FTC experts explore new online privacy frameworks

Alexander B. Howard, Associate Editor
WASHINGTON, D.C. -- Following the last of three roundtables held here recently by the Federal Trade Commission on online privacy laws, some FTC experts called for new frameworks that can better keep pace with rapidly changing technology.

"It wasn't long ago when there were no privacy policies or statements on how information would be used," said Jessica Rich, deputy director of the FTC's Bureau of Consumer Protection. "The discussion at the roundtables made clear that the dominant models haven't kept pace."

But exactly what constitutes private data, or the manner in which it can be connected to expose sensitive information, has also evolved at a rapid pace.

"Technology has rendered the conventional definition of personally identifiable information obsolete," said Maneesha Mithal, associate director of the Federal Trade Commission's privacy division, speaking to The New York Times regarding the changing landscape for online privacy. "You can't find out who an individual is without it."

With the roundtable series concluded, enterprises will have to wait to see what guidance top regulators issue on new standards or frameworks for online privacy. Interest among those in the privacy community in such standards and frameworks stretches well outside the borders of the U.S., according to Jennifer Stoddart, who oversees the Office of the Privacy Commissioner of Canada.

"The FTC is an organization respected worldwide," Stoddart said. "There are a lot of hopes put in the FTC's initiative of data protection. We're all affected by technologies that wash over us. We're looking for some action within the United States."

No one should expect any guidance from regulators over the short term, and when it does come it likely will not be dramatic.

"Anything new will be a change," said Fred Cate, professor and director at the Center for Applied Cybersecurity Research at Indiana University's Maurer School of Law. "I'd be very surprised if the FTC came out with sweeping changes. That would require rule-making authority that at present does not exist."

The regulatory authority the FTC needs to make meaningful changes could be granted through the financial reform bill that passed in the House.

Anticipating online privacy regulation

"Ultimately, we'll have to face wrenching tradeoffs," said Lior Jacob Strahilevitz, deputy dean and professor at The University of Chicago Law School. "We can learn a lot by looking to the law of trade secrecy. Firms that stamp secret on everything don't get protection, as judges say they're overusing the label. The FTC should figure out what the hierarchy looks like so that people do treat 'crown jewels' as seriously as they need to be taken."

Potential for increased FTC rule-making authority

Regulatory authority that isn't currently available to the FTC might be granted through the financial reform bill that passed in the House. As Berin Szoka, senior fellow and director at the Center for Internet Freedom, pointed out in a post on FTC regulation, a key passage of Rep. Barney Frank's Wall Street Reform and Consumer Protection Act of 2009 (H.R. 4173) could grant rule-making authority to the FTC.

Whether such authority will be retained when the House bill is reconciled with Sen. Christopher Dodd's new Financial Stability Act of 2010 is still unclear. -- A.B.H.

One observer is calling for a privacy and security framework that offers balanced protection and can be applied to all organizations that control information.

"If we don't have this framework, we're not going to realize all the benefits we might from consumer engagement, research. We do have a privacy and security framework at HHS," said Jodi G. Daniel, director of the Office of Policy and Research for the Department of Health and Human Services' (HHS) Office of the National Coordinator for Health Information Technology.

Daniel said the HHS is working on a model of online privacy notice that could provide more transparency. "We need to think about how we hold people accountable."

Jim Harper, director of information policy studies at the Cato Institute, is advocating a harm standard for classifying the sensitivity of data. Harper suggested considering the harm that can be caused and then assessing the consequences for what can be done with it.

"Defining harms is a more productive way of approaching things and allows more innovation," Harper said.

Other compliance regimes, such as financial reporting or environmental compliance, could inform online privacy regulation, said David Hoffman, director of security policy and global privacy officer at Intel Corp.

"There's a lot of other reasons we need to run accountable organizations. One of the things I'm most intrigued by is that Accenture designed their entire process around the seven standards of the federal sentencing guidelines," Hoffman said.

Hoffman said the way user data is de-identified could matter in the future. He focused on IP addresses in that context: an identifier that can be used to link supposedly anonymous data sets back to individual users.

"In any enterprise context, the [privacy] policies that have emerged do put pressure on an organization," said Beth Givens, founder and director of the Privacy Rights Clearinghouse. "Whether it's e-discovery or a data breach, the need is there for organizations to develop better data hygiene."

Data breach notification laws are coming under scrutiny as well. According to Cate, such laws have been an "unmitigated disaster." He contended that any hope of those laws becoming intelligible went away when the FTC said it would enforce them.

Regulators and advocates are putting the spotlight on access to consumer data because consumers are becoming nervous about how their information is being handled, according to Stoddart. She said she believes consumers' anxieties would be eased if more emphasis were placed on proportionality and fair-use principles.

"Sixty percent of our complaints are about collection, use and disclosure of personal information," she said.

One best practice to follow, both from a risk management perspective and ahead of enhanced privacy regulation, is data minimization, Hoffman said. Data retention limitation is one of the best ways to limit the damage that stems from security breaches, he said.

"You can think about retention limitation as one of the best ways to prevent additional issues that come from security breaches. If you have gotten rid of the data, then it's not subject to being breached in the future," he said.

Identity, credential and access management is the meat of the issue for the enterprise, explained Ian Glazer, a security analyst at Midvale, Utah-based Burton Group Inc. Glazer said he sees the potential for authorization decisions to be externalized from the enterprise, which can improve data minimization. Instead of requiring an application to request multiple fields of personally identifiable information, an application could pull only the minimum required for authentication for a given need. "It's not just collection minimization, in that context," said Glazer. "It's usage minimization."
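The two forms of minimization raised above, Hoffman's retention limitation and Glazer's usage minimization through an externalized authorization decision, are easy to confuse in prose, so here is a small runnable sketch of both. This is an added example and not code from the article or from Intel, Burton Group or the FTC; the record layout, the 365-day retention window, the policy rules, the country list and the sample users are all assumptions made for the illustration. The point of `authorize()` is that the application hands over only a user id and an action and receives a decision; birth date and country stay inside the decision point. The point of `purge_inactive()` is that a record deleted under a retention policy cannot be exposed by a later breach of the store.

```python
"""Data minimization in two forms: retention limitation (delete what you no
longer need) and usage minimization (an external policy decision point
answers yes/no so the application never pulls the user's PII).

Added illustration, not code from the article or any organization it quotes.
The record layout, retention window, policy rules, EU country list and sample
users are assumptions made for the example."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Callable, Dict, List


@dataclass(frozen=True)
class UserRecord:
    user_id: str
    email: str
    birth_date: date
    country: str
    last_active: datetime  # timezone-aware


# Fixed clock so the example is deterministic.
NOW = datetime(2010, 3, 1, tzinfo=timezone.utc)

# Constructed sample data; these are not real people.
SAMPLE_USERS: List[UserRecord] = [
    UserRecord("u1", "alice@example.com", date(1990, 5, 4), "DE", NOW - timedelta(days=10)),
    UserRecord("u2", "bob@example.com", date(1995, 8, 20), "US", NOW - timedelta(days=400)),
    UserRecord("u3", "carol@example.com", date(1980, 1, 1), "CA", NOW - timedelta(days=30)),
]


def new_store() -> Dict[str, UserRecord]:
    """Fresh in-memory copy of the sample data (stands in for the PII database)."""
    return {r.user_id: r for r in SAMPLE_USERS}


def purge_inactive(store: Dict[str, UserRecord], now: datetime = NOW,
                   max_age_days: int = 365) -> List[str]:
    """Retention limitation: delete accounts inactive longer than the window.
    Returns the purged ids. Once deleted, a later breach of `store` cannot expose them."""
    cutoff = now - timedelta(days=max_age_days)
    stale = sorted(uid for uid, rec in store.items() if rec.last_active < cutoff)
    for uid in stale:
        del store[uid]
    return stale


def age_years(birth: date, on: date) -> int:
    """Whole years from `birth` to `on`; the birthday counts as reached on the day itself."""
    return on.year - birth.year - ((on.month, on.day) < (birth.month, birth.day))


EU_COUNTRIES = {"DE", "FR", "IT", "ES", "NL"}  # assumption: short illustrative list

# Policy rules live with the decision point, not in the application.
POLICIES: Dict[str, Callable[[UserRecord, datetime], bool]] = {
    "purchase_age_restricted": lambda r, now: age_years(r.birth_date, now.date()) >= 18,
    "store_in_eu_only": lambda r, now: r.country in EU_COUNTRIES,
}


def authorize(store: Dict[str, UserRecord], user_id: str, action: str,
              now: datetime = NOW) -> bool:
    """Usage minimization: the application sends (user_id, action) and gets back
    only a decision. Birth date and country never leave this function.
    Deny by default: an unknown user or unknown action yields False."""
    rec = store.get(user_id)
    rule = POLICIES.get(action)
    if rec is None or rule is None:
        return False
    return bool(rule(rec, now))


if __name__ == "__main__":
    store = new_store()
    print("age check u1:", authorize(store, "u1", "purchase_age_restricted"))
    print("age check u2:", authorize(store, "u2", "purchase_age_restricted"))
    print("purged:", purge_inactive(store))
    print("u2 after purge:", authorize(store, "u2", "purchase_age_restricted"))
```

Deny-by-default matters here: after the retention purge removes `u2`, the decision point simply answers no rather than failing open, which is the behaviour you want when a record has been deliberately destroyed.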

Let us know what you think about the story; email Alexander B. Howard, Associate Site Editor or @reply to @digiphile on Twitter. Follow @ITCompliance for compliance news throughout the week.
