Will Regulators Dictate Privacy?

Attorneys Say Lack of U.S. Legislation Fuels Regulatory Action

By , January 17, 2013.
This panel of attorneys says U.S. regulators and states will step in to enact privacy controls.

The failure to pass national privacy legislation in the U.S. hasn't stopped regulatory agencies from taking matters into their own hands - a pattern that will continue throughout 2013, says a panel of attorneys.

"In the U.S., progress and actually getting to legislation that's going to pass has been anemic," says attorney David Navetta during a roundtable discussion on legal trends with Information Security Media Group [transcript below].

"What I do see, though, goes back to the regulators taking action and putting out guidance documents," he says. "The biggest area where you're actually finding legal obligations starting to arise is coming out of the regulatory side of the equation, not the legislative side."

Attorney Lisa Sotto echoes Navetta's observations, saying regulators and individual states have taken the lead in the enforcement landscape. "The states are very active now," she says. "Not only is the FTC enormously active, but state [attorney generals] also are seeing this as an area where they want to play in a big way."

In part two of a five-part series of roundtable discussions, the attorneys talk about:

  • Top privacy trends for 2013;
  • Key global privacy initiatives, particularly in the EU;
  • What the U.S. must do to keep pace.

About the participants:

Lisa Sotto is managing partner for New York-based law firm Hunton & Williams, where she focuses on privacy, data security and information management issues. She has earned a No. 1 U.S. national ranking for privacy and data security from Chambers and Partners.

David Navetta is co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee. He has been a keen observer of information security-related litigation, including financial fraud and state privacy laws.

Ronald Raether is partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patent; antitrust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes.

The remaining installments of this series focus on:

Today's Top Privacy Threats

TOM FIELD: Lisa, what do you see as today's biggest threats to privacy?

LISA SOTTO: Not to harp on the same thing, but the question really does call for a similar response, and that's: Security vulnerabilities remain the biggest threat to privacy. If we think about privacy as the appropriate use of data, we can't even get to that question unless we can be sure that the data is appropriately safeguarded and that the integrity of data is remaining intact. We have perpetrators who really are criminals, specifically targeting people's data, seeking to commit identity theft and account fraud. I think that theme will certainly be continued in the mobile arena.

Now we're operating using 4x4-inch screens, and the same security measures are not necessarily as appropriate on the smaller devices as on the bigger devices. But I think we really don't have a sense of how to protect the mobile devices as well as we do the larger devices. I do think that mobile threats are going to be a theme that we're going to be hearing a lot of in the future.

Shifting a little bit away from data security, we're talking a lot in the privacy world about data uses by very legitimate actors that people may find offensive. For example, [there's] online behavioral advertising where your activity is being tracked across various websites as you're using your computer so that a profile is being formed about your IP address and you can then receive, presumably, ads that are targeted to your interest. We're hearing a lot about online behavioral advertising or targeted marketing, and this is being done so that companies can market more effectively. It's not a question of stealing data, or going to use data for identity theft purposes.

Follow Jeffrey Roman on Twitter: @gen_sec
