Privacy Advisor

Notes From the Executive Director

November 1, 2007

Trust & the Internet

Earlier this month, the UK government flatly rejected calls for a security breach notification law — a move that angered the members of the House of Lord Science and Technology Committee. The committee pushed for such a law as part of a comprehensive package of changes it said was necessary to assure the continued success and confidence in the Internet.

The recommendations came after the committee undertook an analysis of the threats that have the potential to undermine consumer confidence in the Internet. The UK government's stunning rejection of the committee's premise ignores similar warnings advanced by privacy commissioners as well as companies such as Microsoft Corp. and Google.

In an iTnews column published the same day the news broke about the UK government's reaction to the committee's recommendations, IAPP Board member Peter Cullen, CIPP, Chief Privacy Strategist for Microsoft Corp., addressed the threat to Internet commerce in the absence of aggressive data security efforts. Cullen, drawing from a 2005 study conducted by Princeton Survey Research Associates International, noted that 30 percent of people in the U.S. "report to have reduced their overall Internet use due to concerns about identity theft, and nearly half of U.S. consumers have ‘little or no confidence' that organizations are taking sufficient steps to protect their personal data." He added that "each new report of a data breach" or loss or theft of personally identifiable information, "threatens to further erode public trust in the Internet and blunt the growth of online services and commerce."

But these concerns clearly are not unique to the U.S.

Consider a Unisys survey last month that found among consumers across eight European countries, UK respondents expressed the highest sensitivity when it came to an organization's ability to keep its data secure. The survey found that 81 percent of UK consumers cited an organization's ability to lock down its data as a key factor in building trust. Furthermore, the survey found that the UK lead with 76 percent of consumers taking the position that ineffective data privacy protection would erode trust.

Despite an emerging global consensus among many stakeholders and regulators, the UK government rejected the "suggestion that the public has lost confidence in the Internet and that lawlessness is rife." The government's response added that there was "an acceptable level of comfort with the technology."

Finally, the committee added that it was skeptical that a security breach notification law "would immediately lead to an improvement in performance by business in regard to protecting personal information" and that it failed to see how "it would have any significant impact on other elements of personal Internet safety."

It is at this intersection of disconnection that the IAPP will continue to serve its role by facilitating the discussion among the holders of these divergent opinions. One thing is abundantly clear: the debate will not abate!

J. Trevor Hughes, CIPP
Executive Director, IAPP