Consumer Privacy Bill of Rights
The Consumer Privacy Bill of Rights (CPBR) was proposed as a draft bill by President Obama on 27 February 2015. The CPBR is intended as a law that will govern the collection and dissemination of consumer data. The Obama administration re-introduced the CPBR as an enhancement to the Data Security and Breach Notification Act of 2015 which requires organizations to disclose data breaches in a timely manner to mitigate the risk of identity theft (Chernichaw & Freeman, 2015). This paper will explore the key provisions of the CPBR, related legal cases where the CPBR could have applied, explore how the CPBR could affect consumers and business, and discuss safeguards that would be used by organizations upon implementation of the CPBR.
Consumer Privacy Bill of Rights Background
Kerry (2015) states that the Edward Snowden leaks have brought about concerns among the public regarding government surveillance, and has also brought attention to how much electronic data can be collected and how much it can reveal about a person. Additionally, a rash of highly publicized cyber-attacks and data breaches that have affected organizations such as Target, Sony Pictures, and Anthem, has created anxiety among consumers about the vulnerability of personal information. As a result, it has brought to light an acute need to renew global trust in the United States government protection of privacy and in the companies that operate under U.S. privacy law. Currently, forty seven states have breach notification laws in addition to other federal laws that govern the protection of private information, but it has been noted that there are gaps in these laws due to the increasing proportion of electronic data collection that falls outside currently existing privacy laws. The CPBR is intended to fill in these gaps and provide a federal government established baseline standard for the protection of private information (Kerry, 2015).
Consumer Privacy Bill of Rights Key Provisions
The current discussion draft of the CPBR was submitted to the U.S. Senate with the last formal action on the bill performed in April of 2015 (Congress.gov Bill 1158, 2015). The following are the major key provisions of the current discussion draft:
- Transparency: Covered entities are required to provide individuals with concise, conspicuous, and easily understandable notices that provide accurate, clear, and timely information about the entities’ privacy and security practices. This provision specifies requirements for notices to include; information about retention practices, disclosures, and mechanisms for obtaining access to personal data (Whitehouse.gov CPBR Act, 2015, pg.6-7).
- Individual Control: Covered entities are required to provide individuals with reasonable means to control the processing of their personal data that are proportionate to the privacy risks. The provision defines privacy risk as “the potential for personal data, on its own or when linked to other information about an individual, to cause emotional distress or physical, financial, professional or other harm to an individual.” The provision requires that covered entities provide individuals with the means to withdraw consent to the processing of personal data (Whitehouse.gov CPBR Act, 2015, pg.7-8).
- Respect for Context: A covered entity is required to processes personal data in a manner that is reasonable compared to its context. Context would be determined by evaluating the interactions between an entity and individuals and what reasonable individuals would understand about the covered entity’s practices. The provision states that “covered entities shall provide individuals with notice regarding personal data practices that are not reasonable in light of context at times and in a manner reasonably designed to enable individuals to decide whether to reduce their exposure to the associated privacy risk, as well as a mechanism for control that is reasonably designed to permit individuals to exercise choice to reduce such privacy risk”. A privacy risk analysis would include; reviews of data sources, systems, information flows, partnering entities, and data and analysis uses. Exceptions for certain data analysis is governed by FTC-approved industry Privacy Review Boards that can exempt covered entities from providing heightened notice and individual control where the Privacy Review Boards supervise data processing that is otherwise not reasonable in terms of context (Whitehouse.gov CPBR Act, 2015, pg.8-10).
- Focused Collection and Responsible Use: Covered entities are permitted to collect, retain and use personal data only as is reasonable in the context that it will be used. Entities are required to delete, destroy, or de-identify personal data within a reasonable time after collected data has served the purpose for which it was collected (Whitehouse.gov CPBR Act, 2015, pg.10-11).
- Security: Covered entities are required to secure personal data against loss, compromise, alteration, and unauthorized use, or disclosure. Furthermore, entities are required to conduct security risk assessments and implement reasonable security safeguards (Whitehouse.gov CPBR Act, 2015, pg.11).
- Access and Accuracy: Covered entities would generally be required to provide individuals, upon request and proper identity verification, with reasonable access to the personal data about them that entities have collected and control. Entities are required to take reasonable and appropriate steps to mitigate related associated privacy risks and ensure that personal data held by entities is accurate (Whitehouse.gov CPBR Act, 2015, pg.12-13).
