Risk

3/8/2021
10:00 AM
Why Data Privacy Should Be on President Biden's Agenda for His First 100 Days

The new administration is in an excellent position to make significant progress on data privacy -- not just because it's needed, but also because it's time.

In the best of times, a new US president has a lot on his plate. But these times are not the best — they are extraordinarily challenging. And while the new administration has a lot of priorities — getting the pandemic under control, stabilizing the economy, dealing with record unemployment, and more — it also needs to look at an issue that has ballooned in the last year and set legislators, companies, and even many citizens on edge: data privacy. 

Privacy during a pandemic is a tricky balancing act. On one side, personal data is being used to benefit public health — for contact tracing, self-reporting, and online screening tests — and more people are open to disclosing and sharing information. Personal data is also being distributed and used in new ways. For example, the government is working with Verily, a Google sister company, to offer online screening tests that require a Google account. One security company is applying surveillance cameras to detect coronavirus hazards by tracking locations that break occupancy rules and spotting fevers. And let's not forget that millions of remote workers are now blurring the lines between home and work, raising data privacy concerns along with it.

On the other side, there's public backlash against data sharing. Some governments have suggested using COVID data for purposes other than diagnosis and contact tracing, and others have tried. Also, the vague changes being made to privacy policies on messaging and similar apps are causing alarm. Pressure for more regulation is rising fast.

The importance of data protection and privacy will continue long after the pandemic is behind us. This is an opportunity for the new administration to create real change and prioritize some beneficial, transformative, and impactful privacy initiatives.

Where should the administration begin? We see three main areas.

1. Restructure Technical Categories of Data
Right now, all personal data is treated the same. If it can be used to identify an individual, it's personal data. Therefore, data privacy applies to everything, and protecting it involves casting a really wide net. In practice, this doesn't work. All data is not equal. For example, the location data your mobile phone uses to track your whereabouts isn't the same as the location data your smart vacuum cleaner uses to roam around your house. But technically, they are the same category of data and must therefore be treated with the same level of sensitivity, protection, and oversight. This creates excessive governing and impedes innovation.

The solution? Create a data classification based not just on its technical category but also its potency.

This is one area where the government can take charge. Acknowledging the variety of personal data and degrees of sensitivity within categories will make a huge difference. Big tech, small innovators, legislators, policymakers, and privacy experts who already deal with this will approve. And it will lay the foundation for the most modern privacy framework in the world.

2. Pick Up Where Privacy Shield Left Off
When the European Union struck down the Privacy Shield last summer, many businesses were left without a safety net. The Privacy Shield was designed to support transatlantic commerce, but US surveillance practices were deemed incompatible with the EU's data privacy requirements. So, it fell apart and almost took Standard Contractual Clauses with it.

More than six months later, businesses are still unclear how to build a forward-looking framework to legitimately transfer EU data into the US. This especially affects smaller companies that can't adopt the extra measures the European Data Protection Board requires. The previous administration did not pick up the ball, but the Biden administration has an opportunity to quickly address the problem.

3. Propose Federal Privacy Legislation
Federal privacy legislation is an obvious answer but also the trickiest. It's not a new topic; it's raised every time a new state-level privacy bill is introduced, as every addition increases the fear of exponential complexity. Most state bills and laws have the same motivation — to safeguard the rights of the individual. That's a good thing.

Most local laws overlap by 95%, but that other 5% is lethal. That 5% difference multiplied across dozens of states has the potential to create colossal complexity. This was the catalyst for GDPR. Chaos ensued when the 28 EU countries, despite a history of coordination and cooperation, created individual, uncoordinated data privacy legal frameworks. GDPR resolved a real problem of data transfer between these countries. The US should learn from this. State-by-state rules can increase difficulties and expense.

It's not just complexity that creates problems. It's the aftereffects. With so many jurisdictions, accountability is an issue. Because it's almost impossible to keep track of where rights have been violated, data subjects lose faith in their rights to data privacy. Lack of coordination leads to finger-pointing — it's not on me, it's on you — and non-adherence. Whether deliberate or otherwise, any level of noncompliance undermines all the individual laws.

All Signs Point to Yes
Indications are that the new administration is headed in the right direction. First, it appointed a seasoned privacy professional, Christopher Hoff, to a key role at the Department of Commerce. Hoff will oversee discussions with the European Commission on a new framework. An opportunity for new enforcement under the Federal Trade Commission, specifically advocating for more emphasis on individual liability, is also on the radar.

The process for protecting data privacy won't be all rainbows and unicorns. There will be stumbling blocks. However, the federal government is in an excellent position to make significant progress — not just because it's needed, but also because it's time.

Sophie Chase-Borthwick heads Calligo's privacy practice globally. She supports clients in their ongoing data privacy observance whatever their jurisdiction. She has spent over 20 years in IT and security, having served as a process architect through audit management and as a ...