Relevance of privacy for corporate library and information services
The article considers privacy from the perspective of corporate libraries and their users, including the issues that the sector has in common with other types of library as well as those that are unique to the sector. The future of business information will include greater portability and personalization, both of which pose privacy challenges. Reliance on vendors and third parties in order to be able to deliver services; as well as increasing usage of cloud computing also creates privacy risks which need to be carefully addressed. Corporate libraries aren’t immune from data breaches. These can sometimes be traced back to vendors. Library vendors serving the corporate sector can’t be expected to fully address customer privacy concerns if information professionals don’t make clear to them precisely what those concerns are. Argues that components of strategies to address privacy concerns include vendor management as well as a privacy/data protection audit.
Privacy; Corporate libraries; General Data Protection Regulation; Cybercrime; Cyberattacks; Portability; Personalization; Vendor management; Third parties; Cloud computing; Encryption; Data breaches; Data protection audits
Relevance of privacy for corporate library and information services
Journal articles and books covering the topic of library user privacy tend to concentrate on privacy in the context of public, academic, or school libraries. There is less coverage of privacy in the context of special libraries, and within that hardly anything about privacy in the context of information services in the corporate sector. It is also worth noting that there is a lot more literature on privacy in library and information services generally which is written by North American authors than there is by UK authors.
The paucity of literature from a UK perspective on privacy issues affecting corporate libraries does deserve to be highlighted. Privacy issues are important. Indeed, they will become even more important on 25th May 2018 when the General Data Protection Regulation (or GDPR) becomes law. I am sure that some people will immediately be thinking about Brexit at this point, but it is worth bearing in mind that the UK won’t have completed the process of leaving the European Union by May 2018. Even when that process has been completed, the UK will still want to trade with the rest of Europe, and our data protection requirements would need to be the same as or very close to those of our European partners otherwise our ability to trade with other European countries could become something of an administrative nightmare due to our data protection laws being out of step with those of the European Union. The UK’s new Information Commissioner has said that the UK must avoid data protection Brexit[i].
Surely it makes it all the harder for information professionals working in the corporate sector to be able to read up and hear about best practice, lessons learnt, and to help them know how best to deal with the privacy issues most relevant to them if there is so little material available, and especially if what is available doesn’t tend to cover the corporate sector and doesn’t tend to be written by UK authors.
Library services in the corporate sector, as in the public, academic and school sectors, face a number of challenges common to all of them when trying to protect the privacy and confidentiality of their users:
- Libraries depend on external vendors and third parties in order to deliver their services. I am thinking here of library management systems, of discovery systems, of ebook platforms, of online databases and other content providers and so on
- Libraries often utilize cloud computing where their data is held remotely
- Both the volume and the level of granularity of the usage data that is routinely collected by vendors and third parties is growing rapidly and bears little resemblance to how things were even just a decade ago
- The sheer scale of cybercrime. According to Symantec’s internet security threat report[ii], over half a billion personal records were stolen or lost in 2015.
- The annual cost of cybercrime could reach $6 trillion USD by 2021 according to Security Affairs[iii]. Meanwhile the Ponemon Institute[iv] says that the average annualised cost of cyber attacks per company works out on average at £4.1 million for UK companies. A number of other sources put the figure somewhat lower than that. For example, according to BAE Systems the cost for one in 10 UK firms up to £1m[v].
In a white paper entitled “2020 vision: the future of business information”[vi] Dow Jones & Infodesk envisage the future of business information. Nowhere does the eighteen page white paper refer to the data protection and privacy issues that will arise increasingly, not least because the future that the paper foresees is one where business information products will become more portable and more personalized. Surely, both of those concepts – portability/mobility and personalization – pose privacy challenges.
