National Privacy Day: Time to Consider a National Data Privacy Law

Happy Data Privacy Day. This “holiday,” observed Jan. 28, is marking its fifth year, but this year organizations and individuals may be a little more tuned in to the importance of data privacy than in years past. As David Ginsburg, vice president of Marketing at Cavirin, noted: When it comes to privacy issues, we’ve just concluded “Annus horribilis.”

“Over the last 12 months, we’ve endured a constant barrage of news regarding the latest hacks, vulnerabilities or organizations paying the price for just plain stupidity,” said Ginsburg in an email comment. “Though IoT and critical infrastructure vulnerabilities as well as foreign attacks were top of mind, ongoing thefts of confidential financial, healthcare and other PII data presented greater risk to enterprises and individuals.”

Last year might have been so bad that Joseph Carson, chief security scientist at Thycotic, thinks National Privacy Day should be known as “Data Privacy Remembrance Day.” That’s because privacy as we know it now may be reaching an end.

“Privacy definitions are very different between nation states and cultures; however, one thing that is common is that privacy is becoming less and less of an option for most citizens,” he said. Everything about us is being constantly monitored, whether we want it to be or not. Sure, we can ask for data we share with a company to not be stored or used for anything but its original intent, but what about the way our phone location shares data with nearby organizations or smart cities that record and track our moves?

Consumers Want Protections

While many consumers enjoy the benefits of this shared data, they increasingly worry about what it means to lose privacy over their information, and they want the government to do something about it. According to a new survey from SAS, 83 percent of respondents want more regulation of PII, 80 percent want to know more about how, where and to whom their data is being sold, and 73 percent want to know how their personal information is used.

On a state level, governments are taking action, but there is a growing push toward a national privacy law.

“A national privacy law in the United States would directly support the rights of U.S. citizens, but also would provide organizations additional incentives and guidelines for safeguarding their own data against these threats,” explained Dr. Andrea Little Limbago, chief social scientist at Virtru.

Also, she added, the current patchwork of state-driven privacy laws complicates the regulatory environment and will continue to do so absent a national law. “If successful, a U.S. national privacy law could become the global standard for democracies around the world, and provide an alternative path to the digital authoritarianism that continues to spread,” she said.

Elements for a National Privacy Law

Because Limbago thinks we need a national law rather than the patchworked state laws that are emerging, I asked her what elements should be included in such a law. At the top of her list were transparency and accountability.

“A national privacy law must first require transparency in how organizations collect, share and use consumer data,” she said. “This not only refers to clarifying the nebulous terms of service contracts and who has third-party access, but also how data is used and even manipulated within algorithms.”

Transparency also would boost security by prohibiting unauthorized access to data, and Limbago’s ideal U.S. national privacy law would explicitly prohibit unauthorized access or other security-weakening requirements.

There also would be a need for transparency in the standards and storage of that data. “For instance, any privacy requirements should also facilitate cross-border data flows, aim to augment the digital economy while preserving privacy and, in turn, enhance security,” she explained.

Once policies around transparency are in place, the law can develop the processes to ensure accountability as a way to increase compliance. “As we’ve seen in the past, if violators face few repercussions, there will similarly be minimal compliance,” she said. “Accountability must be at an appropriate level to ensure organizations take the recommended steps to ensure data privacy.”

Data is so vital to any organization that it is easy to see why they may hesitate to fully embrace data privacy. However, Limbago pointed out that data privacy can provide a competitive edge and support innovation, especially when methods meant to protect consumers also offer similar protections to intellectual property.

If we approach data privacy laws in a way that will provide protection, transparency and accountability, we may be on our way to a solution that makes everyone more comfortable about how we share and use data.

Sue Poremba


Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
