European Union archives - IT Compliance Advisor

Jun 26 2009   2:14PM GMT

National data privacy law coming; Big Brother, already here

Posted by: Linda Tucci
CIO, data privacy, HR 2221, European Union, FTC, compliance

Momentum seems to be growing for a federal electronic data privacy law that would pre-empt the 44 state data breach notification laws already on the books and that is more in line with European data privacy laws.

“If you work for an information broker, you definitely should be paying attention to this,” said Miriam Wugmeister, who chairs the global privacy and data security practice at law firm Morrison & Foerster. “But if you’re just a CIO at a national retail chain or at a financial institution, then this really is not that different.”

With this important caveat: The bill, like laws in states such as Massachusetts and Oregon, is moving toward what Wugmeister calls the next evolution in data privacy — a preventative approach with specific requirements for protecting data in the first place.

The proposed federal electronic data privacy bill, known as H.R. 2221, was introduced in April with little fanfare but is generating a bit more buzz in the wake of recent hearings on Capitol Hill.

Last week, representatives of the nation’s biggest brokers of online information — Google, Yahoo — appeared before House subcommittees on communication and consumer protection to answer questions about behavioral targeting, the tracking of users’ online behavior for various kinds of gain. Debate focused on the conflict between the individual’s right to privacy online and the advertising industry’s ability to make money.

Privacy advocates argued that most Internet users don’t understand the extent to which their online behavior is being monitored or how much electronic personal identifying information (PII) is being collected by large data brokers, such as Yahoo and Google. Nor are users aware of their ability to opt out of these data collection systems. Therefore, users need regulations that would require their consent to be tracked — or an opt-in (not opt-out) provision.

Advocates for the advertising industry argued these provisions would upend an industry already seriously weakened by the economic recession.

Another aspect of the law, if passed, would strengthen consumers’ ability to access and correct any personal information collected by businesses.

“In the U.S., unlike in the European Union, we don’t typically have the right to call up Amazon and say, ‘Tell me everything about me,’” Wugmeister said.

For CIOs at businesses that do not collect PII for sale to others, Wugmeister has two pieces of advice.

“If I were a CIO, I would read Massachusetts,” she said. The Massachusetts law is among the nation’s most stringent for data protection and is proactive, requiring a comprehensive written security program and employee training. It also applies to any business, in or out of the state, that collects personal identifying information from a Massachusetts resident.

“The other thing you could read is the federal safeguards rule of the FTC,” she said. The rules are forming the consensus used by enforcement authorities, including the drafters of this bill, she said.

As for the increasingly anxious discourse on online behavioral tracking by data brokers, Wugmeister is a bit more mystified. “Those profiles of us for our offline behavior already exist. Every time you walk with your cell phone you are constantly transmitting your location. Your cell phone carrier has a log of every place you’ve been. Every time you use your credit card, there is a record of every place you’ve been and every place you’ve shopped.” In other words, Big Brother is already here.

In the coming months, I’ll be writing a lot more about H.R. 2221 and other IT compliance and security topics in weekly news articles for SearchCompliance.com. Let me know what compliance issues you’re grappling with and what kinds of information would be useful.

Jun 23 2009   7:16PM GMT

Booz Allen wins Open Enterprise Award for collaborative environment

Posted by: Alexander Howard
Booz Allen Hamilton, Human resources, Social Enterprise, PeopleSoft, business, European Union, Intranet, open enterprise, collaborative environment, Enterprise 2.0, E20

Booz Allen Hamilton won the Open Enterprise Award for 2009 at the Enterprise 2.0 Conference in Boston today for its innovative internal collaborative environment. The Open Enterprise research project, led by Stowe Boyd and Oliver Marks, conferred the award on a company that was “truly transforming their organization at its core through deep, enterprise-wide adoption.” Walton Smith, a senior associate at the Virginia-based consulting firm, presented “hello.bah.com” to the crowd.

[Photo: Walton Smith at Enterprise 2.0]

Smith described how Hello was built around people, focusing on connecting associates to each other and activity streams to profiles. According to Smith, more than 40% of the firm has added content to the system, rapidly forming connections with one another. Booz Allen Hamilton used agile development to create their Enterprise 2.0 platform, a methodology that now allows the team to roll out a new function every two weeks. Smith said that “functionality is driven by the users.” One upcoming feature, for instance, will allow users to rank and rate the quality of content entered into the system.

One initial roadblock that Smith noted was human resources, which viewed itself as the “official source” of data. In fact, the new intranet actually allowed employees to clean up bad data entered by HR into PeopleSoft on the back end.

When asked about security and compliance concerns – critical to a consulting firm that deals with government data or works with corporations with sensitive intellectual property – Smith noted several aspects of the system that are designed to prevent data leaks. First, only Booz Allen employees are allowed on Hello – not contractors. Second, data that comes under regulatory compliance actually resides in SharePoint, which Booz Allen uses for document-based collaboration for restricted content. Users can link to content from blogs, Confluence wikis or other pages but are confronted with an access control layer. Within the restricted environment, familiar compliance tools used in knowledge management are employed, like access management, monitoring and logging.

Smith is aware of the possibilities for a data breach, noting that “our weakest link is our people – we spend a lot of time making sure they know which tools to use.” He’s also cognizant of potential regional compliance issues, such as European Union laws that require employees to opt in before information like pictures or work history is shared with others.

The creators of Hello also had thought through employee departures. Smith allowed that departures weren’t “so much of an issue, given the economy,” but that there is a process in place. When someone moves on, a banner is added to the top of his or her profile page indicating the departure. That person won’t show up in the dropdown menu, which only includes active employees for searchers, but the profile page itself, including connections and intellectual property created for Booz Allen, remains.
