Fingerprint biometric dataIn today’s landmark ruling, the Illinois Supreme Court held that private lawsuits seeking statutory damages and injunctions for violation of the Illinois Biometric Information Privacy Act (BIPA) may be pursued by “aggrieved” persons without alleging any actual injury or adverse effect.

BIPA, enacted in Illinois back in 2008, was the seminal state statutory privacy

Person hiding head in the sandI keep getting asked about Cambridge Analytica and Facebook.  And no one seems to like my response – I’m frankly amazed that this all took so long to blow up.  How long?  How about since 1973.  That’s when the U.S. Department of Health, Education, and Welfare first articulated the Fair Information Practice Principles (FIPPs or FIPs) in its report Records, Computers, and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data SystemsThe FIPPs went on to become bedrock global privacy principles, and central to them are the principles of notice and consent.

As the FTC later explained in Privacy Online: A Report to Congress:

1. NOTICE/AWARENESS
The most fundamental principle is notice. Consumers should be given notice of an entity’s
information practices before any personal information is collected from them….

2. CHOICE/CONSENT
The second widely-accepted core principle of fair information practice is consumer choice
or consent. At its simplest, choice means giving consumers options as to how any personal
information collected from them may be used….

These mechanisms – notice and consent – are what make a self-governing privacy system work.  If someone (such as Facebook) is going to obtain and use our personal data, they should first give us notice of how they will use it (such as provide or sell it to others), and then we make a choice – we either consent and provide our data, or we don’t.  The government may enforce these representations and choices under fair trade practices laws, such as FTC Act Section 5, but the rules themselves are made in the marketplace.

There has to be some source of governance.  The alternative to self-governance through notice and consent is governance by government, with legislators and regulators making the rules for how our data is handled.  There’s quite a bit of that in the EU and elsewhere, but in the United States, outside of specific sectors such as healthcare (HIPAA), education (FERPA), and financial services (GLBA & FCRA), there’s little such regulation here.  In the U.S. we’ve made a policy decision to largely self-govern the privacy of personal data.

Fast forward from 1973 and, especially in our Internet-driven, U.S. self-regulatory environment, we’ve got a large, smoking crater – precious little government regulation, and even less personal responsibility.  Let’s face it.  We don’t actually pay attention to privacy policies and terms of use, and we don’t actually make informed choices on our consent to data practices for our personal information.  Under our self-governing privacy system, look in the mirror.  The enemy is ourselves.


Continue Reading (But wait, I didn’t) notice and consent

Fried egg on the sidewalk
“This is your information, ungoverned.”

2017 was rife with data dangers.  Nary a day passed without headlines of massive data breaches and ransomware attacks; Russian election-meddling through WikiLeaks and social media; fake news; and presidential tweet-storms.  Disruptive information-driven technologies continued to emerge, from block-chain to biometrics, IoT, AI, and robotics.  Meanwhile, the sheer volume of our personal and business data inexorably grew.

What better way to start 2018 than with a renewed commitment to Information Governance?  So, here are a dozen reasons why your organization should govern its information, in 2018 and beyond: 
Continue Reading 12 reasons to govern your information in 2018

Charging ElephantOur firm’s elephant icon is a nod to The Blind Men and the Elephant, the familiar, age-old parable for how we often do not see the big picture, but instead only the parts we directly encounter. And so it goes for organizations’ data. Individual company functions and departments often have their own, limited perspectives on information, seeing only the risks and opportunities with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk.

I actually prefer a slightly different version, The Blind Elephants and the Man:

One day, six blind elephants were in a heated argument about what Man was like. To resolve their dispute, they sought out and found a man. The first elephant “felt” the man and then proclaimed “Man is flat.” Each of the other elephants, in turn, felt the man, and they all agreed.

The moral? Limited perspective not only yields limited perception – it can also lead to very bad results.

“Information Governance” has become an overused buzz-phrase, often trotted out as marketing mumbo-jumbo for selling technology tools.  In all the hype one can easily lose track of what it really means.  At its heart, Information Governance is no more – and no less – than making sure the organization sees the big picture of information compliance, cost, risk, and opportunity when making strategic decisions.
Continue Reading Why govern your information? Reason #2: Your information risks and opportunities arise from a single source – your data. Your response strategies should be synchronized too.

Weird SportIt’s a common nightmare.  As you toss and turn in bed, you picture yourself on a strange playing field with other athletes swirling around you.  You have absolutely no idea what sport you are playing, nor a clue what the rules are.  it’s not only embarrassing – it’s downright dangerous.

This is not just a bad dream – it’s reality for companies possessing third-party data without clarity on what rules and responsibilities apply.
Continue Reading Why govern your information? Reason #3: “Your” information may belong to others … and you’re responsible to take care of it.

