Pressure is on Privacy ProsBreaches, Lawsuits Add New Urgency to Protecting Critical Data
"For a long time to come, we're going to see this issue continue to explode," Hughes says in an interview with BankInfoSecurity.com's Tom Field [transcript below].
Hughes has testified before the U.S. and European governments on issues of privacy and data protection, spam prevention and privacy-sensitive technologies.
The rapid progression of technologies in the information economy is exceeding the current system of laws, regulations and societal norms, Hughes says. Privacy will continue to come up in regulatory, online and mobile platform issues.
Add to that the confusing mixture of regulations and policies implemented on a global scale that make it exceedingly difficult for organizations to operate globally. "The global environment is incredibly difficult to navigate," Hughes says.
Figuring out a safe path through all the regulations and distilling the process down into the best, safest and most secure way is what organizations need to do to move forward. Compliance isn't enough when it comes to privacy. Protecting critical information is a business imperative. "If your customers don't trust your privacy, they don't trust you," Hughes says.
Privacy needs to be implemented into the design of products and services from the start, rather than later on, in order to cut back on expenses and address the issues up front before they become a concern later.
In an exclusive interview about global privacy trends, Hughes discusses:
- Top privacy issues that emerge from recent breaches;
- Global turbulence over regulatory and legislative issues;
- What best-in-class organizations are doing about privacy.
Hughes is an attorney specializing in e-commerce, privacy and technology law. In his role as executive director of the IAPP, Hughes leads the world's largest association of privacy professionals.
Hughes has testified before the U.S. Congress Commerce Committee, the U.S. Senate Commerce Committee, the U.S. Federal Trade Commission and the EU Parliament on issues of privacy and data protection, spam prevention and privacy-sensitive technologies. He is a member of the first class of Certified Information Privacy Professionals [CIPPs] and is co-author [with D. Reed Freeman, Jr.] of "Privacy Law in Marketing" [CCH Wolters Kluwer, 2007].
Top Privacy Issues & TrendsTOM FIELD: When you look at the recent data breaches, such as Epsilon and Sony, what are some of the top privacy issues that immediately come to mind for you?
TREVOR HUGHES: The recent data breaches tell us a lot. First of all, breaches happen. They are inevitable. There are bad people in the world, and they're always trying to find ways to get access to data because data has increasing value in the information economy. Organizations need to make sure that they are paying attention to all of the information security demands, both technological and also legal and compliance-wise, so that they're on top of what they should be doing to prevent those breaches. But increasingly, it's clear that it's not enough. Not only do they have to be paying attention to how they are securing data, they have to be preparing for what happens when things go wrong. Increasingly, organizations are using privacy professionals to ensure that, as part of their post-breach response plans, they're talking to consumers, regulators, congressmen and sometimes class-action lawyers about what went wrong, to [communicate] that they've got plans in place to mitigate the amount of harm that occurs when a breach happens.
FIELD: I know your organization has grown tremendously. That reflects the growth in the industry. What do you see as today's top privacy trends that are driving this growth?
HUGHES: There are a number of privacy trends that are in play right now, and certainly the issue itself is one of the things that is growing. Privacy as a concept seems to be in the media every day, and people mean a lot of things when they say the word privacy. We see privacy come up in the context of anti-terrorism efforts. We see privacy come up in social media, mobile platforms and location-based privacy. I think what we're seeing is the rapid progression of technologies in the information economy exceeding our current system of laws, regulations and, in some cases, societal norms, how we expect we will deal with data. All of those are being pressured by the advance of technology. In that gap, the delta between that leading edge of technology and where our legacy systems for controlling technologies are, creates instability. That gap creates instability. For a long time to come, we're going to see this issue continue to explode. We're going to see it in regulatory branches, we're going to see it online and we're going to see it in mobile platforms. We're going to see it in everyday life. Privacy is going to become something that we have to pay more and more attention to.
FIELD: You mentioned the term regulatory, and I know there have been some regulatory and legislative issues that have come up. Which ones do you see as creating turbulence, I guess is the word to use, regarding privacy?
HUGHES: Turbulence is a great word to use. In fact, we could look at many of the major jurisdictions around the world, the major markets around the world, and there are new or revised privacy laws and regulations in play. Let's just do a really quick global survey of what's happening. In the European Union, they have an E-Privacy Directive which is being implemented, which has some tremendously challenging standards for relatively ubiquitous technologies like cookies, which are creating real headaches for organizations. The broad-based European Privacy Law, the EU Data Protection Directive, is currently under review and there's significant debate about what that should look like in this new era. In Canada, PIPEDA [Personal Information Protection and Electronic Documents Act], their major piece of privacy legislation, is being reviewed. In the United States, we have a number of bills that have been dropped in Congress. We have hearings that are occurring it feels like almost every week - certainly one this week, one last week - where privacy is the main topic of conversation. And even outside of Congress, we have the Department of Commerce, the Federal Trade Commission, the Securities and Exchange Commission, Health and Human Services, the brand new Consumer Finance Protection Bureau, all claiming a piece of turf when it comes to privacy, and all discussing what the new standards in privacy should be. Throw into the mix for global organizations the fact that Mexico has a new privacy law, Brazil is working on one, India just passed one, and you have a recipe for, again, a very unstable and turbulent regulatory environment for organizations that operate globally. And one of the things that we see that is increasingly true in this era of globalization is that pretty much everybody, if they are online in some form, has some connection to global commerce. That global environment is incredibly difficult to navigate. Figuring out a safe path through all of that is a job for someone who can assess hundreds of different variables and distill them down into the best, safest and most secure way for an organization to move forward.
