As part of the Data Privacy group, I wanted to write a post giving a basic overview of the issue we found and our proposed approach.
We think that your personal information is valuable. People with bad intentions can harm you if they have access to your information. On a small scale: your last name is used for flight locators/reservations, your date of birth is used to recover passwords, and/or your PIN is used to withdraw money from an ATM. On a larger scale: your browsing history can be used to predict what type of spam/advertising you would be more likely to click, data related to your health (i.e. Fitbit activity) can be used to determine if you’d be a good person to give insurance, and your financial records can be used to determine if you should get a loan. Information about you, whenever possible, should be kept private.
At the same time, we live in an era where data is something that is unavoidably used by services that we want/need access to. It’s just part of how things work: you want to use a Fitbit to track your activity, you want to use Facebook to stay connected with family and friends, and you want a bank account. But as you begin using more services your data is also available in many more places.
From the companies’ side, it is in their best interest not to be the victim of a breach. However, attacks happen, and they happen a lot. Penn State, for instance, gets attacked a few million times per day (Barton Pursel, personal communication). Furthermore, it only takes one successful attack to become the next Target. Now, if you can avoid it, of course you won’t want to tell your stakeholders that you are constantly under siege, or even worse, that you have been breached, which is exactly the position many companies in the US find themselves in.
Customers put their trust in companies. If companies haven’t invested enough in information security (Sony), they should be forced by law (or at least have the decency) to let users know that their information could have been compromised in some way. And this is where things become a problem, because there is no national standard for data breach notification laws.
This becomes an issue for all parties: companies, government, and users. From the companies’ perspective, they have to deal with contradictory regulations and ambiguity in every state. Agencies like the FTC or FCC can’t properly enforce laws because of this ambiguity and, therefore, rely on the many “self-regulatory” guidelines (a.k.a. best practices) that they propose to companies. And finally, users can’t do anything but perhaps wait until their bank notifies them that their card has been used to buy dresses and shoes in the other corner of the world. This is an unfair condition, considering that the power to change it rests exclusively with the first two parties mentioned above.
There have been pushes for a national standard on data breach reporting, such as President Obama’s data-breach initiative earlier this year. Our first approach is, then, to provide more research that would support the passing of the proposed bill. We also plan to analyze the arguments against such a bill and seek to provide solutions and possible amendments. We hope that our policy proposal can, ultimately, further users’ rights on the internet (something that is almost an anomaly today).