Proposed “Consumer Privacy Bill of Rights” Could Protect Businesses Using Cloud Computing, but Also Makes Them Accountable to Employees

The Obama administration announced its proposal for a “Consumer Privacy Bill of Rights” on February 23, 2012 amid a variety of concerns about the security of consumers’ personally identifiable information (PII). The Government Accountability Office (GAO) offers a useful, if broad, definition of PII as:

any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

This covers most information collected from individuals when signing up for an internet-based service or making an online purchase. It may also cover information stored or transmitted by businesses that use cloud-based services for business activities. The proposed “bill of rights” protects the data of individuals. This is undoubtedly a good objective, but it means that companies conducting risk assessments of their cloud computing activities must consider their obligations to their own officers and employees, who may put their own PII at risk on behalf of the company.

The “bill of rights” lists seven key rights of individual consumers that companies handling PII must respect:

– Individual control over one’s own PII;
– Transparent, easily understood information about PII practices;
– Use of PII strictly for the purpose(s) for which it is collected;
– Secure, responsible PII management;
– Ability by the consumer to access PII and correct inaccuracies;
– Reasonably focused collection of PII that is strictly needed by the company; and
– Accountability to consumers for violations of these rights.

Although the White House has called on Congress to pass legislation giving this “bill of rights” the force of law, for now it remains a set of non-binding guidelines. As cloud computing evolves and businesses develop sets of best practices, protections such as these may become the norm.

The “companies” addressed by these guidelines are mostly online service providers like Google and Facebook, but the guidelines also apply to any business that routinely collects consumer data online. The consumers protected by the guidelines are the individuals entering their personal data. This puts companies that use cloud-based services somewhere in the middle: the company’s employees are the ones entering the data, and the company may have PII for both its employees and its customers stored in the cloud.

Companies that use cloud-computing services must therefore consider the potential liabilities they have to both their own staff and their customers when developing a cloud-computing strategy. For now, PII security is governed by existing rules of confidentiality for customer data, which vary depending on the type of business in which a company is engaged. The same may be said for officer or employee PII stored in the cloud, which may be protected by existing privacy laws. Since many existing laws came about when privacy largely involved securing data in locked file cabinets, businesses must take care with their digital PII.

Prism Risk Management provides businesses and organizations with risk and loss prevention consulting and offers services in loss control planning. To learn how our team can help your organization, contact us today.

Web Resources:

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (PDF file), National Institute of Standards and Technology, April 2010

PRIVACY: Alternatives Exist for Enhancing Protection of Personally Identifiable Information (PDF file), U.S. Government Accountability Office, May 2008


Photo credit: ‘White House 06.02.08’ by Юкатан (Own work) [Public domain], via Wikimedia Commons.
