WASHINGTON, D.C. -- Following the last of three roundtables held here recently by the Federal Trade Commission on online privacy laws, some FTC experts called for new frameworks that can better keep pace with rapidly changing technology.
But exactly what constitutes private data, or the manner in which it can be connected to expose sensitive information, has also evolved at a rapid pace.
"Technology has rendered the conventional definition of personally identifiable information obsolete," said Maneesha Mithal, associate director of the Federal Trade Commission's privacy division, speaking to The New York Times regarding the changing landscape for online privacy. "You can't find out who an individual is without it."
With the roundtable series concluded, enterprises will have to wait for what guidance top regulators will issue regarding new standards or frameworks for online privacy. Interest among those in the privacy community in such standards and frameworks stretches well outside the borders of the U.S, according to Jennifer Stoddart, who oversees the Office of the Privacy Commissioner of Canada.
"The FTC is an organization respected worldwide," Stoddart said. "There are a lot of hopes put in the FTC's initiative of data protection. We're all affected by technologies that wash over us. We're looking for some action within the United States."
No one should expect any guidance from regulators over the short term, and when it does come it likely will not be dramatic.
"Anything new will be a change," said Fred Cate, professor and director at the Center for Applied Cybersecurity Research at Indiana University's Maurer School of Law. "I'd be very surprised if the FTC came out with sweeping changes. That would require rule-making authority that at present does not exist."
The regulatory authority the FTC needs to make meaningful changes could be granted through the financial reform bill that passed in the House.
Anticipating online privacy regulation
"Ultimately, we'll have to face wrenching tradeoffs," said Lior Jacob Strahilevitz, deputy dean and professor at The University of Chicago Law School. "We can learn a lot by looking to the law of trade secrecy. Firms that stamp secret on everything don't get protection, as judges say they're overusing the label. The FTC should figure out what the hierarchy looks like so that people do treat 'crown jewels' as seriously as they need to be taken."
One observer is calling for a privacy and security framework that offers balanced protection and can be applied to all organizations that control information.
"If we don't have this framework, we're not going to realize all the benefits we might from consumer engagement, research. We do have a privacy and security framework at HHS," said Jodi G. Daniel, director of the Office of Policy and Research for the Department of Health and Human Services' (HHS) Office of the National Coordinator for Health Information Technology.
Daniel said the HHS is working on a model of online privacy notice that could provide more transparency. "We need to think about how we hold people accountable."
Jim Harper, director of information policy studies at the Cato Institute, is advocating a harm standard for classifying the sensitivity of data. Harper suggested considering the harm that can be caused and then assessing the consequences for what can be done with it.
"Defining harms is a more productive way of approaching things and allows more innovation," Harper said.
Other compliance operations could be used to inform online privacy regulations such as financial reporting or environmental compliance, said David Hoffman, director of security policy and global privacy officer at Intel Corp.
"There's a lot of other reasons we need to run accountable organizations. One of the things I'm most intrigued by is that Accenture designed their entire process around the seven standards of the federal sentencing guidelines," Hoffman said.
Hoffman said the way user data is de-identified, as he described it, could be meaningful in the future. He focused in on the potential use of IP addresses in that context, tying together anonymous data sets with users.
"In any enterprise context, the [privacy] policies that have emerged do put pressure on an organization," said Beth Givens, founder and director of the Privacy Rights Clearinghouse. "Whether it's e-discovery or a data breach, the need is there for organizations to develop better data hygiene."
Data breach notification laws are coming under scrutiny as well. According to Cate, such laws have been an "unmitigated disaster." He contended that any hope of those laws becoming intelligible went away when the FTC said it would enforce them.
Regulators and advocates are putting the spotlight on access to consumer data because consumers are becoming nervous about how their information is being handled, according to Stoddard. She said she believes consumers' anxieties would be softened if there were more emphasis placed on proportionality and fair use of principles.
One best practice to follow, both from a risk management perspective and ahead of enhanced private regulation, is data minimization, Hoffman said. Data retention limitation is one of the best ways to limit the damages that stem from security breaches, he said.
"You can think about retention limitation as one of the best ways to prevent additional issues that come from security breaches. If you have gotten rid of the data, then it's not subject to being breached in the future," he said.
Identity, credential and access management is the meat of the issue for the enterprise, explained Ian Glazer, a security analyst at Midvale, Utah-based Burton Group Inc. Glazer said he sees the potential for authorization decisions to be externalized from the enterprise, which can improve data minimization. Instead of requiring an application to request multiple fields of personally identifiable information, an application could pull only the minimum required for authentication for a given need. "It's not just collection minimization, in that context," said Glazer. "It's usage minimization."