Legal: Security Regulation Is Coming

Let’s consider the problem first. It wasn’t until 1997 that credit cards could be “securely” used online. Obviously the definition of “securely” was rather subjective, but the consuming public was told to trust the new world of ecommerce. Ten years later, data breaches and related identity thefts are exploding in volume. Reported losses of sensitive personal data such as credit card numbers or financial information are up 40 percent, and in 2007 there were reportedly 446 breaches exposing over 128 million records. Since the very infancy of viable online commerce, there has been in the making a recipe for disaster. And that recipe begins with a little bit of self-indulgence, continues with a tad of self-regulation, is spiced up with a spoonful of regulatory intervention, and is consummated with a heaping helping of new laws.

Who controls the data?

And new laws are the ingredients of today, laws that will control the life of data. How important is control of data to the online world? Pretty important. Data lead to information. Information leads to knowledge. Knowledge is power. Power leads to cash, and cash is king! You would have thought, given the importance, that more attention would have been paid to preserving this asset over the past ten years. Every precaution should have been taken to avoid unwanted guests at the table.

The initial response to the risk came in the form of the PCI data security standard, an attempt by the major credit card brands to implement self-regulation. But data losses continued to mount. Then the FTC promulgated the “Behavioral Advertising Privacy Principles,” the government’s effort to gain some reasonable control over personally identifiable data being used for advertising purposes. At the same time, privacy advocates were pushing for the establishment of a “Do Not Track Registry” for online behavior tracking. Congress and state legislatures didn’t seem impressed by the new regulatory schemes, so they have jumped in with ideas of their own.

Anti-spyware legislation

The state of Washington passed the first “anti-spyware” legislation several years ago, and now Congress is today considering a similar law. You’d be surprised by the broad nature of the definition of “spyware.” There are proposed laws working their way through Congress requiring data breach notifications to those affected by data loss, strengthening “security freeze statutes,” restricting social security number transfer and publication, restricting the ability to maintain data, and requiring those responsible for data theft to reimburse financial institutions. Also, at the state level there are laws being considered that would require opt-in for data sharing and the establishment of “do not sell” lists for personally identifiable data.

What does today’s environment tell us? It tells us that we, as an industry, missed the boat. We missed the opportunity to self-regulate, to establish privacy policy standards with teeth, to establish data security standards and meaningfully enforce them, to buy and sell data and leads in a responsible way and treat the information as if it was our own, to be forthright about what data we are tracking, keeping, storing, sharing, packaging, using and selling.

So, we let the state legislatures and Congress into our kitchen, opened up our cupboard and fridge, led them to the oven and invited them to turn up the heat and start cooking. We’ll surely end up with some half-baked dishes. After all, they aren’t using our recipe. They brought their own, a recipe that includes a little bit of misunderstanding, seasoned with a touch of carelessness, invigorated with an infusion of privacy mania, shaken vigorously by special interests and lobbyists, and all for the ready consumption of the voters in an election year. The ecommerce business world, having not really offered an ounce of prevention, needs to be bracing for a pound of cure. And if you can’t stand the heat…

I’ll be looking at the need for pro-active self-regulation in the online world on other legal subjects in coming months. The Internet world is an environment in which exuberance sometimes displaces good judgment. Netizens love to test boundaries. We’ll look at where the boundaries are being drawn and the advisability of self-regulatory initiatives in avoiding another recipe for disaster.

The information in this article is not intended to be legal advice. Always consult your attorney when faced with legal issues.

John W. Dozier, Jr.
John W. Dozier, Jr.
Bio   •   RSS Feed