Privacy Advisor

The 2013 Privacy Forecast

February 1, 2013

By Brian Dean, CIPP/US

Hopefully my foggy crystal ball outperforms the 12/21/12 Mayan prognosticators. 2013 promises to be a landmark year as it relates to the privacy and security of consumer information. Specifically, we will see increased complexity of breaches and elevated enforcement action but no meaningful federal privacy legislation. New technologies and business models will alter the risk posture for consumers as businesses seek to maximize big data revenue potential. It is through that lens that I forecast privacy and security challenges for businesses, privacy professionals, security practitioners and ultimately consumers who tend to have the most at stake but the least leverage. And now, the Second Annual Top 10 Privacy Trends, 2013 rendition.

10. Big Data, No Diet in Sight

Yottabytes of personal data has already been collected. I like to think that it is used for legitimate business purposes. OK, in case you don’t wear a pocket protector, traditional storage units go from bytes, to kilobytes up to yottabytes! The fact that a yottabyte holds 10 to the 24th power or 1,000,000,000,000,000,000,000,000 bytes of data isn’t important. The fact that we already have terms for storing that much personal data is alarming. This includes data collected by the government. For example, The New York Times reported that the National Counterterrorism Center (NCC) has a program to copy and analyze U.S. citizen government files; e.g., casino lists, U.S. residents hosting foreign exchange students, flight records, for possible criminal behavior. Didn’t Jack Bauer work for the NCC?

9. Your Privates Are Public

Consumers will continue to display a willingness to give up privacy for convenience. Consumers will skip the lengthy privacy policies, term and conditions, and just click “Accept.” But in their defense, I recently read such a notice on my iPhone 5; and even with the increased 16:9 ratio four-inch retina screen, the disclosure was still 37 screens! While reading the disclosure, my eyes glazed just past the “giving up my first born” clause.

8. Shussh, We’re Hunting Wabbits

Tracking is lucrative—monitoring where you are, what you purchase and where you are when you make purchases enables effective marketing. Even Mickey Mouse is aggregating your vacation data. Disney’s new MagicBands is Big Data on steroids. Guests on property no longer need park tickets, hotel room keys, attraction express passes or even credit cards. Instead, the MagicBand has an embedded RFID chip; simply wave past a reader. Nice, my kids can buy bottled water without my credit card. (Take off mouse ears, put on privacy hat.) They are using RFID chips to track you, your kids, your spending habits, your location, how long you spend dining, what time you get back to the hotel, etc.

7. A Face Only a Mother Could Love

Expect technology and innovation to continue to outpace regulations. For example, Facedeals, developed by Redpepper, uses strategically placed cameras to scan your face, correlate to your buying patterns and offer you tailored discounts by sending coupons to your smartphone while you are in the store. It raises some interesting philosophical questions. Can they offer deals to minors? Can government officials or police tap into the system to find people of interest? Will the system record co-shoppers? Imagine the guy shopping with his girlfriend, only to have his wife see the correlation. Anyhow, passive facial recognition is only one example. Your smartphone is really a tracking device that just happens to double as a phone.

Predictions 2013
By Kirk Nahra, CIPP/US
  • The plaintiffs’ class-action bar will continue to hammer away at the “no damages” line of cases in potential privacy and security breach situations. They will get some help from the FTC, which will pursue cases from an enforcement perspective that entails broader concepts of consumer harm. But, for class-action litigation, the non-damages line will continue to hold strong, absent very unusual cases where identifiable harm occurs.
  • Mobile devices will become an enormous continuing problem for companies in virtually all industries, as the tension between ease of use and data security will create real ongoing problems.
  • Similar issues will arise about the cloud—the appeal, from an economic perspective, will directly collide with data security and privacy concerns.
  • Although no one really knows what the eventual EU rules will look like, companies across the globe will overreact over the next few years and increasingly try to impose draconian contractual provisions in a wide variety of circumstances.
  • Enforcement will increase in a meaningful but not enormous way, both in number of cases and severity of sanctions.

Kirk J. Nahra, CIPP/US, is a partner at Wiley Rein LLP in Washington, DC.

