by Kristin Gallina Lovejoy, CTO, Consul Risk Management

Patchwork of Privacy Regulations

Mar 08, 2006 | 7 min read
Access Control, Compliance, CSO and CISO

Absolute privacy has never truly existed. Before the industrial revolution, mankind largely inhabited small villages where everyone knew everything about everyone else. The desire to remain isolated, or to maintain privacy regarding details of health and welfare, would have been regarded suspiciously.

With the onset of the industrial revolution and large cities, the concepts of anonymity and privacy took root. These philosophical concepts were born during this time, when governmental structures did not have the means to collect and maintain personal information on a consistent basis. In fact, individuals came to expect privacy as a right. Interestingly, the period in which humans experienced the greatest privacy was during these early years of the industrial revolution.

Today’s construct of anonymity and privacy is more in line with that of the pre-industrial age: the introduction of radio, television and the computer has turned the world into a “global village.” Attainment of anonymity is virtually impossible. Privacy, though still expected as a right, has gradually eroded in a world where information has become a commodity, and that commodity can be collected, processed, stored and retrieved at speeds unimaginable 50 years ago.

The Challenges

Today, in order to protect and enforce the right of privacy, we focus on data security. That’s our first self-imposed challenge. We talk about data security when we should be talking about information security. Semantics? Not really. “Data” is pervasive and has no intrinsic value. “Information,” on the other hand, does have value. Attempting to institute a data security model is like trying to design Utopia. Information security, by contrast, is achievable. Why is this important? Anyone who has ever worked with a security engineer understands that imprecise definitions quickly lead you down a rabbit hole.

Here’s a quick primer defining the terms: Data is an individual fact or multiple facts, or a value, or a set of values, but is not significant to a business in and of itself. Giving data context, or meaning, turns it into information. Without this context the data is useless to the business. Information is an aggregation of elements formatted in a way that allows the user to take action.

Our second challenge is that we have no idea what information is considered private and must therefore be secured. Let’s be truthful—information is a commodity, and its use and availability fuel the economy. What is needed is a more pragmatic approach to information security, which recognizes the value of the commodity, yet balances the individual right to have personal information maintained securely. Is this achievable? Yes. How? For starters, we must again define our terms. What information is worthy of protection? One of the biggest problems I see on the horizon is the patchwork of disclosure mandates being passed by the individual states.

These regulations often conflict with each other when it comes to defining private information. What does that mean for the consumer, and what does it mean for U.S. businesses, which must meet these local mandates? My fear is that both will suffer: the former because of unclear jurisdiction, and the latter because of the increased expense of regulatory compliance. This conflict impairs action.

What action is needed? My answer is implementation and adoption either by statute or via industry acceptance of an information protection framework by U.S.-based companies. This framework, which I describe below, should be based upon common definitions of privacy, identity and protected information. Instead of a patchwork of regulations, we need an omnibus protection act that not only institutes a requirement for the kind of information organizations must disclose and when, but also implements a “good governance model” for all businesses collecting protected information that allows a consistent, pragmatic approach to control.

What Is Information Protection?

Since terms like privacy, confidentiality and security often create confusion, the label information protection was coined to encompass the range of mechanisms that guide collection, use and disclosure of information. An information protection regulation is one that enforces the right of privacy by dictating, among other things, requirements regarding the maintenance of confidentiality, integrity and availability of protected data.

In general, information protection regulations require that organizations do the following:

1. Be accountable. Establish ownership and accountability within the organization for confidentiality, integrity and availability.

2. Identify and document purposes. Identify the reasons for obtaining private information from an end user; make those reasons available to the end user.

3. Ensure consent. Establish mechanisms for gaining consent of the end user before collecting private information.

4. Limit collection. Limit collection of private information to only that information you need for business purposes.

5. Limit use, disclosure and retention. Limit use and disclosure to the purposes for which you have gained consent. Limit retention of information to the time period specified by law and/or consent.

6. Ensure accuracy. Ensure that information collected is correct.

7. Implement safeguards. Implement administrative, technical and physical controls around information in order to ensure its confidentiality, integrity and availability.

8. Create openness. Create a culture of openness, so that if the confidentiality, integrity or availability of the information is breached in a significant way, the end user is notified.

9. Provide recourse. Present the end user with documented escalation policy and process.

In the United States, information protection mandates have generally had impact in certain market segments (e.g., HIPAA in healthcare and GLBA in banking). Examples of U.S. information protection laws include the Fair Credit Reporting Act (1970), the Electronic Funds Transfer Act (EFTA-1978), Health Insurance Portability and Accountability Act (HIPAA-1996) and the Gramm-Leach-Bliley Act (1999).

Will there be increased pressure to regulate, potentially even an Omnibus Information Protection regulation? Simply, yes. The question of privacy is pre-eminent in the minds of consumers and businesses alike. Everyone wants to enforce the right of privacy and develop controls to protect private information, but we don’t know what to protect or how. What elements associated with identity must be held private? Once you define that, how do you translate it into protection through technology? Again, we must start with what we need to protect. It is up to the government to define privacy and what constitutes private information.

In sum, the issue of privacy raises more questions than answers. What are we trying to achieve? The way we are trying to solve the problem, through state regulations, isn’t working. In fact, it appears that the entire world is trying to solve this, as evidenced by the range of legislation:

  • Federal Privacy Act (Australia) – 1988
  • Law of Personal Data Protection (Chile) – 1999
  • Personal Data Protection Act (Argentina) – 2000
  • Personal Information Protection and Electronic Documents Act (Canada) – 2001
  • Bill to Protect Personal Data (Japan) – 2001
  • Directive on Privacy and Electronic Communications (EU) – 2002

More recently, a Senate panel approved the Specter-Leahy Personal Data Privacy and Security Act (November 2005) to help consumers protect the privacy of their personal data and help ensure that laws keep pace with technology. The premise of this Act seems to be primarily, yet again, about alerting consumers. What we need are stronger steps to protect and enforce privacy.

The key is consistency. This patchwork of regulations is confusing and dilutes effectiveness. To counteract that, we must derive a common set of definitions for such terms as compliance, privacy, control, policy, IT security and information security. The next step is to adopt an information protection model that establishes a structure by which organizations collect and manage information to ensure privacy.

Indeed, the trend is moving from a consumptive economy, in which people use the Internet to get information, to a more productive one, including wikis, blogs, auctions, online banking and other interactive programs. That opens people up to greater privacy challenges by putting more “cooks in the kitchen.” So we’re tracking a moving target. As such, we need consistency in definitions and approaches at the very least.