

Should the government set consumer data protection rules?

If private companies aren't adequately protecting consumer data against breaches, should governmental agencies step in and develop guidelines?

As data breaches continue to ravage consumers' personally identifiable information, companies have failed to make necessary improvements to security capabilities.

Establishing the limits of privacy for consumer data has been a particular sticking point. With a raft of high-profile data breaches -- from Walgreens to Experian to CVS -- 2015 saw a spate of leaks of personally identifiable information (PII). In the absence of clear solutions to consumer data protection problems, the government has stepped in with new approaches to dealing with data breaches. The main thrust of these new rules is to make clear what an organization may do with PII and to help consumers understand how their data is being used.

Defining a Cybersecurity Bill of Rights

We see a movement toward defining data privacy in new and beneficial ways for consumers.

The National Association of Insurance Commissioners (NAIC)'s move to establish a Cybersecurity Bill of Rights for insurance consumers is one such effort. NAIC is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories. Its Cybersecurity (EX) Task Force has put forward a draft of the bill, defining the rights of consumers with respect to the PII that insurance companies collect and hold.

Specifically, the Cybersecurity Bill of Rights would provide the following six rights related to consumer data protection:

  1. Know the types of personal information collected and stored by insurance companies and agents, or by any business with which the consumer contracts.
  2. Expect insurance companies and agencies to post privacy policies on their websites and make them available in hard copy -- the bill also defines what such a privacy policy must contain.
  3. Expect an insurance company, agent or any business with which they contract to take reasonable steps to keep unauthorized persons from seeing, stealing or using their PII.
  4. Receive notice from the insurance company, agent or any business they contract with if an unauthorized person has -- or it seems likely they have -- seen, stolen or used the consumer's personal information.
  5. Receive at least one year of identity theft protection paid for by the company or agent involved in a data breach.
  6. Have additional specific rights related to fraud alerts, credit freezes and debt collectors if their identity is stolen.

All of these items seem straightforward and are likely best practices already in place in most major insurance companies, but this finally codifies a required response for insurance agencies.

Consumer data protection guidelines for identity brokers

Similarly, during the past year, the National Institute of Standards and Technology (NIST) has developed privacy-related guidelines covering everything from mobile devices to IT assets. One notable NIST guide addresses the reuse of a single login credential across multiple services, an arrangement known as identity federation.

When one service's authentication can be used to log into another service -- for example, signing into a website with a Facebook login -- the service that authenticates the user is the identity provider (IdP) and the site accepting that login is the relying party (RP). An identity broker is an intermediary that sits between IdPs and RPs and relays identity attributes from one to the other, so neither side has to integrate directly with every partner. NIST has developed new guidelines for how identity information can be handled by such brokers.

While the guide is still open for comment, again, we see a movement toward defining data privacy in new and beneficial ways for consumers. The guide itself summarizes the problem NIST is attempting to solve:

"Federated identity solutions raise new risks for the privacy of individuals and confidentiality of business information. The interoperability that provides the benefits described above can also create the potential for more tracking and profiling of individuals' transactions. The same interoperability can expose businesses as the relationships between RPs [relying parties] and IdPs [identity providers] reveal who their customers are to each other; such exposure may be particularly problematic if the federation occurs within the same industry sector. In addition, the identity broker can become an appealing target to gain access to identity attributes being transmitted through the broker or to RP accounts. Thus, participants in federated identity solutions -- whether individuals or organizations -- must be able to trust that the solutions are not going to reveal sensitive information or they will not participate in identity federations."
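The tracking-and-profiling risk in the quote comes down to one design choice: whether the broker hands every relying party the same identifier for a user. The following is an added illustration, not code from the NIST guide or from any broker product. It contrasts a naive broker that relays the IdP's global subject identifier with one that derives a per-RP pseudonym with an HMAC, the construction OpenID Connect Core calls a "pairwise" subject identifier. The user identifier, the two RP names and the broker key are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data: one identity provider (IdP) account and two relying
# parties (RPs). None of these names refer to real services.
IDP_SUBJECT = "idp-user-48213"
RELYING_PARTIES = ["insurer.example", "pharmacy.example"]

# Secret held only by the broker. Constructed for the demo; a real broker
# would keep this in a managed key store and rotate it with care, since
# rotating it changes every pseudonym it has ever issued.
BROKER_KEY = b"broker-pairwise-secret-constructed-for-demo"


def naive_broker(idp_subject: str, rp_id: str) -> dict:
    """Relay the IdP's global identifier unchanged to the RP.

    Every RP receives the same 'sub' value, so any two RPs (or anyone who
    obtains both of their user tables) can join records and profile the person.
    """
    return {"sub": idp_subject, "aud": rp_id}


def pairwise_broker(idp_subject: str, rp_id: str) -> dict:
    """Issue a pairwise pseudonymous subject identifier to the RP.

    'sub' is HMAC-SHA256(broker_key, rp_id || 0x00 || idp_subject). It is
    stable for one (user, RP) pair so repeat logins map to the same account,
    differs across RPs, and cannot be inverted or cross-linked without the
    broker's key. The 0x00 separator keeps distinct (rp_id, subject) pairs
    from producing the same message.
    """
    msg = rp_id.encode() + b"\x00" + idp_subject.encode()
    sub = hmac.new(BROKER_KEY, msg, hashlib.sha256).hexdigest()
    return {"sub": sub, "aud": rp_id}


def rps_can_correlate(broker, idp_subject: str, rp_ids) -> bool:
    """Simulate the cross-RP profiling risk: do two RPs receive a shared 'sub'?"""
    subs = [broker(idp_subject, rp)["sub"] for rp in rp_ids]
    return len(set(subs)) < len(subs)


def login_is_stable(broker, idp_subject: str, rp_id: str) -> bool:
    """A usable pseudonym must be identical each time the user returns to one RP."""
    return broker(idp_subject, rp_id)["sub"] == broker(idp_subject, rp_id)["sub"]


if __name__ == "__main__":
    for name, broker in (("naive", naive_broker), ("pairwise", pairwise_broker)):
        print(
            f"{name:8s} correlatable across RPs: "
            f"{rps_can_correlate(broker, IDP_SUBJECT, RELYING_PARTIES)!s:5s} "
            f"stable per RP: {login_is_stable(broker, IDP_SUBJECT, RELYING_PARTIES[0])}"
        )
```

The pairwise pseudonym addresses only the RP-to-RP correlation the quote describes; the broker itself still sees every login and every RP a person uses, which is exactly why the guide calls it an appealing target. Limiting what the broker logs and keeping its signing and pseudonym keys in hardware-backed storage are the complementary controls a deployment would add.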

While data privacy issues have proliferated during the past year, it has also been a year of defining and improving consumer data protection responses. The movement to spell out both the obligations of companies and the rights of consumers around data privacy benefits companies and consumers alike. We may finally see an end to the murky protection of consumers' data.
