Will Regulators Dictate Privacy?Attorneys Say Lack of U.S. Legislation Fuels Regulatory Action
The failure to pass national privacy legislation in the U.S. hasn't stopped regulatory agencies from taking matters into their own hands - a pattern that will continue throughout 2013, says a panel of attorneys.
"In the U.S., progress and actually getting to legislation that's going to pass has been anemic," says attorney David Navetta during a roundtable discussion on legal trends with Information Security Media Group [transcript below].
"What I do see, though, goes back to the regulators taking action and putting out guidance documents," he says. "The biggest area where you're actually finding legal obligations starting to arise is coming out of the regulatory side of the equation, not the legislative side."
Attorney Lisa Sotto echoes Navetta's observations, saying regulators and individual states have taken the lead in the enforcement landscape. "The states are very active now," she says. "Not only is the FTC enormously active, but state [attorney generals] also are seeing this as an area where they want to play in a big way."
In part two of a five-part series of roundtable discussions, the attorneys talk about:
- Top privacy trends for 2013;
- Key global privacy initiatives, particularly in the EU;
- What the U.S. must do to keep pace.
About the participants:
Lisa Sotto is managing partner for New York-based law firm Hunton & Williams, where she focuses on privacy, data security and information management issues. She has earned a No. 1 U.S. national ranking for privacy and data security from Chambers and Partners.
David Navetta is co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee. He has been a keen observer of information security-related litigation, including financial fraud and state privacy laws.
Ronald Raether is partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patent; antitrust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes.
The remaining installments of this series focus on:
- The legal merits of 'hack back';
- Fraud litigation trends;
- Breach response best-practices;
- Top security/privacy issues of 2013.
Today's Top Privacy Threats
TOM FIELD: Lisa, what do you see as today's biggest threats to privacy?
LISA SOTTO: Not to harp on the same thing, but the question really does call for a similar response, and that's: Security vulnerabilities remain the biggest threat to privacy. If we think about privacy as the appropriate use of data, we can't even get to that question unless we can be sure that the data is appropriately safeguarded and that the integrity of data is remaining intact. We have perpetrators who really are criminals, specifically targeting people's data, seeking to commit identity theft and account fraud. I think that theme will certainly be continued in the mobile arena.
Now we're operating using 4x4-inch screens, and the same security measures are not necessarily as appropriate on the smaller devices as on the bigger devices. But I think we really don't have a sense of how to protect the mobile devices as well as we do the larger devices. I do think that mobile threats are going to be a theme that we're going to be hearing a lot of in the future.
Shifting a little bit away from data security, we're talking a lot in the privacy world about data uses by very legitimate actors that people may find offensive. For example, [there's] online behavioral advertising where your activity is being tracked across various websites as you're using your computer so that a profile is being formed about your IP address and you can then receive, presumably, ads that are targeted to your interest. We're hearing a lot about online behavioral advertising or targeted marketing, and this is being done so that companies can market more effectively. It's not a question of stealing data, or going to use data for identity theft purposes.
The other big theme that we're hearing a lot about this year is the concept of big data. Big data is interesting. It's not so very different from what we've been talking about for many years, which is data analytics, but the concept of big data really is data analytics on steroids and the use of data to analyze everything under the sun. [It's] considering issues using your instinct and then also backing that up with actual data and statistics. The data mining that we're seeing now is just enormously complex, very, very sophisticated, and the results are sometimes quite surprising when we see something backed up by the data.
Why is this an issue? In order to do the deep data mining and deep analytics, we have to have a lot of data, so the volume of data that companies are massing or purchasing is just absolutely out of whack with what had been maintained in the past by entities, and certainly the amount of data that we're producing as a society is extraordinary, and there are some statistics out there that make your head spin.
Big Data Issue
DAVID NAVETTA: I was going to add on the big data issue. One of the key factors of privacy I'm concerned about is not only the ability to crunch numbers on large volumes of data, but the combination of data from a lot of different sources now is being crunched in a way that allows organizations to know such detail about their customers to the point of when you go to Target and you're pregnant and you haven't told anyone, you're getting ads for certain pregnancy-related types of products. It's evolving not only from the online world, but it's going into the offline world as well. Online/offline mobility is all combined together such that you could argue essentially everything we do on some level is being recorded and analyzed and the feedback is in typical advertisements or massive profiles about ourselves.
