The Global State of Privacy
IAPP's Hughes on the Hot Topics Driving New Laws and Careers
Privacy professionals need to figure out how to use big data to do the most powerful things while still protecting it, says Trevor Hughes, president and CEO of the International Association of Privacy Professionals.
"That's a tough balance," he says in an interview with Information Security Media Group [transcript below]. "The bad news is that there's no single answer to this; there's no law, technology [or] smart person who's going to write a white paper that's going to answer the challenge as to how we resolve privacy in big data."
The good news: security and privacy professionals are getting better at understanding and assessing the risks associated with big data, he says.
"[Everyone is] embracing better privacy knowledge so they can do those risk assessments," Hughes says.
In an interview about the 2014 State of Privacy, Hughes discusses:
- The privacy impact of the recent Target and Neiman Marcus retail breaches;
- Why this is the best and worst time for privacy;
- New career opportunities for security and privacy pros alike.
Hughes is an attorney specializing in e-commerce, privacy and technology law. In his role as President and CEO of the IAPP, Hughes leads the world's largest association of privacy professionals. Hughes has testified before the U.S. House and Senate commerce committees, the U.S. Federal Trade Commission and the EU Parliament on issues of privacy and data protection, spam prevention and privacy-sensitive technologies. He is a member of the first class of Certified Information Privacy Professionals (CIPPs) and is co-author (with D. Reed Freeman, Jr.) of "Privacy Law in Marketing" (CCH Wolters Kluwer, 2007).
The Global State of Privacy
TOM FIELD: How do you assess the current state of data privacy?
TREVOR HUGHES: I guess I have to use a literary reference here. I think it is the "best of times and the worst of times." I think we are enjoying some of the greatest focus on the issue of privacy that we have seen certainly in many decades and perhaps ever in human history. We are more aware of issues associated with privacy and investments. Enormous investments are being made into managing privacy so that we meet not only the expectations of the law, but also the expectations of consumers and citizens.
On the other hand, it's also the worst of times. I don't think we can look at the news today and say that privacy is the healthiest it has ever been. NSA disclosures, concerns associated with emerging technologies and about the transition of data between the government and private sector; these are weighing very heavily on society right now. I think we are struggling to figure out how to balance these issues and how appropriately to respond to them.
FIELD: What are your biggest concerns about data privacy today?
HUGHES: One of the greatest concerns I have with regards to privacy today is the public policy gap between the bleeding edge of technology and the leading edge of public policy. Put really simply: Laws, regulations, self-regulatory standards and even social norms cannot keep up with the march of technology. We are trailing by many years, if not decades, behind what technology is doing with our data. In that public policy gap, that distance between what technology is doing with data and how our laws and regulations guide privacy, we have a lot of risk. We have societal risk; things happen that are unexpected and that we may not like. We have organizational risk; companies get sued and fined. They find that their customers abandon them in that public policy gap. So my greatest concern isn't so much about the invasive nature of any particular technology, or even the NSA issue that we see playing out in the media; rather, it's the difficulty that we're having right now in keeping up with Moore's Law and the march of technology.
Progress Being Made
FIELD: Where do you see progress has been made regarding privacy in the past year?
HUGHES: Clearly we have made real progress in many areas when it comes to privacy. Now I can't say that we've made enormous progress on the public policy front. We see debates emerging around the world on how to do a complete renovation of privacy law, and we can certainly talk about that. But one of the places that we've seen real progress is the evolution of privacy within organizations from a near-compliance function to a real programmatic management function. In that way, we are seeing privacy permeate across the entire enterprise. We have seen the development and adoption of really powerful tools like privacy impact assessments, data flow audits, and data classification. We've seen metrics and measures emerge so that companies can understand how well they are doing against their stated goals with regards to privacy. Privacy has moved from being something that just lawyers talk about to something that every single person inside an organization who touches data should at least be thinking about, if not actively managing.
Addressing Privacy Impact of Breaches
FIELD: How do organizations need to anticipate and address the privacy impact of such breaches?
