SearchStorage.com brought questions about this new frontier in government regulation and data security to University of California, San Diego (UCSD) professor Dr. Roger Bohn. Professor Bohn is a specialist in technology and operations management whose primary research is on the management of engineering activities in technology-driven companies. Bohn recently became director of a new center to study the information storage industry at UCSD.
Bohn's answers to the questions raised by the new bill were surprising and candid -- and brought new emphasis to the idea that compliance is a topic absolutely every enterprise will need to consider from now on -- or the future could look grim indeed.
Who does this really affect? Anyone that hasn't already been regulated? Any particular industries?
Bohn: Companies that deal with the public will be especially affected -- the financial industry, of course, any industry that sells direct to consumers, like airlines, hotels, rental agencies, retailers who have affinity programs… Every company in any industry is affected if it has more than 10,000 employees in that all their data is affected by this. The University of California, my employer, for example -- and they had a breach like this, a market consultant doing research on a laptop that was stolen from their car -- stolen six steps removed from original collection of the data.
The trigger for notice is tied to risk of harm and there are exemptions for notice where the risk is de minimis or where fraud prevention techniques prevent harm to consumers. What are those exceptions? How can users minimize risk?
Bohn: If it's information that's already publicly available in a telephone book, it's considered minimal risk if it's exposed. But you'll notice there is a requirement in this bill that the Secret Service, of all things, be told about this even when the public is not notified. So you still have to keep track of them. Again, we're just going to get a series of court cases to establish what this actually means. Is your frequent flier number covered under this? How about your phone number, if you have an unlisted telephone?
It's really difficult to determine what data is tied to risk of harm. I mean, this is totally speculative, but I would imagine somewhere in the former Soviet Union there is a server farm grabbing up all the data on all the wealthy people in the world and harvesting it to sell it. If not yet, there will be at least one within 10 years. In the face of an aggressive adversary putting together scraps of information, stuff that doesn't look important could become important.
The bill specifically addresses the use of Social Security numbers. "The use of Social Security numbers has expanded well beyond the intended purposes," according to Sen. Specter. Do you agree? How does this specific aspect of the bill affect enterprises?
Bohn: I certainly agree with the statement. My Social Security card says on it in red letters, 'Not to be used for identification,' which has become a universal joke. In the last five years, it has improved a lot, but it's still the case that with someone's name, date of birth and Social Security number, you can uncover huge amounts of other information about them. Reporting campaigns have documented this. I think there is a broader movement away from use of Social Security numbers when not absolutely essential.
Why are we seeing this bill come into effect now?
Bohn: In my view, this is opening up a can of worms that needed to be opened, but it is going to still take years to resolve. This bill is actually an effort to preempt and standardize what California started with SB 1386, a law that says that if there's a breach of your personal information by any company, that company has to notify you that your information has been breached. There are a number of states, on the order of a dozen so far, that have passed similar laws. Companies would like to see this information standardized and clarified so they don't have to deal with this growing patchwork of state laws.
But they're approaching this bill piecemeal. Different government policies like open meeting laws and policies about public information on the Internet are already in conflict with privacy. That conflict in government will now be coming to companies -- for example, the FBI is getting legislation passed that says they have to be able to intercept communications and be able to examine them. They are not happy about things like telephone calls, in the case of Voice over IP, automatically being encrypted to meet privacy standards.
So how can it be balanced out?
Bohn: I think it will take years and a fair amount of legal action on the implementation of these laws to figure out exactly what the standard of care is for companies. In some ways this is a little more salient than SOX [Sarbanes-Oxley Act]. In SOX it's the top executives putting their signatures on things, so they're concerned. But here you're going to have a lot of much smaller incidents -- not just when the SEC [Securities and Exchange Commission] comes after you, it's when any little thing happens. We're going to see a lot of class-action lawsuits of all kinds and typically, in the U.S., these things take years to sort themselves out.
Also, in my opinion, Congress should be biting the bullet and holding comprehensive hearings on this over a period of a year, which is not going to happen. As a result, inherent conflicts are going to be popping up for a long time to come.
What can the affected industries, including IT, do right now?
Bohn: Being proactive is definitely indicated. Companies like Microsoft have definitely figured that out. Simply waiting for legislation to happen means you're going to be playing catch-up for a long time to come, and the legislation will be framed in ways that have long-term detrimental consequences on you. We should get industry trade associations of various kinds trying to take a leadership position on this. No one company by itself wants to be the bearer of these bad tidings, but if an entire industry gets together in some forum and comes together on legislation that actually benefits different groups -- they will make some progress.
