U.S. state governments, the European Union, the U.S. Federal Trade Commission, and other governing bodies around the globe—it seems every regulatory body is debating its own definition of personally identifiable information (PII). Recent topics from behavioral marketing to GPS to Anonymous hacks have elevated privacy to the regulatory priority list.
There is already significant regulatory variation about what data constitutes PII and personal health information (PHI). Existing rules were largely written in an attempt to solve known data challenges such as the problems of credit card fraud (PCI), identity theft (regional disclosure rules like the U.K. Data Privacy Act and U.S. state laws), and electronic data sharing inefficiencies (HIPAA). Some were written for loftier goals such as human rights and reputation management. They mandate controls over relatively easily characterized descriptors like credit card numbers, street addresses, and birthdates and affect physical as well as electronic disclosures.
However, as the internet expands to more users and web-enabled devices, the concept of “personal identifiers” starts to mean different things:
- What device are you using?
- Where are you?
- What domain are you using?
- What is your history of activity?
These concepts are more subtle, technically complex, and far-reaching than the simple data types of PII legislation as originally conceived. These ideas have an enormous current and potential impact on Internet solution providers and application developers building cloud-based solutions, as well as traditional product vendors enabling enterprises with products that use “Web 2.0” technologies. For instance, the answers to these questions allow more capable and personalized Internet, mobile, and local commerce services. They also allow security researchers to keep track of bad guys that hide their machinations behind Internet technologies or try to duck and cover behind otherwise innocent systems.
Enterprises must manage regulatory risk as they manage any other kind of risk: make a prediction, place a technical bet, enforce a policy. Waiting is not an option. Any hesitation in enterprise data protection efforts may further enable a major forward stride by the Internet bad guys—the phishers, hackers, scammers, and botherders that use increasingly industrial techniques to monetize other people’s systems and PII today.
As global economies work to seize the savings in the cloud, leaders are working together to enable the trust and common, harmonized standards that will allow safe adoption of next generation data centers and consumer services in the cloud. Organizations like the Cloud Security Alliance and the Open Data Alliance are helping the ecosystem to move more quickly, and we need every bit of acceleration they can provide.
Looking at the regulatory horizon, a few storms are expected, but there also may be a brilliant sunrise of opportunity because a shared definition of privacy will be understood and respected. By having confidence in our protections and partners, privacy can become an enabler of new personalized services, rather than an inhibitor that creates complexity and friction between security and business goals.
About the author:
Michelle Finneran Dennedy is vice president and chief privacy officer at McAfee. McAfee, with more than 2 decades of dedication to the safety and privacy of computer users, leverages information—anonymized in many cases—to monitor, understand, and ward off the internet-based attacks that threaten users. The protective value of McAfee products and services depends on well-grounded, clearly stated definitions of PII.