Is the United States doing enough to guarantee your data security? And how far should the government be allowed to go? CNET News.com has assembled a roundtable of leading figures from the worlds of business, technology and politics for their insights.
While there are significant vulnerabilities in our information systems, Web-based networks and procedures for protecting sensitive personal information, research tells us that the magnitude of harm caused by those security breaches is significantly less than current perceptions. Some security breaches create real risks for individuals, while others are benign. Some have everything to do with information technology, while others are products of process, poor management and carelessness in the physical handling of information.
Nevertheless, it would be foolish to deny that we do have information security problems. We all--industry, government and consumers--have a role to play in improving information security. Improvement needs to happen quickly. The government will attempt to "fix it," if the private sector does not lead the way.
Some suggest to corporate and organization leaders that the entity should not engage in stated privacy policies and promises, because of the obligations they create. Others advise corporate leaders to avoid major investment in information security, because the return on investment is inadequate. This is irresponsible. Obviously, personal information has value: Information is the currency of our economy.
A recent Federal Trade Commission action against BJ's Wholesale Club made a huge statement recognizing that information has value. Simply stated, if you use information (and who doesn't?), you have an obligation to protect it. All should pay attention.
Until recently, Orson Swindle was a commissioner at the Federal Trade Commission who specialized in privacy and security. Now he is a senior policy advisor at the law firm of Hunton & Williams. While at the FTC, he participated in the launch of the Do-Not-Call program and the Organization for Economic Cooperation and Development's information security guidelines. A former assistant secretary during the Reagan administration, Swindle had a distinguished military career in the U.S. Marine Corps. He flew 205 fighter missions over Vietnam, won two Purple Hearts and was held in North Vietnam as a prisoner of war for more than six years.
First, let's calm down. Data security has been oversold in the media. The one-to-one ratio between records breached and consumers harmed, implied in much reporting, is off by several orders of magnitude. Yes, many entities have handled data stupidly--underestimating its value, the threats and the consequences of breaches--but what matters for public policy is whether consumers have been harmed.
Holders of sensitive personal data should be liable if their negligence does harm consumers. The question is what form that liability should take. State common law cases have already established liability for data holders, and common law retains the flexibility to adjust to changed circumstances. The statutes and regulations out there miss the mark--some of them, badly. Legislation and regulation is the playground of corporate lobbyists and bureaucrats, not the haven of consumer protection some people think.
Politicians, bureaucrats and lobbyists don't know how to do security any better than anyone else. Given the wide variations among breaches and ongoing changes in technology and business models, legislators in 2005 or 2006 cannot write a regulation that lastingly balances the consumer interests at stake, including protection from harm, low prices and innovations that generate better goods, services and conveniences.
Jim Harper is director of information policy studies at the Cato Institute in Washington, D.C., and a member of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee. He is writing a book on identification and edits the Web site Privacilla.org, devoted to explaining privacy topics. Harper frequently testifies before Congress on data security, privacy and civil liberties.
The California security breach law, which required notice to the public of information security leaks, shed light on the fact that commercial data brokers sold sensitive personal information to just about anyone. For many, this was the first they had heard of these secretive companies. They learned that their security practices were poor, but they were also troubled by the companies' data-selling practices.
Prior to the breaches, one commercial data broker assured regulators that its security was "exceptional." In a government/industry initiative led by the Federal Trade Commission, serious attention was focused on the importance of security practices. Nevertheless, the California law has shown that security wasn't adequately addressed.
Knowing what we know now, shouldn't we ask more questions about commercial data brokers' operations? What data do they collect? How is it collected? How is it used? To whom is it disclosed? What rights do individuals have to limit, correct or delete this information? What accountability measures are in place?
This is the dialogue we need to have. We need to go beyond security and inquire into the use of personal information. We need to determine whether the operations of commercial data brokers comport with individuals' expectations and values.
Chris Hoofnagle is director of EPIC's West Coast office in San Francisco and a non-residential fellow at Stanford University's Center for Internet and Society. He is a graduate of the University of Georgia School of Law and has testified before Congress on privacy and Social Security numbers, data security and commercial data brokers, identity theft and the Fair Credit Reporting Act.
Everyone knows two facts about risk: Emerging data security threats are legion and identity fraud is at record levels. However, ignorance beyond this elementary understanding threatens to spawn inefficient investments and regulation. Yes, identity fraud now totals $52.6 billion annually in the United States, and emerging data threats are seemingly boundless in volume and ingenuity.
Yet we are often distanced from increased safety through the simplistic assumption that increased use of technology can only lead to increased risk. In fact, our data shows that new channels and methods also bring effective safety measures. Companies, regulators and individuals often act on the belief that technology brings us only to the edge of catastrophic loss, while ignoring technology's double-edged nature, which allows more effective prevention, detection and resolution of fraud and security incidents. When responding to data security threats, a blind eye to technology's strengths will lead to missed advantages, such as reduced exposure to paper records, improved ability to communicate status or risk conditions, and precise controls that lead to higher safety.
Laws that acknowledge only technology's vulnerabilities are likely to be ineffective, inefficient and even irrelevant.
James Van Dyke is founder and principal of Javelin Strategy & Research. Previously, he headed financial services and payments efforts at Jupiter Media Metrix.
I am the author and co-author of AB 700 and SB 1386, respectively, California's Security Breach Notification law, which requires that notice be provided to individuals in a public or private database whose personal information has been compromised.
The premise is simple. What you don't know can hurt you. Ignorance is not bliss. If you don't know that your personal information has been compromised, you can't protect yourself.
The goals of the Security Breach Notification law were to provide Californians with the knowledge they need to protect themselves and to provide an incentive for improved database security (and thus reduce the risk of identity theft for all of us). These goals have clearly been realized.
We also hoped that consumers around the country would be protected to some degree, since as a practical matter, it's difficult to inform only the customers in California when a national database is hacked.
Finally, we hoped to prod the federal government into taking meaningful action on a national level.
Regrettably, Congress has failed to act (and has even considered preemption legislation weakening existing state protections!). It's time then for D.C. to let our 50 states take the next steps in protecting consumer privacy throughout the country.
Sen. Joe Simitian represents the 11th District of the California State Senate, which includes parts of San Mateo, Santa Clara and Santa Cruz counties. He is the sponsor of the state's Data Breach Notification Law, whose passage made California the first state to require businesses and government agencies to notify individuals if a database containing personal data is compromised.