Mobile portable public toilet WiFi provider Purple recently added a “Community Service Clause” to its usual terms and conditions for wireless service:

The user may be required, at Purple’s discretion, to carry out 1,000 hours of community service. This may include the following:

  • Cleansing local parks of animal waste
  • Providing hugs to stray cats and dogs
  • Manually relieving sewer blockages
  • Cleaning portable lavatories at local festivals and events
  • Painting snail shells to brighten up their existence
  • Scraping chewing gum off the streets

More than 22,000 people accepted these terms during Purple’s two-week-long T&C gambit, with only one attentive person claiming the prize Purple offered to anyone who noticed this silliness. Purple conducted this experiment “to highlight the lack of consumer awareness when signing up to use free WiFi.” Winners include snails, local parks, sewer lines, and stray dogs and cats, now the potential beneficiaries of up to 22 million community service hours.  The clear loser? Those. Who. Don’t. Read. Notices.   
Continue Reading Reading privacy policies to avoid surrendering your firstborn child

Bean of Chicago Millennium Park, Illinois, USAIt happens every day.  A company spends a huge amount of money on a new technology system, without fully addressing the information implications.  Maybe the decision (to move on-premise operations to a cloud SaaS or PaaS, or to retire and replace an enterprise database, or buy a comprehensive new tool suite) was reactive, driven by an impending crisis.  Maybe the decision-making was siloed, with IT not clearly hearing what the rest of the business truly needs (or more likely, the rest of the business not speaking up).  Or maybe IT just responded literally to a business directive of the moment (let’s get into IoT, or Big Data, or Blockchain!).  Regardless, the green light is lit, the dollars are spent … and problems ensue, painfully multiplying the procurement’s all-in cost.

What was missing? Strategic consideration of repercussions for information compliance, risk, and value for the organization as a whole, including privacy, data security, retention/destruction, litigation discovery, intellectual property, and so forth.  In other words, Information Governance.  And when was it missing?  Before the decision was made and the dollars were spent.

So, what if something could be hard-wired into the procurement process, a trigger that timely prompted decision-makers to call time-out; get focused input from all stakeholders; assess the repercussions for information compliance, risk, and value; and align the procurement requirements and purchase decisions with organizational strategy for governing information?


Continue Reading X Percent for Information Governance

Ship engine trottle, full speed aheadNews reports today indicate that Verizon is pushing ahead with its purchase of Yahoo’s core internet business, despite Yahoo’s massive data breaches.  Yahoo suffered a breach of 500 million user accounts in 2014, on the heels of a one billion account compromise in 2013 (names, telephone numbers, birth dates, passwords, and security questions), reputedly the largest data breach in history.

Speculation swirled for months about whether Verizon would simply walk away from the deal, originally set at $4.83 billion, or would proceed with a drastically reduced acquisition price.  And the result, as of today’s announcement?  Full speed ahead, after lowering the purchase price by $350 million.

Verizon will gain personal data on Yahoo’s over one billion users, which will no doubt boost its digital media and targeted advertising revenues, and the deal will help Verizon expand beyond the crowded market for wireless services.  So, the value of user information is not in doubt.  But what about the value of privacy?

$350 million is a lot of money.  And apparently Verizon and Yahoo will share certain costs related to governmental investigations and breach litigation, with Yahoo remaining on the line for SEC and shareholder litigation fallout.  But still, the results of simple division are stark – $350 million against up to 1.5 billion affected persons … yielding 23 cents.
Continue Reading What’s our privacy worth? According to the Verizon/Yahoo deal, about 23 cents.

television addict man watching tv holding remote control mesmerizedOn Monday the Federal Trade Commission announced a $2.2 million settlement with VISIO, one of the world’s leading providers of smart TVs.  The deal settles charges by the FTC and New Jersey’s Attorney General that VISIO collected data from 11 million consumer TVs, without consumers’ knowledge or consent.  According to the complaint, the secretly collected data included second-by-second viewing data and IP addresses, to which data aggregators added demographic information, including age, sex, income, marital status, household size, education, home ownership, and household value – a covert data cornucopia, tailor-made for targeted advertising.

But in her concurring opinion, Acting Chair Maureen Ohlhausen (recently appointed by President Trump to lead the FTC) signaled a retreat from FTC enforcement based on unfair practices.

So, while we’re watching our TVs, and our TVs are “watching” us, who’s watching out for our privacy & security interests with the Internet of Things?


Continue Reading Me, my TV, IoT, and the FTC – who’s watching whom?

Chained wallet. Conception of blockchain, finance security and protection

I had been thinking about writing a post on Blockchain when I happened across the Washington Post’s In/Out List for 2017, and that sealed the deal:

Out:  Not being able to explain Bitcoin.

In:     Not being able to explain Blockchain.

So, feeling up to the challenge, here goes.

Blockchain is really just a distributed, shared database technology. Its use demands that multiple, untrusted entities (such as different companies in a supply chain) write transactions to multiple, duplicate copies of the database that propagate through peer-to-peer protocols.  Each node (or copy) of the database verifies the transaction independently by requiring the transaction to be confirmed in a blockchain.  The blockchain is chronological, and the database can only be changed when there is consensus among the participants.  Most important for the discussion here, however, is that the transactions and the distributed database are claimed to be immutable and permanent.  And that’s a real problem for information governance.


Continue Reading Blockchain – “Shiny Object Syndrome”?