Privacy Trends, Lessons Learned from Breaches, and Understanding the “Ick Factor” in Big Data Analysis

BY JOHN KROPF, DEPUTY COUNSEL FOR PRIVACY & INFORMATION GOVERNANCE, REED ELSEVIER -

-

This is a very exciting time to examine regulatory trends in privacy and data security. The rapid pace of technological advancements has forced regulators to rethink and revise their guidelines for industry.   

Last spring, the Obama Administration released a report called the Consumer Privacy Bill of Rights, which spelled out the policy direction the Administration wants to pursue in the consumer and private sector space, and outlined the privacy principles they would like to apply. A lot of these principles will not be new or revolutionary to those who have been following the privacy rules for a long time, but they have been updated. The Consumer Privacy Bill of Rights is built around “the fair information practice principles,”  and the Administration is pushing for legislation crafted around these principles.

Shortly after the Administration’s paper, the FTC issued its own report on protecting consumer privacy called Protecting Consumer Privacy in An Era of Rapid Change.  The FTC outlined its five areas of focus for the coming years:

1. 1. Implementation of “do not track” capabilities on websites.

   2. Application of privacy principles to the mobile environment and mobile apps.

   3. A focus on data brokers and the need to be more transparent with consumers.

   4. A focus on large platform providers.

   5. Development of enforceable self-regulatory codes within different aspects of private industry.

Regulatory movement in the mobile application space is also very intense. Since the Administration's report was issued the FTC has run a series of public workshops about applying privacy principles to mobile apps and initiated several high-profile enforcement actions. 

Not only do you have the FTC’s outreach, enforcement, and distribution of best practices in the mobile space, but the Department of Commerce, which is not a regulator, has also facilitated a group to generate short-form privacy notices for mobile consumers.  Smaller screens on mobile devices simply don’t allow an individual to read a 10-page privacy notice; there needs to be practical adaptations for these new devices.

There has also been activity at the state level, most notably the California Attorney General’s Office, which issued its own guidance and initiated  enforcement actions in the mobile space.  European regulators, such as the United Kingdom's Infomation Commissioner's Office, also are  working on regulations to protect privacy in the mobile environment. 

Lessons From Data Breaches

Practitioners may be looking to understand lessons learned when looking at data breaches.  Perhaps, the most valuable sources to review are the FTC consent decress regarding privacy and security incidents.  These include a number of both lesser known companies and high-profile corporations (e.g., Facebook, MySpace, Google, and cell phone maker HTC), on data security and privacy incidents. Typically, the FTC enters into a consent decree with the company to rectify what they see either as a pricacy failure or a security failure.  Those consent decrees set out the elements of  what the FTC views as a  comprehensive data security and data privacy program.

The consent decrees, which are public, have been fairly consistent. Common elements include such things as:

1. 1. Designating an employee or group of employees to be accountable for the program.

   2. Performing risk assessments.

   3. Implementing mitigation strategies where vulnerabilities are found.

   4. Conducting employee and management training

   5. Performing regular testing and monitoring for privacy and security issues.

   6. Ensuring that third-party service providers act appropriately and have security systems in place.

   7. Incorporating a principle referred to as “privacy by design” into product development. This means having your privacy experts engaged during the product or service app development stage so protections can be built in from the start.

   8. Periodically evaluating and adjusting existing privacy and security programs.

With the rate of change in technology and its impact on privacy and security, it is imperative that you look to these elements and remain current on developments in the technology and privacy space.

Big Data Talent and Ethics

A lot has been written lately about the intersection of big data and privacy.  A new challenge for companies who use large data sets is to find workers who have the right skill sets handle and manage big data analysis in a privacy sensitive way.  These skills will include a strong ability to perform privacy risk assessments, and the ability to minimize privacy risks when collecting large volumes of data.  Companies will  need workers who have greater technical competence  in the understanding of the large mathematical and analytical models being used.

Finally, companies need people who have skills as “information ethicists,” someone who will ask probing questions.  For example, “Just because we can do certain things with data does that mean we should? Some commentators called this the ability to identify the “ick factor.” Do people feel uncomfortable by a particular use of big data? 

Companies need people who can consider ethics in the use of big data and stay on top of both regulatory and technical changes to remain compliant.

John Kropf, CIPP/US, CIPP/G, is Deputy Counsel for Privacy and Information Governance, Reed Elsevier.  Kropf joined Reed Elsevier in 2012 as deputy counsel for privacy and information governance. The views in this article are his own and may not represent the views of Reed Elsevier. Previously, Kropf was a career member of the United States Senior Executive Service and served as the deputy chief privacy officer for the Department of Homeland Security’s Privacy Office and senior adviser on international privacy policy. Before joining DHS, Kropf worked for 10 years as an international lawyer with the U.S. Department of State in the Office of the Legal Adviser.  He is also a member of the International Association of Privacy Professionals (IAPP), serves on its Certification Advisory Board and has earned the CIPP/US and CIPP/G credentials. He is the author of the Guide to U.S. Government Practice on Global Sharing of Personal Information as well as numerous articles on global and strategic privacy issues.

Disclaimer: The views and opinions expressed in this article are those of the individual sources referenced and do not reflect the views, opinions or policies of the organizations the sources represent.