EPIC invokes the Privacy Act of 1974 as well as the Freedom of Information Act (FOIA), stating that they should be a basis for privacy related to cybersecurity efforts which “may include the collection of personally identifiable information on individuals.” The Privacy Act was passed in an effort to create transparency in terms of what information the government is collecting on individuals and how it’s being used. FOIA, originally passed in 1966, makes government information available to the public and is often referred to as the right-to-know law.
Businesses are also concerned about data privacy and security when it comes to the cybersecurity framework. Lisa Sotto is head of the global privacy and data security practice at law firm Hunton & Williams LLP. She also serves as the chair of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee.
Sotto says the private sector shares the concerns of privacy advocacy groups in some cases, though perhaps for different reasons. “EPIC doesn’t want the private sector to turn over data to the government because they’re afraid the government’s going to use the data for purposes that were not contemplated,” she explains. “Industry doesn’t want to turn data over to the government because they don’t want to be sued, and because there are liability concerns in doing it.” For example, liability is created for businesses when information turned over pertains to an individual, including personally identifiable information like Social Security numbers.
But Sotto adds that privacy considerations have to be balanced against the reality of the threat, which is not going away. She notes that not all businesses are doing enough to combat cyberthreats, making the framework even more crucial in laying out best practices for industry. “Some businesses are hyperaware of the threats, and others are hiding their heads in the sand, hoping that this goes away, and [they] really have no concept of how to manage this threat,” says Sotto. She adds that “it’s a very scary issue [because] it’s a new issue. There’s no playbook on how to deal with cyberthreats.”
Sotto says she thinks the framework will become that playbook for businesses when combating cyberthreats. “The framework is just going to be all-important. It will be viewed in my judgment as the standard of care going forward,” she says, “and to the extent a company is not implementing the framework, there may be lawsuits that follow.” Companies that don’t abide by the framework’s standard of care may be “deemed negligent.”
And that makes it all the more critical to get it right with regard to all the elements—including privacy protections.