Add data privacy to Congressional agenda
A serious issue the new Congress needs to address is data privacy. The past few years have seen a sharp increase in the leakage of personal data such as credit card and Social Security numbers from institutions ranging from universities to banks to government agencies such as the Veterans Administration. According to a list maintained by the Privacy Rights Clearinghouse, a San Diego-based advocacy group, more than 190 such incidents have been reported since February 2005. Ninety of those have been reported since January of this year. The Federal Trade Commission estimates that the inadvertent or deliberate leakage of critical data costs consumers and businesses $50 billion a year. Beyond these immediate costs, data leakage threatens the integrity and growth of ecommerce. Even more ominously, it could harm national security.
State governments and private organizations have responded with legislation and voluntary standards. The federal government has also entered the picture. Last year the FTC levied the largest data privacy fine in its history. But the FTC has publicly stated that its investigations and fines are not enough. It needs better tools to ensure that consumers’ most important information isn’t lost, stolen or peddled to the highest bidder. That means new and stronger legislation.
Data privacy bills have been introduced in Congress. The new Congress should take up these bills and pass data privacy legislation in 2007. Any legislation should be guided by the following principles:
* Clear, uniform and comprehensive application. By the end of 2006, 35 states had some type of data privacy law. The leading state law is California’s SB 1386. Given that it covers any company with operations in California, SB 1386 has been called a de facto national data privacy law. But that’s a misnomer. SB 1386’s provisions differ from those of other state laws. The result: Large organizations must tailor their processes and procedures to SB 1386 and to other, different state laws. Compliance with multiple and often conflicting legal frameworks increases costs and, more important, undermines the clarity necessary to inspire trust among consumers. It is this trust that is the basis of the continued growth of innovative, digitally based business models and practices. Federal legislation should be clear, uniform and comprehensive. It should authoritatively define “personal data” and “identity.” It must establish national benchmarks that set a floor of protection, rather than a ceiling. Finally, privacy legislation should apply to private and public enterprises, including federal, state and local governments.
* Use of current best practices. While clear, uniform and comprehensive legislation is necessary, it need not be constructed from whole cloth. As noted above, numerous states have addressed the data privacy issue. Government bodies have been joined in this effort by private businesses, trade associations and advocacy groups. Together, our nation’s public and private organizations have developed best practices that can and should be used in the development of a national standard. These best practices include: an expansive definition of private data; disclosure of a breach even if security procedures are in place; disclosure of a breach when data is reasonably believed to have been compromised; delayed disclosure to meet the legitimate needs of law enforcement; and an annual risk assessment by organizations that meet a certain threshold, such as the quantity of identities held. California’s SB 1386 and the Payment Card Industry Data Security Standard (PCI DSS) are two strong benchmarks for the federal legislation.