Data and Information Privacy and Security: Article 1
The most important thing any human does in their life does not physically exist. The premise of this series of articles is the idea of data and information, encapsulated in legal rights, is vitally important to the economy, your business and you personally. According to Ocean Tomo, the Chicago based intellectual property capital merchant, intangible property makes up about 80% of the valuation of the S&P 500; primarily intellectual property (including trade secrets, patents, trademarks and copyrights). Losing this can cost dearly but there is another intangible that may have value, but also a liability if not handled properly.
What was once relegated to “a fact of nature” or otherwise called “data” is now of more than valuation concern. High profile data breaches in the western world pepper many financial institutions, human resources operations and health care organizations. There are stories that the only reason a person’s credit card number is not stolen is that there are so many to choose from, malefactors simply cannot get around statistically to using all that is available in online marketplaces that swap illicit data. This is a function of statistics, and can be predicted by game theory and other methods. So the idea of privacy seems illusive or non-existent in many nations. China for example, has no privacy laws. So we are left to ask the question: “Is Privacy a Legal Fiction?”
Comes, now, a raft of legislation and a new awareness of privacy given individual, corporate espionage and state sponsored system trespass. We begin our series by noting that the idea that a “right to privacy” is neither mentioned in the Magna Carta (which celebrates its 800 year anniversary in 2015), nor the U.S. Constitution. In the late 19th century, the idea of a right to privacy was penned as a modern construct by Samuel Warren and Louis Brandeis in “The Right to Privacy” in the Harvard Law Review, but the concept dates back to, who else, the Greeks. The concept is handled in ancient religious texts where discussions range from ideas of home and physical security to gossip. Legislation in the quest for privacy and security has gone from internment camps, relaxed warrantless searches in the Patriot Act in the post 911 United States, to internet protocol (IP) version 6 (IPv6) which links user devices owned by individuals to traceable IP addresses, including mobile phones and tablets. Location based services is among the great filter that makes information personally identifiable. These texts and legislation describe fundamental concepts that we break up into four subsets: information, bodily, territorial and communications.
1. Information privacy deals with collection, storage, transfer, custody and destruction of personally identifiable information (PII) as well as intangible information such as intellectual property elements, such as trade secrets, which may take the form of customer lists, formulas or other unpublished information.
2. Bodily privacy which deals with the physical invasion of one’s body.
3. Territorial privacy or limits on and privacy expectations at home (the so called “castle” doctrine), work place (this may involve personal effects in your cube) or even in public spaces (surveillance cameras ubiquitous first in the United Kingdom and now almost everywhere). I refer to these as “situational surveillance” or “tactical surveillance” (this is now raging in debate on police officer bodily cameras that can be turned on and off).
4. Communications privacy involves the concept of privacy in correspondence, regardless of form, paper, electromagnetic pulses or photons.
This series will deal with all the above, but primarily with 1 and 4, but information regarding all the above can be distilled to data, in a video, a GPS coordinate or a data stream. Knowledge of our entire existence is data. The growing issue is that much is personally identifiable, or may become identifiable, primarily in three great repositories: public records that are available to the general public, like house purchase records in the United States; publicly available information that we get the majority of via search engines that link to public and private databases that may require subscriptions; and non-public information that requires a legal right of some sort to obtain.
Given the four types of privacy and the three types of private information, we still wrestle with the question: Can privacy really be legitimate in a modern technological society? The answer is sometimes. It is a negotiated right. If we navigate the phalanx of rights and remedies, our individual and business privacy can be maintained if we attend and act out the performance.
So all businesses should inventory what their business model is, what goals they seek, and are they in the privacy business as more and more are (80 percent of the market capitalization mentioned). There are firms that specialize in this linkage between business goal and rights sought. This is the task of our era and of every business in it to succeed.
In our next installment we will outline the roles of those involved in an organization’s privacy focus and what they should be doing.