Opposing tensions are much in evidence in the legal wrangle over individual privacy rights and security in the digital environment. The dizzying pace of technological innovation continues as individuals and organizations, public and private, struggle to come to grips with its implications and ramifications.
There’s a clear trend towards strengthening personal privacy rights, as evinced by a slew of federal and state legislation, such as the Federal Information Security Management Act and California’s SB 1386.
On the other hand, there is clearly concern that an individual’s right to privacy is being steadily eroded by governments responsible for protecting citizens and by multinational corporations, whose tremendous power and influence over political and legislative processes has become a given.
The list of recent legislation dealing with protecting individuals’ data and privacy rights is a long one. Prominent among these at the federal level are the Federal Information Security Management Act (FISMA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX). Added to that list is legislation concerning customer and individual privacy rights on the books in a majority of U.S. states, as well as privacy and security regulations.
“California’s SB 1386 and the equivalent 30-plus state laws in other U.S. states are the laws with the most specific teeth around the protection of personally identifiable information (PII),” Ram Krishnan, senior vice president of products and marketing at GuardianEdge Technologies, told CRM Buyer.
Gramm-Leach-Bliley, HIPAA, PCI (Payment Card Industry Data Security Standard) and FISMA protect sensitive individual information, he continued.
HIPAA spans beyond healthcare and insurance industries to impact all employers handling employee medical information; SOX is for general information protection controls, said Krishnan.
Many directives from the federal and states’ offices of management and budget (OMB) carry almost as much weight as legislation in federal environments, he said.
“From our experience, state laws like CA SB 1386 are the leading legislative reason that customers drive to deploy GuardianEdge data protection solutions. These laws obligate organizations to disclose theft or loss of laptops if they occur, unless they can demonstrate the information was encrypted,” Krishnan explained.
Federal customers also frequently make overt mention of their desire to comply with FISMA, OMB directives and other top-down mandates, Krishnan added.
“Commercial customers will sometimes reference laws like GLBA, HIPAA and PCI as compliance requirements,” and the others, less frequently, he said.
Wide-Ranging and Far-Reaching
These and other pieces of legislation, along with related self-imposed regulations, cut horizontally across and vertically down economic and industry sectors.
“Many of the verticals that have seen activity in data protection are all influenced to some extent by data protection legislation. Government, financial services, healthcare are very good examples and all of these have been affected by the state laws like SB 1386,” Krishnan continued.
Similarly, FISMA is having wide-ranging implications in the federal and government markets generally. “Healthcare and insurance have certainly been driven by HIPAA, though financial services has been affected to a lesser extent by GLBA — risk reduction tends to be a substantial motivation in banking and insurance,” he commented.
“SOX and HIPAA directly strengthen consumers’ privacy rights. GLBA wasn’t directly related to privacy rights, but as a side effect the financial privacy, safeguards and pretexting protection rules were made mandatory for all financial services institutions to follow,” added Shane Coursen, senior technical consultant at Kaspersky Lab.
PCI, meanwhile, has been the driving force in the consumer privacy area, affecting the retail, credit card and payments industries.
“Defense and aerospace is unusual in that it is driven more by intellectual property protection and by the downstream impact of doing a lot of business with the government, than by a desire to directly protect PII,” Krishnan said.
Business as Usual
It’s business as usual for most organizations despite the volume of new privacy legislation, according to Coursen. Most organizations not carrying sensitive information should not be affected, he said, adding that organizations that are potential targets may have some work in front of them.
“Looking at it another way, information security has been a constant issue since before the dawn of the Internet; even before computer networks existed. It is probably fair to say that consumers would demand security, regardless of the political climate,” he said.
The political climate calls for an even greater awareness of security, Coursen told CRM Buyer.
“As to what the acts mean for CRM software developers, just a slight shift in focus. Implementing security and reducing exposure to accidental information disclosures have become a more important part of the feature set,” he said.
Organizations that are directly affected are putting information security policies and best practices for employees in place, one example being a set of best practices to help employees avoid being victimized by attempts at social engineering, Coursen continued.
“Best practices have been notoriously difficult to implement, however. It isn’t surprising. Phishing and social engineering techniques change constantly, especially so in response to counter the latest best practice,” he noted.
The greatest challenge to protect private information will fall on individuals themselves, he added. It will be up to each individual, whether in a personal or professional capacity “to be aware of the security challenges they face and react appropriately. The trick is to be just paranoid enough, but not so much as to reduce efficiency to a crawl. As for technical challenges, we can be sure that at least one software developer will rise to novel innovation.”
Justice, AT&T, the EFF and Privacy Rights
While the aforementioned all aim to assure and strengthen customer and individual privacy protection and rights, concerns continue to be voiced about privacy rights incursions and the general erosion of individual privacy rights.
The Electronic Frontier Foundation (EFF) on July 26 argued before the U.S. District Court for the District of Columbia for the release of court orders that are claimed to authorize the government’s electronic domestic surveillance program, which allows it to intercept and analyze millions of Americans’ communications.
U.S. Attorney General Alberto Gonzales in January said that the Foreign Intelligence Surveillance Court authorized collection of communications and that the surveillance program would operate under its approval. The Dept. of Justice refused to comply with a Freedom of Information Act request filed by the EFF for the orders and other records concerning changes, which led to its filing suit in federal court.
The EFF is also taking on AT&T over privacy rights. In January 2006, it filed a class-action lawsuit accusing the telecom giant of violating the law and the privacy of its customers by collaborating with the National Security Agency (NSA) in its wiretapping and data mining program. A federal judge in July 2006 denied the government and AT&T’s motion to dismiss the case.
The EFF lawsuit originally arose from news reports in December 2005, which first revealed that the NSA has been intercepting Americans’ phone calls and Internet communications without any court oversight and in violation of the privacy safeguards established by Congress and the U.S. Constitution. This surveillance program — purportedly authorized by the president at least as early as 2001 — intercepts and analyzes the phone and Internet communications of millions of ordinary Americans, according to the EFF.
The growth of peer-to-peer (P2P) file sharing and other distributed Web services has also heightened concerns about privacy rights incursions and abuses. The U.S. House of Representatives’ Committee on Oversight and Government Reform this month held a congressional hearing aimed at exploring potential privacy and security concerns associated with the use of P2P file sharing programs.
“With respect to safeguarding private information, current leading P2P software requires users to take multiple affirmative steps in order to share files that may include personal data,” Martin C. Lafferty, CEO of the Distributed Computing Industry Association (DCIA), told CRM Buyer.
“P2P software suppliers have also affirmed their commitment to further reduce risks and competitively enhance both the safety and value of the user experience on behalf of their consumers and the public at large.”
The DCIA is also willing to contribute to the dialogue taking place between the Patent and Trademark Office, which issued a report on P2P networks and privacy concerns in March and more recently has been corresponding with the House committee, and two leading U.S.-based P2P software developer-distributors regarding consumer disclosures, default settings, recursive sharing, un-installation procedures and other topics, he added.
“Because of both the technical complexity and relatively fast-moving innovation in this area, a federally mandated and closely monitored private sector initiative — rather than even the best intentioned legislative measure — will produce the most beneficial effect to the public and to government agencies whose sensitive and confidential information must be protected as a matter of national security,” Lafferty concluded.