HUGHES: The first thing that we need to note about these retail establishments, Target, Neiman Marcus, and allegedly others, is that these retail companies were in fact victims, that this was criminal activity going on. It's difficult to categorize data breaches as one big category, one big set of a single thing. Data breaches come in many shapes and forms. Comparing, for example, the Target breach to a company that loses a laptop that happens to have a database on it, those are qualitatively different things. I think organizations today, from an information security perspective, need to recognize not just the risk that they are under, but the inevitability of some of these breaches: the likelihood that a laptop or flash drive with a database on it is lost. All of those qualify as data breaches, and all of them can have real privacy consequences. So for most organizations, I think we would say you need to be preparing not for the possibility, but the eventuality of a breach. It will happen to you, and you should be prepared for it.
The other thing is that it is not just an information security question. Data breaches go far beyond just the technical and control measures you have in place to protect the data, and they really speak to the relationship that you have with the customer. That is the area where privacy professionals have a great deal of experience and knowledge, so making sure that it is a cross-functional plan that you put in place where not only the information security team, but also the privacy team and others are participating in how you respond. The good news out of everything that we've seen with these retail breaches, and what we see in the marketplace today, is that more and more organizations are recognizing the need to create a real risk plan, a real data breach response plan, and expecting that they will need to use it at some point.
FIELD: How must we now exhibit even greater responsibility over big data?
HUGHES: I think it's one of the most critical questions that we have. We talk about big data all the time and about data as the new oil. Data is of enormous value and we are creating more and more of it. The ability for what Viktor Mayer-Schonberger and Kenneth Cukier had called algorithmists to analyze that data and extract greater value from it is really powerful as we look into the years ahead. But it comes with a cost. If indeed data is the new oil, well there is a by-product of that. In the industrial era, that by-product was pollution. In the big data era, that by-product is concerns associated with privacy. As we look ahead to this new technology, I think what we need to be doing is trying to figure out, how do we allow data to do the most powerful things for us while still protecting us? How do we balance concerns associated with privacy and recognize where harms or concerns may arise? That is a really tough balance and it is good and bad news.
The bad news is that there is no single answer to this, there is no law, technology, and no really smart person who is going to write a white paper that is going to answer the challenge as to how we resolve privacy in big data. But the good news is that multi-faceted dynamic risk environment is something that we are getting better and better at understanding and assessing. It needs to be understood and assessed day by day, minute by minute for every data use that you have. The privacy, information security, IT, HR, and financial services professionals, they are all embracing better privacy knowledge so they can do those risk assessments. So what does all of this mean? It means that information security and IT pros, anyone who touches data in a significant way, has to know enough about privacy so that they don't make stupid decisions in this big data world.
EU General Data Protection Regulation
FIELD: What do you see as the potential impact of the EU General Data Protection Regulation, if in fact it is enacted?
HUGHES: Six months ago we might have said that it had a sixty or seventy percent chance of being enacted or promulgated as a regulation in Europe. There has been some really strong political activity in the past three or four months, and the prognosis on this patient is probably less favorable than it was just a few months ago. I think many would say that it has far less than a 50/50 chance, and some would even say that it has no chance of being promulgated. So we need to watch that political process and be very aware of the likelihood of it passing or not.
If it passes, it will represent perhaps the most major legislative enactment in the field of privacy in the past 20 years. It will have an effect not just in Europe, but all around the world because of data transfer restrictions that exist in Europe. Without question, it will set a high water mark with regards to many concepts in the field of privacy, including ideas like the right to be forgotten. Any organization that is not paying attention to the proposed EU regulation should absolutely be assessing those provisions and thinking about what they mean to their organization.
