In the latest Draft of the “Commercial Privacy Bill of Rights Act of 2011,” the first Title, “Right to Security and Accountability” is actually quite short – in fact, the Right to Security section contains just 53 words. The key provision reads, “…to require each covered entity to impose reasonable security measures to protect covered information it collects and maintains.”
First, what is a “covered entity?” The Act defines a covered entity to be: any person that collects, uses, transfers or maintains covered information concerning more than 5,000 individuals during any consecutive 12-month period. Keep in mind; a “person” can also be a corporation, non-profit organization, or any other entity that the Federal Trade Commission has authority over.
What this says is that the Act will affect just about every size and type of organization that collects records on more than 5,000 people a year. That is huge in terms of scope!
Next, what is “reasonable security?” This is fairly easy to define, although it may seem vague. In law, the “reasonable standard” is often deemed to be a standard for what is fair and appropriate under usual and ordinary circumstances.
Here, the industry (both hackers and security vendors) will play a significant role in helping to define what is “reasonable security.” Certainly having a firewall is a start. But, is a firewall from 2003 “reasonable” by today’s standards? Possibly not. Given that hackers are more sophisticated than ever and utilize extremely nefarious techniques that constantly evolve, the traditional firewall from even a few years ago may not be sufficiently capable to meet today’s reasonable security needs.
Next we answer what is “covered information.” Covered information means personally identifiable information (PII), unique identifier information (UII) and any information that is collected, used or maintained in connection with PII or UII that may be used to identify an individual.
Some industry regulations, such as PCI DSS, have similar requirements, so for many businesses this is nothing unusual. The Act specifies that home addresses, email addresses, telephone numbers, cookies, user IDs, as well as the usual suspects of social security numbers or other government issued identifiers are all “covered information.”
Bottom line: Personal privacy is worthy of protection, which is exactly what this Act aims to achieve. The scope of this Act will certainly mean that nearly every business will have to, at a minimum, reexamine their security posture to ensure that they are reasonably secure. In the wake of the Epsilon breach, the “Right to Security” seems unquestionable. What remains, then, are the questions of the other provisions in this Act, and what they mean to consumers and businesses.
More to come on part two, where we examine the second half of Title I, “Right to Security and Accountability.” There we analyze the impact of “accountability.”