Channel: Nusecure

Privacy on the Web (Part 1)


As a security professional, I have monitored privacy laws for the past decade or so. My interest in these laws started long before that, when a friend gave me a book about privacy that was prompted by the Privacy Act of 1974. One of the things I learned from this book, if it was all true, was that our federal government has 4 or 5 databases that gather data about every citizen in the United States.

The Privacy Act of 1974 states that a citizen can request from a government agency the following things about their data in any of these databases: who has accessed their data, when it was accessed, how many times, what is collected, how often the data is updated, and if it has been modified. This was to give the citizen the ability to ensure the data that is collected is accurate and can be corrected if erroneous.

If you have followed my blogs in the past, you immediately see the dilemma. In, let's say, 1980, when there were 250 million people in the U.S., it would have been very difficult for a government agency to respond to a request from a citizen regarding access to their data. Something to remember about the Privacy Act of 1974: the legislation only applies to citizens of the U.S. If someone isn't a citizen, they can't request the access data as described above. One of the reasons the Freedom of Information Act was enacted is to give non-citizens the ability to request the access information of data collected about them.

All of the above is to give us a starting point for our discussion about privacy laws. Our federal government has attempted to pass a privacy law for many years; they might have been at it for a couple of decades. I, along with many security and privacy officers, have waited patiently for the U.S. to catch up with Europe or Canada in the protection of private data. There have been several instances in the past where European countries have challenged the U.S. in regard to our privacy laws.

Our federal legislators seem to be leaving the task to other legislation like HIPAA or GLBA to strengthen our position regarding what is to be protected and the methods used to accomplish the task. The problem with this approach is that while these two regulations address personal privacy, they are typically centered on data related to the industry that is being regulated.

The protection of our personal data has been relegated to the states for regulation, which can be good in a lot of ways but doesn't protect someone from Florida who has data collected in another state. For example, if a company is based in a state that has less stringent privacy laws than Florida, then the residents' personal data may be at risk. There are a few states that call out penalties for companies that don't protect their residents' private data; California's SB1386 was the first to include breach notification in its legislation.

As of the writing of this blog, there are four states that have no privacy law on the books. In defense of these states, many of the state privacy laws were passed within the last few years. Of the 46 states that have passed more stringent privacy laws, 23 were passed in 2007-2011 and 17 in 2006. 43 states had no protection for Social Security Number, Credit Card Numbers, Driver's license, or breach notification before 2005.

The protection of Personal Identifiable Information (PII) varies significantly from state to state and can be studied by searching the web for sites that show what each state protects. The states with the strongest privacy laws, in order of when enacted, are: California (2003), Florida (2005), Massachusetts (2007) and Maryland (2008). By strength, I refer to the number of items that are protected by the legislation, such as medical, SSN, CCN, criminal records, bank records, tax records and school records. As you can see, the items I chose as examples are items that could be used to steal someone's identity.

Medical records are protected by all states except for two; this may be in part due to HIPAA/HITECH being a driving force for the states. According to my research, all states except one protect Social Security numbers, with many of the states enacting this protection within the last 5 years. As for credit card numbers, this is a more hit-and-miss item; PCI-DSS is attempting to protect that data and there are now states that are embracing these standards. The rest of the items mentioned in the previous paragraph are generally left unprotected for various reasons.

The general position of privacy experts about PII is that there are two levels of data that need to be protected. The first level of data usually comprises four items: SSN, passport number, driver's license number and vehicle registration. The first three are easy to envision being in the highest level of protection, while vehicle registration can be somewhat puzzling. The explanation is that the first level is made up of data that alone can enable someone to steal an identity, which seems intuitive for the first three items. The reason vehicle registration is in this level is the amount of personal information associated with registering a car.

We can understand this better by looking deeper into the level two items of PII. Level two has been considered public data for a long time. Examples of what is typically considered public data are: first and last name, address, phone number, and email address. Each in and of itself isn't enough to allow identity theft, but if all or many level two items are gathered then the task of stealing a person's identity becomes easier. There are other items that fall in this category but it becomes cumbersome to list them all. When looking at the level two items, one can see that a car registration has enormous potential for gathering data about someone's identity.