Personalization allows the business information user’s experience to be enhanced. The report gives four examples of business to consumer (B2C) personalization:
– Personalization based on customer behaviors
– Personalization based on social media relationships
– Personalization with regard to cross-selling
– Personalization based on location
Personalization is a trade-off which involves giving up some privacy in return for an enhanced user experience, one which is more tailored to the user where the most relevant content is made more prominent and where the tasks or functions you undertake most frequently appear first. It is essential that users of business information products are given a choice as to whether or not they wish to give up some privacy in exchange for a more relevant and tailored user experience. Unless vendors are transparent about how personalization comes at a cost, and unless users are able to fully understand the implications of the choices they are presented with there is a real danger that they will lose whatever confidence or trust that they might have in the vendors and their products; and in some cases that could simply be down to a misunderstanding.
Meanwhile, in terms of portability or mobility, the report says that “According to InfoDesk’s Stites, “Taking cues from digital assistants and other new personal apps, mobile business information users can also look forward to a new breed of business information apps and tools, all of them designed to help personalize mobile experience.” I can well imagine that there will be more and more instances of people using multiple devices, where they are looking for a seamless experience across all of them. If at the same time people are encouraged to take advantage of greater personalization doesn’t personalization combined with greater portability create significant privacy risks.
James Evans[vii] says businesses outsource processes to third parties, and they believe that they are handing over responsibility for securing them. He is thinking here specifically of software as a service apps. Evans rightly points out that the primary business is responsible for protecting the interests of both customers and shareholders, rather than being able to pass on all responsibility to the cloud provider. He believes, as do I, that businesses must have an effective security solution that can deal with the challenges of having data and processes held by 3rd parties, or else they are risking disaster.
Locally managed or remotely hosted
Library-related software could potentially be deployed either as software which the library installs within its own technical infrastructure or as a service hosted by the vendor (software as a service or SaaS). The use of cloud computing in a library context is certainly not restricted to the vendors of library management software.
Library services typically use web-based resources, whether that be the library management system, an online database, a discovery service or a content management platform. Marshall Breeding[viii] says “One of the realities of the internet lies in the ability for any third party to intercept the transmissions of information as it travels among devices and servers. Wireless networks are an especially easy target. It has to be assumed today that any information transmitted as clear text across a local network or the internet will be intercepted and used”. In order to protect privacy, user sessions require encryption.
When corporate information professionals think about how to deal with privacy issues, a key question to ask themselves is whether the library IT infrastructure is locally managed or remotely hosted. The answer to that question will have a bearing on just how easy or difficult the task will be; it can determine whether you have direct control of the data; and is also likely to affect your choice of which are the best strategies to deploy in order to minimise the risk of a data breach occurring.
It is self-evident that where a library relies on cloud computing that this will place a greater burden on the vendor. But even if a service is remotely hosted, the library is still ultimately responsible for protecting the privacy of its users. You can delegate responsibility, but you cannot delegate accountability. Ideally, the library will want to understand and ultimately be in control of the procedures in place. We as information professionals need to ask ourselves – do we know enough about what the vendors are collecting all of this usage data and information for; do we know enough about their policies and practices regarding user data.
Given that libraries rely on external vendors in order to deliver their services, this can be problematic from a compliance point of view. Each vendor will have different tolerances for taking risks, different ethical policies, different cultures – all of which makes life hard for corporate compliance teams.
Data protection/privacy audits are a useful way of testing compliance with the key provisions of the requirements laid down in the Data Protection Act 1998, and other legislation such as the Privacy and Electronic Communications Regulations.
An audit will help an organisation check that information is obtained and processed fairly and lawfully; that it is accurate, complete, up to date, relevant and not excessive; that it is held for no longer than is necessary, and that it complies with the rights of individuals, such as their right of subject access.
An important aspect of an audit is that the very fact of undertaking a privacy audit raises awareness of privacy issues and their importance. It will help to identify any weaknesses in the system which may then need to be addressed.
For each library system or service, there are a few key things which need to be considered:
- What data is recorded – and what does the data reveal
- Where is it located – and is it within the library’s direct control
- Who has access – is access limited to those who absolutely have to have access in order to do their jobs
- How long is the data held – and is it held for longer than is strictly necessary
- Comments & recommendations – are there any flaws in the way things work at the moment, and do you have any recommendations on how the procedures might need to be tightened up in order to ensure compliance with data protection laws
Privacy audits do take place in a corporate library context. Here, for example, is an article on privacy audits in a legal library context: Gordon, Rachel E, Privacy Audits in the Law Library (July 1, 2014). Available at SSRN: http://ssrn.com/abstract=2461235
In order to provide access to resources such as ebooks, journal articles and online databases, corporate libraries enter into licence agreements with commercial vendors. The resources are then delivered via the internet and/or networks. The vendors collect data on library users for a number of reasons such as authentication, digital rights management, consumer analytics, and personalization features.
