« December 2010 | Main | May 2011 »

April 2011

04/13/2011

Does Data Integrity Promote Privacy?

Consumer Privacy Bill of Rights

Some codes of privacy say that the holder of personal data must take steps to ensure the “integrity” or “accuracy” of the data.

Why?  Such a requirement seems to interrupt the privacy of individuals.

Data Integrity Requirement

Consider Section 303, the “Data Integrity” section of the “Commercial Privacy Bill of Rights”  announced April 12, 2011 by US Senators John Kerry and John McCain: “(a) IN GENERAL – Each covered entity shall attempt to establish and maintain reasonable procedures to ensure that personally identifiable information that is covered information and maintained by the covered entity is accurate in those instances where the covered information could be used to deny consumers benefits or cause significant harm.” (emphasis added)

This Section 303 would give the holder of data an affirmative duty to keep its information about an individual up-to-date. To fulfill that duty the data holder would need to pester or check up on – or search for or track -- the individual. Pestering, checking, searching or tracking seems antithetical to an individual’s desire to be left alone.

In this age of information, each individual has relationships with thousands of commercial entities – merchants, websites, clubs, charities, magazines, advertisers, social networks, mobile app operators, online game impresarios and many others.  Technology is causing the number commercial entities having a relationship with any given individual to grow rapidly.  The growth will continue as new technologies like social media are invented.

Let the Relationship Come to an End

Very often, after establishing the relationship the individual is no longer interested in it and just forgets about it.  The individual desires to take no steps to terminate or opt-out of the relationship because those steps take too much time and attention. And very often today, the individual never hears about the relationship again.   The individual and the commercial entity just leave one another along . . . which achieves the goal of privacy.

Until now, in the US, the commercial entity has no obligation to keep its records accurate and up-to-date.

Still, the commercial entity maintains a record of the relationship.  The reasons for maintaining the record are numerous, including compliance with tax, warranty, customer service and consumer protection interests.

As a holder of the record of the relationship, the entity is ready to acknowledge the relationship and support it should the individual ever return. “Hello, Ms. Smith!” says the online game host. “Our records show that you have played cyberspace bingo with us in the past.  We are so glad you have returned to test your skills and luck.”

Proactive Updating of Records

But look what Section 303(a) purports to do.  It says the commercial entity must keep its records accurate, which means up-to-date. To do that, the entity must be proactive.  It must do something, such as send a periodic email, or place a phone call, or conduct some kind of Internet search. Imagine the automated phone call that says, “We are calling you today to update our files.”  Are not inquiries like this an annoyance and an encroachment on privacy?

Inaccuracy Promotes Privacy!

Oftentimes for an individual, outdated/inaccurate records actually promote privacy.   If Ms. Smith changes her email address and fails to notify a merchant with which she has a relationship, then the merchant cannot bedevil her with emails offering “discounts” and “sales” and “membership privileges.”

Granted, Section 303(a) does have limitations. One of the limitations is that it only applies if the inaccurate information would cause the individual to be denied consumer “benefits.”  Yet that is a meaningless limitation. Most any commercial entity will believe that the relationship it has with the consumer provides her “benefits.”  Among other things, the relationship enables the entity to reach out (via email, text message, postal mail, Skype chat or who-knows-what-is-the-next-medium-of-communication) to Ms. Smith and urgently notify her that next week cyberspace bingo winners will be given Kewpie Doll avatars that they can post on their Myspace pages!

The drafters should rethink Section 303.



Mr. Wright teaches the Law of Data Security and Investigations at the SANS Institute.

Related:  Influence of consumer privacy bill of rights on professional investigators

Posted at 01:30 PM in data protection, investigator, privacy | | Comments (0) | TrackBack (0)

Wright's Online SANS Education

My Photo

Blogger

  • Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

IT Administrators

Custom Professional Training

Important!

  • No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

    The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

    Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

    Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

    The only person responsible for Mr. Wright's words is Mr. Wright.

    Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

    Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

    Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

    Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

    Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

SANS Quote

  • Professional Education
    "The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

About

MY BLOGS HAVE LOADS OF CONTENT. SEARCH! ↓

Twitter

  • Follow benjaminwright on Twitter

Become a Fan

Benjamin Wright
Benjamin Wright

Find More on This Blog

Subscribe to this blog's feed