The TJX data breach scandal has demonstrated that information security breaches, particularly those that involve the theft of personal information like Social Security or credit card numbers, are nightmares for businesses and their customers. As the heat from the spotlight on the security of software applications and Web sites gets hotter, developers are being asked to add another item to their checklist: privacy.
While many large corporations have internal guidelines for handling private data, other organizations are still grappling with building security and privacy-conscious practices into their development cycles. To advance the discussion, Microsoft late last year released a set of privacy guidelines for developing software products, Web sites and services.
"A lot of companies understand the importance of privacy but are struggling with how to best help ensure their products and services actually empower customers to control the collection, use and distribution of their personal information," said a Microsoft spokesperson. "Developers can play a central role in addressing this concern, but they also need guidance to implement privacy-conscious development practices."
Diana Kelley, a vice president at Midvale, Utah-based Burton Group, said security and privacy have not been on the minds of developers. "Traditionally developers spend a lot of time focusing on getting code written quickly, and getting it to work effectively," she said.
For example, developers obviously know credit card information should be protected. However, if something goes wrong with a transaction, the failed request might get written to a log file, and the log file, which now contains the credit card information, is itself exposed to a breach, said Brian Chess, founder and chief scientist at software security product company Fortify Software Inc., in Palo Alto, Calif. "A developer might not think it all the way through if they're not told to focus on how to keep information private."
Microsoft's Privacy Guidelines for Developing Software Products and Services are based on the privacy practices incorporated in the Microsoft Security Development Lifecycle (SDL) as well as global privacy laws. The privacy guidelines cover topics such as:
- Definitions of different types of customer data that include personally identifiable information,
- Guidelines for notifying users that their personal data may be collected, and offering them ways to consent (or not),
- Guidelines for disclosing to users how their personal information may be used,
- Reasonable steps to protect personally identifiable information from loss, misuse or unauthorized access,
- Control mechanisms for users to express their privacy preferences, and
- Strategies to prevent data leakage by minimizing the amount of personal information that needs to be collected.
Many large organizations already have privacy guidelines that are "much more specific to the business they're in and the regulations they have to deal with," Chess said. "[H]owever, there are a lot of companies making software that are smaller and don't have a privacy department."
Having a baseline set of guidelines is beneficial, Chess said, but individual companies will have to address privacy at a deeper level specific to their own businesses. For example, he said, "before you take private information from a user and put it into the system, you have to ask permission. How does that map into your system? What is private? It will be specific to each system. What does a program that protects privacy look like? This will be a step further of refining."
Kelley said some privacy issues can be addressed as part of the software development lifecycle -- particularly during the requirements phase -- "but that doesn't mean you can solve every problem. The baseline Microsoft has created is not all you'll ever need to think about, and they state clearly that it's a beginning."
In the Microsoft guidelines, Kelley said she liked the discussion of how to expose consent to users and provide notification that private data is being collected, and the reminder to only store what you need. "Getting people to think -- do we need to collect and store this data? -- is critical. How long do you need to store it? In the case of a credit card, it could be just a few seconds."
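The two points above, Chess's failed-transaction log that ends up holding the card number and Kelley's reminder to keep a card number for only as long as it is needed, are shown together in the following added example. It is not from the article or from Microsoft's guidelines; the gateway function, request layout and logger setup are constructed for illustration.

```python
import contextlib
import io
import logging
import re

# 13-19 digit runs, optionally split by spaces/dashes; a long numeric id may be masked too (safe direction).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def redact_pan(text):
    """Mask every card-number-looking run, keeping only the last four digits."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, text)

class RedactingFormatter(logging.Formatter):  # safety net: scrub the fully rendered record
    def format(self, record):
        return redact_pan(super().format(record))

def gateway_authorize(req):  # constructed stand-in; real gateways may echo the PAN in error text
    if req["amount_cents"] <= 0:
        raise RuntimeError(f"declined amount={req['amount_cents']} card={req['card_number']}")
    return "AUTH-" + req["card_number"][-4:]

def charge_unsafe(req, log):
    try:
        return gateway_authorize(req)
    except RuntimeError as exc:
        log.error("transaction failed: %r -> %s", req, exc)  # whole request, PAN included, hits the log
        raise

def charge(req, log):
    """Log only what debugging needs; past this call keep only last4 and the auth code."""
    last4 = req["card_number"][-4:]
    try:
        auth = gateway_authorize(req)
    except RuntimeError as exc:
        log.error("transaction failed: last4=%s amount=%d reason=%s", last4, req["amount_cents"], redact_pan(str(exc)))
        raise
    return {"auth_code": auth, "last4": last4}  # the stored record carries no PAN

def run_and_capture(charge_fn, req, redacting):
    buf = io.StringIO()  # throwaway logger so the test can read what would have been written
    handler = logging.StreamHandler(buf)
    handler.setFormatter((RedactingFormatter if redacting else logging.Formatter)("%(message)s"))
    log = logging.getLogger(f"demo.{id(buf)}")
    log.propagate, log.handlers = False, [handler]
    with contextlib.suppress(RuntimeError):
        charge_fn(req, log)
    return buf.getvalue()
```

The redacting formatter is a last line of defence for code paths nobody reviewed; the real fix is `charge`, which never hands the full card number to the logger or to the stored record in the first place.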
Formalizing these types of privacy policies will ultimately be beneficial to everybody, she said.