Newsline October 2017

Last month, events brought to attention even people who are unclear about how the issues surrounding privacy and data security impact them. When Equifax revealed in early September that its systems had been breached and the financial data of more than half of the U.S. adult population compromised, data security and privacy became a top priority for consumers. A torrent of media coverage, consumer advice, Congressional hearings, and lawsuits have followed. Few organizations have data at the scale and sensitivity level of Equifax, but the lessons to be learned here about the implications from lax information security protocols, inadequate authentication systems, and slow data-breach reporting should resonate with every organization, large or small. Failing to protect user or patron personal information could have disastrous implications, potentially leading to tremendous liability, reputational damage, and even the complete collapse of a company.

NISO has been addressing issues surrounding the privacy of user data for several years now. Beginning with our work on patron privacy and continuing more recently in partnership with the Research Data Alliance on a joint project focused on research data and privacy, NISO has striven to find a consensus balance between users' legitimate privacy concerns and the insights to be gleaned from data analysis. These issues are inherently complex, raising mind-numbing legal issues and jurisdictional questions that can keep lawyers employed for decades. NISO's approach has been to take a practical, implemental approach that is built around consensus on core principles. The specifics will change as threats change, but if we are guided by a common set of principles and goals and work on continually enhancing services with those goals in mind, we will improve the entire ecosystem.

Data security is also at the heart of another active NISO project. For far too long, the publishing and library communities have relied on a simple, but fundamentally insecure, method of access control: IP-address-based authentication. Working in partnership with the International STM Association, NISO is advancing the RA21 - Resource Access in the 21st Century initiative. RA21 is developing prototypes for the publishing and library community to improve the user experience of using SAML-based authentication systems to access subscribed content and services. Even as some have suggested that the real solution to improving access is free content rather than better authentication, realistically not all content will be free, nor will all services be open. And publishers are not the only ones concerned about network security; libraries also face the problems caused by breached proxy servers, having access curtailed, and making users pass through additional hoops to get to content. Therefore, moving the community away from authentication that is tied to a person's network location is in all of our interests, both from a user experience and a security perspective. I will be discussing the RA21 initiative during NISO's monthly Open Teleconference on October 16, if you would like to hear more about the project.

I'll end with pretty common advice: limit your data sharing when possible, use and protect strongly created credentials, upgrade systems regularly, and if you manage private data, closely monitor your privacy and data protections. Sadly, one doesn't any longer have to be the sort of person who wears a tin foil hat to fear data compromise.