Needed: National Data Privacy Legislation

from Educators' eZine

A multitude of technology-related laws already govern schools. Do school administrators—and the country—really need more regulation in this area?

When it comes to data privacy, the answer is yes. The wave of data loss in businesses, government agencies and educational institutions makes data privacy legislation more pressing than ever.

The past few years have seen a sharp increase in the leakage of personal data such as addresses and Social Security numbers. According to a list maintained by the Privacy Rights Clearinghouse, a San Diego-based advocacy group, more than 190 such incidents have been reported since February 2005. Ninety of those have been reported since January of this year. The Federal Trade Commission estimates that the inadvertent or deliberate extrusion of critical data costs consumers and businesses $50 billion a year. Beyond these immediate costs, data leakage threatens confidence in institutions large and small, including K-12 schools.

State governments and private organizations have responded with legislation and voluntary standards. The federal government has also entered the picture: last year the FTC levied the largest data privacy fine in its history.

But the FTC has publicly stated its investigations and fines are not enough. It needs better tools to ensure that consumers' most important information isn't lost, stolen or peddled to the highest bidder. That means new and stronger legislation.

Data privacy bills have been introduced in Congress. While these bills have been sidetracked by other concerns, the threat to consumer, student and even military data hasn't been. The newly elected Congress should take up these bills and pass data privacy legislation as soon as possible. Any legislation should be guided by the following principles:

1. Clear, Uniform and Comprehensive Application. By the end of 2005, seventeen states had some type of data privacy law. The leading state law is California's SB 1386. Given that it covers any company with operations in California, SB 1386 has been called a de facto national data privacy law. But that's a misnomer. SB 1386's provisions differ from those of other state laws. The result: Large organizations must tailor their processes and procedures to SB 1386 and also to other, different, state laws.

Compliance with multiple, often conflicting, legal frameworks increases costs and, more importantly, undermines the clarity necessary to inspire trust among consumers and voters. Federal legislation should be clear, uniform and comprehensive. It should authoritatively define "personal data" and "identity." It must establish national benchmarks that set a floor of protection, rather than a ceiling. Finally, privacy legislation should apply to private and public enterprises, including Federal, state and local governments.

2. Use of Current Best Practices. While clear, uniform and comprehensive legislation is necessary, it need not be constructed from whole cloth. As noted above, numerous states have addressed the data privacy issue. Government bodies have been joined in this effort by private businesses, trade associations and advocacy groups. Together, our nation's public and private organizations have developed best practices that can and should be utilized in the development of a national standard. These best practices include: an expansive definition of private data; disclosure of a breach even if security procedures are in place; disclosure of a breach when data is reasonably believed to have been compromised; delayed disclosure to meet the legitimate needs of law enforcement; and an annual risk assessment by organizations that meet a certain threshold, such as the quantity of identities held. California's SB 1386 and the Payment Card Industry Data Security Standard (PCI DSS) are two strong benchmarks for the Federal legislation.

3. Vigorous Enforcement and Substantial Penalties. Experience with spam and other abusive and criminal activity has demonstrated that enforcement is a critical element of any digital protection legislation. Appropriate government agencies must be fully empowered and possess the necessary resources to enforce the law. In addition, to encourage compliance, penalties must be designed that genuinely lessen the risk of private data loss. This translates into significant funding; substantial penalties for intentional violations; lesser penalties for unintentional violations; and penalties scaled to the number of identities disclosed.

It is also critical that the legislation reward the organizations that make significant efforts to comply. Unfortunately, no system can be one hundred percent secure. School districts, businesses and other organizations that deploy processes and technology to protect information should be rewarded for this effort. Penalties should escalate for organizations that do not meet these industry standard requirements. To both deter potential perpetrators and protect consumers, penalties should be severe for intentional violations.

The intentional or accidental leakage of student data can do serious damage to a school district's reputation. In the business world, data extrusion can destroy a brand and, with it, sales and profits. Our country's economic and educational needs don't track the electoral calendar. The time for clear, uniform and comprehensive federal data privacy legislation is now.

Email: John Jordan