- Accountability: Covered entities would be required to provide training to employees, conduct privacy assessments, adopt privacy policies and procedures, require those working with personal data to use the data consistently with the entities goals and policies, and take reasonable steps to ensure compliance with the all provisions of the CPBR (Whitehouse.gov CPBR Act, 2015, pg.13-14).
- Enforcement and Civil Penalties: The FTC is responsible for enforcing the CPBR on a federal level. The bill makes provisions for State Attorney General’s to also enforce the bill with notification provided to the FTC. Civil penalties for violation of the bill are calculated by multiplying the number of days that the covered entity violates the Act by an amount not to exceed $35,000. The total civil penalty determined by the court shall not exceed $25,000,000 (Whitehouse.gov CPBR Act, 2015, pg.14-16).
- Safe Harbor: The Secretary of Commerce may convene interested stakeholders, such as members of industry, civil society, the public safety community, and academia, to develop codes of conduct. Covered entities that adhere to this code of conduct can apply to the commission for Safe Harbor. Covered entities that can demonstrate that they have maintained a commitment to adhere to the Commission-approved code of conduct shall have a complete defense (Whitehouse.gov CPBR Act, 2015, pg.17-20).
Related Legal Proceedings Discussion
Currently the United States does not have a single comprehensive federal law that covers consumer information privacy and security. Instead it has enacted several industry specific laws, for example; the GLBA and HIPAA that cover personal information privacy for financial information and health information. For this reason most states have enacted their own data privacy and security laws that cover gaps on how to handle private information and its security. The issue is that the provisions and penalties of these laws can vary from state to state (Grama, 2015, pg. 248). The CPBR is intended to fill in the potential gaps not covered by existing federal and state laws, and establish a single baseline standard for the protection of private information (Kerry, 2015). Since the CPBR has not been implemented as law yet, there are no historical cases or case studies directly related to the bill. The following case studies examine a few privacy related incidents where provisions of the CPBR would have been beneficial to the protection and securing of consumer private information.
Related Legal Proceedings Case Study (1), Sony Pictures.
On 21 Nov, 2014, Sony Pictures Entertainment executives received extortion emails from a cyber criminal group warning of an attack. On 24 Nov, 2014 Sony discovered internal documents, emails and movies had been leaked and that it had lost control of its IT network (Tamir, 2015). Apparently hackers targeted Sony employees in Russia, India and other parts of Asia with spear-phishing e-mails to which a malicious PDF document was attached, which included a remote-access Trojan. After some Sony employees opened the PDF file, their PCs became infected with the malware, and the hackers used this to gain access to the Sony Pictures network. The hackers provided Sony with samples of stolen documents, emails, and other data that proved to be authentic. The hacking group claimed to have initiated the attack because of a movie titled “The Interview” which portrayed the country of North Korea in an unflattering light. The attackers sent the warning message demanding that Sony pull the movie from release. When Sony failed to pull the movie release by the allotted time specified by the attackers, the hacking group proceeded with the attack (Schwartz, 2015).
In this case most of the publicity and target of investigation was related to intellectual property and company business data that was exposed. It was noted that since Sony was not a health care organization or a type of financial institution, there wasn’t a requirement for Sony to meet a specific and detailed regulatory requirements for data security involving personal data even though a very large quantity of the data exposed was personal in nature. This included documents, correspondence, and salaries of employees, as well as other private information about staff and actors. While Sony faces regulatory action and lawsuits from former employees, most of the attention and negative business implications have nothing to do with personal data (Nahra, 2015).
In Corona v. Sony Pictures Entertainment, Inc., No. 14-CV-09600 (RGK), U.S. District Judge R. Gary Klausner approved a settlement between Sony and 15,000 current and former employees for an undisclosed amount of money. Sony still faces potential liability for negligence based on its three-week delay in notifying its employees of the data breach, as well as statutory claims under the California Confidentiality of Medical Information Act and the Unfair Competition Law (Hunton Privacy Blog Sony, 2016).
