Tech leaders call for global harmony on privacy, security
- 28 January, 2012 05:30
For large multinational companies, or even smaller outfits with modest aspirations of foreign expansion, the patchwork of global laws and regulations governing security and privacy can present a major compliance challenge.
It is small wonder then that a group of executives from major technology and finance firms, gathered at George Washington University's law school for an event to mark Data Privacy Day, lamented the overlapping and often conflicting security and privacy landscapes their firms must navigate.
"I think that we still have quite a ways to go," said JoAnn Stonier, global privacy and data protection officer with MasterCard Worldwide. "It's really still a challenge, the lack of consistency."
MasterCard, with operations in more than 200 countries, often finds itself dealing with regulatory or law enforcement authorities overseas who ask the credit card firm for a level of cooperation that would actually run afoul of that country's own privacy restrictions concerning data sharing or other sensitive issues, according to Stonier. That puts the company in the strange position of education a regulatory body about the rules and policies of its own country.
Paul Otellini, Intel's president and CEO, echoed those concerns. In a pretaped video message prepared for Thursday's event, Otellini touted the advances that private sector players have made in privacy and security, including his own firm's efforts to embed security into the microprocessor, but acknowledged that "there is also a government role," though still warning against overly prescriptive remedies that could curb the pace of innovation.
"Precisely because technology and the threats it faces are always changing, we need laws that protect individuals long-term. These laws and regulations ought to be technology-neutral. They should protect individuals even as our technology evolves," Otellini said.
"And if it's going to work on a global scale, the regulators of the world need to harmonize standards so that laws are crafted to go beyond a single market or a single country," he added. "Cybercriminals do not respect borders."
Stonier noted, cautiously, that she is "hopeful" about a gradual meshing of the legal and policy regimes: "I think we're seeing regulators talk more." European Union Addresses Privacy and Security
Earlier this week, the European Commission took the first step in what could be a major overhaul of its own privacy and security policy frameworks, as European Union Justice Commissioner Viviane Reding unveiled a proposal to update the body's 1995 Data Protection Directive, the set of privacy principles that have been the law of the land dating to the early days of the commercial Web. While many provisions in Reding's proposal would differ dramatically from U.S. laws and regulations, they would seek to create consistency within the European Union. Even as 27 member states have adopted the 1995 directorate, it has been implemented inconsistently, leaving firms with a presence across Europe dealing with different sets of rules.
Similar confusions can arise domestically. At the federal level, AT&T, like other major network providers, often finds itself making the same case to multiple agencies and members of Congress. On the regulatory side, the company has often sparred with the Federal Communications Commission on matters of oversight authority.
"It's not always clear that they are coordinating or aware of their jurisdiction," said Bob Quinn, AT&T's senior vice president of federal regulatory affairs and chief privacy officer "I don't think the FCC views the limits of its jurisdiction the same way that I view the limits of its jurisdiction."
"We would like some clarity in that area," he added.
Then on the state side, companies of all industries are subject to a maze of laws stipulating different disclosure and notification requirements in the event of a data breach. Tech companies, including those on hand for Thursday's event, have long campaigned for a national data breach law that would supplant the various state measures.
"It's a lovely make-work exercise, but I'm not sure it really protects the consumer," Stonier said. "One way to go would be a whole lot easier than what we have to deal with now."
Several speakers also emphasized that the forced choice between privacy and security, long presented as opposing forces, is a false dichotomy. That pairing has recently come into sharp relief for many in the industry who have observed the rash of high-profile data breaches in recent years.
"Last year we realized that privacy and security are so tightly combined and there are so many ways people need to understand that privacy and security work together," said David Hoffman, Intel's and director of security policy and global privacy officer.
Indeed, the privacy officials on hand said that at the organizational level, they work closely with both the security and legal teams within their companies.
FewÂif anyÂcompanies in recent years have been more closely connected with privacy controversies than Facebook, which has also been tagged with numerous malware incidents and other security threats. Facebook Is Misunderstood
"There's a misconception that perhaps we're not as thoughtful on all these issues as we are," said Erin Egan, Facebook's chief privacy officer for policy. Egan, a recent addition to the ranks of the social networking giant, said she was "blown away at the number of safety and security features" when she first met with the company's security team.
"There's so much that we're doing day in and day out on the security side and the safety side," she said. "They're trying to innovate around privacy and security, which I think is fascinating."
Egan, like the others, expressed her company's support for a nationwide data breach law, though no one was willing to predict passage in this election-shortened session.
Many tech companies have also been pressing lawmakers to update privacy laws to account for new methods of computing and information sharing. In particular, they look at the 1974 Privacy Act and the 1986 Electronic Communications Privacy Act, governing statutes whose authors could not have envisioned the rise of Web services or cloud computing, yet still define their policy framework.
"The laws in this area are tremendously out of date," Hoffman said. "We need to be able to increase the ability of government and industry to work together to provide better cybersecurity and national security while still protecting privacy. The opportunities are there; we need to get some political will behind it."
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.
Read more about government in CIO's Government Drilldown.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- The Flexible Workplace: Unlocking Value in the “Bring Your Own Device” Era
- Print intelligently; Control, Save and Conserve
- Transforming Virtualised Infrastructure: The Key to Enabling Mission-critical Databases and Applications
- How Web Security Improves Productivity and Compliance
- Bring ‘em on!‖ – The Consumerisation of Enterprise Mobility
"How many of the Fortune 500 companies have access to PRISM? https://en.wikipedia.org/wiki/Industrial_espionage ..."Australia suspected to have PRISM data: Ludlam
Australia Post’s mail business to lose $200 million this year
Australia Post’s mail business to lose $200 million this year
Microsoft's ambivalence about Office on the Web gives Apple shot with iWork on iCloud
3 Lessons Learned From a Failed Customer Feedback Test
Staying Ahead of the Data Explosion
The total volume of data being processed and stored by businesses is rising exponentially. IDC has estimated that the size of the "digital universe" will increase 29 fold between 2010 and 2020. Data storage technology has undergone a steady increase in capacity, along with a steady decline in the cost per unit to store information. Unfortunately, data storage capacity is not keeping pace with data growth and necessitating greater intelligence in the storage infrastructure. Read more.
Vodafone Ireland Implements World-Class Service Excellence with HP BSM
Shane Gaffney, head of IT operations explain how HP Business Service Manager solutions have helped Vodafone to transform from a reactive to a proactive IT Operations function, and to align their priorities to match the business and drive business value, delivering 300% ROI in one year. Download today.
ESG Whitepaper: Integrated Computing Platform Survey
Data centres, servers, storage and more are being combined for simplified management and cost savings. In this survey, ESG looks at the current and future trends surrounding today’s integrated computing solutions. Download to find out how organisations are more likely to see commit IT budgets to the purchase of integrated solutions. Read more.