Evolving Privacy Legislation
FIELD: Lisa, how has privacy legislation evolved?
SOTTO: Interestingly, in the U.S. I would argue that it hasn't. We've talked ourselves silly for the last few years. Last year, there were over a dozen pieces of federal legislation introduced and still we have very, very little. I think we're now consistently out of step with the rest of the world.
Outside the United States is a completely different story, and what we're seeing are enormous numbers of privacy legislation passing generally in the form of comprehensive omnibus data protection legislation. Even in places outside of the usual suspect countries like the U.S., Europe and Canada, we're seeing new laws passed in the Philippines and Singapore. This year, Taiwan and Malaysia's laws become effective, and of course the biggest story is the draft EU regulation. This is truly a seismic shift in the data protection world with it operating under the EU data protection directive since the 1990s and now there's a new proposal to change the rules from a directive, which needs to be implemented in each of the 27 members states into law, to a regulation, which would be a single rule that would be binding on all the EU member states.
There are many pieces of the EU regulation that are quite controversial. For example, there's a proposal right now to require 24-hour notification of data breaches and also a proposal for enforcement purposes to impose a fine of up to two percent of annual turnover, annual revenues, on a company if there's a violation of the data protection rules.
NAVETTA: I agree with Lisa that in the U.S. progress and actually getting to legislation that's going to pass has been anemic. It's just about talking back and forth, and the interest groups on both sides are entrenched in many ways. It's unclear whether we'll ever have it on kind of a universal basis in the U.S. What I do see though goes back to the regulators, the regulators themselves actually taking action and putting out guidance documents, for example California's privacy policies for mobile devices. It doesn't have a force of law that a particular statute might have. And even if it's called a guidance document, it still has impact in terms of legal standards.
I think the biggest activity or the biggest area where you're actually finding legal obligations starting to arise is coming out of the regulatory side of the equation, not the legislative side. This has been going on for a while. For organizations out there trying to figure out where they need to be in terms of compliance, it makes it difficult to know how to react to and how to implement these guidance documents and these regulatory dictates. That needs to go forward, and in the near future it's probably going to be the case that regulators are driving the agenda, not the legislators at the end of the day.
2013 Privacy Outlook
FIELD: Lisa, what are the issues that you're watching most as we head into 2013?
SOTTO: As I mentioned earlier, I think the EU regulation is absolutely on the top of everybody's radar screen. We need to watch that carefully, and we also need to watch privacy legislation in other countries around the globe. China has been talking about passing an omnibus privacy law for several years now and that certainly will be a dramatic change when that happens. We're also expecting this year new HIPAA regulations to come out of the Department of Health and Human Services. We've been waiting for those regulations for months or years now, so I do expect those to be coming soon, and I think there are going to be serious consequences for the healthcare industry and those that service the healthcare industry, the service providers that work with healthcare entities.
In addition, we're expecting a change in the Children's Online Privacy Protection Act. We're expecting new regulations to be issued with respect to COPPA and certainly that's long overdue because the landscape has changed so dramatically since COPPA was first enacted now many moons ago.
As I mentioned earlier, I think the mobile environment is really changing the way we think about privacy. The idea of providing an appropriate notice on a mobile device as to a company's information practices, and attempting to get informed consent on a 4x4-inch screen, is an antiquated concept. We will see the historically accepted notice in choice paradigm shifting over the next few years.
And as others have also mentioned, we're seeing a huge shift in the enforcement landscape. The regulators really are taking the lead. The states are very active now, so not only is the FTC enormously active, but state AGs also are seeing this as an area where they want to play in a big way. And it plays right into their constituencies because nobody is against privacy, so it works very well for state AGs to be pushing along these lines.
With respect to the FTC, we will be seeing the appointment of a new chairman and also a new head of consumer protection. The chairman has announced that he's leaving and the current head of the Consumer Protection Bureau, David Vladeck, also is anticipated to move on. So we're going to be very much reacting to the new appointments and those are going to be very important appointments.
Finally, I would point to plaintiff lawyers as an area to watch. Plaintiff lawyers have been bombarding the courts with privacy and data security cases, and certainly there has been a slow but very steady shift in how courts are responding to these cases. They're now moving. They're not being stopped at the pleading stage, so we will be watching those cases in 2013.