It’s been an interesting week in the world of regulatory compliance: Within the span of a few days, the FTC released a report recommending online privacy rules and the House approved the JOBS Act, which reduces regulatory compliance obligations for small and emerging businesses.
The FTC’s recommendations are part of a privacy report that expands on one originally issued in December 2010. It recommends companies improve consumer privacy by implementing privacy protections at every stage of product development and increasing transparency around the collection and use of consumer information. The FTC also recommends Congress consider privacy legislation, data security notification legislation and mandating a “Do Not Track” option for consumers to opt out of online tracking.
In another big piece of regulatory compliance news, the House approved the JOBS Act and sent it to President Obama for his signature. Under the JOBS Act, emerging companies — defined as those with at most $1 billion a year in revenue — would be exempt for five years from external auditors’ review of internal controls as stipulated under Sarbanes-Oxley requirements. It also lessens other compliance regulations that JOBS Act critics say provide checks on corporate misconduct.
An interesting aspect is that both of these issues take into account the burden of small businesses. In the FTC’s preliminary report, it recommended the proposed online privacy rules apply to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer or other device. But after “recognizing the potential burden on small businesses,” the FTC’s report concludes that the final framework “should not apply to companies that collect and do not transfer only nonsensitive data from fewer than 5,000 consumers a year.” As for the JOBS Act, proponents say loosening compliance regulations for small and emerging companies would boost the economy.
It’s admirable (and necessary) that the federal government is taking small businesses and their limited resources into account when developing these rules. But there are a few questions: Don’t these small and emerging companies have potential infractions? If they don’t have the resources to comply with online privacy rules and compliance regulations, doesn’t this lack of resources make them even more vulnerable? Instead of excluding these smaller and emerging businesses from the rules altogether, perhaps catering regulations to take their plight into account is a better answer. If not, we could be back in the same boat again in a few years, after these types of businesses are found to be in violation of rules designed specifically to protect consumers.
In recent months, both the European Union and the United States have made strides to protect online data privacy: In January, the EU adopted legislative proposals to reform its online data protection rules. A month later, President Obama released a “Consumer Privacy Bill of Rights” proposal.
The two countries believe there’s strength in numbers when it comes to online data privacy: In a joint statement delivered Monday at a conference on online data privacy and protection, the European Union and the United States committed to work together to maintain it.
Doing so will enhance consumer trust and promote continued growth of the global Internet economy, they say. This last part is important — anytime there’s the potential for new regulations to comply with, be it privacy or otherwise, at least some companies cry foul about how it will ultimately affect the bottom line.
“Both parties consider that standards in the area of personal data protection should facilitate the free flow of information, goods and services across borders,” according to a joint statement released by European Commission vice president Viviane Reding and U.S. Secretary of Commerce John Bryson.
And the two countries don’t want to stop there: They pledged to engage with other international partners to increase interoperability in privacy laws and regulations, as well as cooperate on enforcement. By creating “mutual recognition” privacy frameworks, the U.S. and EU hope they are just the beginning in steps toward privacy rules on a more global scale.
The two promised to build on the U.S.-EU Safe Harbor Framework, and the statement pointed out that since its inception in 2000, over 3,000 companies have self-certified to it. This demonstrates these companies’ “commitment to privacy protection and to facilitate transatlantic trade,” according to the joint statement.
The statement again mentioned the commitment to fostering business as well as privacy maintenance, and promised to use the Safe Harbor Network as a tool to promote economic growth.
As I stated before in this space, this buy-in and commitment to business is key to any privacy initiatives’ success. This is especially true if these online data privacy push continues to lack hard and fast privacy rules — and hefty fines for noncompliance. Until then, protecting consumer data privacy will largely be left up to the businesses themselves.
But judging by the U.S. and EU’s joint statement, universal online data privacy compliance may be on the horizon.
Electronic health record systems are often touted as a way to reduce medical costs, make personal health information easily accessible for patients and increase quality of care.
Not so fast, according to recent reports.
