Rethinking privacy protection and Big Brother

Security expert Kevin Hanrahan says privacy advocates are focusing on the wrong issue regarding new federal regulations on managing client confidentiality and corporate governance.

As a security expert, I worry about my privacy as much as everyone does--probably more--because I have seen what can go wrong. With recent federal regulations such as the USA Patriot Act, some companies believe they need to protect themselves from "Big Brother" by getting rid of data.

But privacy advocates are making a big mistake by harping on only one side of the picture. Privacy isn't about deleting my data; it's about controlling access to my data--most of which I don't want thrown away.

I want to know who's been looking at my medical records, my credit report and my bank account. Privacy means that the right people (my doctor or loan officer) get to see the data they need, while the wrong people (credit card thieves) don't.

Through privacy rules, I get to decide who the right people are--and what they see. Every time my data is accessed, it should be logged and reviewed by me or by a delegate I trust. For this to work, I need a log of every single instance in which my data is accessed: who saw what, where, when and, most importantly, why. That is what keeps proper checks and balances in place.

Privacy advocates should take a break from obsessing over new legislation pending on Capitol Hill to read the laws already on the books. Many require companies to keep data--to not throw it away--as a way to identify and punish insider abuse of access or leakage of information.

The best known example is the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Already seven years old, HIPAA requires health providers and insurers to protect the confidentiality and security of their clients' data through enforced standards. Your HMO (health maintenance organization) must adhere to written procedures for regular review of activity on their information systems. That includes access reports, audit logs and tracking reports for suspicious incidents that could point to a security breach.

HIPAA mandates that companies keep this audit data for six years. So, if an HMO client loses his job because his employer obtains a leaked copy of his patient record, he can demand the evidence necessary to obtain legal recourse against the HMO for compromising his privacy.

New laws set similar requirements for the financial industry, such as the Gramm-Leach-Bliley Act of 1999, which forces financial services companies to guard credit card information against employees who might sell it to thieves. But these laws were just a warm-up for the Sarbanes-Oxley Act.

Sarbanes-Oxley applies information technology to the problem of corporate governance by requiring companies to keep and produce detailed electronic records of internal activity for auditors. Introduced to Congress and signed by President Bush last year, the law was a heated response to the shameless destruction of corporate records at Enron and Arthur Andersen. It's a wonder that the Enron fiasco didn't cause more people to rethink the notion that deleting data brings privacy: it may shield white-collar criminals, but it can actually harm their employees or customers.

In a March 2003 speech, an officer of the U.S. Securities and Exchange Commission (SEC), the group responsible for enforcing Sarbanes-Oxley, spelled out its vision for the new corporate accountability: "All records of the firm are covered--not just those specifically required by rule to be made and kept, but all records." According to the SEC, these records, which include all e-mail messages, will need to be nonerasable, nonrewriteable, organized and immediately produced or reproduced on the day requested. Tape backups won't do anymore, especially since Sarbanes-Oxley requires audit records to be kept on hand for seven years.
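As an added illustration of the who/what/where/when/why access log described earlier and of the nonerasable, nonrewriteable records the SEC calls for (example code written for this page, not anything from the author or from a particular product): a hash-chained, append-only access log whose review pass flags readers the data subject never authorized, and whose verification detects entries rewritten or removed after the fact. The field layout, the role prefixes in the "who" field and the sample entries are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(body):
    # Canonical JSON so the same entry always hashes the same way
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AccessLog:
    """Append-only access log. Each entry records who saw what, where, when and why,
    and is hashed together with the previous entry's hash, so rewriting or removing
    an entry later breaks the chain and shows up on review."""

    def __init__(self):
        self.entries = []

    def record(self, who, what, where, when, why):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"who": who, "what": what, "where": where, "when": when, "why": why, "prev": prev}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self, expected_head=None):
        """Return the index of the first entry whose chain link is broken, or -1 if intact.
        Passing the last hash the data subject was told (expected_head) also catches
        silent truncation of the tail, which the chain alone cannot see."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return -1


def review(log, allowed_roles):
    """The reviewer's pass: every access by a role the data subject has not
    authorized is returned for follow-up. The role is the prefix of 'who' (assumed layout)."""
    return [e for e in log.entries if e["who"].split(":", 1)[0] not in allowed_roles]


def build_sample_log():
    """Constructed sample: three accesses to one patient record (not real data)."""
    log = AccessLog()
    log.record("doctor:smith", "record/patient-42", "clinic-ws-7", "2003-04-01T09:12", "treatment")
    log.record("billing:jones", "record/patient-42", "hq-ws-3", "2003-04-02T14:30", "claim review")
    log.record("hr:doe", "record/patient-42", "hq-ws-9", "2003-04-03T11:05", "")  # no purpose given
    return log
```

The chain only proves that nothing was changed since the head hash was recorded, so the head must be handed to the data subject or delegate outside the log, and storing the log on write-once media is what makes that hash meaningful.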

As usual, the oversight committee that's convened to set the exact standards for Sarbanes-Oxley probably won't come to agreement on the final specifications until much too close to June 15, 2004, when corporations and their auditors will be required to meet them. But the SEC means business--it's beefing up its staff with at least 200 more regulatory examiners to keep an eye on corporate audits.

Rather than risk going the way of Arthur Andersen, the remaining Big Four auditors--KPMG International, PricewaterhouseCoopers, Ernst & Young and Deloitte & Touche--are pushing their clients today to implement systems and procedures that Sarbanes-Oxley will likely require.

According to Paul E. Proctor, a Meta Group security analyst, more than 75 percent of large enterprises will be pressured into creating some form of risk management program in 2003 and 2004, "in response to Sarbanes-Oxley concerns raised by their external auditors." These companies will need to implement a broad set of best practices in order to provide the level of investigative support that the SEC increasingly requires.

Yes, managing all that data is going to be a lot of work, but the laws were passed with the knowledge that new technologies are already making the job much easier. Those same technologies can protect your privacy as well as they protect corporate accounting records. And unless you're going to live in a Volkswagen bus, you're going to want the benefits of having your full medical and financial records available.

You'll just want to be sure that the companies you give them to can be trusted, because their employees--and executives--can't mess with your data without being caught. That kind of assurance doesn't come from deleting data, but from keeping more of it. I don't know about you, but I'll sleep a little better at night knowing that my data is in check.