Government Issues Guidance on Security and Privacy Practices for Companies

August 10, 2007

New tracking technologies such as RFID are giving companies powerful new tools for business management. However, they also raise compelling privacy and security concerns. Companies should develop appropriate policies as they go forward with these new tools. The federal government offers guidance on best practices.

Every sector of the economy is finding new ways to use radio frequency identification (RFID) technology to improve its operations. Retailers, manufacturers, hospitals, government organizations, transportation companies and utilities have been finding that RFID technology can improve inventory control, logistics, tracking and monitoring of various industrial processes and supplies, and a myriad of other applications. Use of the technology, however, has always been accompanied by concerns over privacy and security issues, since it allows the collection and retention of information that may infringe on individual privacy and is subject to unauthorized access. To help address these issues, the Commerce Department’s National Institute of Standards and Technology (NIST) recently released a best practices document, which attempts to educate users of this technology on ways to minimize privacy and security issues.

RFID devices send and/or receive radio signals to transmit identifying information such as product, model or serial numbers. They come in a wide variety of types and sizes, some small enough to be implanted in equipment or clothing. However, as the Commerce Department pointed out, "unlike bar coding systems, RFID devices can communicate without requiring a line of sight and over longer distances for faster batch processing of inventory and can be outfitted with sensors to collect data on temperature changes, sudden shocks, humidity or other factors affecting products."

"As RFID devices are deployed in more sophisticated applications from matching hospital patients with laboratory test results to tracking systems for dangerous materials, concerns have been raised about protecting such systems against eavesdropping and unauthorized use and disclosure," the Commerce Department further notes. "RFID tags, commonly referred to as ‘smart tags,’ have the ability to improve logistics, profoundly change cost structures for business, and improve the current levels of safety and authenticity of the international pharmaceutical supply chain and many other industries." The report lays the foundation for addressing potential RFID security risks so that companies can launch a smart tag program with confidence.

Concern over the security and privacy issues associated with the use of RFID smart tags became the focus of government efforts when the federal government itself was looking at using this technology in passports and other kinds of identification documents.

The government paused in its implementation of this technology to consider the steps it should take to protect personal privacy and security before going forward with full implementation. This latest initiative is another effort to assist companies in taking necessary precautions to avoid the potential downsides of widespread use of these devices.

The new Commerce Department publication focuses on RFID applications for asset management, tracking, matching and supply chain control. Its recommendations include:

  • Firewalls that separate RFID databases from an organization’s other databases and information technology (IT) systems;
  • Encryption of radio signals when feasible;
  • Authentication of approved users of RFID systems;
  • Shielding RFID tag or tag reading areas with metal screens or films to prevent unauthorized access;
  • Audit procedures, logging and time stamping to help detect security breaches; and
  • Tag disposal and recycling procedures that permanently disable or destroy sensitive data.

NIST prepared the new report as part of its responsibilities under the Federal Information Security Management Act of 2002 to help federal agencies provide adequate security for their information technology systems.

Any company or enterprise considering an RFID implementation in any aspect of its business processes should carefully consider implementing procedures and policies to address personal privacy issues, as well as security concerns, to avoid liability and unintended disclosure issues going forward.

McDermott Will & Emery
