Part 4: Data Security
On Friday, Feb. 27, the Obama administration unveiled a proposed Consumer Privacy Bill of Rights that would require “covered entities” to be more transparent in privacy practices, and provide individuals certain rights aimed at helping them understand how their information is collected, used, and shared. It would also require covered entities to take certain measures to secure personal data.
As referenced in Part 1 of this series, personal data would include data that is not publicly available and linked or linkable to a specific individual or to a device associated with or routinely used by a specific individual.
Covered entities would be required to reasonably assess the existence of any risks to the privacy and security of personal data. They would also be required to put reasonable safeguards in place to prevent the compromise of personal data, and to regularly assess the sufficiency of those safeguards. The proposal would create a risk-based analysis to determine the reasonableness of the preventative safeguards. This would involve a review of the degree of privacy risk to the data, the foreseeable security threats to data, “widely accepted practices” in information security, and the cost of implementing and regularly reviewing the safeguards. It would require all businesses to develop and maintain operational information security programs, document their risk-based analyses, and ensure that their system defenses continuously evolve to meet existing and foreseeable threats. While any business with an information system should strive to develop and maintain a robust information security program, attempting to devine what the FTC might deem to be widely accepted practices or foreseeable security risks to data, among other things, will be challenging. Best practices in information security are constantly evolving, as they must to meet the ever changing security risks to data. The FTC and other regulatory bodies have referenced the National Institute of Standards and Technology Cybersecurity Framework as a “standard of care” for information security systems, but the devil is in the details, and it is a much more complex challenge than is often contemplated by regulators.
The proposal provides for the creation of a safe harbor through “enforceable codes of conduct.” These codes of conduct will, presumably, be some set of recognized practices to keep personal data private and secure. The proposal calls for an amorphous process, overseen by the Federal Trade Commission, to identify and recognize codes of conduct. The process would involve rulemaking, a multi-stakeholder review mechanism, public comment, and approval by the Commission. While a safe harbor would be welcome to those businesses that would otherwise be subject to the proposal, it does not appear to be something that will occur anytime soon.