The push for electronic health record adoption has increased the number of health care data breaches and the costs to clean up after them, according to a report released by the American National Standards Institute. The report notes that even if an organization has effective policies in place to meet electronic health records system compliance, a lack of both resources and leadership support is a barrier to security.
Complicating the problem is that it’s no longer just traditional health care providers and billing organizations handling the data. More entities outside of hospitals and doctor offices (such as urgent care facilities, retail store clinicians and telemedicine offices) are using patients’ personal health information, increasing the likelihood for a breach.
The impact of a data breach can include monetary damage not only to the individual patient but also to the facility where the breach occurred, if the victim seeks reimbursement or sues for damages. The health care facility can also be subject to huge fines for violating compliance regulations.
Another recently published study, this one from HealthAffairs, is also related to the unexpected costs surrounding electronic health records systems, but of a different sort. The study examined the assumption that electronic access to patient test results and medical records saves money by reducing diagnostic testing.
HealthAffairs researchers analyzed the records of 28,741 patient visits to a sample of 1,187 physicians. They found physicians’ access to computerized imaging results was associated with a 40% to 70% greater likelihood of ordering (often expensive) tests. HealthAffairs researchers said the findings raise the possibility that electronic access does not decrease test ordering and may even increase it — as well as costs — possibly because of system features that serve as enticements to ordering.
So which is it? Are electronic health records system mandates a way to decrease health care costs, or are they actually making health care more expensive and personal information more vulnerable? The answer is somewhere in between, but providers need to be more vigilant about making their systems more secure and compliant with regulations. If not, the push to digitize personal health records will continue to cost patients and providers privacy, a lot of money and, ultimately, their reputation.
On the heels of proposed data protection reforms in Europe and the recently unveiled Cybersecurity Act of 2012, President Obama hopped on the bandwagon and last week proposed a Consumer Privacy Bill of Rights to protect personal information online.
Previous online consumer privacy legislation (and many other Internet-related laws, for that matter) have faced much of the same criticism: They either do not do enough to protect online privacy, or when they do it is at the expense of businesses that will spend too much time, money and resources trying to comply with the new rules. The White House promises that its proposal takes into account both sides of the equation by protecting online consumer privacy and economic growth.
The White House’s bill of rights pushes for consumer control over what personal data organizations collect and how they use it; transparency surrounding privacy and security practices; and “reasonable limits” on the personal data that companies collect and retain. In addition, a White House statement accompanying the Consumer Privacy Bill of Rights announcement noted that companies representing the delivery of nearly 90% of online behavioral advertisements — including Google, Yahoo, Microsoft and AOL — have agreed to comply with “Do Not Track” technology.
Buy-in from big names such as these will be essential to any online consumer privacy effort. The New York Times already reported that a mandatory “Do Not Track” mechanism may not stop as much online tracking as some may think. Until hard and fast rules with legal ramifications are implemented surrounding online consumer privacy, it will largely be left up to online businesses to decide how much their customers’ privacy means to them. If consumer privacy concerns are outweighed by the effects on the bottom line? One can only guess which side of the debate they would land.
One other big question surrounding the White House’s Consumer Privacy Bill of Rights proposal is that, well, it’s just a proposal. Congress would have to pass legislation to implement the rules as a law, and this would require time-consuming back and forth to debate the issue. It will be interesting to see what happens if large Internet-based companies realize business will be negatively affected by the new rules and decide to use lobbying influence to fight them. If they do, it’s an easy bet that any new online consumer privacy rules would end up watered down and leave room for more still more targeted rules to be proposed in the future.
After three years of hearings and negotiations, a group of Senate Committee leaders unveiled the Cybersecurity Act of 2012.
Under the new Cybersecurity Act, the Department of Homeland Security would assess the cyber-related risks and vulnerabilities of “critical infrastructure systems” to determine which should be required to meet a set of risk-based security standards. This would include those systems that, should they be disrupted, would cause mass death, evacuation or major damage to the economy and national security.
The Cybersecurity Act outlines several characteristics that stress it’s a public/private partnership, including:
- DHS would work with the owners/operators of designated critical infrastructure to develop risk-based performance requirements.
