Patchwork of Privacy Regulations

Absolute privacy has never truly existed. Before the industrial revolution, mankind largely inhabited small villages where everyone knew everything about everyone else.

By Kristin Gallina Lovejoy, CTO, Consul risk management

March 08, 2006 — CSO —

Absolute privacy has never truly existed. Before the industrial revolution, mankind largely inhabited small villages where everyone knew everything about everyone else. The desire to remain isolated, or to maintain privacy regarding details of health and welfare, would have been regarded suspiciously.

With the onset of the industrial revolution and large cities, the concepts of anonymity and privacy took root. These philosophical concepts were born during this time-when governmental structures did not have the means to collect and maintain personal information on a consistent basis. In fact, individuals came to expect privacy as a right. Interestingly, the period where humans experienced the greatest privacy was during these early years of the industrial revolution.

Today’s construct of anonymity and privacy is more in line with that of the pre-industrial age—where the introduction of radio, television and the computer has turned the world into a "global village." Attainment of anonymity is virtually impossible. Privacy-though still expected as a right-has gradually eroded in a world where information has become a commodity, and that commodity can be collected, processed, stored and retrieved at speeds unimaginable 50 years ago.

The Challenges

Today, in order to protect and enforce the right of privacy, we focus on data security. That’s our first self-imposed challenge. We talk about data security when we should be talking about information security. Semantics? Not really. "Data" is pervasive and has no intrinsic value. "Information," on the other hand, does have value. Attempting to institute a data security model is like trying to design Utopia. Alternatively, information security is achievable. Why is this important? Anyone who has ever worked with a security engineer understands that use of poor descriptions quickly leads you down a rabbit hole.

Here’s a quick primer defining the terms: Data is an individual fact or multiple facts, or a value, or a set of values, but is not significant to a business in and of itself. Giving data context, or meaning, turns it into information. Without this context the data is useless to the business. Information is an aggregation of elements formatted in a way that allows the user to take action.

Our second challenge is that we have no idea what information is considered private and must therefore be secured. Let’s be truthful—information is a commodity, and its use and availability fuel the economy. What is needed is a more pragmatic approach to information security, which recognizes the value of the commodity, yet balances the individual right to have personal information maintained securely. Is this achievable? Yes. How? For starters, we must again define our terms. What information is worthy of protection? One of the biggest problems I see on the horizon is the patchwork of disclosure mandates being passed by the individual states.