There are still many questions that remain unanswered about this case today to include questions about Sony’s information system security at the time of the breach. The most important item of note though is that most federal and state investigations into the incident are not related to the personal information that was exposed. It is also of note that any future potential liability is only partially being pursued using the California Confidentiality of Medical Information Act and the Unfair Competition Law. There is no other legal mechanism in place that applies specifically to information privacy on its own that can be used in the Sony case (Hunton Privacy Blog Sony, 2016). Since the Sony breach did not fall under specific existing industry laws such as HIPAA or GLBA, the possibility of any legal penalties being leveled against Sony for the exposure of staff personal private information is still unclear and being explored (Nahra, 2015). The information privacy loopholes revealed in this case are an example of where a law like the proposed CPBR would cover the exposure of the staff’s private information related to this breach. The employees would still have the option of pursuing civil suits, but Sony would also still be liable for penalties under the CPBR. Furthermore, if a law like the CPBR was implemented, it specifies that Sony would have a legal obligation to protect this private information and compel them to implement security safeguards to protect private information, even the private information of its employees.
Related Legal Proceedings Case Study (2), Uber
The popular ride-sharing service Uber has been the target of several complaints alleging the exposure of the private data of its customers and drivers the past few years, and is currently involved with many lawsuits. Currently, Uber uses a technology that is referred to as “God Mode” which Uber claims is an application that allows them to track all Uber customers in real time. However, it has been reported that Uber often used this function as entertainment for parties, showing the Ubers in a city and the silhouettes of waiting Uber users who had flagged cars. One party attendee reported that real-time information was used and as a result individuals were identifiable. It has also been reported that it is not just employees who have too much access. A reporter for the Washington Post interviewed for a job at Uber in 2013 and was given unrestricted access to customer data for an entire day, just as if he were an employee. The data collected by Uber during the normal course of business to include; name and credit card information are private information protected by many existing privacy laws. The issue in these cases is that other private information is routinely being misused, and this misuse is not covered by many state information privacy laws. Additionally, since Uber is not a health related organization or a financial organization, federal laws such as HIPAA and GLBA do not apply (Mueffelmann, 2015).
On 22 June, 2015, the FTC filed a “Complaint, Request for Investigation, Injunction, and Other Relief” against Uber related to the privacy infractions described above. The filing states that Uber has ignored the FTC’s prior decisions, and their current actions threaten the privacy rights and personal safety of American consumers. The filing further states that Uber continues to ignore past bad practices of the company involving the misuse of location data, an action that poses a direct risk of consumer harm (Epic Uber Injunction, 2015).
The Uber case is a good example of why laws such as the proposed CPBR need to be implemented. The CPBR contains provisions that specifically address much of the misuse described in this case, specifically, the provisions for Transparency, Individual Control, Focused Collection and Responsible Use, and Security.
The Transparency provision requires organizations to provide individuals with concise, conspicuous, and easily understandable notices that provide accurate, clear, and timely information about the entities’ privacy and security practices. Something Uber currently does not do.
The Individual Control provision requires organizations to provide individuals with reasonable means to control the processing of their personal data that are proportionate to the privacy risks. The provision defines privacy risk as “the potential for personal data, on its own or when linked to other information about an individual, to cause emotional distress or physical, financial, professional or other harm to an individual.” The provision requires that covered entities provide individuals with the means to withdraw consent to the processing of personal data. The “God Mode” application can be used to provide accurate location information on Uber users. As such this information is private. Uber sharing this information with other customers exposes this private information. Additionally, Uber does not provide customers a method to “opt-out” of being tracked by the application.
The Focused Collection and Responsible Use provision states that entities are permitted to collect, retain and use personal data only as is reasonable in the context that it will be used. Uber using data collected by the “God Mode” application for entertainment purposes would violate this provision.
The Security provision would specifically cover incidents such as allowing prospective employees to have unrestricted access to private information of its customers. This provision would also provide instruction for safeguarding private information (Whitehouse.gov CPBR Act, 2015, pg.6-11).
Impact of the CPBR on Information Security Safeguards – Security Provisions
The CPBR Security provision (Whitehouse.gov CPBR Act, 2015, pg.11), states that safeguards must adhere to several sub-provisions that are as follows:
- “Identify reasonably foreseeable internal and external risks to the privacy and security of personal data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information”.
- “Establish, implement, and maintain safeguards reasonably designed to ensure the security of such personal data”.
- Regularly assess the sufficiency of any safeguards in place to control reasonably foreseeable internal and external risks. Evaluate and adjust safeguards as required. Make any material changes to operations or business arrangements as required to ensure compliance.
