An interesting interview on SearchCIO about data storage, privacy, regulation, and the implications for the IT industry. I am always impressed when I find someone involved in IT academia who also apparently has a good grasp of business practicalities – although in this case Dr. Bohn comes from a business background and has moved into IT.
I like this quote:
Bohn: First thing they always want, and this bill now is something of a response, at least, is clear national-level standards and legislation so they don’t have to enforce a multiplicity of laws, some of which will conflict, in each state where they do business. Even achieving that requires effort and is by no means guaranteed. The Specter-Leahy bill preempts state legislation, but of course preemption is also controversial because some states have stronger laws than the national versions, typically California. That’s the absolute first thing they should be aiming for.
We need comprehensive hearings and stepping back and thinking about this for a few years instead of all this piecemeal legislation done in isolation where we end up having all these terrible Catch-22s and frauds come to light — for example, as a result of California’s legislation, at times criminals have signed up as fake companies and extracted data and paid for data in seemingly legitimate ways, but they’re really a front organization using data for ID theft. The new bill would allow even more access to databases through the provision of allowing users to see what data a company has on them.
It’s the old conflict — any time you give access to people you make data less secure. On the other hand, the motivation behind that provision is clear and reasonable…
It acknowledges that business actually needs a cogent set of rules to follow while pointing out the difficulties involved in trying to standardize this sort of thing. I’ve heard a lot of criticism of Specter-Leahy, primarily because it waters down SB 1386, but I’m enough of a realist to know that what we think is a good idea here in California isn’t going to gain nationwide acceptance… and that’s not necessarily an indicator of Big Business Having Its Way.
Maybe in 20 years we’ll all be issued a government ID at birth based on a retinal scan and use that to encrypt all our information. But, of course, that will raise other problems, won’t it.
Personally, I find the idea of a pervasive government ID to be horrifying. There are some distinct advantages, however… I’d be interested in hearing what Dr. Bohn’s risk analysis of such a program would look like (edit – he’s against it, see the comments).
For example, if you’re a hotel chain, you have information on frequent flier numbers, credit card numbers, names and addresses, personal preferences, who shared the room with a patron. They’re now going to have to think about the differences between that info and who will have access to it, who will want access to it …
…and (a major disappointment that this isn’t mentioned here, although that may be an editing decision on the part of the interviewer) whether or not the hotel chain ought to want to have that information in the first place. This analysis has been absent in almost all of the articles about SOX, HIPAA, GLB, et al. that I’ve read. Institutions, as a whole, are approaching data privacy regulation issues from the standpoint of, “How can we protect ourselves from exposing this information that we have gathered?” instead of “What information that we have is valuable enough to us that we ought to try and keep it?”
Data storage has become so cheap that people now regard data as something to be stored by default. Finally, regulations are forcing business to start to perform actual analysis on how valuable this data is, and take responsibility for guarding it. However, most businesses are starting their analysis *still* at the “data is something to be stored by default” premise.
Unfortunately, I don’t know of any way to force companies to stop collecting and collating all the information they can grab without assigning actual substantive penalties for data breaches. I think that this will eventually occur in the US, however, and intelligent CIOs and IT professionals ought to start pushing their business compatriots towards rethinking information storage.