Content

Private matters: Privacy regulations

As organizations struggle to keep information private, experts say that stricter regulations may be on tap, reports Angela Moscaritolo.

Adding fuel to an already fiery debate over how privacy issues should be handled in the United States, internet search giant Google last spring admitted to committing a massive blunder.

The company's Street View cars, which capture photos for Google Maps and Google Earth, have since 2006 collected personal data from Wi-Fi networks that were not password protected. “Quite simply, it was a mistake,” Google said in a blog post in May.

To be fair, Google isn't the only high-profile company to face privacy snafus. In June, for instance, Twitter settled charges with the Federal Trade Commission (FTC) that alleged that the microblogging service failed to properly safeguard the data and privacy of its users.

As part of the settlement, Twitter “will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy and confidentiality of nonpublic consumer information.”

With a number of popular U.S. companies recently suffering privacy incidents, public awareness about such issues is undoubtedly heightened, says Gary Kibel (left), a partner at New York-based law firm Davis & Gilbert. Privacy and security have been major issues for years, but recognition about them is increasing, in part due to social networking sites.

“I think we are starting to reach a tipping point around public awareness about privacy,” says Kibel, who specializes in privacy, data security and information technology matters.

Social media – such as Twitter, Facebook and Google's Buzz – have grown quickly and contain vast amounts of users' personal information – not just names, email addresses and birth dates, but also details about what individuals are doing on a daily basis.

Privacy issues also seem to be reaching a head in Washington, D.C. Unlike a number of other countries, including some in the European Union and Canada, the United States does not have an overarching federal privacy law. However, two major privacy bills were introduced last year, both of which seek to address privacy and data security matters at the federal level.

“That was sort of groundbreaking,” Kibel says. “We have plenty of laws targeting specific industries and the guidance the FTC gives, but no federal law governing privacy and data security.”

The Best Practices Act of 2010, introduced in July by Rep. Bobby Rush, D-Ill., would govern the collection, use and dissemination of consumer information and impose fines to violators of up to $5 million. A similar proposed bill from U.S. Reps. Rick Boucher, D-Va. and Cliff Stearns, R-Fla., would require companies to obtain an individual's “opt-in” consent before collecting sensitive information.

Such proposals have not been met with universal support. The Boucher-Stearns measure has drawn harsh criticism from members of the internet advertising community, which calls it too restrictive, and consumer advocacy groups, which say it does not go far enough.

Eduard Goodman (right), chief privacy officer of Identity Theft 911, a provider of identity management and theft resolution services, says that some businesses want a federal bill to clarify and provide uniformity to privacy rules. However, he does not believe a broad federal privacy law is needed because it could deter entrepreneurship.

“The problem with an overregulated privacy environment is you end up like Europe, which is privacy to the other extreme,” Goodman says. “You don't have a European Google or Facebook or YouTube – they are all American companies because they aren't in an overly regulated privacy environment.”

But according to the FTC, the main privacy enforcement agency within the United States, industry-specific efforts to address privacy through self-regulation have so far fallen short. Many companies today do not even disclose their privacy practices, FTC Chairman Jon Leibowitz says. And even when privacy policies and user agreements are provided, they are often unnecessarily long and complex.

“Industry as a whole needs to do a far better job,” says Leibowitz. “From my perspective, a legislative solution will surely be needed if industry doesn't step up to the plate.”

For its part, the FTC, in December, issued a preliminary report detailing a proposed framework to protect consumer privacy. In its report, the commission called on companies to build privacy protections into their everyday business practices. Businesses should only collect data needed for a specific business purpose and retain it only as long as necessary to fulfill that purpose. As it relates to online behavioral advertising, the FTC said users should be able to opt-out of data collection though a browser setting. (Microsoft recently announced that such a feature will be available in the forthcoming release of Internet Explorer 9.)

While issues around privacy and security tend to overlap, security is about maintaining confidentiality, integrity and availability of data, while privacy focuses on managing expectations of individuals and using personal information in accordance with those expectations, says Peter McLaughlin, a privacy and information security lawyer at national law firm Foley & Lardner. It has been said that it is possible to have security without privacy, but impossible to have privacy without security.

All organizations that maintain personally identifiable information – including names, addresses, Social Security numbers and financial or medical records – are expected to keep it private. As a best practice, this means ensuring sensitive data is encrypted and shared only on a need-to-know basis, Identity Theft 911's Goodman says. Organizations must also be transparent about how and why data is being collected and what is being done with the information.

“I am always shocked about the people who have no awareness around privacy concerns,” he says. “They don't realize that this is another liability and risk that needs to be built into policies and procedures. There's still a big learning curve there.”

For example, despite facing strict privacy and security regulations, those in the health care sector are struggling to protect patient information, according to a recent study. In the survey of 65 health care organizations, conducted by the Ponemon Institute and sponsored by data breach solutions provider ID Experts, 60 percent of respondents said they have suffered more than two breaches in the past two years. Moreover, breaches cost the health care industry $6 billion annually, the study found.

Health care – an industry that faces some of the strictest privacy regulations – has since 2003 been subject to the Health Insurance Portability and Accountability Act (HIPAA), which mandates organizations protect the confidentiality of electronic personal health information. But with no real enforcement of HIPAA, hospitals in the past were able to get by with doing just a fair job of managing the privacy and security of health information, McLaughlin says.

Now, the HITECH Act of 2009, passed as part of the economic stimulus bill, allows state attorneys general to obtain statutory damages against health care providers for failing to comply with HIPAA.

Going forward, experts predict that stricter data privacy regulations are likely. And Google's headline-grabbing privacy blunder may just be the proverbial straw that broke the camel's back.

“It gives critics of the self-regulatory approach – whether they are consumer protection groups or regulators – another stone to throw,” McLaughlin says.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.