Privacy and Legal Liability
f you read this blog regularly you’ve read me explain that privacy is big news these days. The FTC is settling with companies with increasing frequency, Facebook’s historic IPO brought to the fore many privacy concerns, Europe is moving to strengthen it’s privacy protections, and that’s not to mention the numerous coverage of data breaches and stories on big data. The prevalence of these stories all further the importance of data privacy in the public’s mind.
However, while the public is experiencing real fear, the basis of that fear isn’t so clear. It’s not so easy to find people who have actually been hurt by the collection of their personal data. And most privacy disclosures don’t put the public in immediate physical or emotional distress either. But, given a worldwide population and the millions of records disclosed every year, harm is inevitable – at least that is what the regulators believe.
And it is with that in mind that they are starting to take a more expansive view on what they enforce. In the US, the Federal Trade Commission now says privacy-related harms needn’t be economic or physical but can also include practices that unexpectedly reveal previously private information like purchasing habits.
During the last two years, the FTC levied fines against data brokers like Spokeo and brought high-profile cases against both Facebook and Google for violating privacy commitments to its customers. The problem is though that its authority is fundamentally limited. It works from outdated laws like the 1970 Fair Credit Reporting Act that were passed long before we even could conceive our currently connected world.
Given that, the FTC is asking for broader consumer protections. In March, the FTC, backed by President Obama, announced the US Privacy Bill of Rights which calls on Congress to pass new privacy and data security legislation that would lay out the responsibilities of companies that collect personal data online or off.
Included in the Privacy Bill of Rights is a call for a “Do Not Track” (DNT) mechanism. The idea of DNT is to provide a more uniform and comprehensive consumer choice mechanism for online behavioral advertising targeting. But, as it currently stands, participation is voluntary, technology companies are arguing over implementation details and there’s no built-in compliance mechanism—we can’t be sure it works unless auditors descend on IT giants’ data centers to ensure they aren’t cheating.
In Europe, legislators proposed a far-reaching data protection law that would allow people to demand copies of any information companies store about them and even give them a “right to be forgotten,” or to demand that such data be deleted. Unfortunately, while the right to be forgotten may become law in Europe, technically it is very difficult to enable and many people believe that when you consider all the secondary uses of personal information that it is an impossible goal to achieve.
As regulators around the world scramble to enact and/or enforce laws protecting privacy, there is currently an explosion of trial lawyers suing over privacy. Since, particularly here in the US, as the FTC actions have demonstrated, there is no need to prove harm to win damages, lawyers are finding fertile hunting grounds. This, in turn, has lead to the birth of cyber-insurance. Corporations don’t like the liability of the exposure to lawsuits so they are seeking to transfer that liability though this new type of insurance.
We’ve seen this same exact scenario before in the information security space and, as I’ve written before, it looks like the privacy space is moving right along with it. It’s an interesting confluence of events: Governments are trying to enforce privacy regulations that either have no teeth or can’t be enforced but they are opening the way for personal lawsuits that could bring real monetary penalties. This has given birth to an insurance industry to protect against that corporate liability. It’ll be interested to see where this leads in the coming years.
I’m sorry if this post is a little thin and hurried – it is. After a year of focusing on privacy I’m a bit burned out on the topic, but wanted to get this last thought down in words. I’m going to take August off and either come back reenergized on the topic or shift to new ground. See you after Labor Day!