So, here's what enterprises will want to keep an eye on in Washington D.C. for the upcoming year:
- Cybersecurity Legislation, which we expect to be along the lines of the pending bill proposed by Senator Joseph Lieberman in the 111th Congress, S. 3480, which would address both public- and private-sector cybersecurity;
- Do-Not-Track Registry for Web Activities: given the popularity of the National Do-Not-Call Registry, this is a tangible concept for consumers no matter how difficult it would be for industry to implement (and there have been recent statements by the FTC that such a registry could be created unilaterally by the agency);
- Privacy by Design, given recent statements by FTC Commissioners that privacy by design -- privacy considered during the R&D process -- is paramount to staying ahead of the technological curve (and is in line with efforts abroad);
- Greater Breach Notification Uniformity, in recognition of the angst that private industry is feeling over the current patchwork of sector-specific federal breach notification laws and breach laws in nearly all 50 states;
- Harm Standard: given FTC consumer protection chief David Vladeck's numerous statements that focusing solely on tangible harm -- the current protections against financial harm (identity theft), physical harm (stalking) and intrusions (spam and malware) -- leaves gaps in the life cycle of online information collection, we expect the FTC to discuss whether privacy protection should move from a harm-based standard to something closer to the European individual-rights model;
- Sensitive Information: we expect a statement regarding the categories of personally identifiable information that should not be collected at all (such as health data and sexual orientation), in keeping with the FTC's preliminary statement on this topic in its Behavioral Advertising Guidelines;
- Customer PII Access and Correction Mechanisms, which would be in line with EU privacy law and some U.S. laws;
- Behavioral Advertising: we expect continued discussion of Internet advertising issues before Congress or the FTC, and of whether this activity is best addressed through regulatory mandates or voluntary self-regulatory principles;
- Increased International Transborder Data Flow Cooperation, especially given the EU's differing approach to transborder data transfers and the continued dialogue regarding revisions to the U.S. Safe Harbor Program.
As we are all aware, the devil will be in the details of how each of these issues is addressed. Fine definitional points (such as the meaning of first-party collection or personally identifiable information), jurisdictional issues, and whether any new guidance would apply to both offline and online data will be important, heavily debated issues. Even with the Republicans now in charge of the House of Representatives, there is still ample support for privacy in principle. But in the months ahead we can expect a change in the tone of the debate: Republicans will be more suspicious of any proposed government enforcement mechanism that has the potential to stifle innovation.
Judith L. Harris, Christopher G. Cwalina and Amy S. Mushahwar are attorneys in the Data Privacy, Security and Management practice in the Washington D.C. law offices of Reed Smith LLP. Send comments on this column to firstname.lastname@example.org.
This was first published in December 2010