Data privacy continues to make waves, both in the U.S. and abroad, as recent tech headlines highlighted the Obama administration’s promise to extend data protection rights to European citizens and a Supreme Court cell phone privacy ruling. Also attracting attention in recent weeks: how increasing consumer data risks and compliance regulations are driving demand for GRC professionals.
U.S. pledges data protection for EU citizens as Microsoft pushes for user privacy
Last week, the Obama administration promised legislation to grant EU citizens the same data privacy rights that U.S. citizens enjoy under the Privacy Act. U.S. Attorney General Eric Holder said that under the proposed bill, European citizens would have the right to “seek judicial redress” from the U.S. government if their private information is intentionally released or misused. Holder made the announcement at last Wednesday’s EU-U.S. Ministerial Meeting on Justice and Home Affairs in Athens.
The bill would apply to EU citizens' data transferred to the U.S. for law enforcement purposes. It would be part of a data protection agreement the EU and the U.S. have been negotiating since 2011 as part of their efforts to combat terrorism, including investigations into foreign fighters traveling to Syria.
The announcement was met with skepticism by both the EU and human rights groups, which considered it a welcome development, but deemed the promise vague and in need of more concrete legal action. “Words only matter if put into law,” EU Justice Commissioner Viviane Reding said in a statement. “We are waiting for the next legislative step.” Human rights and privacy groups said that the promise does little to address other issues created by the mass global surveillance conducted by the NSA and its partners.
Microsoft is among the many technology companies that have also been critical of U.S. data collection practices. The tech giant’s general counsel has been on a months-long public campaign calling for the U.S. government to take legal measures to preserve citizens’ information privacy rights. Microsoft’s Brad Smith said last Tuesday that the Obama administration must significantly reform U.S. surveillance practices so that people can feel comfortable using technology to store their information. Earlier this year, Smith used Microsoft’s blog to inform users that the company will no longer examine private information in their email accounts, even when investigating theft of its own intellectual property.
Supreme Court’s cell phone ruling could impact health industry
A unanimous U.S. Supreme Court ruling last Wednesday found that warrantless cell phone searches by law enforcement violate the Fourth Amendment, in part because of the devices’ potential to hold personal healthcare data. The court decided that cell phones are different from other physical evidence due to their large storage capacities and ability to access information stored in the cloud. “There is an element of pervasiveness that characterizes cell phones but not physical records. Prior to the digital age, people did not carry a cache of sensitive personal information with them as they went about their day,” the opinion stated.
The ruling covers sensitive, private health data that might be contained in cell phones, The Washington Post’s Morning Mix blog pointed out. For example, warrantless cell phone searches could reveal an individual’s private browsing history that might include searches for “symptoms of a disease, coupled with frequent visits to WebMD,” the ruling noted. Mobile devices could also disclose certain drug addictions or a person’s pregnancy status.
The decision could affect the healthcare industry from a patient privacy standpoint, iHealthBeat commented. For example, the ruling could provide more guidance over who has access rights to patients’ data and medical records.
Companies hire more GRC officers in response to breaches, regulations
There is increasing demand for data governance and risk management professionals to protect organizations from serious legal implications or financial fallout in the event of a data breach. A contributing factor is data protection legislation expected to be enacted sometime this year, according to the Data Protection Commissioner’s Statement of Strategy for 2014 to 2016, which outlines which organizations it will audit and the standards they must follow. These increasing pressures, as detailed by Silicon Republic, have led to a corresponding rise in demand for GRC professionals, particularly IT auditors.
As regulatory pressure stemming from the 2008 financial crisis continues, financial institutions have responded by hiring more senior-level risk officers, increasing their compensation and arming them with more leverage in the business’ decision making, the Wall Street Journal reported. Senior risk officers earn 40% more than they did a few years ago, according to a report from the Office of the Comptroller of the Currency (OCC). Additionally, three times as many people passed a risk management exam from 2010 to 2013 as did from 2004 to 2007, according to the Global Association of Risk Professionals. Such developments are very costly for financial organizations, given recent dips in trading revenue and slow loan growth. But they have little choice in the matter, given Dodd-Frank and other post-crisis regulations enacted to limit these institutions’ risk taking.
Regulations issued in February require that by 2016, the largest bank-holding institutions in the U.S. must appoint a chief risk officer and establish a risk committee within their board of directors. These rules also require large banks to produce detailed statements on the type and quantity of risk they’re willing to take to meet financial goals, and risk officers are encouraged to lead the charge on investigating large losses.