In the first grade, I was sent to second grade for math classes. I was five. I was close to the youngest person in my school for first grade (simply due to my birthday being in December), so many of my classmates were already a year older than I was, and second graders were two or more years older than that. One day, the teacher told us "No talking." So I whispered. My verbal logistics were well-rewarded with the only time-out I ever had in school. I explained that whispering is not talking, but she was having none of it.
In a poorly worded segue, let's transition to a deposition. In 2010, an Ohio Supreme Court case contained a ten-page argument over the meaning of the word "photocopier" from a deposition of the head of IT of a county recorder's office. You can watch a verbatim reenactment of the transcript here. It is well worth the time, for attorneys, IT, or laymen. Both sides seem slightly ridiculous, but also logical.
Second poor segue alert (but stay with me...it all comes together): That is a problem we have with technology and law. We use terms that when in question can have minute differences that matter. The word makes sense. The concept makes sense. People generally understand what the intent is with the law, but when trying to determine whether a specific technology or its use falls within or outside the law, it becomes quite complicated.
For example, let's play off the transcript above. If there is a rule that a document cannot be photocopied - we know it means no copying of the document, right? Or does it? Does it mean no photostatic copies - or no digital scanning? Or, who knows, someone may have an old carbon copying machine lying around just waiting to be used to circumvent the new rule.
Words have meaning and technology is testing the ultimate limits of the words used in our current laws. Courts do their best to interpret law based on its intent, but that intent can usually only be present if the way in which something functions can be imagined (Constitutional wording aside - that is a whole 'nother argument). And sometimes, if the intent can be inferred - or is even explicit - the wording of the law/rule/regulation/guidance is so ambiguous that the courts can do nothing but decide against what seems to be fair to a layman.
This is where data protection and privacy seem to reside. Technology and its resulting misuse far outstrips the incremental changes in law. We're not even talking cigarette boats vs. paddle boats. We're talking hummingbirds vs. platypuses (platypi was incorrect). They exist on the same world and breathe the same air, but they probably do not play well together - seriously, a platypus could squash the hummingbird, but the hummingbird moves too fast for the platypus to catch. Hummingbirds might not even notice the platypus exists! Hummingbirds are stunning to observe and need to keep moving. Platypuses need to be protected and well-grounded. One can absolutely exist without the other, but both need to co-exist with humanity. (wow, this analogy really works all the way through for technology and privacy.)
(and five-year-olds who play with words just might become attorneys.)
Tuesday, April 29, 2014
Tuesday, April 22, 2014
InBloom: Seeded before its time
Yesterday, inBloom (a non-profit education software company) announced its plans to wind down operations over the next few months due to objections by parents and legislators. Adults became concerned about putting too much information into this database (400 fields), such as students' social security numbers, details about school withdrawals, and family relationships. This month, New York passed legislation prohibiting its department of education from providing data to aggregators (like inBloom).
In mid-November of last year, parents in New York petitioned for a restraining order against the state department of education preventing them from providing student data to inBloom. Parents cited that providing this information was a dramatic departure from the then current practice and seemed to be taking steps backwards in terms of privacy.
inBloom describes its mission and goals as:
"a set of shared technology services that includes a secure, multi-tenant data store and middleware for identity management and data integration . . . designed to help School Districts and State Educational Agencies provide educators, parents, elementary and secondary school students with learning data from many sources and connect them to relevant instructional resources to support personalized learning through inBloom. The service also helps State Educational Agencies in evaluating federal- and state-supported education programs."
The goal was to provide "districts and states as a utility for them to more easily synchronize and transfer data, including student personally identifiable information (PII), across the various learning applications they deploy to teachers, students, and families."
So now it ends. inBloom is Out.
But let's think about this for a few moments...
Is the population of the United States seriously considering the privacy rights of its vulnerable citizens? What?? This turns my privacy meter on its head. Since when did we care what information we share as long as no one gets hurt? What harm can come from this type of data aggregation? It's not like inBloom was going to turn over its education records to the department of child services to show that certain students had certain educational challenges - or home challenges that interfered with education. Data would not be misused or misinterpreted, right? Or shared with watchdog groups or even governmental agents who would put a spin on the data that might adversely affect students, families, school districts, or state funding, right?
