PROVIDENCE, R.I. -- According to a group of data privacy experts, enterprise information security teams are increasingly being asked to take on challenging data privacy management responsibilities, but technicalities in outdated data privacy laws are helping diligent organizations avoid legal entanglements.
It doesn't take 9,000 words to protect your privacy.
Steven J. McDonald,
Rhode Island School of Design, on Facebook's privacy policy
"There are many things we want to do in our lives simply without being intruded upon," said attorney and author Robert Ellis Smith, one of several speakers at a colloquium held by Brown University's Information Security Group, marking National Data Privacy Day on Jan. 28.
While Smith said individuals' greatest privacy threat is the government's ability to track people in real time using cell phones, GPS, ATM transactions, automobile toll systems and the like, companies are increasingly pushing the envelope on personal data collection. He noted that Facebook Inc. founder Mark Zuckerberg and Google Inc. Chairman Eric Schmidt have disparaged privacy in an effort to downplay their companies' growing efforts to collect and monetize the often-private information their users share.
Attorney Steven J. McDonald, general counsel for the Rhode Island School of Design, said Facebook is the perfect example of a company that claims to care about the privacy of its users, while its actions suggest otherwise.
For instance, McDonald said the company goes to great lengths to publicize the privacy choices it provides its users, but in order to effectively safeguard their data, users must decipher well over 100 specific privacy options, which Facebook changes often.
Similarly, the company makes its privacy policy difficult to read and understand. McDonald noted that in 2005, Facebook's privacy policy was 1,000 words long. As of 2010, it had grown to 5,830 words; more than 1,000 words longer than the U.S. Constitution. Today, Facebook's privacy policy tops 9,000 words.
"It doesn't take 9,000 words to protect your privacy," McDonald said.
Enterprise CISOs and data privacy management
Brown University CISO David J. Sherry said he is among the many CISOs he knows whose organizations have charged them with data privacy management duties in addition to the traditional responsibilities that come with information security management. Despite an industry trend among large organizations to install a chief privacy officer to work alongside the CISO, Sherry said he's embraced managing both disciplines.
"Back when I first got into information security, it was about building a firewall and installing anti-malware. Now, it's a broader risk management environment. Privacy is just another new thing that's emerging," Sherry said. "Holistically, the way security and privacy officers think, it's the same mindset: It's all about protecting data."
Sherry said he's sought to augment Brown's information security program with new wrinkles that address data privacy. For instance, the Ivy League school's executive committee now holds a regular meeting that focuses on ways to foster processes that emphasize data privacy throughout the organization.
One of many byproducts of those discussions is the manner in which Brown now evaluates third-party contractors. Even when arranging something as seemingly inconsequential as a paper mailing to students, Sherry said that printing companies are queried about their backup capabilities, business continuity plans, and asked to provide assurance that sensitive data will be used properly and then returned or destroyed.
"Privacy is now a showstopper. If a contractor pushes back on us, we say we don't want to do business with them right now," Sherry said. "You'd be surprised how often they're willing to take another look" at their contract requirements.
Weak, outdated laws ease data privacy management
Fortunately for enterprises -- and unfortunately for consumers -- the weak and outdated jumble of privacy laws in the U.S. often help limit a private organization's liability when managing data privacy.
McDonald said privacy is regulated by the 4th Amendment, by acts of Congress in the Electronic Communications Privacy Act (ECPA), the Family Educational Rights Privacy Act (FERPA), and a variety of federal and Supreme Court decisions. Yet, these laws and decisions often contradict themselves, even in fundamental matters such as the definition of an electronic communication.
What makes all that moot, McDonald said, is contract law. By using legal disclaimers and privacy policies, and requiring consent on the part of users and customers, organizations can bypass virtually all laws on the books today instead of falling back on the private contract laws first created hundreds of years ago to forge legal agreements between two parties.
In other words, as long as someone has consented to grant an organization use of his or her data, whether they realize it or not, an organization can greatly limit its legal liability in the realm of data privacy.
"When it comes to contract law, consent is a defense," McDonald said. "We are giving up our privacy through contracts and ignoring any pretense of privacy law. It's really kind of a depressing scenario at this point if you care about legal protections for privacy, because there really aren't any."
Still, the speakers advocated for organizations to be good stewards of data privacy. Smith encouraged enterprise privacy managers to undergo their organizations' business processes as an outsider, such as calling the customer service line or using its website, to evaluate how it handles privacy in specific, real-world business situations.
"The 'golden rule' always works," Smith said. "See what it's like to be a customer. That'll give you perspective."
McDonald advocated for the concept of privacy by design, namely investing in what's needed to affirm data privacy when business processes are created and systems are built. He said fixing data privacy problems after the fact is always harder, more time-consuming and more expensive than planning for it beforehand.
"It's a pain… but if you think about it," McDonald said, "It's not that hard most of the time."