Ubiquity of CookiesFIELD: You talked about the ubiquity of cookies, and I get the sense that there's a greater sensitivity to cookies today as well. What are your thoughts on them?
HUGHES: Cookies are an issue that have been debated for over a decade, and in some ways it feels a little like Groundhog Day because many of the arguments that are being made today were made 10 or 15 years ago when cookies were first introduced. But it's significantly different today for two reasons. One is because of some of the existing controls on cookies. The marketplace has actually moved towards different types of global unique identifiers, of state management tools, and I'll talk about those in just a second. The other thing that's different is that the regulators have gotten a bit more aggressive, and some of the technologies have gotten a little bit more excessive or aggressive. Let me cover all three of those areas.
First, it's not just cookies anymore. Notably, Adobe with Flash just came out with some new updates where Flash cookies, locally stored objects under Flash, are now managed in some of the cookie controls in browsers. There has been a lot of criticism about so-called Flash cookies not being subject to many of the cookie controls that exist within browsers or elsewhere. But it's not just flash cookies. There are many different ways of identifying devices now, and I think there's a concern that perhaps cookies are like rotary dial telephones. They're almost quaint now because of some of the more significant ways that organizations have to identify devices. So-called super cookies or IP addresses targeting are creating some real challenges.
When we look to what the regulators are doing, European Union has passed a law, which - there's some debate on this - ostensibly says you have to get consent before you set any cookie or identifying device. That would suggest that you've got to get an opt-in. Think about a pop-up box for every cookie coming up on your system. However, in that E-privacy directive, the European Union indicated that browser controls may be sufficient, so if your browser was set to accept cookies, that could be a proxy for consent. Add to that the fact that the U.K. Data Protection Commissioner just came out with an opinion that, in fact, browser controls may not be sufficient, and you have an enormous amount of confusion in the marketplace. When we take one step further and talk about the technologies, we are seeing more and more robust cookie controls and identifier controls in all of the major browser releases. Certainly, Explorer is very active in this space. Safari blocks third party cookies in a default setting. But we're also seeing the implementation of the "do not track" header, and that's creating some really interesting questions. That goes beyond cookies to online behavioral advertising, but this issue of cookies is the prow of the ship. It's that bow spur on the ship that breaks the water first, but there's a lot of stuff that comes behind it, and I think, like many privacy issues, this is not going away anytime soon.
FIELD: Trevor, I'd be remiss if I didn't ask you about the recent controversy that's come up with Apple regarding person tracking with the iPhone and iPad. What are your thoughts on that?
HUGHES: You know, it seems to me that there are real risks for organizations out there today, and you can knowingly violate privacy law or the expectations of privacy of your consumers in a cynical way. I don't think that's what happened here with Apple. I don't think there was intent to do anything inappropriate or that would violate the trust of Apple's customers. But that's not to say that something concerning did not occur. In some ways, I think that the "a-ha" or "gee-whiz" moment is just as threatening to an organization. Apple probably had an engineer who realized that there was value in creating a record of the wireless tower hits of devices for all sorts of purposes - for logging, optimization of call quality, all sorts of things could have been benefits derived from that. But as much as I believe that that's the case, that it was an innocent decision to implement this tracking mechanism, I also think that there was a lack of awareness or understanding of the potential privacy issues. And that's the thing that I think we have to change in the future. Engineers generally, IT professionals broadly, and information security professions are going to have to have issue-spotting abilities when it comes to privacy. So when that opportunity comes up in a line of code or in the implementation of a new product, service or hardware system where a particular piece of data may be collected or gathered, they might not have the ultimate answer to whether it's okay or not, but they know enough that there's a question.
Apple, given the enormous strength of its brand and the customer loyalty that they have, get the benefit of the doubt from their customers in a lot of these situations. I think without that kind of brand magnetism, other companies don't have that same kind of benefit of the doubt, so they need to be even more cautious. I think it speaks to a larger issue in the marketplace, and that is we all have to become privacy professionals at some level. We all have to have a broad environmental awareness of how data can create risks for our organizations.
Privacy Law SuitsFIELD: Trevor, there have been a number of class-action lawsuits that have come under scrutiny. What can you tell us about the rise of these legal actions?
HUGHES: Well, I can tell you it's rising. I can tell you that just like legislation seems to be exploding right now, just like regulatory action seems to be exploding right now, we are seeing class-action lawsuits really proliferating around the U.S. right now. We're also seeing some pretty significant settlements with some of these. Notably, Facebook settled for, I believe, $6 million in a class-action lawsuit. Google settled on Buzz, their social networking platform, for, I believe, $13 million. There are millions of dollars of settlements that are out there in the class-action space.
