Data privacy lawyer explains 'data by design'

Data privacy lawyer Jeff Kosseff discussed the current state of data privacy law as it applies to big data at the Big Data Tech Con in Boston.

If big data is ever ill-defined in the eyes of IT pros, it's even more ambiguous in the eyes of the law. But that may be changing, according to Jeff Kosseff, an associate attorney with Covington & Burling, LLP. Kosseff specializes in data privacy law, and he spoke on that topic at the Big Data Tech Conference in Boston. We caught up with Kosseff ahead of the conference to ask him a few questions about big data, data privacy, and the law. (sSQ): What's the current state of data privacy law?

Jeff Kosseff: In the U.S., the data privacy issues with big data are covered by the same data privacy law as all data right now. It's just a bigger issue, with more visibility when we're talking about bigger sets of data. That means there's more liability under the same laws for big organizations.

The big concern is Personally identifiable information. The definitions of personally identifiable information are a little technical and hazy at times, but the gist is that information that can identify individual users is personally identifiable.

The highest priority in personally identifiable data is called sensitive data. That includes information about health records, finances, social security numbers and other uniquely identifiable information like that. After that comes data like names, addresses and consumption habits. These things can also present liability issues to enterprises that store and transmit this data. Another step down from that is data that could be tied to a user in a round-about way. That's a big step down, though, compared to personally identifiable information.

sSQ: What are the things enterprise application developers should be watching out for today?

Kosseff: Companies can definitely face liability suits for data breaches within their applications. If, for example, Company ABC transmits data to Company XYZ and Company XYZ suffers a data breach, Company ABC may be liable. Data breaches are a huge legal problem for companies that fail to abide by the promises they make in their own privacy policies and live up to the legal requirements set out for them. It depends a lot on the contracts involved between the two companies. So it's really important to carefully review all those contracts and see who bares the risk in the event of a data breach.

Jeffrey Kosseff, Associate privacy lawyer, Covington & Burling LLP

Lawmakers are focusing more on data privacy in the past few months than I've ever seen before. There's a solid push to ensure that customer data is not getting compromised. Up until recently, these cases were handled on a case-by-case basis; but now there are companies whose data affects so many people that it's become a much more formal concern for regulators. There's no new data privacy law lined up yet, but any company that works with big data should be aware of the coming changes.

sSQ: What might those changes look like? What are the leading ideas on data privacy law?

Kosseff: The White House has recently reintroduced the Consumer Privacy Bill of Rights Act. This is a general bill covering consumers' rights when it comes to the information that businesses gather about them. It puts limits on the ways businesses can reuse data, encourages more transparency about how data is stored and shared, and gives individuals more access to their information. Many countries in the EU, for example, have similar data privacy laws already on the books. They're not about big data specifically, but big data is not excluded.

In the U.S., there is no blanket data privacy law that covers all data. Instead, data is covered by a patchwork of particular case laws. For example, there's a federal data privacy law that prohibits disclosing an individual's video purchase or rental history, and HIPAA covers how health information can be handled.

The Federal Trade Commission can and does step in when businesses are abusing customer data, but unfortunately there's not a lot of clarity in what constitutes unfair business practices.
Jeffrey Kosseff, Covington & Burling LLP

sSQ: What about a widget manufacturer and their customer records?

Kosseff: Right now, that would be regulated by the Federal Trade Commission. The Federal Trade Commission Act puts a blanket ban on unfair business practices. So the Commission can and does step in when businesses are abusing that data, but unfortunately there's not a lot of clarity in what constitutes unfair business practices. There's a large grey area where two reasonable observers could come to opposite conclusions. Even businesses that are making good faith efforts to protect data privacy might not be compliant.

sSQ: What's your advice for application developers to support data privacy?

Kosseff: I recommend what I call "privacy by design." It's about building privacy into every aspect of the development process -- starting from the initial brainstorming and keeping on all the way through deployment and maintenance. Introduce privacy requirements early and ensure that you document your privacy efforts so you can prove data privacy is a primary concern if you should ever be involved with a data breach.

Even if there is never a data breach -- and focusing on data privacy should increase the chances that there won't be -- taking a focus on privacy by design helps build reputation and create business opportunities. When partners and customers know that sensitive data is safe with your applications they'll naturally be more likely to do business with you. A lot of companies have really grown their Web presence by focusing on data privacy as a selling point.

Next Steps

Learn more about big data opportunities

Think about big data ethics with this podcast

Have you heard of Data Privacy Day?

Dig Deeper on Topics Archive