Individual Personal Data Protection will Continue to Fail in the Absence of a Unified US Data Privacy Law…It’s Time We Take Ownership of our Data!
Given that Sunday was Data Privacy Day, observed in the United States and more than 47 other countries around the world, I feel it’s important to reflect on our data privacy laws and the public’s awareness of them. It feels as if very few people outside of the legal and security industries cared or knew that it was Data Privacy Day, yet recent research conducted by the Pew Research Center concluded that 91% of US adults agree or strongly agree that consumers have lost control of how personal information is collected and used by companies. Particularly in the United States, our culture cares more about speed and convenience than it does about privacy and security; however, the conversation needs to expand to where personal data exists, what it is, and how it is valued if we want to drive legislation that protects our data and governs how it is both collected and used. When people realize that their data is becoming the largest commodity in the world, one for which an equitable value can and will be established, then perhaps we will have a culture that cares about and acknowledges the privacy and security element of their data. Until the global conversation expands with public awareness about personal data ownership and the value therein, the security and privacy conversation will remain confined to a small group of the population, and we are unlikely to see government reform protecting individual rights. That said, we’re starting that conversation now with Personal Data Week as we explore how human contribution is valued throughout the world and the economic opportunities ahead that will shape the future of Personal Data as an Industry.
In light of the relatively non-existent Data Privacy Day, I wanted to bring some attention to current US data protection legislation and the imbalance between the interests of the individual and those of security and commerce. I would argue that the strongest evidence that individual interests are ill served by current US legislation is the absence of a centralized federal data protection regime. The lack of US legislation protecting individual interests has by default trickled down to protection being tackled on an industry-by-industry basis, in laws that continue to change with new technology and are typically reactive in nature. I think we can all agree on this given the emergence of the Gramm-Leach-Bliley Act, or the fact that HIPAA was actually created to improve employment-based health insurance. It wasn’t until the commercial interests of insurance companies claimed this would be too expensive, and that they would need to adopt expanded computerized processing to handle the personal health information, that legislators mandated protection for the data.
Further complicating efforts is the fact that each state in the union has its own constitution, with varying data protection laws. Let’s consider a situation where the Chief Information Security Officer of a healthcare provider in New York is asked by law enforcement to assist in the investigation of potential billing fraud by a former employee. Now multiple state and federal privacy laws may apply, each with its own standards and procedures for accessing protected data. Without any explicit evidence yet, the legal costs alone can quickly escalate. The healthcare provider would have to consult with its attorneys to avoid exposure to several lawsuits, even though this process was initiated by law enforcement. Likewise, the law enforcement agency will also need legal representation to minimize potential technical challenges to any fraud case that is brought as a result of the investigation. Furthermore, the existence of multiple regulatory regimes can create considerable compliance risks for the healthcare provider. If that former hospital employee had compromised protected health information (PHI), that could trigger an audit by the HHS Office for Civil Rights (OCR) under HIPAA. Fines in the millions could then be imposed if the hospital was found to be in violation of HIPAA rules or state laws pertaining to the protection of medical data.
One simple example shows the complexity and disarray our country is in with respect to protecting the interests of the individual, and the need for a unified federal data protection law. I didn’t even touch upon the security interests of our national government, which have been excessive to say the least. There is clearly a need to evaluate genuine terrorist threats, but I cannot agree that warrantless mass electronic surveillance is the most effective response to national security. These issues, combined with the absence of comprehensive, unified data protection legislation at the federal level, leave nothing but a grey area regarding data privacy.
There is far too much latitude for anyone seeking to use an individual’s data without notice or consent, whether for profit or protection of the United States