Author: Poblete Tamargo LLP

Due to the universal applicability of encryption technology, the general public also makes use of such programs. Based on the widespread use it is safe to say hackers, terrorists, and other criminals are using this technology to protect incriminating information that may be monitored by governments. The debate over ethical use of encryption technology is expected to be one of the dominating issues the Congress will face in 2016.

The current dispute among legislators calls in to question the extent to which federal agencies should have access to encrypted information without requiring probable cause or permissions.[i] The argument in favor of government access points to the fact that the terrorists responsible for the attacks in Paris used encryption technology in shielding communications with each other during the initial planning stages. Government officials argue that by having access to the encryption technology they will have an upper hand in pro-action and prevention of similar assaults in the United States.

Many in the technology industry strongly oppose this view. They believe that by granting the federal government this access it will increase opportunity for temptation for agencies to unnecessarily monitor private and personal communications here in the United States. Many point to the consequences of public disclosure of classified information by former CIA employee Edward Snowden and his observations regarding the National Security Agency and it’s ability to conduct global surveillance.

The concerns on both sides are substantial and legitimate. On one hand, the federal government is faced with infinitely evolving challenges as technology plays a crucial role in national security. Following the devastation of both the September 11 attacks and recent tragedy in Paris, prevention has become essential in combating terrorism. Yet, the idea of enabling government authority to indiscriminately override encryption keys for intelligence operations without instituting requirements ensuring honest oversight can be worrisome.

A third possible option, balancing preventative measures and the right to privacy, can be defined by regulatory humility. Regulatory humility is a term used by members of the Federal Trade Commission (“FTC”) regarding regulations and necessary use of current technology. It calls for a framework providing flexibility in establishing guidelines across various agendas instead of relying on a one-size-fits-all approach. The combination of authority, accountability and information collection allow for more rapid reaction and response to policies, which may become obstructive as conditions evolve.[ii]

Though it may sound like a simple solution, reflection can be increasingly difficult in times of trepidation, where reservations are high and the desire to maintain authority is confronted with acknowledging weakness that will require change.

Regulatory Humility can be achieved, however, once bias and insecurity are eliminated. The Congress is very capable of this and should focus on establishing a more flexible framework. As threats to national security become more serious we must provide federal intelligence agencies with the tools necessary in effectively combating terrorism while, at the same time, respecting privacy and maintaining accountability for those tempted by power and authority.

Instead of waiting until after the damage of a data breach has been done, companies should begin the process of assessing the data that they have stored in their systems and start keeping an up-to-date inventory of such information.  Assessing the data includes reviewing the following items:

• The network;
• The information stored; and,
• The access to the information.

Assessing the network includes not only your current system, but also any old computers and/or external hard drives that your company may have in storage. If your company has old computers in storage, it is important to see what information is stored in those systems. You may be surprised to find what may be sitting on those hard drives.

Assessing the information stored focuses on the content of the information and the purpose of the information. The content of the information may be considered to be personal identifiable information that is considered to be the subject of data protection statutes. If the information is considered personal identifiable information, then you are under an obligation to provide measures to protect that information. Your obligation to protect that information depends on the state that your business is incorporated.

Besides reviewing the content of the information, you must also review the purpose of the information. The purpose of the information answers the questions, “Why do I need this information?” and “How long do I need this information saved?” 

Finally, the issue of accessing the information focuses on the question of “Who needs to have access to this information?” If the information is of a personal nature, then access to that information must be limited. Another question to consider is “How much information should that person have access to?”  In other words, “How much access would that person need to complete their work?”

Suppose you own an accounting office. The executive assistant may need a client’s name and address because that person is mailing something. On the other hand, the accountant working on a matter for that client may need access to said client’s financial information, in addition to the client’s name and address. The access is dependent on the employee’s role.  

Assessing your network, the content of the information, and who has access is a crucial step in developing a data privacy policy.  Answering those questions allows you to implement and develop a data privacy policy that addresses your corporate needs, instead of having a one size fits all approach.

Please do not hesitate to contact us to discuss how we can help you assess your data security needs as well as implement a data privacy policy that fits your corporate needs.

This past September, the Online Trust Alliance, an industry group focused on e-commerce, released a report assessing the safety of presidential campaign websites.[i] The report focuses on the following three aspects of online campaign platforms: site security, consumer protection, and privacy.

Site security addresses whether or not the campaign website is the actual website and not directed to a counterfeit source. This category also includes factors on the investment of technology such as, firewalls and encryption technology, and other programs that make hacking more difficult.

Consumer protection scores are calculated by evaluating the “adoption of email authentication and associated technologies to help protect consumers from receiving fraudulent email purporting to come from candidates, their PACs or political parties.”[ii]  In other words, the political campaigns are assessed on how well they protect their websites and emails from hackers, who could create a false website and illegitimate emails.

Site Privacy compared methods of data storage, security of stored information, and actual use of the information received from political donors and volunteers. Content of a site’s “privacy policy” and accessibility of such disclosures also attributed to the assessment.

Online Trust praised the campaigns overall for their use of technology in the areas of consumer protection and site security; however, many presidential campaigns were given failing grades for their lack of implementing a data privacy policy. Six campaigns (out of twenty-three total campaigns assessed) had sufficient data privacy protection in place that sufficiently passed Online Trust’s assessment.[iii]

Many of the campaigns received low marks in these areas for not having privacy policies, or the policies disclosed were inadequate, or because the campaigns “claimed the right to share data with ‘like minded entities’ or unidentified third parties or anyone or even sell the data.”[iv] OTA shows this as a negative factor, because the person providing the information has no ability to consent whether or not their information can be sold, despite the terms of the privacy policy. Third-party data sharing is also in contrast to the generally accepted Fair Information Practice Principles (FIPPS).[v]

A major reason for the low marks in privacy is attributed to the use of micro targeting by both Democratic and Republican campaigns. Micro targeting[vi] involves collections of data and statistics from voter populations that is assessed for predictive voting trends, which allows political parties to tailor their messages based on the voters’ preference of issues and streamline campaign resources to potential supporters.

The report provides us with two important lessons. First, companies need to invest in technology that will protect their websites from cyber-criminals, viruses, and other forms of malware. It may not be as extensive as a presidential campaign, but as seen in the cases of Target, the Internal Revenue Service, and the Office of Personal Management, it is evident that no information technology system, even the “best of the business” is safe from attacks.

Secondly, companies need to develop a data privacy policy focusing on the security, storage and privacy of consumer information. Although no one has successfully hacked into a presidential campaign website, that we know of, the potential risk of bad publicity stemming from compromised donor and volunteer information is more than enough to end a campaign. That kind of negative publicity is equally devastating for businesses and organizations utilizing online platforms.

For more information on how to assess your own data privacy needs, please visit our website.