Category Archives: FTC

Accountability Does Work

143,000,000 people were the victims of a recent data breach when their data was stolen from Equifax, a company that has an obligation to keep their data safe. Data security is tough. The bad guys only need to be successful once, while companies need to win every time. However, from the perspective of many consumers, Equifax has not responded in the most responsible way to this data breach. The company’s website did not have a section to help consumers with this breach. So, people had to find the special website, visit a second time to request free credit monitoring, and many have still not received acknowledgment that their requests were received.
Accountable organizations need to be responsible and answerable. They must be transparent about their processes and stand ready to demonstrate those processes. It seems like Equifax does not reflect these concepts of accountability. So does this mean that accountability does not work? I believe that the opposite is true.
Could the event have been prevented by a different regulatory approach? Consider, for example, a regulatory system that prescribes, in great detail, the data security actions a company would have to follow. The reality is that such rules would be dated the moment they were enacted. Instead, appropriate security is explicitly required by the safeguarding rule and implicitly by Section 5 of the Federal Trade Commission Act. So, the obligation is there. Regulators could do spot audits; however, regulators will never have the bandwidth to examine every organization. An accountability approach creates the obligation and requires companies to implement the right tools to meet that obligation. Data breach laws required the company to announce data breaches that are impactful, and Equifax did so, creating the mechanism for being answerable. Once the breach was announced, news reporters began their own investigations. At least three federal regulatory agencies have announced investigations, and they have been joined by 34 state attorneys general. The company’s stock has fallen by a third. Several class action lawsuits have been filed. I have great confidence that the company will be answerable for its behavior. The market and regulatory punishment will be what encourages other companies to behave in a manner that consumers would find more appropriate.
At the end of the day, I believe accountability does work. Where laws require accountable behavior and appropriate disclosures, the mechanisms to hold companies responsible and answerable do work. And I also believe that accountability allows for the best combination of data-driven innovation and individual protections.
As innovation powers forward and companies find new applications of data use, they will increasingly be expected to be accountable for the impact those data uses have on people. The IAF recently issued enhanced essential accountability elements for artificial intelligence that are also applicable to advanced analytics. The IAF is arguing that the price for being trusted to use data robustly is stakeholder-focused accountability. So, as data is used more and more robustly, let’s enhance accountability as part of the data governance infrastructure.

Fairness and Unfairness Moving Farther Apart

Fairness has become a huge data protection policy driver in Europe and the Americas. Fairness is often hard to define in definitive terms, but the parameters of fairness are well known. A fair data application creates identifiable value for individuals, mitigates risks to those individuals, and confirms the data is used within the context of…

Trust Deficits, Bright Lines and Verification

Freight trains heading through a tunnel are pretty hard to miss. The equivalent of a freight train in the world of privacy is a privacy trust deficit related to information use in an observational age driven by analytics. The many, many indicators that have piled up over the recent days, weeks and months are coming…

Legal, Fair and Just – The Benchmark for Big Data Analysis

Last month, the IAF presented our big data assessment process to industry representatives in Washington, D.C. One of the attendees, really trying to be helpful, asked why any U.S. company would conduct an ethical assessment of a big data project, since there really are not many restrictions on the use of data to develop insights.…

An Alternative Approach to Establishing Legitimacy in the U.S.

In an earlier post, I suggested that an alternative to notice and consent should exist in the United States and posited that the alternative could be balancing of interests relying upon the FTC’s unfairness authority.[1] The Administration’s Discussion Draft of the Consumer Privacy Bill of Rights of 2015 (“Draft Law”)[2] suggests other bases for such…

Legitimate Interests as an Alternative to Notice and Choice in the U.S.

The PCAST Report on Big Data and Privacy recognized the problems with notice and consent (i.e., often notices are unread, their legal implications are not understood, their terms cannot be negotiated). Yet, since notice and consent is so deeply rooted in current practice, rather than explore alternatives to notice and consent, the PCAST Report explored…