US federal privacy laws don’t adequately protect sensitive information and need updating to keep pace with technology, according to the Government Accountability Office (GAO). Recently congressional hearings were held to help Congress understand the inadequacies of current federal legislation around privacy and security of personal information held by the government.
Federal agency collection or use of personal information is governed primarily by two laws: the Privacy Act of 1974 and the privacy provisions of the E-Government Act of 2002. The Privacy Act places limitations on agencies’ collection, disclosure, and use of personal information maintained in systems of records. It describes a record as any item or collection of information about an individual that is maintained by an agency and contains his or her name or another personal identifier. It defines a “system of records” as a group of records under the control of any agency where information is retrieved by the name of the individual or by an individual identifier.
The E-Government Act of 2002 enhanced the protection for personal information in government information systems or information collections. Each government agency must protect its information technology systems to ensure no unauthorized use of personal information.
Both of these acts have not kept up with current technology and the ease of accessing private data. For example, they don’t address information shared through systems not in control of the federal government, such as social media sites, like Facebook and Twitter. Many people also share information through blogs and the proliferation of mobile devices makes it difficult to lock things down.
As the US federal government works to update data security laws, most states in the US have developed their own legislation governing data breaches and privacy issues. These not only cover information held by the government, but any organization that maintains Personally Identifiable Information (PII) and does business in their state.
A recent law passed in Connecticut updates the definition of a breach of security and strengthens penalties from failure to comply with the law. The law states:
” … unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable …”
It goes on to say that failure to comply with the law constitutes an unfair trade practice enforced by the Attorney General. This hits businesses in the pocketbook and shows that Connecticut takes this seriously. If an organization encrypts its documents and databases, the information becomes unusable to unauthorized people, and it’s loss is not considered a breach of security.
Some organizations, including the US government, are looking at ways to eliminate or reduce the amount of PII they gather and store. The less you have, the less there is to lose. For those businesses that need to keep personal information about employees and customers, your best approach to prevent a breach of security is to encrypt any files that contain PII. This ensures that only authorized people can read the information inside. If you have a breach, you are safe and don’t need to worry about reporting it to the state or federal government.
Data breaches are serious and legislation is slowly catching up to reality. Whether you do business in the US or elsewhere, you are or will be affected. Encrypting your documents is the best insurance against legal and financial trouble.
Photo credit JakBet
