem. Ever since companies and governments started collecting data on their customers and citizens, we have had the Big Data risk.
Now for the interesting part of this post. What risks does Big Data pose? I think there are two risks. First is the compromise of legally protected data such as Personally Identifiable Information (PII), Protected Health Information (PHI), and cardholder data defined by the Payment Card Industry (PCI). The second risk is the compromise of behavioral data. I’m defining behavioral data as data that can be used to uniquely identify individuals and their tendencies and preferences. This data could include web surfing data, credit data, geolocational data, mobile device use data, or TV viewing habits.
The first risk is old hat. Security professionals know what that data looks like and what the reasonable steps to protect it look like. The second risk is a little more interesting. Who owns that behavioral data? What are their obligations to use it? How do you protect it? Does it matter if you are a government or a private business if you collect the data?
I think there are significant privacy risks associated with this data. Some of the organizations interviewed in the news piece described technology that can help identify people about to commit a crime or violate policy. What if the law enforcement community started using this technology? Would it be the Minority Report driven by technology rather than clairvoyance? As a security guy who is responsible for investigations, I can see myriad ways to use this technology. As a private citizen, I see myriad ways to invade my privacy and pigeonhole me. How do we balance these factors as security professionals?