Personalized privacy policies: challenges for data loss prevention

Abstract

Given the prevalence of data leaks, organizations appreciate the importance of implementing privacy policies to protect sensitive data. The growing field of Data Loss Prevention (DLP) offers tools to enforce such policies for both data stored within an organization and data being shared outside of an organization (e.g. through email). While the DLP community has given much attention to the problem of enforcing data privacy policies in a comprehensive manner, little has been done to support the {it development} of such policies. We present a small user study demonstrating that developing such policies is also a very challenging problem. In our study, users were asked to evaluate various expressive file names for sensitivity; that it, they were asked to consider how broadly they were willing to share those filenames both inside and outside their place of employment. The study indicates that users interpret their employer’s privacy concerns in differing ways, resulting in complex, personalized privacy policies at the user end. These results suggest that it may be difficult for users to form a coherent organization-level privacy policy and that the results of a DLP-based enforcement of such policies (e.g. quarantined emails) may be confusing for many users in the organization.