International organizations must move beyond the “agree-to-disagree approach” to information sharing and develop mechanisms to protect consumer privacy while facilitating the global flow of information, according to Jon Leibowitz, chairman of the U.S. Federal Trade Commission (FTC).
In one of his first speaking engagements as FTC chairman, Leibowitz addressed international regulators, industry representatives, and consumer advocates, who gathered in Washington for the recent conference Securing Personal Data in the Global Economy to discuss global privacy and security challenges and how best to move forward. The two-day conference was organized by the FTC, Asia-Pacific Economic Cooperation, and the Organization for Economic Cooperation and Development.
FTC Commissioner Pamela Jones Harbour highlighted the scope of the challenges, citing a 2008 PricewaterhouseCoopers information security survey in which three out of 10 respondents could not answer basic questions about the risks to their company’s key information. The study surveyed 7,000 corporate information security professionals, including chief information officers, chief security officers, and directors of IT and information security in more than 100 countries.
In the same survey, 71 percent of respondents said that their organization did not have an accurate inventory of where personal data for their employees and customers was stored. In response to a question about how confident executives were about the security of their information as it passed between partners and suppliers, 53 percent said they were only somewhat confident, 10 percent were not at all confident, and 15 percent didn’t have a clue. “These findings are very disconcerting,” said Harbour.
Another concern discussed was the lack of international standards for handling data security across jurisdictions. “If you have a centralized HR database that is centralized to the U.K., and it comes from all the countries in Europe including Spain, France, Finland, Italy, which security do you apply?” asked Bojana Bellamy, director of data privacy in the London offices of global management consulting company Accenture. “You end up applying probably the strictest.”
Martin Abrams, executive director of the global think tank the Centre for Information Policy Leadership at Hunton & Williams LLP, said problems arise when one jurisdiction’s regulation conflicts with another’s, because companies expend resources on trying to resolve the conflict, rather than on defining the risk and implementing the measures to reduce it.
Breach notification laws are an example of the complexities companies face; these laws differ even within the United States. Most experts agreed, however, that data breach notification requirements have forced companies to take data security more seriously.
Some panelists posited that the trigger for notification should be tied to the risk of misuse, which is the case in about half of the breach notification laws passed by U.S. states. David Sohn, senior policy counsel at the Center for Democracy and Technology, said the burden of proof should be placed on the companies. “If they can verify that there is not much risk,” he said, “they won’t have to notify, as opposed to the reverse incentive, which is as long as you don’t know there is a risk, you don’t have to notify.”
Some panelists said that industry should work with regulators to establish ground rules for data security that don’t stifle innovation and a company’s ability to respond to changing risks. They proposed technology-neutral standards and a less prescriptive approach.
Others recommended that companies consider the benefits of collecting less data overall or less of the sensitive data, a strategy Eli Lilly and Company employed after a data breach. “We went back, and we redacted Social Security numbers from almost everything that existed,” said Stan Crosley, the drug company’s chief privacy officer.
“We realized we didn’t need some of the information we were collecting,” and that practice of collecting only what is needed continues today, he noted. The company’s global privacy program, which was revamped after the breach, won the 2007 Innovation Award from the International Association of Privacy Professionals.
The conference also addressed the challenges to data security and privacy presented by cloud computing. Consumer advocate Marc Rotenberg, who is executive director of the Electronic Privacy Information Center, said personal data belongs to the individual and should be treated more responsibly by cloud-computing service providers. He likened the potential for future damage from mishandling of information in cloud computing to problems in the financial sector.
“I predict we are going to experience something very, very similar with respect to personal privacy in the emerging information economy,” he said. “We are going to wake up in a few years and realize that we allowed very similar complex transactions to be managed by large, nontransparent organizations…without oversight or accountability.”
Kristin Lovejoy, IBM’s director of governance and risk management, praised the PCI Security Standards used by credit card companies to regulate payment account data security. Lovejoy recommended something similar for the cloud-computing sector.
Lovejoy said consumers don’t understand the challenges either. Companies should empower individuals to manage elements of their identity, she said, adding that IBM is developing technology that would allow individuals to create digital profiles. The profiles could include financial information and would allow users to decide what to provide, what to protect, how to protect it, and whether to share the information with another party, such as a retailer. Not all the pieces are in place yet, however. “There needs to be innovation in and around the technologies which push choice to the individuals,” Lovejoy said.