- The owners of a covered system would themselves determine how best to meet the performance requirements and then verify that they were compliant.
- The private sector and the federal government would actively share information surrounding threats, incidents, best practices and fixes, “while maintaining civil liberties and privacy.”
The senators were definitely not working in a vacuum — they made a conscious effort to curb criticism that plagued previous online security measures. The senators stressed that the Cybersecurity Act of 2012 “in no way” resembles the Stop Online Piracy Act (SOPA) or the Protect Intellectual Property Act (PIPA), and instead focuses on the “essential services that keep our nation running.” The Senators also omitted emergency authorities for the president, likely because of the backlash around the Internet “kill switch” proposed in an earlier version of the Cybersecurity Act.
But despite efforts to distance it from previous online security legislation, the new Cybersecurity Act is already facing criticism — some of it very familiar.
Opponents — including the Financial Services Roundtable and the U.S. Chamber of Commerce — have decried the act’s provisions and say it would create yet another burdensome, costly regulatory compliance mandate. Others are still concerned about the potential privacy implications the Cybersecurity Act could create — likely a hangover from the lengthy debate surrounding SOPA and PIPA from earlier this year.
So will the Cybersecurity Act of 2012 strike the right balance between protecting data and not hurt the companies it’s designed to help? The debate will begin in earnest tomorrow, when the Homeland Security & Governmental Affairs Committee will hold its first hearing on the Cybersecurity Act. The hearing is likely to address these questions and more, as it begins the latest chapter in the ongoing cybersecurity debate.
To speed the process, a federal district court judge has ordered an accelerated briefing schedule in response to EPIC’s complaint. The court gave the FTC until Friday to respond to EPIC’s complaints, and EPIC is required to respond to that by Feb. 21.
But Google has already started defending its compliance with the FTC’s original consent order: In a lengthy January self-assessment submitted to the FTC, Google’s legal counsel reported the company “is acting in a manner consistent with its public representations regarding the privacy and confidentiality of its covered information.”
Until these questions are answered, the questions surrounding Google’s online privacy practices remain.
After shooting down the Stop Online Piracy Act (SOPA), protesters opposing broad online antipiracy legislation have a new target: the Anti-Counterfeiting Trade Agreement. And this time, the protests are on a global scale.
The Anti-Counterfeiting Trade Agreement is designed to establish international standards for intellectual property rights enforcement. It establishes legal frameworks for targeting counterfeit goods, generic medicines and Internet copyright infringement. The agreement was signed by Australia, Canada, Japan, Morocco, New Zealand, Singapore, South Korea and the United States in late 2011. Last month, the European Union and 22 of its member states joined them.
But protesters — perhaps bolstered by the shelving of SOPA of Project IP — are not allowing the Anti-Counterfeiting Trade Agreement to go through without a fight. The international citizens group Avaaz is seeking 2 million signatures for a petition to drop the agreement (it already has 1.75 million). Last weekend, thousands of people marched in the Slovenian capital of Ljubljana to protest it. The worldwide protests have led some countries, including Poland, to delay the agreements ratification process.
Supporters of the Anti-Counterfeiting Trade Agreement say it would decrease pirating of copyrighted works. Intellectual property-based organizations such as the Motion Picture Association of America helped with its development. Protesters, however, say it is an assault on freedom of expression and that opinions from all sides were not considered in the negotiation process.
Do these traits sound familiar?
Protesters showed what can be done after legislators backed off of SOPA and Project IP following public outcry. Now, with the whole world watching, they’re trying to get their voices heard again.
When announcing its changes, Google said it was replacing 60 different privacy policies with “one that’s a lot shorter and easier to read.” Under the new policy, for the first time Google Account users could have their information cross-referenced among several of Google’s sites. By treating users as a single entity across Google products, Google said it can provide better search results, ads and other content.
Of course, like everything else surrounding big online security and privacy changes, these two announcements were not without controversy. Critics of the EU’s new data protection rules say complying would hinder Internet innovation and create expensive, unnecessary new regulations for companies. (These criticisms were similar to those surrounding SOPA and antipiracy legislation, and we all know how well that turned out.)
