Greater connectivity has changed the way we view privacy - and the Fourth Amendment, says Hilary Wandall, CPO at Merck. Teri Robinson reports.
Hilary Wandall, CPO, Merck
Some would say the Fourth Amendment started to fade on the morning of Sept. 12, 2001, when lawmakers, and to some extent the American public, gave national security implicit permission to usurp privacy. And it has continued its vanishing act ever since with every unwarranted government data request leveled at a private company, unauthorized stingray device put in play and dubious cell phone search executed.
Since the fall of 2001, when Congress hastily passed the USA PATRIOT Act, and particularly after Edward Snowden lifted the veil on the extent of the National Security Agency's PRISM program (which exposed massive government surveillance of American citizens), privacy has become a much-talked-about moving target, difficult to define and even more difficult to protect for those in private industry and government charged with its care.
“The interesting thing is how things have changed in the last two years,” says Hilary Wandall, chief privacy officer (CPO) at pharmaceutical company Merck, who notes that her business “doesn't have the same obligation under the Constitution” as other companies, like Microsoft or Google.
Wandall, who has served in a privacy capacity for 15 years, says that early on, privacy was driven by regulatory compliance, which became more sharply defined as the Health Insurance Portability and Accountability Act (HIPAA) was further refined. But now, Merck, like other multinationals, must contend with a host of privacy issues, such as “how to move data across borders” and comply with European Safe Harbor laws, Wandall says. “We're very concerned about how to legally move data overseas, trying to globalize databases.”
That is particularly important because Merck, like all pharmaceutical companies, must have a mechanism for doctors and patients to report adverse reactions to drugs. And, that information needs to be collected and shared without revealing certain private details.
In addition to intrusive government requests and stricter policies overseas, privacy is a puzzle that has become more complicated as an avalanche of data – generated by everything from corporate servers to wearable devices, like Fitbits and smart watches – gain both mass and momentum. There is a certain opaqueness to the way that information is shared as well, in part because people, companies and organizations are more interconnected through technology than ever before.
When data leaves a computer or personal device, its path is not straightforward and linear. Rather, a web of interconnectedness among people, companies and machines means information is shared seamlessly (most of the time) among entities, with the implicit, if not explicit, permission of consumers and businesses that want – and have become accustomed to – the benefits of that fluid information flow.
And, it is fair to expect that data volume and the speed at which it travels will pick up as the Internet of Things (IoT) comes to bear.
While information flows behind the scenes, the individualized user experience has spawned as many definitions and concepts of privacy as there are inhabitants of the planet. Technology may be the great equalizer, but it doesn't bridge the privacy divide between generations or cultures. In fact, it likely widens the gulf. Just ask a Millennial who has been weaned on social media, or a Baby Boomer – who remembers when clouds were just those awesome fluffy shapes in the sky formed by water droplets – to define privacy. The differences in their answers are staggering.
But if digitization has grown seemingly faster than the speed of light, our legal system has not. Digitization and tech advances have outpaced our ability to manage and protect data. Privacy officers, law enforcement and government are working within a set of laws that by the most generous definition are antiquated, with progress, if any, hampered by a chronically stalled Congress.
And then there are the cyber thieves, whose bold intrusions into the systems of companies like JPMorgan Chase, Sony, Target and Anthem that most would (rightly) figure had invested gazillions of dollars in security measures, have exposed the private information of tens of millions.
“The number one challenge to privacy is the wantonness of [stealing] personal data being carried out by the millions by cybercriminals,” says Larry Clinton (left), president of the Internet Security Alliance (ISA), contending that the constant stream of attacks is a more serious issue than the NSA's surveillance activity.
While privacy advocates might disagree about where to put the emphasis, security threats and privacy issues share a symbiotic relationship.The security breaches that started happening in the 21st century, “changed the paradigm for companies managing data,” says Merck's Wandall, especially in the last couple of years where “much greater connectivity, devices like smart phones, wearables and all of these apps” emerged and created “a complex ecosystem.” All that has changed the way we have to view privacy, she explains.
The great leap forward
If digitization is the hare, then the rest of society are the proverbial tortoises, moving so slow that it might take time-lapsed photography to detect progress.
“A first grader can easily access things from all over the world,” says Clinton, noting that the lure of easy information flow “is so seductive that we haven't thought through how to manage the downside.” But, he says, “We are so busy eating this delicious dessert that we're unhealthy.”
J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals, concurs. “Technology advances are exceeding our ability to manage,” he says. “There is an unprecedented gap between our ability to develop standards and the bleeding edge of technology. With the rise of social media, he adds, “we don't know what the social norm is.”
The private sector, government and consumers have all benefited from the ease at which information flows, but are just starting to see consequences. “People expect everything to be connected, but at some time don't recognize that hundreds of organizations are in their ecosystems,” says Wandall. “They don't necessarily want to understand the complexity and they don't understand the risk.” That is, until something happens. “Then they begin to realize that this is a very complex world and bad things can happen.”
IBM has said that 2.5 exabytes of data was produced each day in 2012, while the BBC reported that 75 percent of it was unstructured. That is a lot of data, moving fast, with little or no management in place to handle it.
“All the digital footprints we're leaving tell a story,” says Malcolm Harkins, vice president, Intel Security Group, and chief security and privacy officer at Intel.
And, adds Matt Prewitt, partner, chairman of cybersecurity and data privacy practice, Schiff Hardin, “There is a proliferation of information online that vastly exceeds capability of law enforcement to handle.”
And it's only going to grow and move faster and leave more digital trails in light of the emerging Internet of Things (IoT) when products – like refrigerators, toasters and cars – all contribute their “voices” to the chorus of data on the internet, leaving companies grappling with how to respect consumer privacy.
“How do we know where data is?” asks Wandall. “What are people's expectations of how we use data?”
Wandall says that consumers often authorize the initial use of their data, but “they don't expect the secondary and tertiary uses.” The expectation is that information go no further than their initial authorization.
Malcolm Harkins, senior vice president and privacy expert at Intel, points to a Harris poll in which “we found 60-65 percent have no idea who has access to their data and a little over half wouldn't be able to show if it was to society's benefit.”
That struggle gets is reflected in the law itself. How data can be shared is “something not addressed very well with current legislation,” says Wandall.