Imagine, for example, how much information you can glean from a user’s saved searches, search history, download history, alerts, annotations and so on.
The risks posed by third party relationships are huge (vendors, suppliers, agents, distributors, resellers). It is impossible to adequately address the risks of a data breach occurring if the risks posed by third parties are overlooked.
If corporate information professionals don’t ask vendors about privacy issues; if they don’t raise questions about the wording of privacy clauses in licence agreements; if they don’t set out what they ideally want from a vendor on this issue, how can they expect the vendors to fully meet their expectations and requirements?
To ensure that contracts governing the provision and use of digital resources reflect organizational policies, legal obligations, and library ethics it is essential for librarians and vendors to work together. I would like to suggest that what is required is vendor management. That would include:
- Vendor selection and evaluation. This can, for example, include taking soundings from other customers of the vendor (not necessarily from the reference sites that the company uses), due diligence on the vendor and its finances, and judging the vendor against a checklist of requirements. When selecting a vendor, do you ask them about privacy issues. More specifically, do you ask whether they have ever encountered a data breach? In May 2016, for example, Ex Libris announced[ix] that it had become the first vendor within the sector to achieve ISO 27018 certification for cloud privacy.
- Negotiating the right contract terms. Does the vendor contract even address privacy issues, and of so how? Do librarians insist in their contract negotiation processes with vendors that the providers protect their users’ information. And if not, is it reasonable to expect the vendors to know that it is important to us, and precisely what our requirements are? Information professionals need to be wary of contracts which have clauses containing limitations of liability for breaches of confidential information. In an ideal world, agreements between libraries and vendors should specify that libraries retain ownership of all data; that the vendor agrees to observe the library’s privacy, data retention, and security policies; and that the vendor agrees to bind any third parties it uses in delivering services to these policies as well.
- Risk management. Identify the potential risks, and develop appropriate responses
- Know the contract terms and what they mean. It may seem like an obvious thing to say, but before signing any contract you need to understand precisely what the agreement actually means. If the contract contains ambiguous words or phrases, these should be removed or replaced before the contract is signed, otherwise they may well be the cause of a dispute at some point in the future.
- Continuous oversight of the contract. Is the vendor living up to its contractual commitments? Are they doing their job properly? Is the relationship with that vendor working well? It is important to have an ongoing dialogue, so that any issues or problems can be addressed at an early stage. Working with vendors requires a number of skills including good communications, both written & verbal, in-person and remote; as well as strong interpersonal skills.
Vendors have been behind a number of data breaches. That is true, for example of the data breaches at Target[x] and Home Depot[xi]. It is essential to take that into account when developing a policy around what you would do if a data breach were to occur.
There are a number of areas specific to the corporate sector where a data breach or a breach of confidentiality could potentially have disastrous consequences for a company and its ability to compete effectively:
(a ) Product development
Some research across the range of information products that a company subscribes to could very well be related to product development work. Researchers within the company may be looking at where there are gaps in the market, who competes in a particular space, or be doing background work to support the development of a new product or service. The company would be mortified if its plans were somehow leaked, particularly if a direct competitor found out about the product development plans.
(b ) M&A activity
Similarly, a company may be on the acquisition trail, looking for potential targets. They might research as much information as they can about a target company, including its financials, its product mix, its customers and so on. If it became known that the organisation was looking to acquire another company that would be a serious matter. That piece of information could even lead to insider trading.
(c ) Trade secrets
Cyberattacks are sometimes undertaken with the specific intention of stealing intellectual property. There is also the “insider threat” which mustn’t be underestimated. Misappropriation of trade secrets may well be down to an employee or business partner. According to Pamela Passman (2016)[xii], the courts are saying that “firms need to take “reasonable steps” to protect confidential corporate assets, and these efforts include not only securing computer networks but also embedding trade secret protection into business operations and processes”.
