Data privacy standards, American style

NetIQ's Kimber Spradlin says that when it comes to data privacy, the EU is way ahead of Uncle Sam. That may be about to change.

With Congress considering the first national standards for data privacy, American companies are looking to long-standing European Union regulations for a heads-up. But as is often the case these days, the EU and United States are marching to different drummers.

Companies that collect, store and process personal data should take note not just of the similarities, but also of the significant differences, because ultimately, our version of data privacy may prove the tougher compliance challenge.

When it comes to data privacy, the EU is certainly ahead of the game. It has been 10 years since Europe enacted the EU Data Protection Directive, which requires member nations to develop their own data privacy regulations based on a set of broad principles. To the rest of the world, the EU said, in effect: If you want to do business here, you ought to adopt similar regulations. Many have followed suit, including Canada, Australia, Japan and Hong Kong. The U.S. has not. As with the Kyoto Protocol on global warming, we have gone our own way.

Part of the reason is cultural. Despite the vocal warnings of some privacy rights advocates, U.S. consumers have never pushed hard for national privacy laws. American companies have been free to exchange subscriber and customer lists with little public outcry. Europeans have viewed this information as the property of the individual. Europeans may "loan" their data for a specific purpose, but they still retain ownership. We Americans have been far more laissez-faire.

To date, U.S. data privacy laws have been industry-specific, arising as byproducts of broader legislation. For example, Congress realized that our health care system could be more efficient if the exchange of patient records were more fluid. To compensate for potential abuse, legislators added more privacy protection. The result was the Health Insurance Portability and Accountability Act, or HIPAA. Something similar happened in deregulating the financial industry, which led to the Gramm-Leach-Bliley Act.

National legislation is finally being considered: It is the Personal Data Privacy and Security Act of 2005, introduced by Sens. Arlen Specter, R-Pa., and Patrick Leahy, D-Vt. But note what's driving it. The act is not a concession to the EU, but rather a response to Americans reading CNET and watching the evening news.

With countless stories about identity theft and Internet security breaches, people have gone from being casual to concerned when it comes to their personal data. The tipping point was undoubtedly the news that some 40 million credit card accounts had been exposed. That story broke in mid-June. Specter and Leahy announced their legislation before the month's end.

For IT departments in the United States, this historical context matters because it affects the privacy "climate" likely to prevail over the next few years. In the U.S., data privacy is much more intertwined with data security than in Europe. Legislators are reacting to their constituents' newfound sense that their very identities are under siege.

It is no coincidence that key provisions of the Personal Data Privacy and Security Act increase criminal penalties for identity theft and limit the buying and selling of Social Security numbers. Nor is it surprising that the legislation borrows from a California law requiring that customers be informed if their personal information has potentially been breached. That provision, in particular, is a distinctly American contribution to the legislative model.

But national government regulations are only the beginning. While legislators think in terms of broad outcomes--better record keeping, communications, security--industry demands are far more specific. Credit card companies have created their own highly detailed security standards for merchants that accept and process their cards, and for the third-party companies that process the transactions.

Driven by bad publicity and legal liability, MasterCard and Visa are strengthening those requirements. We can expect similar moves in other industries. Many companies will find themselves more accountable to business partners and customers with the clout to enforce all kinds of new security procedures.

For IT, this all adds up to a cautionary tale. Many companies will need to figure out how to deal with not one, but multiple sets of privacy requirements. As with HIPAA and Gramm-Leach-Bliley, automation will be key, but the application will be broader. Instead of answering to a single piece of legislation, companies will be formulating policies that satisfy multiple parties: government, industry and corporate. They will then generate multiple reports that satisfy the reporting requirements of each one.

All of this will cost. For some time, IT managers have seen security consuming ever-larger chunks of their budgets. In the coming years, that may be the only thing that doesn't change.