Read more by Kirk Nahra:
HIPAA’s unanswered questions

6. Belt and Suspenders

Keeping our breaches up: The belt and suspenders, dual-control approach, isn’t sufficient in protecting personally identifiable information (PII). Breaches and stealthy, sophisticated extractions of data continue to increase. Ponemon reports that 94 percent of hospitals polled suffered a data breach in the past two years. Recall HITECH/ARRA promises of saving billions in healthcare cost? One of the premises behind the projected cost savings is requiring protected health information (PHI) to be stored in a specific electronic format. No privacy concerns here, unless you recently visited www.privacyrightsclearinghouse.com. Of the 606 million records reported lost or stolen since 2005, 24 million contained PHI.

5. The Biggest Loser: The Losses Continue To Mount

Many employers still lack proper controls for Bring Your Own Device (BYOD) tablets, smartphones, USB drives. Plus, already ubiquitous mobile applications continue to proliferate, and so do their vulnerabilities. But what data can be gleaned from a phone? Contacts, Facebook details, calendar entries, geolocation; Oh, and blood pressure, cholesterol and blood glucose levels. Really? Yes. For example, last year the FDA approved a smartphone-mounted blood glucose meter application. Anyhow, portable media will continue to be the number-one source of data breaches. OK, I didn’t use my crystal ball for this one; I used a rearview mirror.

4. Show Me the Money

The healthcare industry will continue to see additional scrutiny and regulatory oversight. Expect more fines and settlements. After all, the HHS HIPAA audits were only funded for 2012; ongoing programs need to be self-funding. Keep in mind HITECH included business associates.

3. Mobile Privacy

We already covered smartphones, but what about the trend of wireless medical devices? For anyone who hasn’t recently been in a surgery suite, excluding those under general anesthetics, mobile technology significantly improves the surgeon’s ability to treat patients. Many of these devices use wireless technology and many are on Windows platforms. Fortunately, they are FDA-approved; unfortunately, often patches can’t be applied because the FDA won’t allow timely changes. What devices? Drug dispensers, insulin pumps, heart monitors, etc. So, you are saying some hacker in Pakistan may be able to exploit known security vulnerabilities because the patches are not applied?

2. Forecast – Mostly Cloudy

More data will be migrating into the stratosphere. HITECH’s Meaningful Use expedites the migration. OK, no crystal ball needed here, but the troubling part: In a 2010 Ponemon survey, only 31 percent of hospital officials reported they have confidence in preventing and detecting patient data loss. So to recap, regulatory requirements are hastening the migration of everyone’s medical information into large databases that the business owners of those data stores are fairly confident are not secure. The data is often used for medical fraud and identity theft. That may explain why when my wife went to the doctor last month for her annual checkup, her medical records stored in the cloud indicated she is recovering in Albania from her vasectomy.

And the #1 Privacy Trend for 2013: Summer 2013

Some things never change; as security controls improve, end users continue to be the weak link. Passwords like “summer13” will be used by seven percent of the population. How many times have I seen the chief information security officer and privacy officers dutifully implement hundreds of thousands of dollars of security controls, only to have my team ethically hack their network in less than two hours? The CPO asks, “We have everything locked down. How did you get in?” Our ethical hacker responds, “I gained access using the password “summer13.” Just so you know, we hacked in last year using “summer12.” Looking forward to “Summer 2014.”

In conclusion, Big Data gets bigger; the cloud expands, all while data owners question the security of the data. As a consumer, I am concerned because I am unsure of the amount of data collected, the correlations of big data and how it’s protected. As a privacy professional, I am concerned because businesses may be trying to do the right thing with the safeguarding and usage of data, but competing business priorities and complexities of data protection are daunting. The win-win paradigm has security and privacy professionals working with their business executives to employ constraints on the insatiable appetite for collecting yottabytes of PII while improving the security controls.

Editor’s Note: For more predictions on what the year ahead could mean in the privacy sphere, see “2013 to be the year of mobile regulation?” by Phil Lee, CIPP/E.

Brian Dean, CIPP/US, is the privacy officer and manages the audit and compliance team at SecureState. Prior to SecureState, he served in various positions including CPO, HIPAA officer, GLBA officer, regulatory liaison and senior IT project manager. His background includes expertise in risk management, strategic planning, resource management, project management, software development and implementation, vendor management and process reengineering. He is a member of the IAPP Publications Advisory Board and co-chairs the Cleveland KnowledgeNet.

Read more by Brian Dean:
Body scanners ignite privacy debate