By Agnes Bundy Scanlan, Senior Advisor, and Ash Khan, Managing Director, Treliant
The United States has reached a critical point in determining data privacy standards. With mounting concern among all stakeholders, it is no longer a question of whether more privacy laws will be enacted, but how—and specifically, whether the problem will be resolved at the state or national level.
The NeverEnding Story
Privacy is becoming The NeverEnding Story—in fact, the conversation regarding consumer privacy is now more alive than ever. Sparked by seemingly endless news coverage of data breaches, data privacy has become a critical topic for everyday internet users, corporate executives, and regulators alike.
Social media platforms, ride-sharing applications, and online banking have created a world of connectivity, convenience, and, of course, data. With this convenience comes risk, as data is constantly being created, shared, sold, and stored.
Consumers want to maintain a reasonable expectation of privacy, even as they routinely give up privacy for discounts or free services. Executives want to avoid becoming the face of the next large-scale public data breach. Regulators want to prepare for the future and secure a world in which the internet and data privacy can coexist.
Here’s how prolific data has become: every minute, 473,400 tweets are sent, 3,877,140 Google searches are performed, and Amazon ships 1,111 packages, according to “Data Never Sleeps,” published annually by the Domo business intelligence software company.
Yet, information regarding data storage and specific data uses is difficult to obtain. For example, professional data brokerage firms are only successful as long as they remain hidden. In addition to legal data collection practices, cybercriminals remain a constant threat to personal information, as data stolen in breaches is easily obtained on the dark web. Malicious actors target weak points in security defenses, hoping to obtain lucrative data to monetize or hoard for future nefarious purposes. Bank account numbers, Social Security numbers, health information, and now biometrics and genetic data are swept up in the process.
Recent monumental data breaches have escalated the global conversation on data privacy. Among them, a single event compromised close to 150 million customers’ personal data, including Social Security numbers, private addresses, and driver’s license information. Coincidentally, the company involved used to be “the agency that people relied upon to guard against identity theft and that businesses used to verify a person’s identity,” by one account.
Soon after that incident, voter manipulation headlines broke, showing that large-scale data breaches are not once-in-a-lifetime incidents. Nearly 50 million accounts were compromised by Cambridge Analytica, which used data from quiz takers (and their Facebook friends) to create 30 million psychographic profiles about voters in the 2016 presidential election. Then and now, the threat to individual privacy has been ongoing and tangible.
Why Privacy Matters
We know that privacy is essential for many reasons. Privacy puts a limit on power, whether that be governmental power, the power of companies, or simply societal power. As individuals, and as a society, we need the promise of privacy to be able to develop and grow, without being unduly influenced by outside social factors.
Yet, we are living in a society that treats every action as a data point for analysis. With the amount of aggregate data being created every day, it has become increasingly possible to link anonymous data points to a specific individual in order to create an actionable psychological profile. This profile may be used by a retailer to customize shopping advertisements or by an entity wishing to influence election opinions and outcomes.
Furthermore, with the right to privacy comes the right to manage one’s reputation. A person’s reputation, whether favorable or unfavorable, affects one’s opportunities, relationships, and general happiness.
Additionally, privacy leads to innovation. Conversely, a lack of privacy can result in a lack of advancement. This goes hand in hand with the fact that privacy is necessary to have freedom of thought and speech. We all have the right to think and experiment alone and without influence, but the increasing lack of privacy in our society is becoming a hindrance to this basic right.
Recent Policy Developments
Increased awareness of privacy and cybersecurity has, in turn, raised expectations for regulation. In the European Union (EU), the General Data Protection Regulation (GDPR) was enacted to protect all EU citizens’ data privacy by giving data subjects specific rights. In order for a company to obtain and process someone’s data, there must be a lawful basis. A lawful basis exists, for example, if the data subject has given consent to the processing of her or his data, or if the processing is needed to perform a task in the public interest or by an official authority. Otherwise, the data subjects themselves are really in charge of their own data.
In the U.S., recent California legislation might be the first step in a long-term national resolution to consumer privacy issues. The California Consumer Privacy Act of 2018 (CaCPA), Assembly Bill 1906: “Security of Connected Devices” (Internet of Things Law), and Senate Bill 1001 (Bot Law) are all rooted in a 1972 amendment to the California Constitution in which privacy became an “inalienable” right of the state’s citizens. The regulations come on the heels of numerous scandals that brought about pressure for regulatory action, and they signal a shift in values toward consumer rights over those of corporations.
Under the CaCPA, consumers can no longer be left in the dark with regard to information collected about them. Consumers now have a “Right to Know” about the categories of information being collected and sold, and a “Right to Control” which information is collected. Certain entities that use, store, collect, or sell California residents’ data are subject to enforcement and regulatory action if noncompliant. As long as an entity conducts business with California residents, it is subject to the CaCPA, regardless of whether the entity is actually based in California.
Like the CaCPA, the Internet of Things Law mandates disclosure to the consumer. Any manufacturer that produces or sells a device with internet connectivity capability in the state of California is required to implement reasonable security features commensurate with the level of information that the device processes. The Bot Law mandates clear disclosure of the use of a bot in any case where a bot is used to sway a consumer’s opinion.
Given that the new California legislation will not take effect until 2019 and 2020, it is too early to determine whether California has discovered a viable solution to growing privacy concerns. Still, California’s consumer-first regulation might become a successful model and encourage other states to take their own steps toward data privacy regulation.
This process would mirror states’ rollout of data breach notification laws, in which California set the first state law in 2002 and paved the way for other states to follow. However, the state-by-state adoption of regulations brings about risk of contradicting and overlapping laws, in addition to confusion in compliance and enforcement standards, especially given the fluid and unpredictable nature of technological advancement.
National vs. State Policy
A national law that standardizes expectations for consumer privacy and compliance might be a more prudent choice for a long-term solution. A federal law would eliminate the inevitable confusion of a patchwork of state laws with differing scopes and levels of complexity.
The focus may be shifting to federal policy, following recently reported public comments, including those by Apple CEO Tim Cook. These comments support national privacy security policy and praise the GDPR as the benchmark solution to counteract corporate misuse of personal information. In fact, given the prevailing theme of a united public-private defense in the “National Cyber Strategy of the United States,” the idea of federal legislation on consumer privacy might not be a stretch.
The question is not whether or not more privacy laws will be enacted. It is whether states will get free rein to regulate as they see fit, or whether the federal government will have the final word. Regardless of how the laws concerning privacy develop, it is clear that corporations handling personal data must remain vigilant and prepare for an inevitable increase in compliance standards and regulations.
Agnes Bundy Scanlan is a Senior Advisor with Treliant. She has over 25 years of in-depth experience in global regulation, risk management, and compliance. Her experience includes the creation, development, and execution of numerous global compliance risk management programs for some of the country’s largest financial institutions. Prior to joining Treliant, Agnes was a federal bank regulator and held senior leadership roles including Chief Privacy Officer.
Ash Khan is a Managing Director with Treliant, a business and risk management advisory firm serving financial services companies and consumer-oriented businesses. He has over 20 years of experience in information security, technology risk management, enterprise architecture, and technology infrastructure. His expertise spans a diverse range of industries including banking, insurance, pharmaceuticals, and government. Prior to joining Treliant, Ash held senior leadership roles including Chief Information Security Officer.