This column is available in a weekly newsletter called IT Best Practices.
As I write this article, the world is observing International Data Privacy Day (DPD). The National Cyber Security Alliance and StaySafeOnline.org are behind the annual campaign to help consumers and businesses become more aware of the importance of preserving individuals' data privacy online.
Like the term jumbo shrimp, "data privacy" seems to be an oxymoron, at least in the United States. Our laws concerning the handling of private data – that is, data that can be used to identify a specific person – seem to be more about protecting the rights of business than the rights of the individual. In fact, many of the state laws pertain to what to do after the data has been breached rather than how to keep it safe in the first place.
Just recently President Obama made two proposals to shore up data privacy. The proposed Student Digital Privacy Act would prevent sale of students' personal data to third parties for any purpose besides education. In another proposal, new legislation would require companies to inform their clients within 30 days of a breach, and would include a consumer bill of rights to better help customers control how their data is shared. Keep in mind these are just proposals at this point.
The irony is that, at the same time Mr. Obama was stumping for his data privacy measures, a key part of his signature legislation was being pummeled for oversharing individuals' personal information. The Associated Press has reported that the website for the Affordable Care Act, Healthcare.gov, was sharing private data with companies that specialize in advertising and analyzing Internet data for performance and marketing.
Apparently Healthcare.gov's connections to these data firms were to serve the purpose of "improving the consumer experience." But the millions of individuals who applied for health insurance through the site were not informed that their personal data would be shared with third parties for any purpose other than to quote them health insurance plans. It's not clear how or even if the third parties in question were following the government's data privacy and security policies.
Data privacy? It's not private if you give it away to advertising companies.
Another example of the antithesis of data privacy was highlighted (as a good thing) in The New York Times two weeks ago. This article features banking startup companies that use thousands of pieces of data about a person's online and offline lives (without their permission or even their knowledge) to determine if the person is a good credit risk for a bank loan. The idea is to collect data from an array of sources to build a profile on a person that would provide a more in-depth and accurate assessment of the person than a traditional old credit score can.
Ostensibly this sounds like a good thing, as a person's creditworthiness comprises more dimensions than a FICO score reflects. However, do we, as individuals, want to be viewed and judged by elements such as our social network connections, how much time we spend reading terms and conditions, and whether we print in all capital letters? Who knows what information and metrics about us get sucked into the Big Data pool to create a sort of 3-D view of our propensity to repay a loan? Frankly, this scares the heck out of me, and yet the idea is seen as a boon to the banking industry that wants to know ever more about its customers.
Again, good for business, bad for individuals.
As Americans, we are conditioned to give out much more information than is actually needed for a business transaction. We give an email address to the clerk at the retail store because she asked for it. We give a birthdate to the stylist at the hair salon when we fill out the new customer form. When I was a Girl Scout troop leader a few years ago, we collected girls' social security numbers on permission forms to go on outings! None of that data is necessary for the service that is rendered.
On the flip side, the entities that collect those bits of personal information have a moral if not legal obligation to protect the data and ensure its privacy. But who knows if the retail store is going to sell that email address to a marketing firm to squeeze out a little extra profit?
Perhaps we should take a page out of the privacy code observed by Europeans. Individuals are wary of anyone who asks for more information than is truly necessary. What's more, businesses that collect data in the European Union (EU) have an absolute legal requirement to protect the data fully and not share it with third parties without a legitimate business reason. Personal data may not be used for any purpose other than the reason it was collected in the first place. As a result, the instances of identity theft are much lower in the EU than in the United States.
The EU is about to sign off on a new piece of legislation designed to further strengthen the data privacy law. The General Data Protection Regulation will allow individuals whose data has been compromised to collect compensation from the entity responsible for safeguarding the information. Imagine if these retail breaches where millions of credit card records were stolen led to the merchants having to compensate those customers for their pain and suffering. I imagine that would sink a few businesses for good.
As the world observes Data Privacy Day, we need to remember who really owns the data—the individual, not the businesses he or she transacts with.