But there is also the possibility that it doesn't pass, and if it [doesn't], we are left with existing law. Existing law is the EU data protection directive, which was passed in 1995. Now the notable thing about 1995 is that it was really the first year of the broad consumer internet and web. The directive was written and designed, and the framework was put in place, at a time when they could not conceptualize the web. They did not have smartphones. Geolocation was really not even a reality at that point, and certainly ideas like the internet of things and big data were so far away that no one writing any of those laws could have any indication as to how to address those things. The data protection directive sort of emerged and was almost immediately dated, and we need to be concerned about the data protection regulation not passing because that leaves us with a 1995 law, which really does not fully reflect the reality in which we find ourselves today. [It] will only show more friction in years ahead as it gets further and further behind that bleeding edge of technology that I've described.
U.S. Privacy Legislation
FIELD: What is the future for privacy legislation in the U.S. in your opinion?
HUGHES: We continue to see significant calls for privacy legislation. For decades now, advocates have been calling for broad-based privacy legislation. Increasingly, there are even industry voices calling for broad-based privacy legislation, and I think we're starting to see even from the White House currently a gradual softening to the idea that this legislation in the United States is a good thing. This is against a backdrop of what we would call sectoral or targeted legislation in the United States today. However, there really is not a lot of political will on Capitol Hill to achieve broad-based privacy legislation, and driving that type of consensus would require an enormous amount of political capital. It's just not clear whether any one party or individual is willing to invest that type of political capital into privacy legislation.
Or alternatively, many have said that it would require a privacy violation of such an egregious nature that Congress felt forced to act. On that front, I think it's really tough to imagine a privacy story any bigger than the NSA Snowden story, or a data breach any bigger than the one that we've recently seen with Target and other retailers. So, I actually discount the other possible triggers for privacy legislation; that idea that an Exxon Valdez moment of privacy where the data ship crashes on the rocks and has data spilling all over the place and it results in more restricted privacy legislation. We've seen those types of fact patterns and it has not resulted in more privacy legislation yet.
FIELD: How must security professionals approach privacy differently in 2014 than they have in years past?
HUGHES: This is perhaps the biggest message that I have, and that is privacy is going to be a major disruptive force in your field from this point forward. It has already been a disruptive force. The NSA and Snowden stories, the reality of data breaches crossing the information security field into the information privacy field, really the advent of new risks that information security professionals need to understand, means that information security professionals must have broad-based issue-spotting skills in the field of privacy in order to do their jobs in the future. I think for those who are looking forward and thinking proactively about this, it is a very good career move to make sure that you understand privacy today. For those who embrace it early, I think they will find that their upward mobility, their value to their employers, is that much higher. For those who don't embrace it today, my suggestion to you would be that within the next few years, your employer is going to be demanding it of you. Very soon, broad-based privacy knowledge for anyone who touches or protects data in a significant way is going to be a requisite. So the big message for information security professionals is that privacy is a part of your job now, and it's going to continue to disrupt those things that you do on a daily basis. There is no time like today to make sure that you understand it very clearly and can spot issues and address them appropriately or elevate them within your organization.
New Privacy Careers
FIELD: What do you see as the new top career opportunities for privacy pros and how can they best prepare for them?
HUGHES: The good news is that privacy is creating many career opportunities. To give you a sense of that, just last year the IAPP added 3,000 new members and those are new privacy professionals. We see really dozens, if not hundreds, of job postings on our job boards and around the world every single week and month. There are many opportunities for privacy professionals popping up all over the place. I think that the best compensated, most-upwardly mobile privacy professionals are going to be those who can translate legal and compliance standards, risk assessments within an organization, and IT and information security environments seamlessly or fluently. Being able to jump between those areas of the organization and have things make sense for all of those constituencies are skills that are hard to find in the marketplace today. There are lots of information security professionals, IT professionals, and lawyers and compliance professionals, but there are not many who understand the domains of privacy, technology and information security and can bring all of those things together in a cohesive whole. So my sense is that we will see lots of job opportunities emerge in the years ahead, and that there will be increasing price pressure elevating the salaries of those who bring together those various domains in a really powerful way. That is a strategic career move for someone. If you're in any one of those domains, privacy law and compliance, or IT, driving your knowledge out to those other domains is a really good career move.