Jewish World Review March 15, 2005 / 4 Adar II, 5765
Issac J. Bailey
Rethinking the personal data problem: At what cost?
http://www.jewishworldreview.com
The revelation that the private data of hundreds of thousands of
individuals was exposed in the ChoicePoint scandal has led to an outcry
for new privacy regulation. It's easy to understand the frustration of
many Americans who now are at risk of identity theft and other misuses
of their data and why they might be amenable to the idea of a new wave
of privacy rules. But before we rush to implement new laws, it might be
worthwhile to pause, take a deep breath and consider if this is the path
that will best serve this country's needs.
The first question to consider with any new regulation is: What are the
costs? For instance, a 2001 study estimated that new privacy regulations
would add $9 billion to $36 billion a year in additional costs to the
American economy.
For a specific case of the costly burden of privacy regulations, one has
to look no further than the Health Insurance Portability and
Accountability Act. A final rule on privacy regulations, which went into
effect in 2003 and is the size of an encyclopedia, spells out in
exhausting detail how hospitals and doctors' offices must overhaul their
medical practices in order to avoid the privacy police.
For instance, office workers fret over how to hang charts on the walls,
guard the fax machine from unwanted visitors and speak in hushed tones on
the phone. Some health providers have had to remodel offices so that
lingering patients won't be able to glance at unauthorized information.
The rules are so misguided that if a patient mistakenly chooses a "do
not announce" status, the hospital may not be able to let a family
member know the person was admitted.
What is the cost of the HIPAA regulatory leviathan? A much-criticized
HHS study put the number at $17.6 billion over 10 years. An American
Hospital Association-commissioned study found that implementing only
part of the regulations could end up costing $22.5
billion over five years just for hospitals. Another study funded by
BlueCross BlueShield estimated the cost to be $42.9 billion over five years.
In California, a state known for its aggressive stance on privacy,
companies and institutions have felt the economic effect of such
regulations. For example, when hackers broke into San Diego State
University servers, university officials, in order to comply with
California's notification law, had to notify 207,000 students that data
such as Social Security numbers may have been compromised even though
there was no evidence to suggest this to be true. The effort ended up
costing the university $200,000, not including all the negative
publicity they received.
Now even if we put aside the extraordinary costs of privacy regulations
for a moment, a question we should ask is whether we can effectively
protect the personal data of individuals in the first place. More
evidence is accumulating every day that suggests that this is becoming
increasingly impossible.
The ChoicePoint case generated significant publicity, but this was
largely because of the significant number of individuals affected and
the fact that the company had been in the crosshairs of privacy
advocates for a number of months. ChoicePoint had been the central
antagonist in Robert O'Harrow's book "No Place to Hide." But the fact
is that this kind of security violation happens on a regular basis; it's
just that we don't hear about it because companies outside of California
have little incentive to report such breaches.
The fact is that securing databases is becoming an exercise in futility
in many ways. For one, due to the needs of the information economy, our
personal data are spread across hundreds if not thousands of databases
giving thieves an unlimited number of targets. Second, evidence suggests
that just about any technology can be cracked given a persistent enough
criminal. In the last few weeks we learned that both TiVo and Napster's
copy protection technologies were hacked. Just ask Paris Hilton how
little security databases offer. Third, one can use social engineering
techniques and pose as real businesses to obtain data and avoid security
protections altogether, as was the case with ChoicePoint.
So if privacy regulations represent a costly burden on companies that
probably can't protect their data anyway, why would we want to go down a
path that has negative consequences for the economy and little chance
for success? I'd suggest that it's because old habits die hard.
Perhaps the time has come to retrain ourselves on how we think about
personal data. This would be a paradigm shift that says it's not
information that is the problem but how people use it. Instead of
focusing on the increasingly difficult task of trying to lock down data
behind a dike that has more holes than Swiss cheese, we should focus our
energies on making sure data are used appropriately.
For instance, if banks required that applicants for credit apply in
person and use a biometric such as a digital picture or fingerprint, the
data stolen from a ChoicePoint database would be useless and a major
funding source for identity thieves would dry up quicker than a river in
the Mojave Desert.
Or if the data are of the kind that could threaten one's position in the
workplace, such as the history of a criminal record, Congress can follow
one of the better provisions in HIPAA, which prevents discrimination
based on certain types of information (in HIPAA's case, medical
information).
In an open society where information wants to be free, a more
enlightened approach is not to try to plug the dike, but to let the
river flow and make sure it isn't misused. Now we just need to answer
the question of how to spend all the money that would be freed up by
fewer privacy regulations and smaller investments in security.