The pilfering of the unreleased blockbuster Annie from Sony and its appearance on file-sharing platforms serves as a stark warning to companies in every sector of the economy that, when managing privacy and data security, it’s a hard knock life. While for several years companies and consumers have been blasé about breaches involving customer data, the loss of a Hollywood studio’s crown jewels, worth hundreds of millions of dollars, will undoubtedly get the attention of CEOs.
The year of the breach
Businesses in finance, retail, health and IT can bet their bottom dollar that tomorrow new security vulnerabilities and privacy risks will emerge. Who is the next adversary? Your guess is as good as any security expert’s. Betcha they're young; Betcha they're smart; Bet they collect things (like credit card numbers and log-in credentials). They can be disgruntled employees, mischievous hackers, hardened criminals, rogue nation states or, most disconcerting, a combination of all of the above. In cybersecurity, playing offense is much easier than constructing a good defense. An investment of hundreds of millions of dollars in secure systems can go down the drain when hackers operating a $200 computer find their way in; and they will.
This year has already been called the year of the data breach. Home Depot, JPMorgan Chase, Neiman Marcus and recently Sony paid a dear price for letting security vulnerabilities go unattended. Exactly a year ago, Target saw its holiday season sales plummet as the result of a data breach, which eventually cost the Fortune 50 company’s CEO his job. Recognizing the risks of cyber threats to the nation’s security and critical infrastructure, President Obama designated October 2014 Cybersecurity Awareness Month.
For privacy professionals, cybersecurity presents a conundrum. On the one hand, data security is a prerequisite for good privacy. As the FTC has asserted in case after case of Section 5 enforcement, privacy and security are two sides of the same coin. On the other hand, cybersecurity programs require intrusive monitoring of data infrastructure as well as the sharing of threat information not only among companies but also between the private sector and government. This presents formidable privacy risks, which have so far precluded Congress and the Administration from agreeing on cybersecurity legislation.
With cybersecurity risks mounting, Republicans consolidating power in Congress and nation states such as North Korea and Iran increasingly implicated in damaging attacks, expect the needle to turn toward CISPA-like data-sharing initiatives. It is therefore incumbent upon advocates of privacy and online freedom to ensure that the pendulum does not swing too far. A principled, measured response to cybersecurity threats would fare much better in the long run than an impulsive, gut reaction to a “cyber Pearl Harbor,” which former Defense Secretary Leon Panetta has warned the nation about.
Introducing data ethics
Another major development in 2014 was the realization that, for privacy, legal compliance is not enough. This year, companies discovered that just because their actions may be legal doesn't mean they're not stupid. Facebook’s foray into psychological research of (unaware) human subjects set off a firestorm of criticism. Most critics didn't care if an obscure phrase in Facebook’s data use policy alerted users to the possibility of being observed in a laboratory-like setting. The issue, in other words, wasn’t whether Facebook’s actions were legal but if they were ethical.
Facebook, of course, is not alone in researching big data. As Jules Polonetsky and I wrote in The Facebook Experiment: Gambling? In This Casino?, many companies are engaged in A/B testing to assess users’ reaction to subtle changes in interface design or delivery methods. Such testing has long been an essential means to create new products, improve existing features and to sometimes advance scientific research when breakthroughs are reported to the public. And the scope and degree of sensitive, sometimes provocative uses of data is only set to escalate with the advent of the Internet of Things, through which data touches individuals’ lives not only through mediated platforms but also in the physical world.
As a potential response to this ethical choke point, Ryan Calo suggested companies should create data ethics review committees, or consumer subject review boards, to vet data projects that involve innovative or surprising data uses. Such boards would address questions such as whether data research can be conducted without subject consent and, if so, whether subjects must be informed in retrospect; how to account for the possibility of harm and measure countervailing benefits to individuals and society at large; whether there are alternative mechanisms that could lessen the impact while achieving similar results; whether research can focus on vulnerable populations; and what are the guidelines for collaborating with academic researchers. To avoid concerns about transparency, such boards would comprise not only corporate insiders but also outside experts, whose expertise and compensation scheme would assure professionalism and independence.
Over the next few years, we can expect to see procedures and substantive rules develop for this brave new world of data ethics.
Privacy, jurisdiction and trade
Europe continued to scramble this year to push forward the comprehensive package reforming its data protection regulation. Like a massive snowball rolling down a hill, this 119-page piece of legislation has amassed sufficient momentum to make its way to its final destination, probably towards the end of 2015. But keeping it on track and in the right path continues to require a Herculean effort on the part of European policymakers, including the rotating Council presidency, the Commission and Parliament. As this process approaches culmination, consulting and law firms are rushing to increase capacity for what promises to be an avalanche of corporate demand for advice. Clearly, one way or another, lawyers and consultants will benefit greatly from the upcoming sea change in laws and regulations.
A major development this past year is the emergence of the Court of Justice of the European Union (CJEU) as a force on the global data protection stage. The CJEU, which in April 2014 invalidated the Data Retention Directive and a month later announced the existence of a right to be forgotten, is now charged with deciding the future of the U.S.-EU Safe Harbor arrangement, pursuant to a challenge by Austrian provocateur Max Schrems. The fate of the Safe Harbor has been debated extensively between the U.S. Department of Commerce and the European Commission over the past year. Working to operationalize the 13 requirements set forth by the European Commission in its November 2013 post-Snowden review of the arrangement, the two sides have repeatedly been at loggerheads around an issue that cynics say neither of them is even authorized to discuss: the access of national security agencies to private sector data.
As demonstrated by a recent Guardian report, building on additional Snowden revelations, neither side to the discussion has a monopoly on fundamental rights. Rather, with government surveillance and its implications for crossborder data transfers, privacy has been promoted (some say demoted) from a legal issue to a political one. The recent comments by Manuel Valls, Prime Minister of France, suggesting that the EU should balance the dominance of the U.S. tech sector through regulation as opposed to competition left little room for doubt about the transformation of data protection into a tool of industrial policy and trade negotiations. In this respect, both sides have engaged in jurisdictional overreach, with the Article 29 Working Party opining the right to be forgotten must extend to dot.com domains, and the U.S. government imposing on cloud vendors requests for information stored on foreign soil.
At some point, this jurisdictional struggle will come to a head. A Federal court of appeals will decide whether Microsoft must turn over data stored remotely in Ireland. European and American courts may have to decide a case dealing with the scope and reach of the right to be forgotten. And the future of the Safe Harbor, with or without a national security exemption, will be determined – until the next round.
Clearly, 2015 promises to be yet another thrilling year for privacy professionals.
If you want to comment on this post, you need to login.