Dazed and Confused: A Call for A National Privacy and Security Framework

Tuesday 4 April 2006
BusinessWeek Online has a good commentary article, Dazed and Confused: Data Law Disarray, discussing the current state and practical realities of dealing with privacy and security breaches by businesses.

The article concludes by calling for "uniform federal privacy and data security legislation to create a baseline of privacy protection for consumers and to provide businesses and organizations with a uniform set of standards on which to build their protection practices."

I've assisted clients with weaving through the web of state and federal privacy and data breach reporting requirements and can attest to the "stop light analogy" used in the article.

Below is an excerpt of the stop light analogy from the article:
. . . What now? Who needs to be told? Customers? Government regulators? You call in the lawyers, but they tell you they will need a day or more to figure out what the reporting obligations are.

The lawyers explain that there are more than 20 federal, state, and local laws and regulations that govern the reporting obligations, and some are quite different from others. New laws are being passed every month. The lawyers say the road ahead is perilous.

Then they make the traffic signal analogy to help you understand. They tell you to imagine you are driving down the street. At the approaching intersection, instead of just one traffic signal, there are three lights, each with a different instruction.

Should you stop at the red light? Slow down for the yellow light? Proceed under the green light? Needless to say, at this strange intersection, chaos reigns. There are confused drivers, anxious passengers, and angry cops. Here is an accident waiting to happen.

PATCHWORK QUILT. The lawyers' point? On the information superhighway, when it comes to the rules on privacy and data security, businesses are like the confused motorist at the intersection of mixed signals.

In the absence of a uniform federal privacy law, well-intentioned lawmakers and regulators from around the country have, in an episodic manner, created rules to address the growing misuse of personal information and the loss or theft of sensitive data files. The result is a hodgepodge of overlapping, conflicting, and occasionally incomprehensible laws and regulations. . .