Leadership Laboratory

Leadership Lab: Information Technology and the Law

This series of essays explores the many aspects of technology law relating to computer and information security.

Let Credit Card Industry Allocate Data Security Risks by Negotiation - March 12th, 2007
Data Thefts - Give the Public the Disclosure It Seeks - March 22nd, 2007
Network Neutrality - Updated July 3rd, 2007
Can Cyber Criminals Consent to Being Watched and Foiled? - May 14th, 2007
The Dangers of Too Much Data Privacy - May 28th, 2007
New Merchant Liability for Losing Credit Card Data - June 14th, 2007
ChoicePoint Marked New Era in Data Security Law - May 31st, 2007

The Dangers of Too Much Data Privacy

May 28th, 2007
By Philip Alexander


Data privacy is a real hot topic nowadays. Thirty-six states plus Washington D.C. have passed data privacy laws requiring that companies notify consumers if their personal data has been stolen. In addition to the disclosure laws, there is an abundance of laws restricting the use of social security numbers, credit/debit card numbers and other types of sensitive information. The federal government has passed its own set of laws including HIPAA, SOX, GLBA and more that require companies to protect the privacy of the non-public personal information that they have from all of us. On the whole, this is a very good thing. Nobody wants to be the victim of identity theft or get unwanted solicitations. How many of us would love to cut out even half the amount of junk mail we receive on a regular basis? The problem has gotten so bad that some companies now offer services to protect consumers from identity theft.

The private sector, as a whole, has not always been a responsible steward of the non-public personal information that is entrusted to it by the public. It is axiomatic that when the private sector fails to act responsibly, the public sector will enact regulations to mandate changes in behavior. The volume of highly publicized data breaches and the accompanying public outcry are at least partially responsible for the stampede of data privacy laws passed in recent years.

The issue is that a certain amount of data sharing is important. Businesses routinely send personal financial information about all of us to the credit bureaus (Experian – Equifax – TransUnion). The bureaus assign us our credit scores, and companies use that information in deciding whether or not to lend us money for major purchases such as cars, homes, etc.

Here’s the problem: there is such a thing as too much data privacy. A certain amount of responsible data sharing is important to reduce fraud, combat terrorism and fight crime.

Financial institutions combat fraud by sharing information about people who are going from one bank to another committing illegal acts such as trying to pass checks. In an effort to combat terrorism, banks are required to notify the federal government when certain transactions meet the guidelines that are deemed suspicious by law.

Too much data privacy can even be deadly. Seung-Hui Cho massacred thirty-two people at Virginia Tech. The incident happened despite the fact that he had serious mental problems and was considered very dangerous. This tragedy might have been avoided if the aforementioned type of information was included in the normal background checks that are performed when somebody tries to purchase a firearm. The precise nature of the mental condition wouldn’t have to be disclosed, just the fact that the person was not eligible to purchase a gun. To take matters to the next logical step, the attempted purchase itself should send an alert to the authorities if the person has been advised they are forbidden from owning a gun. If the attempt is a violation of the conditions of parole, the person should go right back to prison.

The federal government is currently considering passing more data privacy laws. As they conduct their deliberations, they need to keep in mind that the bad guys thrive on secrecy. All levels of law enforcement need to be able to freely and responsibly share information about criminals. For example, as a parent, I want my school district to be able to know that somebody who was arrested for child molestation in another state is now applying for a job at a school where my kids attend! If somebody is wiring money out of the country from several different bank accounts, that information needs to be captured and submitted to the authorities. Such activity is not normal and is an indication of possible illegal activity worthy of investigation. Just as bright light will flush out rats, shining the light on the bad guys will send them running too. We can’t afford to let criminals and terrorists operate in the shadows.

Philip Alexander is an Information Officer for a major financial institution and the author of the book Data Breach Disclosure Laws: A State-by-State Perspective published by Aspatore Books. Write him at pmalexan@cox.net.