Back in 2013 the Telegraph reported[xiii] that the head of GCHQ had warned of how business secrets in the UK were being stolen on an “industrial scale” in the growing cyber war.
I have been gathering examples of data breaches involving libraries for some time now and I have to admit that I haven’t yet come across any that are specific to corporate library and information services. The ones that I have found cover education libraries (universities, colleges, and schools), public libraries, national libraries, as well as a number of breaches involving library professional bodies and special interest groups.
Analysing data breaches across the entire library profession, the root causes of those data breaches are things like a software upgrade glitch, ransomware, a misconfigured database, the “insider threat”, a hacking attack, DDOS attacks, human error, or lost/stolen computers.
The lack of examples in the corporate sector doesn’t necessarily mean that this is evidence of there being no data breaches within the corporate library sector. Nor does it mean that the corporate library sector is somehow immune from the threat of data breaches occurring. On the contrary, there are a number of publicly reported examples of data breaches which I have been collecting which involve vendors used by corporate information professionals:
Reed Elsevier – In March 2005[xiv] it was reported that Reed Elsevier company LexisNexis had suffered a security breach. This was initially said to relate to a userid and password being used fraudulently to download information on 32,000 individuals. The information accessed included names, addresses, social security and driver’s licence numbers. However, within days, it was reported[xv] that the security breach was somewhat larger than first thought. The New York Times said that the figure wasn’t 32,000 but was instead information on 310,000 people. It also reported that the company had found 59 separate instances where unauthorized users may have fraudulently acquired personal identifying information through Seisint, a unit of LexisNexis. Seisint data is used by employers making hiring decisions, landlords choosing tenants and also by debt collectors.
In 2013 it was reported[xvi] that a number of companies, including LexisNexis and Dun & Bradstreet may have unwittingly aided identity thieves. The story said that the operators of an underground ID theft service had infiltrated some of the biggest providers of social security numbers, dates of birth and other consumer information.
Bloomberg – In 2013 it was reported[xvii] that for years journalists at Bloomberg News had been using Bloomberg terminals to monitor when subscribers had logged into the service and to find out what types of functions – such as the news wire, corporate bond trades, or an equity index, that they had looked at. The sorts of information that the Bloomberg journalists had access to included background on individual subscribers, when they last logged on, chat information between subscribers and customer services representatives as well as weekly statistics on how often they used a particular function. It was suggested that reporters at Bloomberg News were using a function that tracks how recently a client has logged in as a way of generating story leads about personnel changes. Soon afterwards it was announced[xviii] that former IBM CEO Sam Palmisano had been appointed as an independent advisor with the task of reviewing and recommending changes on privacy and data policies.
Adobe – in the Autumn of 2014 there were a number of reports[xix] that Adobe Digital Editions was sending back to the Adobe servers in plain (unencrypted) text details including a list of books read, whether or not these had ever been opened using the Adobe software. The usage data being sent back to Adobe’s servers also included how long users had spent looking at particular ebooks, right down to an analysis of which pages had been consulted, and time spent looking at each individual page.
Tracking of user activity is becoming increasingly sophisticated, moving on from tracking usage of individual websites through to browser fingerprinting and on to device fingerprinting, where all activity undertaken on a specific device is collated. The volume of data being gathered has increased exponentially, as have the number of devices from which data can be gathered thanks to the internet of things[xx] – where even a lightbulb can be compromised in order to gain control of someone’s wi-fi[xxi]. The corporate library sector isn’t immune from all of these developments, and it is undoubtedly the case that privacy and information security issues are becoming increasingly important. Librarians in general need to wake up to the issues around privacy, the risks involved and what can be done to minimize those risks. In the corporate sector it is especially hard for librarians to build up their knowledge of privacy and information security issues – partly because of the paucity of articles, books, or other sources of material specific to the corporate library sector that they can turn to. But also because of an understandable reluctance to share information with competitors about best practice for dealing with privacy issues, and because corporates are unlikely to willingly share information about data breaches they have experienced, and the lessons they learnt as a result.
