22 January 2011

Digital Paradox: Privacy v. Security...

The media communications and advertising industries are buzzing over the new U.S. Federal Trade Commission report and framework entitled: Protecting Consumer Privacy in an Era of Rapid Change. The Operational Risk Management implications to your enterprise could be significant if you currently do not understand how your marketing department provides disclosures or manages consumer collected data. If you think that you are protected because you outsource to a 3rd party, then think again. The power to the consumer is increasing and the data privacy laws are playing a quick game of catch-up on regulation:

Scope: The framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.

Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.

With 500 Million plus people who are self-profiling themselves on Facebook these days, you might wonder if they even truly think about their privacy. See Controlling How You Share, Facebook
A variety of business models involve practices that fall outside the proposed “commonly accepted practices” category. These include, for example, a retailer collecting purchase information directly from a consumer and then selling it to a data broker or other third party that may be unknown to the consumer. Other examples include online behavioral advertising, in which an online publisher allows third parties to collect data about consumers’ use of the website, as well as social media services, where the service or platform provider allows third party applications to collect data about a consumer’s use of the service. In addition, as noted above, using deep packet inspection to create marketing profiles of consumers would not be a commonly accepted practice.

The new framework and the panel discussions around it have focused on the Operational Risks associated with collecting, storing and sharing data on consumers. The regulations that change going forward to assist in consumer protections and disclosures may not have much impact on whether consumers' "Personally Identifiable Information" (PII) is disclosed to nefarious transnational criminal syndicates without their permission.

If you are a U.S. government or military employee, you may have received notice lately from your PenFed Credit Union that you too may have your PII in the hands of people who will use it for monetary gain. The continuous loss of data by institutions has now been verified as just another criminal business enterprise run by organized crime and, in many cases, sanctioned by nation states. The data protection and data theft game is the modern equivalent of bank robbery, yet it is moving at the speed of electrons across fiber optic networks worldwide.

And now that this accelerating consumer issue of cybersecurity has made its way to The White House, one can only wonder what may change. The cost to business is now $204.00 per record, according to well-respected research by the Ponemon Institute. The MOU among DHS, the Department of Commerce and the Financial Services Sector Coordinating Council (FSSCC) remains the window dressing on another unfunded effort to deter the cyber plague before us.

There is no shortage of people reporting about the breaches (this blog included), the hacks and the data leakage via employees using peer-to-peer file sharing software within the walls of their Fortune 500 company or government agency. Some of the people disclosing this information are doing so with ulterior motives and rarely try to provide a potential solution to the problem.

So what can a PenFed or a major U.S. Government agency do to stem the tide of the growing digital tsunami of data thefts and transnational economic crime or acts of espionage? There is not one solution, nor is there ever going to be a day when it all comes to an end. Which brings us to the mindset shift that is necessary to make a difference.

The Security vs. Privacy legal topic is somewhere in the mix of the solution. The education of our digital natives at a young age is another. Many kids know how to type with their thumbs better than they can write a legible letter to their grandmother. And finally, the implementation of new technologies that will enable law enforcement to do their jobs more effectively.

Now back to the mindset shift. Cecilia Kang of the Washington Post reports:

As the United States looks at ways to better protect Internet users’ privacy, Europe is going through its own update of online privacy rules. The 27-nation European Union is taking a more aggressive approach to privacy by setting higher bars for how data can be collected on Web users.

European laws prohibit Web sites from tracking users without their permission. The E.U. is also weighing legislation that would let users delete all their information from a Web site, such as Facebook, and transfer data from one wireless provider to another without leaving profiles behind.

Viviane Reding, the vice president of the E.U. Justice Commission and head of privacy regulation, visited The Post on Wednesday to talk about her approach to protecting users in the age of Internet over-sharing. On Thursday, she is scheduled to meet with U.S. Attorney General Eric Holder to discuss ways the E.U. and U.S. can cooperate on safeguarding consumers' personal information, including data on travel and finances. The talks may also touch on the recent disclosure of classified documents by Wikileaks.