Dazed and Confused: Data Law Disarray
By Christopher Wolf
The call comes in from IT. A backup tape containing last week's online transactions, chock full of personal customer data, has not arrived at the archive center. The courier is reporting it lost. It may have been stolen by identity thieves -- or it simply may have fallen off a sorting table and be hiding in the corner of a distribution center.
What now? Who needs to be told? Customers? Government regulators? You call in the lawyers, but they tell you they will need a day or more to figure out what the reporting obligations are.
The lawyers explain that there are more than 20 federal, state, and local laws and regulations that govern the reporting obligations, and some are quite different from others. New laws are being passed every month. The lawyers say the road ahead is perilous.
Then they make the traffic signal analogy to help you understand. They tell you to imagine you are driving down the street. At the approaching intersection, instead of just one traffic signal, there are three lights, each with a different instruction.
Should you stop at the red light? Slow down for the yellow light? Proceed under the green light? Needless to say, at this strange intersection, chaos reigns. There are confused drivers, anxious passengers, and angry cops. Here is an accident waiting to happen.
The lawyers' point? On the information superhighway, when it comes to the rules on privacy and data security, businesses are like the confused motorist at the intersection of mixed signals.
In the absence of a uniform federal privacy law, well-intentioned lawmakers and regulators from around the country have, in an episodic manner, created rules to address the growing misuse of personal information and the loss or theft of sensitive data files. The result is a hodgepodge of overlapping, conflicting, and occasionally incomprehensible laws and regulations.
Unlike the European Union, which has a uniform "Data Directive," the U.S. does not have a comprehensive regime of privacy regulation. Which rules apply depends on what industry you are in, where you are located, and whether you do business on the Internet. Companies are being told what to do, and what not to do, by authorities at all levels, and the result is uncertainty.
As a nation, we do not have clear rules of the road when it comes to privacy protection. Consumers do not feel well-protected, and businesses do not have the certainty that is necessary for compliance and planning. Take the example of multiple rules governing notices to consumers when there is a data security breach -- when that backup tape goes missing, when a laptop with personal data is lost, or when a computer is hacked.
California led the way with legislation requiring notice to consumers when there is a breach affecting unencrypted data, to put them on guard against identity theft. Subsequently, 22 states and New York City have crafted their own rules, many modeled after California's but many with their own triggers and requirements, like notice to state regulators.
And the federal financial privacy law, known as Gramm-Leach-Bliley, has its own threshold for when regulators and consumers should be notified. So while a company may be in compliance with California law, a misstep may put it at odds with the law in, say, North Carolina, which has a different definition of a security breach that triggers notification, and which has different categories of people to notify. Meanwhile, a resident of a state without any security breach notification law may be out of luck.
As for the underlying security of the systems storing personal data, the FTC takes a "we know it when we see it" approach, suing companies whose weak data security it believes amounts to an unfair consumer practice. California law provides that if you are a business located anywhere and holding data on Californians, then you must have "reasonable security," whatever that means.
The attorneys general of other states also have weighed in, and have gone after businesses that failed to "adequately protect" consumer data. Notably, the 2003 National Strategy to Secure Cyberspace did not do much more than exhort business and government to "do the right thing" when it comes to data security. How a company fares in the presence of multiple standards and multiple regulators is unpredictable.
Also, the growth of the Internet means that most privacy laws address information collected or transmitted online. But what about the vast amount of personal data that is collected in hard copy and sits in filing cabinets? Whether that information is protected depends on a number of variables in state and federal law.
The time has come for uniform federal privacy and data security legislation to create a baseline of privacy protection for consumers and to provide businesses and organizations with a uniform set of standards on which to build their protection practices. Even Microsoft (MSFT), which long held the view that existing laws, self-regulation, and technology could provide most of the needed protection, has come around to calling for study of a broad federal law.
The exact parameters of such legislation would take careful study. Lawmakers must examine whether it is feasible to protect both offline and online data the same way. The hot button issue of federal preemption -- excluding the states from further regulation -- is not easy to resolve. The states, especially California, have served as a laboratory for some of the best privacy principles we have.
And in this interconnected world, we have to pay attention to how privacy is protected by our world neighbors. Canada, for example, has a nationwide privacy law, and we can learn from the E.U.'s experience over the past decade since passage of its directive. Our federal privacy law must harmonize with those of our neighbors, so that businesses that cross borders can have a global compliance plan.
Most important, the new federal law should give consumers confidence that it will really help to protect their privacy and the security of their data. Without consumer confidence, the full realization of our information economy cannot be achieved.