New Trade Regulation Rules - The Quest for Data Privacy and Security

Written by Tony Ogden

Expansive commercial surveillance practices, poor data security, and the absence of uniform and comprehensive privacy and data security protections prompted the Federal Trade Commission (FTC) to publish an advance notice of proposed rulemaking (ANPR) and request public comment on the pervasiveness of commercial surveillance and data security practices that harm consumers. The FTC recently extended the deadline for comments. Silent Quadrant previously provided comment, and this note summarizes some key points.

New trade regulation rules or other regulatory alternatives would set standards on how companies (1) collect, aggregate, protect, use, analyze and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive. It’s imperative to act in the face of evolving data privacy laws and questions related to data security, collection, use, retention, and transfer of consumer data and consent.

Data Security

The U.S. woefully lags behind other countries (and several states) in protecting citizen data. While some call for the FTC to wait until a federal privacy law passes, the time for public debate and action by the federal government is long overdue. Though rulemaking may not substitute for legislation, it can improve the current losing game in which neither individuals nor the law can keep up with the pace and scope of data collection.

New trade regulation rules would establish a baseline for business expectations and obligations to the benefit of U.S. consumers. Moreover, the FTC has authority to issue trade regulation rules, “which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce.” It’s time to shift the perspective on privacy from what is most convenient for businesses to what offers the greatest consumer protection.

Data collection, retention, and poor internal controls leave personal information vulnerable to unauthorized access. While the FTC is justified in implementing security obligations and should require minimum data security measures, I urge caution against a new set of standards. The federal government has established Minimum Security Requirements for Federal Information and Information Systems as well as Standards for Security Categorization of Federal Information and Information Systems. These standards, while applicable to federal information systems, could be adapted for the private sector and the Commission could incentivize their adoption. Creating a new set of standards would confuse, complicate, and diminish data protection efforts.

The point to underscore here is standardizing a general trade regulation rule across sectors while avoiding a sector-specific-only approach. Many sectoral laws emerged long before today's technology innovations and reacted to then-relevant risks and threats, but they do not adequately address evolving data privacy issues in today's increasingly digital environment. There might be additional requirements for certain sectors, but a baseline across all sectors would prove quite valuable.

Existing privacy rules, such as HIPAA, place the burden on individuals to know what and how to manage their data and to navigate the plethora of notices and obligations associated with each. Consumers simply ignore the notices without considering the privacy or security impact. Trained lawyers have a challenging time navigating the minefield, so why would we think the average consumer could or should do better? It is time to take a fresh look at appropriate safeguards that support consumer awareness through a privacy-first approach. Meaningful change is possible through this rulemaking.

Collection, Use, Retention, and Transfer of Consumer Data

Three concepts underpin data privacy and should be mandatory provisions. These concepts are also foundational for establishing #DigitalTrust and should be a priority regardless of the outcome of any rulemaking.

The first is data minimization, which provides that the collection, processing, and transfer of information should be limited to what is reasonably necessary, proportionate, or required to provide the service requested by the consumer or individual.

Second, adopt tighter restrictions and prohibit data practices regarding sensitive information. If it is not required, prohibit the collection, processing, or transfer of social security numbers, biometric information, nonconsensual intimate images, and genetic information.

Third, require privacy (and security) by design. Rules should address implementation of reasonable data collection, processing, and transfer policies and practices that mitigate privacy risks (most certainly for minors, if applicable) related to the design, development, and implementation of business products and services.

Data protection requirements must account for the rights of the individual or consumer – the data subject. Placing the rights of an individual or consumer first is key to promoting privacy by default. If privacy by default is in fact a goal of this rulemaking, consumers must be empowered to make simple, universal choices regarding their personal information and to withdraw consent at any time without undertaking a complicated process to do so.

Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
