Yesterday, May 1, was a big day for privacy in the news. The White House issued two reports on the privacy implications of Big Data, and the Florida legislature overhauled the state’s security breach notification law, strengthening it and adding several new requirements relating to data security and breach notification.
The Podesta Report - “Big Data: Seizing Opportunities, Preserving Values”
In January of this year President Obama asked John Podesta to lead a 90-day study to examine the changes big data technology will bring to our lives and to the future of individual privacy. The study, entitled “Big Data: Seizing Opportunities, Preserving Values,” was released yesterday, May 1, 2014. A full copy of this report is available here.
The study attempts to balance the unique benefits of big data (growing the US economy, improving health and education, and making the United States safer and more energy efficient) against the social and ethical questions it raises: discrimination, stereotypical biases or assumptions, and individual privacy.
Current Privacy Framework Addresses “Small Data”
The report first recognizes that the most common privacy risks to individuals involve “small data.” Privacy concerns in the “small data” context are already addressed in the United States by the Fair Information Practice Principles (FIPPs), the various sector-specific laws, robust enforcement mechanisms, and the various global privacy assurance mechanisms such as the U.S. Safe Harbor Framework.
New Laws May be Needed for “Big Data”
However, “big data” technology permits the collection, analysis, and assembly of large volumes of data, allowing the discrete digital traces individuals leave behind every day to be profiled and to reveal a surprising amount about an individual and their life. The traditional framework of “notice and consent” that forms the foundation of privacy in the “small data” context may not adequately protect privacy in the big data context. Instead, a focus on how data is used and reused may be more productive for managing privacy in a big data environment.
The Report’s Six Recommendations
The study’s authors make six policy recommendations to protect privacy in the big data context. First, the study calls on the Department of Commerce to advance President Obama’s 2012 proposal for a Consumer Privacy Bill of Rights. Second, Congress should enact national data breach notification legislation to replace or supplement the existing patchwork of state breach notification laws. Third, the Privacy Act of 1974 should be extended to non-U.S. persons as far as practicable, or meaningful and appropriate alternatives should be established to protect their privacy. Fourth, the federal government should ensure that data gathered about students for educational purposes is not shared or used inappropriately. Fifth, civil rights and consumer protection agencies should expand their technical expertise so they can identify and investigate discriminatory impacts on protected classes facilitated by the use of big data. Sixth, the report recommends that Congress amend the Electronic Communications Privacy Act to ensure the same level of protection for online and digital content as is afforded to physical objects.
Impact to Businesses
The report is significant to businesses because it intensifies the spotlight on companies’ data privacy and security practices. Whether the result is new laws and regulations, new or expanded enforcement by the Federal Trade Commission, or both, the report is a clear indication that the legal compliance risks surrounding the privacy of personal information will continue to increase in the months and years to come.
Businesses may no longer be able to rely on the traditional notice and consent framework used in the small data context. The recent trend, even before this report, has been to base accountability and compliance on how a company uses and reuses data. A national breach notification law may reduce the burden on nationwide companies of complying with the various state breach notification laws, each with its own definition of personally identifiable information and its own notification requirements. Companies should continue to monitor which, if any, of the recommendations are adopted and carefully analyze the impact on their business.
The PCAST Report – “Big Data and Privacy: A Technological Perspective”
In addition to commissioning the Podesta Report discussed above, President Obama also asked his Council of Advisors on Science and Technology (PCAST) to examine big data from a technological perspective, and in particular what can and should be done to help preserve privacy. PCAST also released its report yesterday, May 1; it discusses the technical aspects of big data and privacy. A full copy of the report can be found here.
The Growth in Big Data Technology Increases Risks to Privacy
The collection, analysis and use of personal information have exploded in recent years as a result of significant advances in computing and electronic communication technologies. Individuals are more concerned than ever with protecting their privacy, given the ability of new technologies to analyze tremendous amounts of data from numerous sources, often in ways entirely unknown to the individual. The report addresses the changing privacy and legal compliance environment as companies in the United States and throughout the world have embraced and developed these big data technologies.
