I was discussing an upcoming story with one of our freelancers the other day. Andrew Allentuck is a kind man who loves dogs and is an experienced writer on technology and business issues.
Andrew’s writing a feature on the legal consequences of lost or misused customer data, and the standards
to which companies are to be held for the protection of that data. (Don’t worry, Andrew, I’m not giving away the whole story.
As privacy laws are applied and a body of precedent evolves, it’s clear that companies will be held to a high standard for the conduct of their customers’ information. If a company doesn’t take every reasonable measure – emphasis on every, rather than reasonable – to protect customer information, they will be risking substantial damage awards and even criminal liability.
But what constitutes “every reasonable measure”? What, explicitly, is the standard these companies will be held to? And do you mind that I ended that last sentence with a preposition?
Between the pair of us, the analogy of gun control – specifically, Canadian gun control – bubbled up.
(Let’s not get into the debate over whether Canadian gun controls laws are overkill or overly lax. It’s not my place. Believe what you want, but don’t point that thing at me.)
You are a firearm owner. Someone, somehow, gets hold of one of your guns. Someone else gets hurt. Are you liable?
Fortunately, Canadian law is very explicit when it comes to your responsibility as a firearm owner with respect to the storage of those weapons. They’re stored in a locked cabinet; they’re trigger-locked; and the ammunition is stored in another locked compartment. Follow those rules, and you’ve demonstrated adequate care. This might not absolve all liability, but it establishes that you were not reckless or irresponsible in the storage of your guns.
This is the kind of precise standard that has to be applied to care of customer data. Legislation and/or regulation must specify what constitutes “every reasonable measure,” because if it doesn’t, precedent will.
And what’s wrong with that?
Judges are very learned people whom I respect very much, Your Honour, as I hope my conduct in your courtroom has demonstrated. (Sorry. Knee-jerk reaction.) However much I respect the robe and the gavel, though, the first person I’d call to configure a storage network would not be a Supreme Court justice.
The risk is that precedent might evolve under the direction of well-meaning people whose expertise is not in the application of technology. While the decisions will most often be of the big-picture variety, it only requires one specific – a declaration that x level of encryption is inadequate and that y level of encryption is reasonable, for example – to set a standard that is unreasonable to attain, or even worse, to lower the bar to the point that lax security is legally “adequate.”
The law must be explicit about controls on access to customer data; safeguards against using data collected for one purpose in another application; physical security of media containing customer data; and a minimum level of encryption protecting stored data.
I can hear the complaints. It’s too onerous; I can’t apply this to data on my laptop or PDA; what, we’re made of money all of a sudden? But the truth is if you don’t stickhandle the debate – if the technologically savvy don’t have input into these standards – then someone else will.
Dave Webb really does respect judges. Honest, Your Honour.