Evaluating privacy and legal concerns related to Big Data

By Cate Chapman on January 15, 2015

Are privacy, security concerns putting use of Big Data on borrowed time?

Big Data defies global privacy norms by its nature, requiring companies to take special care when it contains personal information, according to Lisa Sotto, chair of the privacy and cybersecurity practice at Hunton & Williams LLP.

Sotto told the attendees of Advisen’s Predictive Modeling Insights Conference in New York that the sheer quantity of data involved in this field makes giving notice and choice to individual subjects virtually impossible, with the result that the concept underpinning privacy law is already “out the window.”

The Fair Information Practice Principles, an accepted framework for privacy law the world over, call for notification when personal information is being used, why it’s being used, to whom it’s being disclosed, and for how long, she said.

Because compliance is impractical with vast data sets, companies are under more pressure to observe applicable policies. To do this, they need to know where their data sets come from and which restrictions apply. Is an opt-in by the subject required in this jurisdiction? Is the use allowed? What are the company’s contractual limitations: has it stated that it will keep the data for a limited time only, for example, and is it complying?

Even this is harder than it sounds, given the lack of an overarching privacy policy in many countries, Sotto said.

In the US, privacy policy can be regulated by sector (HIPAA is one such case), with a layer of individual states’ laws on top. Industry standards may also apply, and there is no one definition of what constitutes personal information.

But since “anonymizing” the data has so far been shown to be impossible, she said, companies must find ways to comply.

As Sotto sees it, the four privacy risks that companies face in relation to Big Data are:

  • Legal compliance risk, which poses the threat of a fine
  • Reputational risk, which poses an existential threat in some cases
  • Investment risk, which poses a cost threat when it comes to items such as data sets and IT equipment
  • Reticence risk, which poses the threat of being left behind by competitors

Sotto said an active plaintiffs' bar has already sprung up around claims that involve companies using data one way when they said they would use it another and companies holding data too long.

But while businesses comply with whatever regime there is for their own protection, data security is key to the continued uses of Big Data. This requires protecting personal information from loss or breach and, in the US at least, notifying subjects as required by state laws.

“I dread the day there is a massive security event” tied to Big Data, Sotto said, because the reaction is likely to be restrictive. Companies must protect their data sets as if their “life depended on it.”