I read an article recently in the MIT Technology Review titled “Laws and Ethics Can’t Keep Pace with Technology”. It helped me to understand that laws naturally follow our actions and experiments and there can sometimes be a lag between the action and the law. As technology development cycles become shorter, I expect the lag to become greater as we wrestle with exactly what needs to be regulated and in what form. With that in mind, I started thinking about privacy and security. Specifically, what message are we sending to our lawmakers about privacy? Do our words match our actions? Are we asking for laws that we are not truly passionate about, at least in deed?
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 in response to a need to protect health information and to move patient information securely from doctor to doctor. The privacy and security standards themselves were not written into the 1996 statute; they were issued later by the U.S. Department of Health and Human Services (HHS) as regulations under it, with the Privacy Rule taking effect in 2003 and the Security Rule in 2005. According to HHS:
The Privacy Rule establishes national standards for the protection of certain health information. The Security Rule establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.
The Security Rule operationalizes the Privacy Rule for electronic protected health information and sets standards for maintaining and transporting patient data. This is a case where the privacy need was recognized early, but enforceable standards did not come to fruition until lapses in the security of patient information produced a strong call to action; only then were the standards formulated and established.
Current Privacy Debate
There are some serious lapses currently in how we handle customer or personally identifiable information (PII), such as credit card and Social Security numbers. I am thinking of TJX and the intrusion that lasted from mid-2005 until it was discovered in December 2006; TJX itself estimated that at least 45.7 million payment card numbers were stolen. More recently was the Target breach of late 2013, in which roughly 40 million payment card numbers and tens of millions of customer records were stolen. Target announced that it is moving to a more secure "chip and PIN" card system, but this is of little consequence to those Target customers who have already been affected. The barn door is open and the cows are out. Chip cards also only address part of the problem: they make stolen card data harder to reuse on counterfeit cards at the register, but they do nothing for online, card-not-present fraud, and they do not keep the retailer's own systems from being compromised. When breaches such as this happen, we are all outraged and there is a temporary furor, but then we go back to using the same card, downloading insecure apps and shopping at insecure websites. Are we really angry enough to ask for laws calling for stronger protection of our personal information? What if it inconveniences us? What if we could no longer find our best friend whose smartphone is constantly broadcasting their geolocation?
The Flip Side
I believe that there is a lot of complacency and apathy today in terms of privacy and security. There are a lot of apps that gather our personal information. They can and do so because we allow and enable them. Although flawed applications and flawed financial cards have become a way of doing business, there is a growing number of people who are concerned about their privacy and security. It is becoming difficult to find alternate paths that let us work and live in a secure world.
I don’t think that new laws are necessarily the best way to generate a sense of responsibility for our own security, but we need to stand up and vote with our feet and our pocketbooks to say, “I choose to keep my personal information private, and I will only deal with others that will do the same”. Let me know your thoughts.
Kelly Brown is an IT professional, adjunct faculty for the University of Oregon, and academic director of the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.