Creating a New Privacy Principle
By Steven Lerner-Wright
Last July, a new California privacy law went into effect. The law,
commonly referred to as "SB 1386" and formally a part
of California's Civil Code, Sections 1798.29 and 1798.82-84,
requires those that store sensitive personal information
including government agencies, businesses, and persons engaged in
business activities to notify California residents when that
information data has been, or may have been, accessed without authorization.
The purpose of the new law is to give California residents adequate
time to take steps to check their credit ratings and protect against
identity theft. An almost identical bill is now before the US Senate.
The California law is important for two reasons:
1. It's the first in the US requiring government agencies and businesses
to alert individuals when private personal data has been accessed
without authorization. In 2002, California led the states with more
than 30,000 reported identity thefts. More generally,
California is a trailblazer in the US and often sets the stage for
how to solve the new ethical and legal issues that arise in our
fast moving societies. It is no surprise for California to enact
the first law requiring notification when data has been breached.
2. It appears to be creating a foundation for what may be a new
"principle" concerning privacy. Privacy principles have
been formulated and expanded upon since the mid-1970s. Numerous
organizations, individuals, and businesses have developed such principles
to help them lay the foundation for developing more detailed privacy
policies and procedures.
The First Law to Require Notification
During the last twenty-five years, a number of significant privacy
laws and regulations have been proposed and enacted in various jurisdictions
around the world. Milestone legislation in the US includes the Privacy
Act of 1974, which controls and limits collection and disclosure
of personal information by the US government, the Family Educational
and Privacy Rights Act of 1974, which enforces similar controls
over educational institutions, and the Right to Financial Privacy
Act of 1978, which prevents financial institutions from providing
federal authorities unfettered access to customer financial records
(and requires such institutions to notify customers when their records
are handed over to the authorities).
These first laws focused on public concern that the US government
was collecting information about its own citizens without authorization.
Privacy legislation has changed as social issues have evolved, particularly
in response to technological advances.
For instance, in the last ten years, US privacy law has focused
on regulating non-government entities such as businesses and individuals.
Two pieces of important legislation are representative: the Gramm-Leach-Bliley
Act, also referred to as the Financial Modernization Act of 1999,
and the Health Insurance Portability and Accountability Act (HIPAA)
of 1996. These laws tend to focus (1) on regulating electronic collection
(especially via the Internet) and warehousing of personal information;
and (2) sharing or unauthorized distribution of that personal information
with other entities and individuals, particularly among business
partners and affiliates.
Privacy law is evolving further to reflect newer and more immediate
concerns, particularly identity theft. As consumers move to online
purchasing, personal information -- including credit card information
and US Social Security numbers -- have been electronically collected
and stored by retailers. Numerous high-profile thefts, such as the
alleged online theft by a Russian hacker of more than 300,000 credit
card numbers from an online music retailer in the US, have led to
new laws regulating what can be collected electronically and how
it should be protected.
A New Privacy Principle?
Privacy principles have been proposed for some time. For example:
* Robert Ellis Smith gathered a list of general privacy principles
developed in the US and Europe in his 1993 book _Our Vanishing Privacy_.
* The nearly four-year process of developing a health information
privacy standard required by HIPAA resulted in the creation of numerous
patient information privacy principles. Review the list developed
by the Institute of Electronic and Electrical Engineers (IEEE) at
http://www.ieeeusa.org/forum/POSITIONS/healthinfo.html or the position
developed by The American Medical Association at http://www.ama-assn.org/ama/pub/category/2703.html
* Canada, which has created numerous privacy regulations as well
as a government-appointed privacy ombudsman, the Office of the Privacy
Commissioner, articulated a set of privacy principles, which appear
These and other various principles generally fall into the following
* Transparency and Access
* Consumer Consent and Choice
* Appropriate Use
* Safeguarding Information
Here is a brief summary of each category:
TRANSPARENCY AND ACCESS
No system that gathers personal information should ever in and of
itself be kept a secret. Individuals have a right to know why personal
information is being collected, and information should be used only
for the originally intended purpose. Individuals must have access
to the information being collected about them and they must be told
how that information is to be used. As much as possible, personal
information should be gathered directly from the individual with
that individual's informed consent.
CONSUMER CONSENT AND CHOICE
Individuals must be given a way of preventing information gathered
for one purpose from being used for some other purpose without prior
consent. People must be able to correct, amend, or add to the information
gathered about them. Individuals should have the opportunity and
method for "opting out" of programs using their personal
information for commercial reasons.
An information-gathering system must have socially desirable purpose
and only data relevant to that purpose should be collected. Those
entities that gather personally identifiable information must make
sure that the data are used as intended and must take steps to prevent
Those entities that collect information should act as trustees.
They do not "own" private information. They must safeguard
the information they collect, and they must use it in the best interests
of the individual. Whenever data systems are designed, privacy protections
should be included in the specification and implementation of the
system. The definitions and standards for privacy may change as
new technologies, social concerns, and markets emerge. Personal
information may be transferred between parties only when the privacy
protections of the recipient trustee are at least equal to the protections
provided by the original trustee.
Individuals whose privacy has been violated have the right to seek
relief of some kind. Privacy violations can be resolved by either
negotiation, complaint resolution, or civil and criminal procedures.
In terms of current privacy principles, notification of the individual
in the case of security breach is a new concept. With passage of
SB 1386, we may be seeing the development of a new principle that
could be added under the heading, SAFEGUARDING INFORMATION: Organizations
that collect, use, and distribute personal private information are
responsible for notifying individuals when personal information
may have been accessed without authorization -- especially in circumstances
where there is a reasonable suspicion or expectation that the personal
information may be used to commit a crime or harm the individual.
Other Pending Laws
Although SB 1386 is the first law requiring notification in case
of a security breach, it won't be the last. This year US Senator
Dianne Feinstein, D-CA, introduced S1350, a federal law which is
almost identical to the California law; and nearly simultaneously
US Representative John Shadegg, R-AZ, introduced HR2617, which requires
the Federal Trade Commission to "provide guidelines for a business
to follow in notifying customers of the likelihood that information
concerning such customers has been stolen or compromised."
During the summer of 2003, in response to the requirements of Gramm-Leach-Bliley,
the Office of the Comptroller of the Currency, the Office of Thrift
Supervision, the Board of Governors of the Federal Reserve System,
and the Federal Deposit Insurance Corporation issued "Interagency
Guidelines on Response Programs for Unauthorized Access to Customer
Information and Customer Notice." The proposed
guidelines create a standard for notifying customers "whenever
[a financial institution] becomes aware of unauthorized access to
sensitive customer information." The Treasury, Federal Reserve
Board, and the FDIC have gathered comments on the proposed guidelines.
Over time, these new laws will have more and more impact on the
conduct and management of privacy-sensitive businesses. Recently,
a consultant to a large bank based in San Francisco suffered an
office break-in: his laptop containing personal data on thousands
of bank customers was stolen. The bank had to
notify thousands of affected customers about the potential breach
and decided to change each account number and purchase a credit-monitoring
service for each impacted individual.
Vulnerable companies can reduce the risk of this kind of pain and
expense by protecting sensitive information with PC Guardian's computer
and information security solutions, which are used by numerous enterprises
in the defense, financial services, and healthcare industries. For
more about PC Guardian, visit our home page http://www.pcguardian.com.
See you next issue. 'Til then, keep your guard up.
 You can find the text at
 See the Federal Trade Commission's report at
 Federal Register, Vol. 68 No. 155, August 12,
2003, pages 47, 954-60.
 Lazarus at Large, San Francisco Chronicle,
Nov. 21 2003. See