Speaking of legislators, some were quick to point out detriments to Google’s new privacy rules. Reps. Edward J. Markey (D-Mass) and Joe Barton (R-Texas) have already sent a letter to the FTC saying Google’s new policy violates the agreement the company came to last year after privacy questions arose around Google Buzz.
It was an eventful week for Internet-related antipiracy legislation, to say the least. After threatening for weeks, Internet giants such as Wikipedia and Google participated in a day-long “blackout” Wednesday in protest of the House of Representative’s Stop Online Piracy Act (SOPA) legislation and its Senate counterpart, PROTECT IP.
But did it work? After all, it’s not like the sites were completely shut down for 24 hours. Users could still access most of the sites participating in the protest; they just had to bypass literature outlining why the protesting sites equate SOPA and PIPA compliance with Internet censorship.
It definitely brought more attention to the controversial legislation, if nothing else. The blacked-out sites encouraged users to contact their legislators to protest the bills, and many did. Following the blackout, approximately 10 senators and nearly 20 House members announced their opposition to the antipiracy legislation as written, according to the New York Times. Among the flipped was Sen. Marco Rubio (R-Florida), one of the co-sponsors of PROTECT IP.
Today, Senate Majority Leader Harry Reid announced he was delaying a PROJECT IP vote scheduled for Jan. 24. House Judiciary Committee Chairman Lamar Smith (R-Texas) also announced a postponement of moving forward with SOPA antipiracy legislation “until there is wider agreement on a solution.” To help create this wider agreement, Christopher Dodd, chairman of the Motion Picture Association of America (MPAA), has called for a summit meeting between Internet companies and content distributors, in an effort to reach a compromise.
Until then, the protests keep coming: After the federal government shut down the website Megaupload and charged seven people with Internet piracy, the protest group Anonymous threw its weight around, briefly attacking and shutting down the websites of the Department of Justice, the MPAA and the Recording Industry Association of America.
So, it’s clear that the online antipiracy legislation fight is far from over. Legislators need to strike the right balance between the needs of critics who contend the legislation is unconstitutional, and the rights of those who want to protect their intellectual property.
Both sides (each with huge influence, by the way) have a valid argument designed to protect the way they do business. It will be interesting to see how legislators respond.
Just last April, Google Inc. settled Federal Trade Commission (FTC) charges that it used “deceptive tactics and violated its own privacy promises” to consumers when it launched Google Buzz in 2010. Now, some critics claim Google still hasn’t learned from its online consumer privacy mistakes.
In a letter to the FTC, the Electronic Privacy Information Center (EPIC) is pushing for an investigation because of more Google Search changes. EPIC said the inclusion in Google Search results of personal data, such as photos and contact details gathered from Google Plus, raises “concerns related to both competition and the implementation of the commission’s consent order.”
Under the settlement reached with the FTC in April, Google was required to implement a comprehensive privacy program and submit regular, independent privacy audits for the next 20 years.
“Google allows users to opt out of receiving search results that include personal data, but users cannot opt out of having their information found by their Google+ contacts by Google Search,” EPIC Executive Director Marc Rotenberg wrote in the letter to the FTC. “In contrast, Google allows content owners to remove pages from Google’s public search results.”
The EPIC letter also contends Google’s changes create potential antitrust violations because the company prioritizes its own content when returning search results.
In Google’s official blog earlier this week, Google fellow Amit Singhal wrote a lengthy post outlining and explaining the benefits of Google Search Plus Your World. Singhal touted what he called the new feature’s “unprecedented” security, transparency and control. The company has also posted accolades from analysts and consumers touting Google’s Search Plus Your World.
The FTC has yet to comment publicly on EPIC’s letter and call for another investigation into Google’s online consumer privacy practices. But it’s worth noting that the last couple of times EPIC made similar complaints against high-profile Internet companies, it resulted in privacy-related FTC settlements for both Google and Facebook with the FTC.