
Privacy is the New "It" Issue

It’s important for individuals and the enterprises with whom they do business to think twice before either sharing or collecting confidential information.

Much of the intellectual energy in telecom policy circles has floated around the challenges posed by the concept of Net Neutrality as cases and challenges worked their way through academic, policy and judicial systems. However, this summer, much of the thoughtful discourse has moved on to the very challenging issue of privacy, which affects almost every single American (or connected global resident) in a way that's potentially more acute and certainly more real than any discussion of Net Neutrality has ever been. In fact, as commerce and information generally continue to migrate online, increasing amounts of private information are "out there," just waiting either to be accessed appropriately by those who need to know, or accessed inappropriately by those who can use the information for their own ends (legal or not) without proper notification and/or consent.

I had my annual physical this week. When I went to check in, the receptionist asked me if I wanted access to the practice's online portal. I thought about it (I'm still thinking about it, truthfully) and said "yes." She told me that if I signed up, I could get prescription renewals and test results, as well as make appointments online. This sounded convenient, so I took the personalized letter that the receptionist had for me, containing a complex password that is unlikely (not impossible) to identify. Nonetheless, I haven't decided yet whether I want electronic access - not because I don't value the convenience, but because I'm not sure that information that I consider to be very private would stay that way, either as a result of a breach or attack at the medical practice or at the location where I store my own data ... but I digress.

The Federal Trade Commission is the governmental entity that is charged with handling issues of consumer protection (for more information, see the FTC website). Both this summer and last, FTC Chair Edith Ramirez gave speeches at the Aspen Institute where she highlighted the key issues posed by big data and privacy. She identified five risks of big data:

1) Indiscriminate data collection
2) Ensuring consumer choice regarding data collection
3) Breach
4) Profiling
5) Data determinism

Because space and time are limited, I will address only the first three.

The challenge of indiscriminate data collection has two separate prongs: data collection itself and the use of the data once it has been collected. There are those who argue, with some force, that data is the ultimate--and most useful--raw material that exists today. This is undoubtedly true. It's just that I'm not sure how many of us want to ALWAYS share all of our information with the world.

The second prong of this issue is how the data that has been collected is used. There is an unfathomable amount of information out there. The important question is: what information is important or relevant? As with any other resource, not all data is valuable. Simply collecting and holding all accessible information on the off chance that it might be useful someday seems not only ridiculous, but intrusive.

According to Commissioner Ramirez, "The First Commandment of data hygiene is: Thou shall not collect and hold onto personal information unnecessary to an identified purpose." (see "The Privacy Challenges of Big Data: A View from the Lifeguard's Chair"). Commissioner Ramirez continued, "keeping data on the off-chance that it might prove useful is not consistent with privacy best practices." No kidding.

How does a consumer know first that his/her data is being captured and retained, and what can a consumer do to protect his/her information? Although I'm not thrilled when a store knows my shoe size based on a profile of my shopping or searching preferences, I'm outraged to think that some random person could obtain access to my medical records. Those in the data mining business argue that what should be restricted is the use of data once it's been collected, while others argue that it's the collection of the data in the first place that creates the problem. In many cases, consumers have no opportunity to deny permission to those seeking to share their information--they don't know that it's happening at all.

The Fair Credit Reporting Act has been repeatedly amended and enhanced since its original adoption in 1970. It provides some use restrictions on collected data, although like any legislation (think of the adage that you never want to see legislation or sausage made), it's not perfect. It does give the FTC some tools to go after bad actors, but its power to address the challenges posed by unbridled access to and use of collected data is limited. A 2012 report on privacy published by the Federal Trade Commission recommends that "businesses should provide simplified choice before collecting consumer data for practices that are inconsistent with the context of the transaction or the company's relationship with the consumer, unless specifically authorized or required by law." Recommendations are a positive step, but they are often without the teeth that enforcement capability provides.

If you shopped at Target in late 2013 and used a credit card, you understand the risks caused by a data breach. Because of Target's large customer base, it was--and continues to be--an excellent target for those who want access to useful information like credit card numbers. As Commissioner Ramirez has said, "with big data comes big responsibility."

Between the time that Target first became aware of unauthorized access and today, Target has spent $61 million on costs related to the cybertheft of data in November and December of 2013. It has also said goodbye to its CIO and CEO, and while its stock price is inching back up, it has taken a significant hit as a result of the breach. While Congress has been urged by the FTC to enact legislation, and while it can be hoped that others situated similarly to Target will beef up their own cybersecurity measures, the risks remain looming and large.

With this in mind, it's important for individuals and the enterprises with whom they do business to think twice before either sharing or collecting confidential information. As Commissioner Ramirez wryly commented, "information that hasn't been collected can't be misused."