Exploring the fuzzy edges of privacy and security
At the moment privacy is a hot topic. Most of the chatter on the internet and in the media can be characterized as “Company X is abusing the trust (or taking advantage) of their customers.” I’m not going to debate that side of the issue but there is another side and it isn’t getting much coverage. What’s missing from all the hoopla is the coverage of the impending political ramifications of the major privacy story lines.
Governments around the world aren’t sitting still. They’re reacting to the general public’s growing attention to privacy rights, and the results will have a direct impact on the way consumer companies operate. If you’re responsible for IT security, website development, data warehousing or any other job that accesses or protects customer data, you need to start paying attention to what is going on because it will likely affect your job. And now is the perfect time.
In the next month or so we will hear from the US Federal Trade Commission, the US Department of Commerce and the European Union, each with their own proposals and recommendations. These will be more formal statements derived from draft reports published last year. What follows is a short rundown of those drafts, which should provide guidance on what we can expect to read in the formal reports.
First up, let’s go over the FTC report titled Protecting Consumer Privacy in an Era of Consumer Change. This report, released in December 2010, is a proposed framework consisting of three items: privacy by design, simplified choice and greater transparency. To put it simply the FTC wants you to consider consumer privacy in every stage of process and policy development, as well as maintenance procedures — much like you would integrate information security. It also calls for greater consumer control over how and when personal data is collected.
However, while that may seem daunting, it also suggests industry should self-regulate and doesn’t specifically call for the creation of new government regulations. And we all know that industry self-regulation tends to be less onerous than legally binding government regulations.
One caveat though: Keep in mind that the FTC brought action against Google, Facebook and others in 2011 over privacy violations, so they are getting serious and cracking down.
DoC Green Paper
The DoC green paper, concisely titled Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework, like the FTC report, calls for increased regulation and consumer choice, but also suggests modifications to existing laws and additional voluntary codes enforceable by the FTC. The report covers five topics: expanding Fair Information Practice Principles; promoting voluntary, enforceable privacy codes of conduct; encouraging global interoperability of privacy regimes; standardizing security breach notification rules; and revising the Electronic Communications Privacy Act.
"…enforceable by the FTC" is the key phrase to watch in this report. The word "enforcement" sets a risk manager’s alarm bells ringing, which is usually followed by urgent corporate mandates.
EU Data Directive
The EU sent out a draft for comments on proposed regulations to replace the existing EU Data Directive. If you’re familiar with the current directive you know how difficult compliance can be. The draft regulations take things even further. The most potentially troubling proposal in the draft is the implementation of a consumer’s right to be forgotten. In other words, a company holding personal data would be obligated to remove that data if the individual requests it. Stop reading for a moment and reflect on what that would mean for your company. Yeah, that’s a big deal!
Summing It Up
Best practice suggests you always get explicit consent before collecting personal data, with complete transparency of course, and only use that data for its intended purpose. Given the upcoming reports, current best practices may become mandatory in the near future. You should figure out what that means for your situation and start preparing for it. Following that line of thinking, I suggest that any company that deals with consumer data should have someone on staff, or at least on call, who understands privacy laws and regulations.
The reality is that most companies don’t have the resources of a privacy professional available and, as a result, the responsibility to handle these issues falls on the IT department. Given that, as IT professionals, it is in our best interest to understand the current state of privacy laws and regulations and, more importantly, to understand what we aren’t trained to know. Understanding legal abstractions, laws and regulations isn’t part of our training, and we shouldn’t pretend that it is.
So, heads up, my IT brethren. Once regulations are in place, the board room and upper management will likely require us to respond. A good start to preparing is to make sure you understand these reports when they come out. Check back here for some guidance. As the formal reports become available I will try to outline what they will mean to IT professionals in following posts.