
Hopefully my foggy crystal ball outperforms the 12/21/12 Mayan prognosticators. 2013 promises to be a landmark year as it relates to the privacy and security of consumer information. Specifically, we will see increased complexity of breaches and elevated enforcement action but no meaningful federal privacy legislation. New technologies and business models will alter the risk posture for consumers as businesses seek to maximize big data revenue potential. It is through that lens that I forecast privacy and security challenges for businesses, privacy professionals, security practitioners and ultimately consumers who tend to have the most at stake but the least leverage. And now, the Second Annual Top 10 Privacy Trends, 2013 rendition.

10. Big Data, No Diet in Sight

Yottabytes of personal data have already been collected. I like to think that it is used for legitimate business purposes. OK, in case you don’t wear a pocket protector, traditional storage units go from bytes, to kilobytes, all the way up to yottabytes! The fact that a yottabyte holds 10^24, or 1,000,000,000,000,000,000,000,000, bytes of data isn’t important. The fact that we already have terms for storing that much personal data is alarming. This includes data collected by the government. For example, The New York Times reported that the National Counterterrorism Center (NCC) has a program to copy and analyze government files on U.S. citizens (e.g., casino lists, U.S. residents hosting foreign exchange students, flight records) for signs of possible criminal behavior. Didn’t Jack Bauer work for the NCC?

9. Your Privates Are Public

Consumers will continue to display a willingness to give up privacy for convenience. Consumers will skip the lengthy privacy policies and terms and conditions, and just click “Accept.” But in their defense, I recently read such a notice on my iPhone 5, and even with the larger 16:9-ratio, four-inch retina screen, the disclosure was still 37 screens long! While reading the disclosure, my eyes glazed over just past the “giving up my first born” clause.

8. Shussh, We’re Hunting Wabbits

Tracking is lucrative: monitoring where you are, what you purchase and where you are when you make purchases enables effective marketing. Even Mickey Mouse is aggregating your vacation data. Disney’s new MagicBand is Big Data on steroids. Guests on property no longer need park tickets, hotel room keys, attraction express passes or even credit cards. Instead, the MagicBand has an embedded RFID chip; simply wave it past a reader. Nice, my kids can buy bottled water without my credit card. (Take off mouse ears, put on privacy hat.) They are using RFID chips to track you, your kids, your spending habits, your location, how long you spend dining, what time you get back to the hotel, etc.

7. A Face Only a Mother Could Love

Expect technology and innovation to continue to outpace regulations. For example, Facedeals, developed by Redpepper, uses strategically placed cameras to scan your face, correlate it with your buying patterns and offer you tailored discounts by sending coupons to your smartphone while you are in the store. It raises some interesting philosophical questions. Can they offer deals to minors? Can government officials or police tap into the system to find people of interest? Will the system record co-shoppers? Imagine the guy shopping with his girlfriend, only to have his wife see the correlation. Anyhow, passive facial recognition is only one example. Your smartphone is really a tracking device that just happens to double as a phone.

Predictions 2013
By Kirk Nahra, CIPP/US

  • The plaintiffs’ class-action bar will continue to hammer away at the “no damages” line of cases in potential privacy and security breach situations. They will get some help from the FTC, which will pursue cases from an enforcement perspective that entails broader concepts of consumer harm. But, for class-action litigation, the non-damages line will continue to hold strong, absent very unusual cases where identifiable harm occurs.
  • Mobile devices will become an enormous continuing problem for companies in virtually all industries, as the tension between ease of use and data security will create real ongoing problems.
  • Similar issues will arise about the cloud—the appeal, from an economic perspective, will directly collide with data security and privacy concerns.
  • Although no one really knows what the eventual EU rules will look like, companies across the globe will overreact over the next few years and increasingly try to impose draconian contractual provisions in a wide variety of circumstances.
  • Enforcement will increase in a meaningful but not enormous way, both in number of cases and severity of sanctions.

Kirk J. Nahra, CIPP/US, is a partner at Wiley Rein LLP in Washington, DC.


6. Belt and Suspenders

Keeping our breaches up: the belt-and-suspenders, dual-control approach isn’t sufficient to protect personally identifiable information (PII). Breaches and stealthy, sophisticated extractions of data continue to increase. Ponemon reports that 94 percent of hospitals polled suffered a data breach in the past two years. Recall the HITECH/ARRA promises of saving billions in healthcare costs? One of the premises behind the projected cost savings is requiring protected health information (PHI) to be stored in a specific electronic format. No privacy concerns here, unless you recently visited www.privacyrightsclearinghouse.com. Of the 606 million records reported lost or stolen since 2005, 24 million contained PHI.

5. The Biggest Loser: The Losses Continue To Mount

Many employers still lack proper controls for Bring Your Own Device (BYOD) tablets, smartphones and USB drives. Plus, already ubiquitous mobile applications continue to proliferate, and so do their vulnerabilities. But what data can be gleaned from a phone? Contacts, Facebook details, calendar entries, geolocation. Oh, and blood pressure, cholesterol and blood glucose levels. Really? Yes. For example, last year the FDA approved a smartphone-mounted blood glucose meter application. Anyhow, portable media will continue to be the number-one source of data breaches. OK, I didn’t use my crystal ball for this one; I used a rearview mirror.

4. Show Me the Money

The healthcare industry will continue to see additional scrutiny and regulatory oversight. Expect more fines and settlements. After all, the HHS HIPAA audits were only funded for 2012; ongoing programs need to be self-funding. Keep in mind HITECH included business associates.

3. Mobile Privacy

We already covered smartphones, but what about the trend of wireless medical devices? For anyone who hasn’t recently been in a surgery suite, excluding those under general anesthetics, mobile technology significantly improves the surgeon’s ability to treat patients. Many of these devices use wireless technology, and many run on Windows platforms. Fortunately, they are FDA-approved; unfortunately, patches often can’t be applied because the FDA won’t allow timely changes. What devices? Drug dispensers, insulin pumps, heart monitors, etc. So, you are saying some hacker in Pakistan may be able to exploit known security vulnerabilities because the patches are not applied?

2. Forecast – Mostly Cloudy

More data will be migrating into the stratosphere. HITECH’s Meaningful Use expedites the migration. OK, no crystal ball needed here, but the troubling part: In a 2010 Ponemon survey, only 31 percent of hospital officials reported they have confidence in preventing and detecting patient data loss. So to recap, regulatory requirements are hastening the migration of everyone’s medical information into large databases that their own business owners are far from confident are secure. The data is often used for medical fraud and identity theft. That may explain why when my wife went to the doctor last month for her annual checkup, her medical records stored in the cloud indicated she is recovering in Albania from her vasectomy.

And the #1 Privacy Trend for 2013: Summer 2013

Some things never change; as security controls improve, end users continue to be the weak link. Passwords like “summer13” will be used by seven percent of the population. How many times have I seen the chief information security officer and privacy officer dutifully implement hundreds of thousands of dollars of security controls, only to have my team ethically hack their network in less than two hours? The CPO asks, “We have everything locked down. How did you get in?” Our ethical hacker responds, “I gained access using the password ‘summer13.’ Just so you know, we hacked in last year using ‘summer12.’” Looking forward to “Summer 2014.”
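The season-plus-year pattern behind “summer12,” “summer13” and “Summer 2014” is easy to screen for at password-change time, which is where a defender can break the cycle. This is an added example, not code from the post; the season list, the separators it tolerates and the 1970–2099 year window are assumptions.

```python
import re
from typing import Optional

# Season words to screen for (assumed list; extend for local languages as needed).
SEASONS = ("spring", "summer", "autumn", "fall", "winter")

# season word, optional separator or symbol, a 2- or 4-digit year, optional trailing symbols
_PATTERN = re.compile(
    r"^(?P<season>" + "|".join(SEASONS) + r")"
    r"[\s._\-!@#$%*]*(?P<year>\d{4}|\d{2})[!@#$%*.?]*$",
    re.IGNORECASE,
)


def _expand_year(digits: str) -> Optional[int]:
    """Turn '13' or '2013' into 2013; return None when the number does not look like a year."""
    year = int(digits)
    if len(digits) == 2:
        year += 2000 if year < 70 else 1900  # '13' -> 2013, '99' -> 1999 (assumed cut-off)
    return year if 1970 <= year <= 2099 else None


def season_year_reason(password: str) -> Optional[str]:
    """Explain why a candidate password matches the season+year pattern, or return None."""
    match = _PATTERN.match(password.strip())
    if not match:
        return None
    year = _expand_year(match.group("year"))
    if year is None:
        return None
    return f"season '{match.group('season').lower()}' + year {year}"


def screen(candidates) -> dict:
    """Map each rejected candidate to its reason; candidates that pass are omitted."""
    rejected = {}
    for candidate in candidates:
        reason = season_year_reason(candidate)
        if reason:
            rejected[candidate] = reason
    return rejected


if __name__ == "__main__":
    # Constructed sample candidates, including the post's own "summer12"/"summer13".
    sample = ["summer13", "summer12", "Summer 2014", "Winter!2013", "fall99", "summer", "correct horse battery"]
    for candidate, why in screen(sample).items():
        print(f"rejected {candidate!r}: {why}")
```

Wire `season_year_reason` into the password-change path (or run `screen` over a hashed-password audit's cracked results) so the seasonal guesses are rejected before an assessor tries them.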

In conclusion, Big Data gets bigger; the cloud expands, all while data owners question the security of the data. As a consumer, I am concerned because I am unsure of the amount of data collected, the correlations of big data and how it’s protected. As a privacy professional, I am concerned because businesses may be trying to do the right thing with the safeguarding and usage of data, but competing business priorities and complexities of data protection are daunting. The win-win paradigm has security and privacy professionals working with their business executives to employ constraints on the insatiable appetite for collecting yottabytes of PII while improving the security controls.

Editor’s Note: For more predictions on what the year ahead could mean in the privacy sphere, see “2013 to be the year of mobile regulation?” by Phil Lee, CIPP/E.

Written By

Brian Dean, CIPP/US

