Responding to growing pressure from privacy groups, California is poised to establish a new standard for how corporations use consumer data, and should it come to fruition, it will likely add to the workload of harried enterprise chief information security officers.
The Right to Know Act of 2013, also known as AB 1291, would, if passed, require companies to send consumers a report each year outlining how their personal information was used.
In the past few years, there has been a groundswell of interest in the U.S. and abroad regarding how to better protect consumer privacy. The European Union has been developing the EU Data Protection Regulation, which has a similar goal and includes a requirement that companies delete all instances of an individual’s information once a person makes that request. Domestically, the Federal Trade Commission has taken an interest in this area as well.
The American Civil Liberties Union of California, California Public Interest Research Group, Consumer Federation of California, Consumer Watchdog, Electronic Frontier Foundation, Internet Sexuality Information Services and the Privacy Rights Clearinghouse all support AB 1291. These groups think that businesses are collecting volumes of personal information about their customers and disclosing it in unexpected and potentially harmful ways.
Vendors, such as Facebook Inc. and Google Inc., and consortiums, such as the European Network and Information Security Agency, have opposed such laws for a variety of reasons.
"Regulations tend to increase the cost of doing business," said Pete Lindstrom, principal at Spire Security, an information security analyst firm.
Indeed, new business processes may be needed if AB 1291 and other proposals become law. The first step, Lindstrom said, is figuring out who will be responsible for developing additional privacy protection procedures.
"Privacy has often fallen onto security administrators' laps," Lindstrom said. "However, new job titles, such as chief privacy officer, and new business units have emerged as companies have tried to interact with customers more intimately."
Lindstrom added that corporations will need to be able to track how customer data is used, consolidate that information into new reports, and put mechanisms in place to share those reports securely with customers. They will also have to develop auditing functions to ensure the proper procedures are followed.
Laws tend to be quite broad, Lindstrom noted, and translating them into narrow business transactions can be challenging.
Throughout the infosec industry, the definition of personal data differs among organizations, and even from one mandate to another. Many firms collect data at the composite level rather than the individual level, and it is unclear how the California bill views data of that nature.
Security managers have been trying to stay on top of a long and ever-growing list of industry and government regulations. With the recent explosion in big data analytics, enterprises have been collecting, slicing and dicing personal data in new ways, often blurring the line between what consumers do and don't consider acceptable use of their data.
Though the prospects of AB 1291 remain unclear, the specter of new privacy regulation in California and elsewhere looms on the horizon. Lindstrom recommended that security professionals monitor these legislative actions in order to gauge the potential effects on their companies in advance of the passage of any law.
Paul Korzeniowski is a freelance writer specializing in technology issues. He is based in Sudbury, Mass. and can be reached at firstname.lastname@example.org.