Paul Pedley is a Visiting Lecturer at City, University of London, and is studying privacy issues in libraries for a PhD at City. He maintains a Twitter feed on the topic @priv_lib, as well as a website and blog at http://www.libraryprivacyblog.wordpress.com.
American Library Association (2016). Library privacy guidelines for e-book lending and digital content vendors.
Caro, Alex and Markman, Chris (2016). Measuring library vendor cyber security: seven easy questions every librarian can ask IN Code4lib journal, Issue 32, 2016
CEB Compliance & Legal (2015) How to help business partners manage third-party vendors, 19th November 2015.
InfoArmor (2014). How to protect sensitive corporate data against security vulnerabilities of your vendors, July 2014.
Royal, K (2015). Third-party vendor management means managing your own risk: chapter eight. The Privacy Advisor, April 28th 2015.
[i] BBC News Online (2016) Commissioner: UK “must avoid data protection Brexit” IN BBC News Online, 29th September 2016.
[ii] Symantec (2016) Internet security threat report, volume 21, April 2016
[iii] Paganini, Pierluigi (2016) Global cost of cybercrime will grow from $3 trillion in 2015 to $6 trillion annually by 2021 IN Security Affairs, August 28th 2016 http://securityaffairs.co/wordpress/50680/cyber-crime/global-cost-of-cybercrime.html
[iv] Ponemon Institute (2015) 2015 cost of cyber crime study: United Kingdom http://cybersecuritysummit.co.uk/wp-content/uploads/2015/06/2015-UK-CCC-FINAL-3.pdf
[v] Morris, Jessica (2016) Cyber attacks could lead to British firms suffering losses of over £1m IN City AM, 3rd October 2016.
[vi] Dow Jones & Infodesk (2016) 2020 vision: the future of business information – a guide to enterprise information strategy and actionable intelligence (see also http://www.biia.com/visionaries-wanted-the-future-of-business-information)
[vii] Evans, James (2016) Take control back from 3rd party SaaS apps today IN The Onion 7th June 2016.
[viii] Breeding, Marshall (2016) Issues and technologies related to privacy and security. Library Technology Reports (May/June), 5-12.
[ix] Ex Libris achieves ISO 27018 certification for cloud privacy, Ex Libris press release 11th May 2016
[x] Krebs, Brian (2014) Email attack on vendor set up breach at Target IN Krebs on Security 14th February 2014
[xi] SANS Institute (2015) Case study: the Home Depot data breach https://www.sans.org/reading-room/whitepapers/casestudies/case-study-home-depot-data-breach-36367
[xii] Passman, Pamela (2016) Eight steps to secure trade secrets IN WIPO magazine, February 2016
[xiii] Whitehead, Tom (2013) Hackers stealing trade secrets on industrial scale, warns spy chief IN The Telegraph July 1st 2013.
[xiv] Meredith, Luke (2005) Reed Elsevier suffers major security breach IN Techtarget, 9th March 2005
[xv] Timmons, Heather (2005) Security breach at LexisNexis now appears larger IN New York Times April 13th 2005
[xvi] Goodin, Dan (2013) How LexisNexis and others may have unwittingly aided identity thieves IN Ars Technica September 25th 2013
[xvii] Chozick, Amy and Protess, Ben (2013) Privacy breach on Bloomberg’s data terminals IN New York Times, May 10th 2013.
[xviii] Hesseldahl, Arik (2013) Bloomberg names former IBM CEO Palmisano to advise on data privacy IN Allthingsd.com May 17th 2013.
[xix] Hoffelder, Nate (2014) Adobe is spying on users, collecting data on their ebook libraries http://the-digital-reader.com/2014/10/06/adobe-spying-users-collecting-data-ebook-libraries/
[xx] There will be 24 billion IoT devices installed by 2020 – see http://www.businessinsider.com/iot-ecosystem-internet-of-things-forecasts-and-business-opportunities-2016-2?IR=T