The provision further states that the reasonableness of the safeguards that a covered entity adopts must account for: the degree of the privacy risk associated with the personal data under the covered entity’s control, the foreseeability of threats to the security of such data, widely accepted practices in administrative, technical, and physical safeguards for protecting personal data, and the cost of implementing and regularly reviewing such safeguards (Whitehouse.gov CPBR Act, 2015, pg.11)
Impact of the CPBR on Information Security Safeguards – Discussion
The first item noticed about the Security provision of the CPBR bill in its current form is that it does not reference any specific standard or law. It simply states that safeguards must meet “widely accepted practices in administrative, technical, and physical safeguards for protecting personal data”. The Safe Harbor provision states that there is to be the creation of codes of conduct that would be overseen and approved by the FTC, but this code of conduct has not been created yet (Whitehouse.gov CPBR Act, 2015, pg.17-20).
Lustigman & Solomon (2015) state that the largest impact of the CPBR if implemented would be on organizations such as online marketers, retailers, service, and sales oriented businesses, since they often do not fall under many of the existing privacy laws such as HIPAA and GLBA. Organizations that currently fall under existing laws usually already meet compliance standards of the CPBR. The implementation of the CPBR would force the sales and retail organizations mentioned above to change their privacy policies and how they currently handle and secure private information.
A safeguard baseline standard could reasonably be derived from the health and financial industries governed by laws such as HIPAA and the GLBA, or, generated using guidelines provided by the National Institute of Standards and Technology (NIST), and The International Organization for Standardization (ISO). NIST computer security publications for example are a widely-recognized as a standard for information security guidelines that identify key security web resources to support users in industry, government, and academia (NIST Computer Security, n.d.).
Since most organizations that are subject to existing federal and state information privacy laws use publications from organizations such as NIST, these publications would be a good source to use in the implementation of security safeguards required by the CPBR.
Impact of the CPBR on Information Security Safeguards – Safeguards
The following are security safeguards that can be implemented to meet CPBR Security provisions using NIST publications as guidelines:
- The Transparency provision requires organizations to provide individuals with concise, conspicuous, and easily understandable notices that provide accurate, clear, and timely information about the entities’ privacy and security practices (Whitehouse.gov CPBR Act, 2015, pg.6-7). Technical safeguards are not well suited to enforce this provision, an administrative safeguard such as a policy would work best. The NIST 800-14 provides guidelines that can be used to generate policies and procedures (Swanson & Guttman, 1996, pg.11-15).
- The Individual Control provision states that entities are required to provide individuals with reasonable means to control the processing of their personal data that are proportionate to the privacy risks. In the case of this provision, a means would have to exist that allowed users to access private information held by the entity. One privacy concern would be authentication. An example technical safeguard could entail an online authentication where a user would need to provide two-part authentication.
- The Respect for Context, Focused Collection and Responsible Use, and Access and Accuracy provisions, would be best addressed with policies and procedures as outlined by NIST (Swanson & Guttman, 1996, pg.11-15).
The overall objective of security safeguards is to protect private information. This process requires a method for determining risk and exactly how an entity handles privacy, determine which safeguards are in place and how effective they are, and what additional safeguards need to be put into place. The CPBR Security provision instructs that entities must conduct risk assessments which would satisfy the need to identify risks and implement security safeguards against these risks. NIST Publication 800-30 provides guidance on how to organize and conduct risk assessments, as well as guidance on implementing controls (Gallagher. NIST 800-30, 2012, pg.4-38).
Upon research and examination of the proposed Consumer Privacy Bill of Rights bill it appears that the provisions proposed do in fact fill in many gaps and loopholes in privacy laws. In the cases of Sony and Uber, it clearly shows that much of the private information exposed in these incidents did not fall directly under existing federal and state laws. The CPBR would provide a baseline standard that would fill in the gaps not already covered. The law is proposed as one that sets a standard, but it is important to note that it will preempt current and future state privacy and security laws (CDT, CPBR, 2015).
The CPBR initially appears to be an excellent proposal, but it does have a few areas of concern in its current form. Sullivan (2015) discusses the political environment that surrounds the law and also discusses the alternative Consumer Privacy Bill proposed after the CPBR by Senators Leahy and Franken. This particular proposal goes a few steps further than the CPBR in regards to not requiring demonstration of harm before notice (Sullivan, 2015). This lack of vision and direction appears to be slowing down the passing of either bill while legislators work them out.
Another primary concern of the CPBR includes penalties for violation. Penalties in the bills current form are for amounts not to exceed $35,000 per incident (Whitehouse.gov CPBR Act, 2015, pg.14-16). If these penalties were to be applied to very large organizations, the $35,000 per incident for a violation is not much of a deterrent.
