For large multinational companies, or even smaller outfits with modest aspirations of foreign expansion, the patchwork of global laws and regulations governing security and privacy can present a major compliance challenge.
It is small wonder then that a group of executives from major technology and finance firms, gathered at George Washington University’s law school for an event to mark Data Privacy Day, lamented the overlapping and often conflicting security and privacy landscapes their firms must navigate.
“I think that we still have quite a ways to go,” said JoAnn Stonier, global privacy and data protection officer with MasterCard Worldwide. “It’s really still a challenge, the lack of consistency.”
MasterCard, with operations in more than 200 countries, often finds itself dealing with regulatory or law enforcement authorities overseas who ask the credit card firm for a level of cooperation that would actually run afoul of that country’s own privacy restrictions concerning data sharing or other sensitive issues, according to Stonier. That puts the company in the strange position of educating a regulatory body about the rules and policies of its own country.
Paul Otellini, Intel’s president and CEO, echoed those concerns. In a pretaped video message prepared for Thursday’s event, Otellini touted the advances that private sector players have made in privacy and security, including his own firm’s efforts to embed security into the microprocessor, but acknowledged that “there is also a government role,” though still warning against overly prescriptive remedies that could curb the pace of innovation.
“Precisely because technology and the threats it faces are always changing, we need laws that protect individuals long-term. These laws and regulations ought to be technology-neutral. They should protect individuals even as our technology evolves,” Otellini said.
“And if it’s going to work on a global scale, the regulators of the world need to harmonize standards so that laws are crafted to go beyond a single market or a single country,” he added. “Cybercriminals do not respect borders.”
Stonier noted, cautiously, that she is “hopeful” about a gradual meshing of the legal and policy regimes: “I think we’re seeing regulators talk more.”
European Union Addresses Privacy and Security
Earlier this week, the European Commission took the first step in what could be a major overhaul of its own privacy and security policy frameworks, as European Union Justice Commissioner Viviane Reding unveiled a proposal to update the body’s 1995 Data Protection Directive, the set of privacy principles that has been the law of the land dating to the early days of the commercial Web. While many provisions in Reding’s proposal would differ dramatically from U.S. laws and regulations, they would seek to create consistency within the European Union. Although all 27 member states have adopted the 1995 directive, they have implemented it inconsistently, leaving firms with a presence across Europe dealing with different sets of rules.
Similar confusions can arise domestically. At the federal level, AT&T, like other major network providers, often finds itself making the same case to multiple agencies and members of Congress. On the regulatory side, the company has often sparred with the Federal Communications Commission on matters of oversight authority.
“It’s not always clear that they are coordinating or aware of their jurisdiction,” said Bob Quinn, AT&T’s senior vice president of federal regulatory affairs and chief privacy officer. “I don’t think the FCC views the limits of its jurisdiction the same way that I view the limits of its jurisdiction.”
“We would like some clarity in that area,” he added.
Then on the state side, companies of all industries are subject to a maze of laws stipulating different disclosure and notification requirements in the event of a data breach. Tech companies, including those on hand for Thursday’s event, have long campaigned for a national data breach law that would supplant the various state measures.
“It’s a lovely make-work exercise, but I’m not sure it really protects the consumer,” Stonier said. “One way to go would be a whole lot easier than what we have to deal with now.”
Several speakers also emphasized that the forced choice between privacy and security, long presented as opposing forces, is a false dichotomy. That pairing has recently come into sharp relief for many in the industry who have observed the rash of high-profile data breaches in recent years.
“Last year we realized that privacy and security are so tightly combined and there are so many ways people need to understand that privacy and security work together,” said David Hoffman, Intel’s director of security policy and global privacy officer.
Indeed, the privacy officials on hand said that at the organizational level, they work closely with both the security and legal teams within their companies.
Few—if any—companies in recent years have been more closely connected with privacy controversies than Facebook, which has also been tagged with numerous malware incidents and other security threats.
Facebook Is Misunderstood
“There’s a misconception that perhaps we’re not as thoughtful on all these issues as we are,” said Erin Egan, Facebook’s chief privacy officer for policy. Egan, a recent addition to the ranks of the social networking giant, said she was “blown away at the number of safety and security features” when she first met with the company’s security team.
“There’s so much that we’re doing day in and day out on the security side and the safety side,” she said. “They’re trying to innovate around privacy and security, which I think is fascinating.”
Egan, like the others, expressed her company’s support for a nationwide data breach law, though no one was willing to predict passage in this election-shortened session.
Many tech companies have also been pressing lawmakers to update privacy laws to account for new methods of computing and information sharing. In particular, they point to the 1974 Privacy Act and the 1986 Electronic Communications Privacy Act, governing statutes whose authors could not have envisioned the rise of Web services or cloud computing, yet which still define the policy framework those companies operate under.
“The laws in this area are tremendously out of date,” Hoffman said. “We need to be able to increase the ability of government and industry to work together to provide better cybersecurity and national security while still protecting privacy. The opportunities are there; we need to get some political will behind it.”
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.