This article first appeared on 1776dc.com on March 10, 2015. Click here to see the original version.
President Barack Obama’s proposed privacy legislation aims to create a universal standard for consumer privacy, which could cause a privacy-policy scramble amongst tech companies in every industry.
“If this passes, it would create a baseline,” said attorney Anna Watterson in a phone interview. “It would bring (companies) within a privacy and security regulatory framework.”
Since 2012, the White House has called for universal privacy standards that would apply to all businesses in every industry. Now, the president’s recently proposed Consumer Privacy Bill of Rights has become the first piece of legislation to move toward that goal by increasing transparency and giving consumers more control over their personal data.
Yet, incorporating multiple industries and entities under a single set of privacy rules leads to challenges, and Obama’s proposal has already drawn a significant amount of criticism. The Center for Democracy and Technology recently released an analysis of the bill applauding its intentions while acknowledging significant room for improvement, namely in regard to enforcement and defining what is considered “personal information.”
“The United States produces cutting-edge technology but is in the dark ages when it comes to baseline privacy law. We are one of only two developed nations … that don’t have this type of basic protection,” CDT Deputy Director of Privacy Michelle De Mooy explained in an email. “Many consumers have expressed serious concerns about how their information is collected and used and are growing more wary of new technology with every privacy violation and data breach.”
The healthcare industry, long subject to restrictions such as the Health Information Portability and Accountability Act, is no stranger to such privacy regulations. As such, it offers a case study in what it will take to implement and enforce privacy legislation across all sectors. According to Watterson, who specializes in health information privacy laws, the privacy issues that the healthcare industry is facing can be used to predict and prevent operational challenges that may arise if the CPBR is passed.
Enforcement is one such obstacle, as evidenced by multiple security breaches such as the recent attack on Anthem, a national health insurer. These hacks have turned public focus and concern to the ways in which companies are protecting, collecting and distributing consumers’ personal data. According to HIPAA Violations, a site dedicated to outlining breaches and problems in health privacy, over 41 million patients have been affected by HIPAA breaches.
When breaches do occur, they raise another operational issue: The difficulty with which these criminal cases are resolved. Unlike identity theft in the credit card and financial industries, healthcare fraud is harder to detect. According to Politico, only 10 percent of health fraud victims say they fully resolved the crime—but that was after they spent thousands of dollars and hundreds of hours recovering their personal information.
“(Health identity thieves) can be claiming for years before it gets noticed,” Grant Elliott founder and CEO of Ostendio, a data security and risk management solutions provider, said in a phone interview.
The complexities of consumer privacy create even more unique challenges for startups that don’t currently fall under HIPAA regulations. As a result, Cindy Oxenbury, an independent privacy consultant, stresses the importance of making privacy a priority from the beginning.
“I think the challenge for startups is (that) they are subject to the same regulatory compliance as large organizations,” she said.
According to Oxenbury, startups can implement simple, yet valuable preventive measures against privacy infringements: be aware of what data is really needed; minimize data collection, and identify how data will be used.
With the combination of the CPBR proposal and recent security breaches, healthcare companies—no matter the size—need to pay more attention to security and privacy.
“Healthcare industries spend 3 percent or less of their IT budget on security,” Elliott said.
According to Elliott, incentives and rewards, combined with regulations, will help institutions achieve higher quality of security for consumers. With the spotlight on healthcare privacy protection, the difficulty is to determine how much of the responsibility lies on the government to impose efficient regulations, and how much the industry is responsible to take the initiative and govern itself.
“This goes back to the age-old question: can it self-regulate?” Elliott said. “It can to a point, but the question is, where is that point?