Government organizations, such as the US Congress, can be a bit slow on the uptake, taking decades to recognize new technology and adjust our laws accordingly. For industries that deal with sensitive data, however, relying on legislative lag can lead to a false sense of security. Governments around the world have grown wise to the rapid pace of technological development, and the law is prepared to incorporate new technology as it is developed.
Some of the biggest challenges faced by businesses that handle sensitive personal data are best practices laws. Best practices laws demand a constant awareness of current and new technology and its potential impact on a client’s business practices. Depending on your field, privacy laws and regulations are often so vague that “best practices” just means the most conservative practices you can design, including a good insurance policy.
Contractual obligations are another challenging part of maintaining sensitive data. Businesses and governments frequently mandate data protection via contracts. The European Union (EU) recommends contractual clauses designed to export its privacy regulations to foreign businesses dealing with companies from the EU. Banks, insurers and other large corporations often maximize their protection by demanding “all reasonable protections,” “the utmost care” and other vague statements that seem more concerned with shifting liability to their contractual partner than actually protecting sensitive data.
Employing best practices and fulfilling vague contractual obligations requires an understanding of technology that is still in development. Early adopters of encryption no longer rely on DES (the Data Encryption Standard, whose 56-bit key is far too short for modern attackers) and other outdated standards, depending instead on expert consultants who apprise them of improvements and new standards. These experts now regularly advise on more modern technologies and practices, such as AES (the Advanced Encryption Standard) for encryption, format-preserving encryption (FPE) for tokenization, multi-layered privacy design and the merging of identity and access management practices with encryption and de-identification policies. Although not all of these technologies are relevant to all businesses, some are mandated or recommended, and others become relevant due to vague regulations or contractual obligations. The need for mobility, flexibility and higher performance requires more points of access, each of which needs protection, in turn leading to bottlenecks and runaway costs. Thus, both profit and compliance demand fast adoption of emerging technologies.
Your client’s cybersecurity obligations must also be balanced with its duties under transparency laws and regulations. Transparency and privacy have always been in conflict. Today, we see evidence of the privacy/transparency conflict in arguments over making health data available to researchers, censoring internet search results in the name of privacy and, of course, the ongoing public debate about mass surveillance. You know your client’s current transparency obligations, but how can you prepare them for the future without further sacrificing data security? Developments in the EU offer a good insight into a difficult new reality, one where the privacy concerns of the past are swept under the rug every time a new technology promises to minimize the privacy impact of new transparency rules. The European Medicines Agency (EMA) recently mandated increased transparency of clinical research data, requiring researchers and companies to share sensitive data among themselves while necessarily mitigating the risks of a data breach. Even businesses have joined the fight, with Google and the BBC both planning to undermine the EU’s “Right to be Forgotten” ruling via new transparency reports.
The US has already begun debating the merits of copying the EU’s rules, and American corporations are preparing themselves for the changes around the corner—and confronting the ones that are already here. We all balance priorities in constant conflict: compliance, maintaining consumer confidence and generating a profit. Governments know that new technology is the primary force shaping this balance, and the onus is on businesses to make sure they keep up.
Harris Buller, Attorney, HushHush
Virginia Mushkatblat, Founder of HushHush