« Appellate Court Upholds Hacking Conviction for Misusing Workplace Computer | Main | Nice Win for Online Publishers in Ninth Circuit Today »

May 05, 2009

Federal Proposal Could Bolster Trust in Online Business

The House Energy and Commerce's Subcommittee on Commerce, Trade, and Consumer Protection is holding a hearing this afternoon on the Data Accountability and Trust Act (H.R. 2221), an information security measure.

Among other things, H.R. 2221 would authorize the Federal Trade Commission to issue regulations setting out a baseline level of information security for U.S. businesses that handle personal information (basically, every business).

Businesses would also be required to publish an FTC-approved "security policy" outlining the procedures they have in place to secure personal information in their possession. Topics covered by the "security policy" are "the collection, use, sale, other dissemination, and maintenance of ... personal information." So, for all intents and purposes, H.R. 2221 is mandating a privacy policy as well.

Few Privacy Supporters in Washington

Information-dependent businesses are reflexively opposed to privacy/security legislation like H.R. 2221. Privacy and security obligations create financial burdens, the benefits are enjoyed by somebody else assuming there are any benefits at all, laws on technology create straitjackets that restrain innovation, etc. I wonder if we haven't reached the point where anti-legislation views should be reconsidered. Online, this is already happening, with Microsoft, Google and even AT&T publicly stating they support some form of privacy legislation.

Elsewhere, however, support for yet-another-business-regulation is tepid. Yet, I wonder, is the current lightly regulated market in personal information really working for businesses or consumers? Consumers cannot meaningfully determine which businesses can be trusted to care for their personal information. Nor can consumers be sure that businesses they do trust will not transfer their data to less-trustworthy business partners. The lengthening list of data breach incidents publicized each year is a testament to the poor state of information security practices in many sectors of the economy. The patchwork quilt of self-regulatory codes, best practices documents, "Trust Me" Web icons, lawyerly advice, and state-law schemes has failed to produce the sort of trust that nearly everyone says is necessary for a healthy online business environment.

Thinly Veiled Distrust of Data Brokers

The feeling that businesses can not be trusted to care for sensitive personal information has crept all the way to the New Jersey Supreme Court, which held last week in Burnett v. Bergen County, N.J., No. 43-08 (N.J. April 27, 2009), that a large commercial data broker was not entitled to obtain several years' worth of real estate records under the state's open records act because many of those records contained social security numbers. The plaintiff wanted to create a commercial, searchable, online database with the records. And it wanted them unredacted--i.e., with the social security numbers included. The court announced a balancing test that weighed individuals' rights of privacy in their social security number against the policy favoring release of public documents and the risk of harm created by their release.

Social security numbers were not required on the real estate records covered by the data broker's request; unfortunately, they were frequently included anyhow. (Since 2005, New Jersey has forbidden the inclusion of social security numbers on real estate documents required to be publicly recorded.) "But for the [social security numbers], the documents are plainly subject to disclosure," the court said.

The court's opinion, by my reading, was redolent with distrust for the plaintiff's intentions as well as its ability to properly handle the public records it was requesting.

Real Danger of Identity Theft. The court held that the state's open records act recognizes a privacy interest in social security numbers, due in large part to the danger of identity theft and financial harm that could arise if the numbers are mishandled. The court chided the plaintiff for suggesting that misuse of social security numbers contributed in only a small way to identity theft: "Identity theft is real, and it is directly linked to the misuse of exposed or stolen SSNs. Plaintiff's plan to place documents containing SSNs in a centralized, easy-to-search computer database presents just such a risk."

Individuals Lack Ability to Protect Themselves. Interestingly to me, the court treated the release of the social security numbers to the plaintiff as if it were a data breach incident:

There is simply no practical way to give advance notice to an untold number of citizens whose personal identifiers would be disclosed under the pending [open records law] request. Some of them filed documents a quarter century ago. None have reason to expect that their SSNs might now be sold for inclusion in a searchable, computerized database. As a result, those individuals would not know to request that their SSNs be deleted before they are disseminated more widely.

No Assurance of Proper Safeguards. Nor would there be any "meaningful control" over the records once they were released to the plaintiff, the court complained. "Nothing would prevent the plaintiff's paying customers from using the database for inappropriate purposes. Also, nothing would prevent plaintiff from reselling its searchable database or placing it on the Internet if its marketing approach were to change."

Commercial Purposes Don't Count for Much. Finally, the court treated the plaintiff like a second-class citizen under the open records law. The purpose of the open records law is to maximize public knowledge about public affairs and to ensure an informed citizenry, it said. "Neither of [the open records law's] goals is furthered by disclosing SSNs that belong to private citizens to commercial compilers of computer databases," the court said. "Were a similar request made by an investigative reporter or public interest group examining land recording practices of local government, this factor would weigh differently in the balancing test."

This case might have gone the other way if (1) there were better security controls on the information requested by the plaintiff, (2) the affected individuals had some control over their information, and (3) court had some assurance that the information released would be put to a lawful purpose. If I were in the information business, I'd be concerned that this court thinks I can not be trusted with somebody else's social security number. (I didn't see any evidence in the court's opinion that the plaintiff had defended its information security practices or otherwise tried to alleviate the court's concerns.) Legislation like H.R. 2221 could go a long way toward solving the trust problem the industry has with this court ... and with Congress too.

Follow me on Twitter at @bnatechlaw

Posted by Thomas O'Toole on May 05, 2009 in Privacy |

Technorati Tags: , , , , ,

Comments

The comments to this entry are closed.

Subscribe to this blog's feed

Twitter Updates

    follow me on Twitter

    Recent Posts

    Recent Comments

    Notice to Subscribers

    Categories

    Archives

    More...

    Copyright

    About