by Paul Rubell, Esq.
Big data is disruptive technology. As a result, cloud computing poses both legal and practical challenges to privacy and information security.
The digital location of data is essential to its warehousing, use and manipulation.
This is not a new phenomenon. “Name, rank, and serial number” was the axiomatic way that the Army sought to minimize the disclosure of military secrets and private data – yet by design, it also disclosed a modicum of personally identifiable information; namely, one’s name, rank, and serial number.
Today, the law tries to keep up with the rapid pace of technology, but it cannot.
Legislation compels companies, governments, healthcare providers, and financial institutions to adopt Big Data and to deploy protective measures.
The litany of statutes that aim to urge the adoption of cloud technology and, at the same time, to protect corporate secrets and individual privacy grows by the day. It includes these:
- HIPAA and the HITECH Act (electronic medical records and their privacy and security);
- Stored Communications Act (data at rest);
- Electronic Communications Privacy Act (data in transit);
- EU Privacy Directives;
- Digital Millennium Copyright Act (anti-circumvention provisions).
The solutions to legal privacy problems can only be legislated so far. Businesses need to deploy smarter technology to protect their own information and that of their customers, B-to-B and B-to-C alike.
Technology providers need to rethink and retool their security measures continually. How is it possible that vulnerabilities occur on a daily basis in software applications created by global developers such as Microsoft, Oracle, and Adobe?
It is always the weakest link that poses the greatest threat to secrecy and privacy and security.
Therefore, identifying weak links must be a mission-critical priority.
The recent credit card breach at Target stores was caused by an outside vendor’s sloppiness. But said another way, it was Target’s sloppiness in its selection and oversight of its outside vendor that enabled the breach to occur.
Similarly, weakness in cloud security can lead to the disclosure of private information that belongs solely to a business, an individual, or a government.
Without politicizing the incident, the Edward Snowden debacle highlights how security lapses at one layer can lead to the unauthorized disclosure of confidential information.
Snowden, Booz Allen, or the US government: who facilitated the secrecy leaks? Was it the person (Snowden) who illegally took data and released it publicly and purposefully? Or did the lapse really occur when Snowden’s employer, Booz Allen, failed to take appropriate measures in hiring him and maintaining his security clearance? Or – did the United States of America deploy enough safeguards to oversee the actions (and inactions) of its vendor, Booz Allen?
Cybersecurity and the law need to work together, not at cross-purposes.
If corporate policy doesn’t require encrypted email and frequent changes of hard passwords, it really doesn’t matter what the law says.
If security and privacy are not enforced from a criminal as well as civil standpoint, runaway hackers will be emboldened.
Unless social media precautions are taken, trade secrets and personal information can leak like a sieve.
The solution is clear. The technology, business, government, and legal communities need to work hand in hand if homeland, business, and personal security are to be protected.