Moving back to the Washington, DC area after almost 10 years away, I’m finding a lot of cloudy activity in the halls of justice.
Let me go on the record and say that I’m not aware of any modern society that has thrived without the rule of law. Law is needed, yet it is impossible to ever get it exactly right. Bad rules can be counterproductive, encouraging the negative behavior they are meant to reduce. The Basel II Accord, which promulgated the quantification of operational risk, arguably encouraged financial service firms to take greater risks by giving them a justification mechanism.
2010 is looking like ‘The Year of Privacy’ in the US Federal Government. H.R. 2221, the Data Accountability and Trust Act (DATA), was voted on by the House and has been read at the Senate, where it is currently under committee review. A parallel bill in the Senate, S. 1490: Personal Data Privacy and Security Act of 2009, was approved by committee, but appears to have been superseded by the House’s somewhat eponymous DATA bill. Up to a dozen other proposed bills nibble away at identity theft, social security number conventions, and the use of PII, so clearly the legislative branch has an appetite for this issue.
DATA and S. 1490 require more than just breach notification. Organizations with PII must take proactive efforts to control private information, expecting “the Federal Trade Commission (FTC) to promulgate regulations requiring each person engaged in interstate commerce that owns or possesses electronic data containing personal information to establish security policies and procedures.” It is no coincidence that the FTC has begun a series of roundtable discussions on the privacy implications of new IT practices and technologies, including social networking and cloud computing.
The FTC would become the primary regulatory body responsible for determining and enforcing appropriate standards of PII protection for all public and private data stores, including multi-tenanted cloud-based SaaS applications. Given that there is not yet any consensus as to how to assess the relative risks associated with this new technical and computing model, this will be a significant challenge for the FTC.
The Brookings Institute held a governance studies event in January on Cloud Computing for Business and Society. In his keynote speech, Microsoft’s Brad Smith strongly suggested the need for regulations on cloud computing. This is not a new theme for Microsoft. Ray Ozzie suggested similar ideas last year during a Gartner interview (http://www.gartner.com/research/fellows/asset_240159_1176.jsp). I don’t want to second-guess Microsoft’s motivations in lobbying so consistently for a larger Federal presence in their new business area, but one interpretation could be that they expect regulations to function as a barrier to market entry, reducing competitive pressures in the cloud.
Skepticism over commercial influence aside, I’m encouraged that attention is being given to the privacy risks of new computing models, and to privacy regulations. The continued utility of the Fair Information Practice Principles is one of the topics at the FTC Roundtables. A quarter century after the establishment of these principles, it is clear that they fail in ensuring socially desirable levels of control over PII. I’m not the only one who feels that the consumer choice and consent principle has become counterproductive, essentially providing commercial organizations with a legal out, while providing consumers with virtually no choice but to consent to whatever banks and other institutions choose. Confronted with 4 pages of legal jargon from their bank, the consumer has no choice but to go on record as having agreed to it. This is neither choice nor consent–it is tantamount to coercion.
Such a regulation allows the institution to wash their hands of the matter–at least until a breach occurs. Then all they need do is send a letter to their customers, notifying them of the breach, and again, they can wash their hands of it. At worst, the institution picks up the tab for some credit reports, and suffers a week or two of negative PR. Once lawyers learn to leverage the letter of a law, turning a hoped-for minimum standard into a legally-mandated maximum level of effort, then the regulation works against the people it was meant to protect.
I’m concerned that we’re going to legally mandate the application of last century’s standards and practices (SAS 70, FISMA, etc.) to new computing models that we have only begun to understand. I’m in favor of revisiting the US privacy regulations, but it would be premature to apply them to cloud computing in any highly specific way. Commercial and government entities that want to store PII in unproven multi-tenanted services should be held accountable if that experiment fails. Any new regulation should reinforce that accountability. Accepting adherence to some 20th century best practices checklist would be the wrong way to do that.