So you think companies should intervene right now and lobby with their own legislation?
Bohn: Yeah, absolutely, getting involved in this process, I think, is pretty essential. To some extent IT companies should be doing this for their customers, although they have somewhat different interests, of course, since IT companies don't necessarily mind complexity per se -- they just don't like ambiguity. But things like the National Association of Manufacturers, The Hotel Industry Association and IT industry groups, definitely financial trade associations, banks, credit card agencies, and so on have to be lobbying on this issue.
What should they be lobbying for?
Bohn: First thing they always want, and this bill now is something of a response, at least, is clear national-level standards and legislation so they don't have to enforce a multiplicity of laws, some of which will conflict, in each state where they do business. Even achieving that requires effort and is by no means guaranteed. The Specter-Leahy bill preempts state legislation, but of course preemption is also controversial because some states have stronger laws than the national versions, typically California. That's the absolute first thing they should be aiming for.
We need comprehensive hearings and stepping back and thinking about this for a few years instead of all this piecemeal legislation done in isolation where we end up having all these terrible Catch-22s and frauds come to light -- for example, as a result of California's legislation, at times criminals have signed up as fake companies and extracted data and paid for data in seemingly legitimate ways, but they're really a front organization using data for ID theft. The new bill would allow even more access to databases through the provision of allowing users to see what data a company has on them.
It's the old conflict -- any time you give access to people you make data less secure. On the other hand, the motivation behind that provision is clear and reasonable... Maybe in 20 years we'll all be issued a government ID at birth based on a retinal scan and use that to encrypt all our information. But, of course, that will raise other problems, won't it?
So if the bill becomes law as is, what's your advice to users on how to meet the standards of this regulation? Where can a user, unfamiliar with compliance issues like this, start with setting new compliance policies? What will they need to do?
Bohn: Well, I think it's going to be comparable to what SOX has set off, which is years of thinking about it and software development, and developing and implementing procedures, putting in auditing systems, and so forth. There's no simple answer. It's the fundamental conflict between access and protection for the same data.
There are some public interest groups, but I don't know how much detail they've gone into. Where I'd start is the companies that have already been dealing with this from Europe and figure out what they've done to comply with European law, which is many years ahead. If you look at what companies have had to do to comply with European legislation it's pretty extensive. Although, in Europe, they're more concerned with companies collecting data and less with the government collecting data. With Americans, it's the reverse.
If the law is passed as is, can technology bring companies into line with it, or is it more about processes?
Bohn: There are a lot of processes, but technology will certainly be something vendors try to leverage for this purpose. There's this whole information lifecycle management umbrella that turns out to be extremely amorphous in my opinion, but it's sort of getting at the same issues of thinking about what is in the data and deciding how it gets used based on the nature of a particular piece of data. For example, if you're a hotel chain, you have information on frequent flier numbers, credit card numbers, names and addresses, personal preferences, who shared the room with a patron. They're now going to have to think about the differences between that info and who will have access to it, who will want access to it … the classic case of someone's spouse calling up and saying 'what is this charge on my credit card bill?' and what do they say. They're all going to have to be examined and hopefully rationalized.
Technology-wise, things like data encryption are going to become universal. In cases like backup tapes falling off the back of a truck -- in some cases literally, in others they're actually probably stolen -- someone who gets it and knows what to do with it can extract huge amounts of information. On the other hand, we don't know if anyone has really done that or if it has wound up in a dump somewhere. In general, though, end-to-end encryption is a good idea for any data that moves around.
If all data is automatically encrypted from one end to the other, whether it's sent over the Internet, a private line or by truck on a tape, it ought to be implemented at the hardware level.
The bill "Requires companies that have databases with personal information on more than 10,000 Americans to establish and implement data privacy and security programs, and vet third-party contractors hired to process data," according to a press release. But it doesn't specify what those programs should be or how that vetting should be done. What is your suggestion on both these things?
Bohn: There are already some industry standards in the financial industry. The healthcare industry's experience with HIPAA [Health Insurance Portability and Accountability Act] has led to some fairly specific guidelines on almost exactly this kind of thing. If we look at what they've done, it provides an example.