Privacy Bill of Rights: A Step Forward
'Can't be a Back-Burner Issue,' Privacy Lawyer ArguesAlthough the Obama administration's recently announced Consumer Privacy Bill of Rights shouldn't be seen as the "be-all, end-all," says privacy and data security lawyer Lisa Sotto, they are an important step forward in getting industries and leaders to start thinking about privacy more seriously.
See Also: Using the Netskope HIPAA Mapping Guide
"The real value that I see here is that I think many companies that are not active in this space are going to sit up and take notice now that this document has been issued and will understand that privacy and data security can't be a back-burner issue," says Sotto, a managing partner at the law firm Hunton & Williams, in an interview with Information Security Media Group's Eric Chabrow [transcript below]. "[Privacy] absolutely needs to be pushed forward in the compliance and regulatory agenda for companies."
The White House last month issued the bill of rights, which the administration says would provide a baseline of clear protections for consumers and greater certainty for businesses. The rights are:
- Individual control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
- Transparency: Consumers have a right to easily understandable information about privacy and security practices.
- Respect for context: Consumers have a right to expect that organizations will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security: Consumers have a right to secure and responsible handling of personal data.
- Access and accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
- Focused collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
Sotto sees the bill of rights as being flexible enough to take into consideration new technologies as they come out, and they cover important concepts all companies need to consider. "These are high-level principles and they are principles that I think any responsible company in the privacy space thinks about every day," she says.
In the interview, Sotto also discussed the impact of the Consumer Privacy Bill of Rights on:
- Corporate and governmental professionals charged with protecting the data and privacy of information stored in their systems;
- Mobile technology;
- Consumers and businesses on assuring privacy.
Sotto has earned a No. 1 U.S. national ranking for privacy and data security from Chambers and Partners, publisher of leading guides to the legal profession.
Consumer Privacy Bill of Rights
ERIC CHABROW: First off, why the need for a Consumer Privacy Bill of Rights, and why now?
LISA SOTTO: The environment in the privacy and security realm has changed dramatically over the past few years. There have been many efforts to revamp the framework in the United States to modernize it so it meets the needs of those who are innovating in this space and the new technologies that we now have in place.
CHABROW: What elements of the bill of rights do you see as being adequate and other elements that need to be strengthened?
SOTTO: This is really a discussion point rather than a be-all, end-all document. I think it's one of the important building blocks in this space that we've seen over the last couple of years. It's not the be-all, end-all. It does call for legislation, and of course that would be a very significant change, but really this is just one of the critical building blocks that have been put out there in the move toward the development of a comprehensive privacy regime in the United States. There have been a number of significant proposals during the last couple of years and this is one more key ingredient toward building a more expansive and globally accepted privacy framework in the United States.
CHABROW: You mentioned a call for legislation, but in reality getting legislation passed in the IT security area has been very difficult recently, especially when you're trying to start regulating people.
SOTTO: That's right, and where this should be a bipartisan issue - it is in theory that - but in practice it's not and our legislators have really found that the devil is in the details.
Industry Responsibility
CHABROW: That's so true in IT security. How about industry and using these points in the privacy bill of rights of getting them to be more protective of consumer information?
SOTTO: I think it's a very important step forward. The real value that I see here is that I think many companies that are not active in this space are going to sit up and take notice now that this document has been issued and will understand that privacy and data security can't be a back-burner issue, and absolutely needs to be pushed forward in the compliance and regulatory agenda for companies.
CHABROW: Do you think that it's an area that the companies that are marketing and advertising will adhere to, that they'll find ways to satisfy consumers?
SOTTO: Well I would go even further. I think every business is now data intensive. We're not living in the industrial age anymore. We're absolutely, squarely, in the information era so everyone uses data regardless of the industry sector they're in. Of course there are more robust and less robust users of data. Those who use data in a much deeper way really do want to be part of this discussion, this multi-stake holder discussion that's going to take place as a result of the issuance of this document.
Privacy and CISOs
CHABROW: A lot of our audience consists of people who are responsible for securing their own IT systems and the data privacy of the information on their systems. They're not necessarily directly marketing to people. You're saying that other organizations have to be concerned. What would it mean to CISOs and organizations like that, this bill of rights and this whole drive toward privacy?
SOTTO: Well, this is really about privacy, which is really more focused on the appropriate use of information than it is on security, but of course a critical aspect of privacy is about keeping data safe and that's why we find security listed as one of the key principles in the bill of rights. The IT folks who are charged with securing data need to understand that the integrity of data must remain intact - data can't be lost, data can't be altered in untold ways and they need to work toward that objective goal of safeguarding information.
Mobile Devices
CHABROW: Does it matter, when it comes to consumer privacy, the kind of device a person uses, whether it's a mobile device or notepad?
SOTTO: That's a great question and the fact is it shouldn't matter. We should have over-arching privacy principles in place that are flexible enough to deal with changing technologies. We're not standing still in the technology arena and the change between five years ago and now is extraordinary - really dramatic. We can't have a privacy regime that focuses on specific technologies. We need to rise to a higher level and think about privacy so that it can apply to new technologies as they're developed.
CHABROW: And do you see the bill of rights doing that?
SOTTO: I do, I do. I think there's enormous flexibility in these principles. They're really just the fair information practice principles made modern. These are high-level principles and they are principles that I think any responsible company in the privacy space thinks about every day.
A Collaborative Effort
CHABROW: Let's talk about the onus for protecting one's own privacy. How much of that is on the individual user, based on what this proposal says, versus the various organizations, the businesses that are involved in there?
SOTTO: I think this really needs to be an effort both of the consumer and of businesses. It's a joint effort to protect information so users need to understand what their rights are and their ability to change their preferences and companies need to offer the options and the choices. It really is a collaborative effort, I think.
CHABROW: So this is a good step toward that?
SOTTO: It is.