Overall the proposed CPBR appears to have the potential to be a valuable law that fills in private information protection gaps, however, in its current form, it still has a few issues that need to be resolved or it will be in danger of becoming an ineffective law.
More privacy and censorship news can be found at Online Censorship News
CDT, CPBR. (2015, March 02). Analysis of the Consumer Privacy Bill of Rights Act. Retrieved June 16, 2016, from https://cdt.org/insight/analysis-of-the-consumer-privacy-bill-of-rights-act/.
Chernichaw, A., & Freeman, B. (2015, April 08). White House Re-Introduces Consumer Privacy Bill of Rights Act. Retrieved May 05, 23, from http://www.whitecase.com/publications/article/white-house-re-introduces-consumer-privacy-bill-rights-act.
Congress.gov Bill 1158. (2015, April 30). S.1158 – Consumer Privacy Protection Act of 2015. Retrieved June 13, 2016, from https://www.congress.gov/bill/114th-congress/senate-bill/1158/action.
Epic Uber Injunction. (2015, June 22). Complaint, Request for Investigation, Injunction, and Other Relief. Retrieved June 15, 2016, from https://epic.org/privacy/internet/ftc/uber/Complaint.pdf
Gallagher. P. NIST 800-30. (2012, September). Guide for Conducting Risk Assessments. Retrieved June 16, 2016, from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
Grama, J. L. (2015). Legal issues in information security (2nd ed.). Boston, MA: Jones & Bartlett Learning.
Hunton Privacy Blog Sony. (2016, April 18). Federal Court: Sony Pictures Data Breach Class Action Settlement Approved. Retrieved June 15, 2016, from https://www.huntonprivacyblog.com/2016/04/18/federal-court-sony-pictures-data-breach-class-action-settlement-approved/.
Kerry, C. (2015, March 06). We need a Privacy Bill of Rights. Retrieved May 27, 2016, from http://thehill.com/blogs/congress-blog/civil-rights/234741-we-need-a-privacy-bill-of-rights.
Lustigman, A., & Solomon, A. (2015, March 12). An overview and the impact of the Consumer Privacy Bill of Rights. Retrieved May 27, 2016, from http://www.insidecounsel.com/2015/03/12/an-overview-and-the-impact-of-the-consumer-privacy.
Mueffelmann, K. (2015, February). Uber’s privacy violations a cautionary tale for others. Retrieved June 14, 2016, from http://www.financierworldwide.com/ubers-privacy-violations-a-cautionary-tale-for-others/#.V2G3xbsrKHs.
Nahra, K. J. (2015, March). Lessons to Be Learned from the Sony Breach. Retrieved June 13, 2016, from http://apps.americanbar.org/buslaw/committees/CL925000pub/newsletter/201503/fa_2.pdf
NIST Computer Security. (n.d.). Computer Security Resource Center (CSRC. Retrieved June 16, 2016, from http://csrc.nist.gov/.
Schwartz, M. J. (2015, February 04). Report Claims Russians Hacked Sony. Retrieved June 13, 2016, from http://www.bankinfosecurity.com/report-claims-russians-hacked-sony-a-7873?rf=2015-02-04-eb&utm_source=SilverpopMailing&utm_medium=email&utm_campaign=enews-bis-20150204%20%281%29&utm_content=&spMailingID=7476382&spUserID=NTQ5MzMyMzQ1ODIS1&spJobID=620402043&spReportId=NjIwNDAyMDQzS0.
Sullivan, B. (2015, April 30). Will the New Consumer Privacy Bill Protect You? Retrieved June 16, 2016, from http://blog.credit.com/2015/04/new-consumer-privacy-bill-protect-115438/
Swanson, M., & Guttman, B. (1996, September). Generally Accepted Principles and Practices for Securing Information Technology Systems. Retrieved June 16, 2016, from http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
Tamir, D. (2015, February 05). Who Hacked Sony? New Report Raises More Questions About Scandalous Breach. Retrieved June 13, 2016, from https://securityintelligence.com/who-hacked-sony-new-report-raises-more-questions-about-scandalous-breach/.
Whitehouse.gov CPBR Act. (2015). Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015. Retrieved May 23, 2016, from https://www.whitehouse.gov/sites/default/files/omb/legislative/letters/cpbr-act-of-2015-discussion-draft.pdf