Let me give you a sense of the rise of these class-actions. In California, there was a privacy lawsuit against Williams-Sonoma. In California there was a law that says you cannot gather additional personal information at the point-of-sale in a retail establishment if it's unnecessary for conducting the transaction. This is meant to be a mechanism to protect consumers from identity theft. You don't want to create extraneous data that can be attached to those point-of-sale records.
Williams-Sonoma was asking for a zip code, and they were asking for zip codes for the same kind of marketing reasons that most retailers at a point-of-sale do, and that is to understand where their customers are coming from in any one store so that they can more appropriately target their marketing efforts based on that data. The California Supreme Court found that the zip code was personal information and therefore said it violated the law, and Williams-Sonoma was liable for damages and for fines under that law. Within a couple of weeks of that case being decided by the California Supreme Court, we had over 100 class-action lawsuits filed against retailers in the State of California. That demonstrates to me that there is a very significant and energized group of plaintiffs' attorneys who are looking at this space very carefully and recognizing that there is enormous consumer concern around privacy. And if they can find the right legal argument, the right way to identify damages, there will be continued significant activity when it comes to class-action lawsuits.
Best-in-Class Organizations Regarding PrivacyFIELD: Now, Trevor, you have the opportunity to see any number of organizations internationally. What do you see the best-in-class organizations doing regarding privacy?
HUGHES: The best-in-class organizations are recognizing that compliance is not enough. There's a story that goes around startups. I'm a lawyer, and tech startups seem to have a process where they get to a certain number of employees and the CEO says, "We're spending so much on outside legal bills. We need to hire ourselves a general counsel." So they get their first in-house lawyer. But instead of having their legal bills go down, their legal bills actually go up, because that first person in the door, that first lawyer, sees all of the legal issues that were not being dealt with before, that no one without legal training could see within the organization.
I think we're seeing that same kind of trajectory on privacy, that increasingly, organizations are hiring their first privacy professionals. That privacy professional is coming in and pretty quickly full teams are being built. But the best-in-class are going beyond that now to see privacy as not just a compliance obligation but really a business imperative that goes beyond legal obligation. Privacy is an issue that's very intimately tied to the trustworthiness of the brand of your organization. If your customers don't trust your privacy, they don't trust you. And that has implications far beyond just the law; it has real implications for your business.
But even more than that, we're seeing best-in-class organizations pick up ideas like privacy by design, which is championed by a woman named Ann Cavoukian, who is the Information and Privacy Commissioner of Ontario. Privacy by design is similar to some thinking in the information security field over a decade ago that you bake privacy in as products and services are being developed, as opposed to bolting them on after the fact, because, inevitably, it's more expensive to bolt them on than it is to think about them up front.
Additionally, organizations are embracing a concept of accountability when it comes to privacy. Meaning yes, you comply with the law, but you also own up to the fact that you have people's data in your possession, and when you hold that data you're accountable for that data. You look after it. You do the right thing with it. You make sure that even if the law says you can do something, that doesn't mean that it's right to do something with the data. And you have experts on staff that can help you take those nuanced positions for the betterment of the organization long-term.
Demand for Privacy ProfessionalsFIELD: We've talked about so much today. It's clear that the issues have never been greater, the stakes have never been higher and the opportunities have never been more numerous for someone wanting to enter the profession. My final question for you is what advice would you offer to somebody who wants to be a privacy professional today?
HUGHES: The good news is that privacy has been growing phenomenally, and for anyone interested in entering the field, unlike a lot of other areas in the economy privacy professionals are being hired. It's not the easiest profession to just stand up and say, "I want to be a privacy professional." Like a lot of other jobs and professions, you have to immerse yourself in the field, and I think the easiest way to do that is to get into all the information that's being produced by organizations like the IAPP. Our website, PrivacyAssociation.org, is a great place to start. But you also have to meet other privacy professionals, so start networking. We have local chapter meetings. That's certainly a good place. There are privacy conferences that occur all over the world. You could consider training. There are very, very few privacy programs in higher education institutions in the U.S. There are some privacy law classes at law school and some information privacy programs in computer science programs. One of the primary mechanisms is through certification, and that's the Certified Information Privacy Professional [CIPP]. That's the designation that's recognized across the country.
Scouring job boards, talking to privacy pros, doing your networking, making sure that you're up on the issues - those are all probably the normal, but also most effective ways, to find your way into the privacy profession.
And let me just finish by saying it's a good place to be. It really is an incredibly hot issue. Privacy professionals are growing as the issue grows. To give you a sense of scale, on January 1, 2009, the IAPP had 5,000 members around the world. On December 31, 2010, 24 months later, we had 7,500. In the 24 months of the worst economic cycle - certainly in our lifetimes and in many generations, in fact - the IAPP grew by 50 percent. That's pretty phenomenal, 25 percent per year over that economic period. And I think it's an indication of the growth potential of this field, and it really suggests that it's a good place for a lot of people to be looking for future professional opportunities.