Will Obama’s draft privacy law champion consumer rights?
By Byron Acohido, ThirdCertainty
The White House has taken another step toward framing President Obama as the “privacy president.” But it remains to be seen how assertively his administration will actually champion consumers’ rights in an age of unprecedented digital privacy invasion.
In a speech at the Federal Trade Commission today, President Obama stated the obvious: Identity theft is a growing problem, generating billions of dollars in commercial losses and posing risks to individuals that can “ruin your life.”
“This is a direct threat to the economic security of American families and we need to stop it,” Obama said. “If we are going to be connected, we need to be protected.”
Obama proposed a sweeping new federal privacy law that presumably would impose new rules on corporations for safer handling of personal data, as well as provide individual citizens with some level of control over the vast amount of online-tracking data generated and stored for consumers.
Devil in the details
But the devil is in the details. And both the corporate heavyweights making billions off of online tracking and privacy advocacy groups aim to influence the finer points. The White House is expected to deliver draft legislation in about two weeks when the president makes his State of the Union address.
“One would hope it (the draft legislation) implements strong controls that empower consumers to protect against the collection of their sensitive data without their consent,” says Alvaro M. Bedoya, executive director of the Center on Privacy & Technology at Georgetown University Law Center.
With newly elected Republican majorities in both houses of Congress, Obama’s draft legislation may pick up a sponsor and get debated. But privacy and legislative experts say it has zero chance of being enacted as law.
So the thrust of Obama’s proposed Personal Data Notification and Protection Act will be strictly symbolic. Yet symbolism is important. Stiff federal sanctions, even proposed ones, on companies that fail to robustly deter data breaches could shift more of the corporate world’s attention to cybersecurity.
By the same token, a strongly worded White House draft bill that spells out a specific level of consumer control over online tracking could likewise disrupt current commercial practices. It could slow the relentless collection and unregulated sharing of behavior data collected from smartphones, medical devices and wearable tech. That behavior currently is driven primarily by profit motives.
“Providing a clear set of rules, guidelines and practices that set basic expectations for both consumers and the businesses where they shop—not to mention the government they pay taxes to—would be the best of all possible worlds,” observes Eduard Goodman, chief privacy officer at IDT911, an identity and data risk management, resolution and education services firm. Full disclosure: IDT911 is the corporate sponsor of ThirdCertainty.
Lobby groups for the online advertising industry led by tech giants Google and Facebook, and giant data aggregators led by Acxiom and Lexis-Nexis, will push hard for benign wording in Obama’s draft privacy law. Their interest is to protect the status quo.
Status quo not working
Yet the status quo isn’t working. Loopholes in data loss disclosure laws in 47 states enable companies to dodge notifying consumers when their data gets stolen. A federal notification law with teeth could prompt giant retailers to take better care of stored data than Target, Home Depot or Sony Pictures did.
“The past year has been marked with numerous security breaches that have affected big brand names,” says Jerome Segura, senior security researcher at antimalware vendor Malwarebytes. “Consumers are not only worried but also demanding more accountability from these businesses.”
“Although many states already have laws in place regarding breach notification, with federal legislation it will remove any doubt with regards to the notification periods,” says
Ken Westin, senior security analyst with Tripwire, says that federal legislation could ... “Particularly with the number of high-profile breaches over the past year, many companies are reticent to notify consumers when credit card and other data are compromised, simply because of the effect it can have on the business, from loss of trust, lawsuits, fines and fees and other related expenses to clean up the mess after a breach occurs.”
Meanwhile, the so-called Internet of Things is accelerating the collection and storage of data that makes it possible to profile an individual’s moment-to-moment whereabouts, medical condition, and vital signs, down to counting steps taken, and even a heart rate.
At this moment, for-profit companies are collecting and sharing data amassed via the Internet of Things for commercial purposes. That collection and sharing is based on lax consumer consent standards, says Bedoya.
“One would hope Obama’s draft privacy law fills these gaps unequivocally by implementing strong controls for consumers and empowering consumers to protect themselves against entities taking and using their data without their consent,” Bedoya says.
Dave Frymier, CISO of Unisys, believes more needs to be done to prevent breaches from happening in the first place. Consumers and companies “remain vulnerable to the personal, reputational and financial ramifications of data breaches if we only aim to address them after hackers have infiltrated a network,” Frymier says.
Will President Obama stake out turf as the privacy president?
Stay tuned here for more discussion.