The plethora of security incidents in the news has once again put security front and center of the international agenda. Predictably, this has triggered a number of responses from governments around the world. Some of these responses seem to have been ill-considered. However, one of the more comprehensive responses came out of the US President’s address to the Federal Trade Commission last week. A series of laws were proposed to address the increasing risks confronting individual security and privacy rights.
The President’s remarks at the FTC give some valuable insight into where the US regulatory environment may end up in the next year or so. As a part of this analysis, one should focus on two very different agendas: Privacy and Security. These issues, while related, are very different. Case in point, the UK PM’s comment about banning encryption could well result in increased security. However, it will absolutely damage individual privacy (and arguably also damage commercial security).
Security Breach Notification
President Obama has proposed a national standard for security breach notification. This is not the first time this proposal has been placed on the legislative agenda. While this is a step in the right direction, as is always the case, the devil is in the details.
One of the most challenging issues to deal with regarding a security breach is “what data” is impacted, and “does it matter”? In essence, the definition of “personal information” and the “harm” v. “access” triggers are the primary headache for those dealing with whether or not they have to provide notice. Elsewhere in the world, “personal information” is very broadly defined. Historically, the limiting definition of “personal information” was supposed to avoid over-notification. As has been pointed out, this does not seem to have worked.
Practically, it would be more useful to standardize the notice trigger around the concept of “harm”. This would make the definition of “personal information” far less important. In effect, if there is a reasonable likelihood of harming someone with the information breached, a notice would be required. This “harm” concept is a well-established principle of tort law, and one that most lawyers are quite capable of dealing with when given the necessary facts. Removal of a variable always makes a solution more efficient, and the use of a results-driven variable such as “harm” should help avoid any unintended consequences which result from an imprecise definition of “personal information”. Let’s hope the Administration moves in this direction.
Another component which is concerning is the timing requirement around breach notification. While there have been instances of companies being slow to notify impacted consumers, notice is only going to be useful when you actually know what data was compromised, what the source of the compromise was, and who was responsible for it. While a company may know it was breached, it may take well over 30 days to determine the scope and reasons for the breach. Without a clear understanding of the scope and reasons for a breach, an arbitrary 30-day notice requirement may lead to additional notice-fatigue. If this legislation is to be actually useful, there will need to be a considered discussion as to when the 30-day clock starts ticking, as well as when that clock can be stopped. Almost all the State breach statutes have a tolling period for law enforcement investigations. Hopefully, any national standard will at least have the same limitation.
Consumer Privacy Bill of Rights
Several years ago, the Obama administration presented a Consumer’s Privacy Bill of Rights as part of the US endorsement of the APEC Cross Border Privacy Rules System. There are 7 high-level principles contained in the Privacy Bill of Rights. These are: Transparency, Respect for Context, Individual Control, Focused (read: limited) Collection, Accuracy, Security and Accountability. As is usually the case, the high-level principles sound fine at first blush. However, the way they are implemented may have serious unintended consequences. For example, anti-fraud, development of new services, and IP protection are all activities which may become more challenging if the Individual Control principle does not include appropriate limitations. Additionally, some espouse that a baseline set of obligations, regardless of individual choice, should be in place. Others point out that individuals often don’t have the time or expertise to exercise control in a meaningful way. Consequently, an over-broad reliance on Individual Control may actually reduce the privacy protections of individuals.
Along with the Privacy Bill of Rights, careful consideration will need to be given to remedies. Some proposals for law have included private rights of action for violations of privacy. The current trend is to rely on the FTC or State Attorneys General to enforce privacy rights. Regardless of one’s position on this issue, it is going to be a significant policy driver, with significant impacts on innovation and business growth. Policy makers and legislators will need input from their constituencies to avoid unintended negative consequences.
In anyone’s analysis, Privacy and Information Security are going to be hot topics on the agenda for the foreseeable future.