The Report’s Five Recommendations
The report recognizes that technology alone is not sufficient to protect privacy. PCAST recommends five steps the Federal government can take to balance the benefits of big data against the protection of privacy. First, as also discussed in the Podesta report, policy should focus more on the actual uses of big data than on the methods of collection and analysis. Second, laws and policies should not dictate specific technological solutions, but should address intended outcomes. Third, government-sponsored research into technological solutions that balance business interests and individual privacy concerns should be increased. Fourth, the government should work with educational institutions and professional societies to increase training and education in privacy protection, including career paths for privacy professionals. Fifth, the United States should lead domestically and internationally by adopting policies that incentivize the use of the practical technological solutions for privacy that exist today.
Impact to Businesses
As with the Podesta report, the PCAST report is further evidence that regulatory and self-regulatory attention to data privacy and security will continue to increase in the months and years to come. Companies are using technology in new and exciting ways to enhance revenues, profits and other business outcomes from big data initiatives. The PCAST report reminds businesses that technology should also be used to protect privacy. Companies should take a privacy-by-design approach, building privacy into their products, services and systems, to minimize the legal and reputational risks that result from inappropriate or unlawful uses of personal information.
Florida’s Revamped Data Security Breach Notification Headed to the Governor
The final piece of privacy news yesterday came out of Tallahassee, where the House followed the Senate and passed the Florida Information Protection Act of 2014. The text of the bill can be found here. The bill now heads to Governor Rick Scott, who is widely expected to sign the bill. If signed, the law will become effective July 1, 2014.
The action in Florida continues a line of recent data breach proposals and laws in a number of states, including California, New Mexico, Iowa, and Kentucky. Among other things, the law expands the definition of personal information that can trigger a notification requirement by adding health insurance information, medical information, financial information and online account information, such as email addresses, passwords, and security questions and answers. Current law covers an individual’s first name or initial and last name, in combination with: (i) a social security number; (ii) a driver’s license or identification card number; or (iii) an account number or credit or debit card number in combination with any required security code or password needed to access the account.
Notice to affected individuals is required as expeditiously as possible, but no later than 30 days after the breach is discovered or the business reasonably believes a breach occurred. Current law requires notification without unreasonable delay and no later than 45 days after discovery of the breach.
In the event of a data breach affecting 500 or more Florida residents, written notice to the Attorney General is required no later than 30 days after discovery of the breach. If requested by the Attorney General, the company must also provide a copy of its policies regarding breaches, a description of the steps taken to rectify the breach, and a police report, incident report, or computer forensics report.
If the breach involves over 1,000 individuals, the company must also notify the major consumer reporting agencies (Experian, TransUnion and Equifax).
Notice to individuals is not required if, after conducting an appropriate investigation and consulting with relevant law enforcement agencies, the company reasonably determines that the breach has not resulted and is not likely to result in identity theft or any other financial harm to the affected individuals. The determination must be documented in writing, maintained for at least 5 years, and provided to the Attorney General within 30 days after the determination is made.
The law adds a requirement that businesses take reasonable measures to protect and secure personal information in electronic form. While the law does not specify what these measures must be, in the event of a security breach the company will need to demonstrate, at a minimum, that it used commercially reasonable safeguards to protect personal information consistent with industry standards.
Finally, the law authorizes enforcement actions by the Attorney General under Florida’s Unfair and Deceptive Trade Practices Act for any violations. Civil penalties for failing to give timely notice are $1,000 per day for the first 30 days of violation and $50,000 for each subsequent 30-day period, for up to 180 days. If the violation continues for more than 180 days, the penalty can be up to $500,000, which is also the overall cap.
Impact to Business
If signed by the governor as expected, the new law will impose additional and more stringent requirements on businesses that suffer a security breach exposing the personal information of customers, employees or other individuals. The breach may be the result of a malicious hacker, a disgruntled employee, or the inadvertent loss of a laptop or smart phone containing personal information. Businesses should update their data breach incident response plans to comply with the new requirements (and, needless to say, develop a response plan if they do not have one). Companies should also ensure that, if a breach results in a request from the Attorney General for the company’s applicable policies, those policies are consistent with the law and current best practices.