Good googli moo
Thursday, April 10, 2014
Privacy: Don't let it go (our take on the ubiquitous song)
Information is shared around the world today
With a few data laws to be seen
One might wish for regulation
So do I, the Privacy Queen
Companies collect data like a swirling storm inside
Couldn’t keep them straight, heaven knows we’ve tried
Don’t let them in, don’t let them see
Be the private person you always want to be
Conceal, don’t reveal, don’t let them know
How much do they know?
Don’t let it go, don’t let it go
We can stop it furthermore
Don’t let it go, don’t let it go
Block cookies and slam the door
Someone should care
What they’re going to say
The argument rages on
Cause breaches don’t bother them anyway
It’s great how some countries protect personal data by law
And the companies that once controlled it can’t get to it at all
It’s time to see what we can do
To test the limits and break through
Do right, not wrong, pass data laws
For all
Don’t let it go, don’t let it go
Pass some laws and rules
Don’t let it go, don’t let it go
Scrap those data tools
Take a stand, the data stays
Let your rights rage on
Big data flurries through the web and into the ground
Information spirals in millions of bits all around
And one thought crystallizes like an icy blast
Data is rarely deleted – the past is never past
Don’t let it go, don’t let it go
New uses rise like the breaking of the dawn
Don’t let it go, don’t let it go
Once given, that data’s gone
Take a stand
In this big data reign
Should data brokers rage on?
Privacy never stopped them anyway
Thursday, April 3, 2014
Job Security?
In 2013 at the IAPP fall conference, Lisa Sotto (a renowned privacy and cybersecurity attorney with Hunton & Williams and member of the Board for IAPP) remarked during an open session to the attendees that if she heard one more person exclaim "Job Security" she might have to punch them - I may be paraphrasing. I think she was kidding. But she was not exaggerating the repetitiveness of the sentiment by the attendees.
Is there job security for privacy professionals? Probably yes. Oh, what the heck - let's abandon the pretense of being objective: yes. Yes. YES! The world of privacy and data protection is growing by leaps and bounds. And not just in one area of the globe. Privacy and data protection is growing everywhere.
You may recall the somewhat recent headlines containing words like Snowden, NSA, and leak. These headlines, or rather the actions behind them, have created some additional headlines involving European Union and U.S. trade. I will not address whether Snowden is a hero or a traitor - or whether what he did is even right or wrong. The end result is that the European Commission and various data protection authorities seemed to question their faith in the U.S./EU Safe Harbor program.
I do not really believe that the EU will completely withdraw its determination of the adequacy of the Safe Harbor program, if only because international trade would suffer tremendously. But on the other hand, I would not brush off their concerns either. Recently, the U.S. FTC Commissioner and the U.K.'s Information Commissioner signed a memorandum of understanding to work together to protect the privacy rights of consumers. Rather contemporaneously, the FTC initiated actions against 13 U.S. companies for violations of their safe harbor certification statements, as this author wrote about in an earlier post. So international cooperation is on the table and probably not disappearing anytime soon, although there is a lot of work to be done.
Which segues rather nicely back to job security. Privacy is probably the hottest area of law right now, but privacy professionals cannot allow themselves to get cocky or complacent. We must be strategists and visionaries; we must foster understanding and better understand the business case; and we must see the trees and the forest. Privacy law is growing faster than any one person can track. There are multiple think tanks and watchdog groups dedicated to the topic.
I laugh - usually out loud - when I hear other compliance professionals complain that they run from fire to fire. We all do. It's the nature of compliance. I dream of a day when I am notified that some area is suffering a drought and we can proclaim a high alert for the potential for fire. And even ban burning. Ha. Are you following me in this analogy? Privacy professionals are like the forest rangers on lookout towers. There is a lot of landscape to watch, we are usually alone, we have to track winds, investigate smoke, and be able to call the troops when needed....but only when needed.
It's not glamorous. It's a hard job, but someone needs to do it. In fact, lots of someones need to do it.
If I were to counsel someone who was interested in either entering the privacy profession or growing within it, there are three things I recommend:
- Learn the technical aspect of the job. Yes, there are Information Security Professionals who generally originate in IT, but it would benefit the privacy professional to learn to speak intelligently about the technology.
- Partner with the Information Security professional. This person should be your other half. They need to respect your knowledge and be able to depend on you and vice-versa.
- Never think you know it all or that you are an expert. There is simply too much untested in the courts and much too much being changed every day - from laws to technology.
I would not proclaim job security except when joking. Half the time I am afraid I am failing at the job because there is so much to do. The other half does a victory dance when a co-worker knows what the letters PII mean. It's the small things that make me happy - and the big things that keep me employed.