Who owns my personal information?
Is it me, or the organization that's collected it?
Saw this in the news today: Personal Information of 100 Million Americans At Risk.
OK, it's a bit alarmist, but it's yet another data point in one of those meta-trends that I think will shape IT in the coming years -- shared ownership models for personal information.
Context
Today, I would offer that none of us have meaningful rights or protections around who can use our personal information: name, address, phone number, social security number, health care records, etc.
Existing rights are either (a) insufficient, (b) poorly understood, (c) widely ignored, (d) backed by no serious penalties, or (e) some combination of the above.
I've gone through most of the existing rules in a casual sense, and just about everything falls into one or more of the categories above.
The Basic Conflict
On one hand, organizations need to collect and use personal information to conduct their businesses. I would offer that they have a right to do so, simply because the alternative of not granting them that right would result in a very inefficient world.
I want my bank to know about me, and my doctor, and so on.
On the other hand, all of us are being exposed to more and more impact from the inappropriate management of that personal information.
It started with junk mail, escalated to annoying telemarketing and spam, and has now emerged into a host of cyber-crimes: identity theft, phishing, pretexting and so on.
If you step back and acknowledge that (a) more companies are collecting more information over time, and (b) we as individuals are being exposed to more frequent and more impactful abuses of this information, the inescapable conclusion is that Something Has To Change.
The Proposal
A modest proposal for a new law: if you collect personal information about me in any regard, I have a right to (a) have it encrypted at all times, (b) demand, at any time, an audit trail of who used it and for what purpose, (c) sue you as an individual if you can't produce one, and (d) if you're really bad, see you pay a big Federal fine.
On top of that, we can debate what exactly constitutes "personal information", but I would argue that it needs to extend to things like transaction histories, customer service interactions, and so on. It's not just name, address and account information.
We also can debate what exactly constitutes "appropriate use" of my personal information. Clearly, use within a company is one thing; sharing my information outside of our defined business relationship is another.
But neither can be debated without a strong foundation -- and that's what I'm proposing. Call it the "Information Rights Act".
Look, I trust my bank with my money -- something else that's very valuable. In return, they make great efforts to protect it, and to give me a very thorough accounting of it periodically.
All I'm saying is that we should have the same thing for our personal information.
Is This Feasible?
More than you might think. Digital rights management technology is in use today for other sensitive information assets. Strong identity management technology is widely available. And the frameworks for storing this information in a repository, authenticating uses, logging information, and so on also are starting to become more popular.
Speaking from an EMC perspective, we're starting to see certain unnamed customers with Very Sensitive Information begin to use these technologies together to create a new approach to information security: everything DRM'd, everything in a repository, no use of information without strong authentication, and logging of everything.
It's not exactly a shrink-wrap solution (yet), but all the pieces are in place.
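To make the pieces concrete, here is an added example (mine, not EMC's or any customer's code) of the pattern just described: records live only in encrypted form in a repository, nothing is released without authentication and an approved purpose, every attempt is logged, and an individual can pull the audit trail for their own record on demand. The purpose list and the actor names are constructed; the cipher is a stand-in keystream (HMAC-SHA256 in counter mode) so the example runs on the standard library alone, where a real deployment would use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Constructed policy for this example: the only purposes a record may be used for.
ALLOWED_PURPOSES = {"billing", "support", "fraud-review"}


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: HMAC-SHA256 in counter mode as a keystream (AES-GCM in practice)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class PersonalInfoRepository:
    key: bytes                                   # repository master key (hypothetical)
    records: dict = field(default_factory=dict)  # subject -> (nonce, ciphertext); never plaintext
    audit: list = field(default_factory=list)    # (time, actor, subject, action, purpose, allowed)

    def store(self, subject: str, plaintext: str, actor: str) -> None:
        """Collection is itself an audited event; only ciphertext is kept."""
        nonce = os.urandom(16)
        self.records[subject] = (nonce, _keystream_xor(self.key, nonce, plaintext.encode()))
        self.audit.append((time.time(), actor, subject, "store", "collection", True))

    def use(self, subject: str, actor: str, authenticated: bool, purpose: str) -> str:
        """No use without strong authentication and an approved purpose; every attempt is logged."""
        allowed = authenticated and purpose in ALLOWED_PURPOSES and subject in self.records
        self.audit.append((time.time(), actor, subject, "read", purpose, allowed))
        if not allowed:
            raise PermissionError(f"{actor} denied access to {subject} for {purpose!r}")
        nonce, ciphertext = self.records[subject]
        return _keystream_xor(self.key, nonce, ciphertext).decode()

    def audit_trail(self, subject: str) -> list:
        """On-demand answer to 'who used my information, and for what purpose?'"""
        return [entry for entry in self.audit if entry[2] == subject]
```

Denied attempts are logged alongside permitted ones, which is what makes the trail useful as evidence rather than just a usage report.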
The Informationist Perspective
Getting back to one of my stronger themes ("Are You An Informationist?"), clearly the establishment of corporate policies regarding the management and protection of customer information falls within the domain of this new role.
And mandating architectural requirements that provide for the uniform information security required to implement the policy also falls within that role.
There are those who say this is a "business" problem, or a "legal" problem, and not an IT problem. I would argue that you're looking at IT through your rear-view mirror. I firmly believe that IT's new role will be the setting of information policy and controls, much the way finance does this for money today.
Stepping Back A Bit
So, we can wring our hands and say "yes, we should do this", and so on, but the truth is that unless there's a Really Big Stick being waved, nothing really gets done.
Right now, the folks at RSA are selling lots of solutions to retailers to encrypt credit card transactions, simply because the credit card processors threatened huge fines unless they did it. People did SOX compliance simply because there was such a clear downside if they didn't.
I don't want to even think about the decades of unprotected credit card information prior to this, or what corporate controls looked like prior to SOX.
So, that's why I think we need a law: simple, straightforward and with very expensive teeth.
I'm just waiting for the next step in this inescapable evolution. When there's enough of an outcry, the political machine will sense an opportunity, and the journey will begin. It's not a technology issue, it's a social issue.
Would you like your personal information protected in this manner? I know I would ...