Jewish World Review March 15, 2005 / 4 Adar II, 5765

Issac J. Bailey



Rethinking the personal data problem: At what cost?


The revelation that the private data of hundreds of thousands of individuals was exposed in the ChoicePoint scandal has led to an outcry for new privacy regulation. It's easy to understand the frustration of many Americans who now are at risk of identity theft and other misuses of their data and why they might be amenable to the idea of a new wave of privacy rules. But before we rush to implement new laws, it might be worthwhile to pause, take a deep breath and consider if this is the path that will best serve this country's needs.

The first fact to consider with any new regulation is what are the costs? For instance, a 2001 study estimated that new privacy regulations would add $9 billion to $36 billion a year in additional costs to the American economy.

For a specific case of the costly burden of privacy regulations, one has to look no further than the Health Insurance Portability and Accountability Act. A final rule on privacy regulations, which went into effect in 2003 and is the size of an encyclopedia, spells out in exhausting detail how hospitals and doctors' offices must overhaul their medical practices in order to avoid the privacy police.

For instance, office workers fret over how to hang charts on the walls, guard the fax machine from unwanted visitors and speak in hushed tones on the phone. Some health providers have had to remodel offices so that lingering patients won't be able to glance at unauthorized information. The rules are so misguided that if a patient mistakenly chooses a "do not announce" status, the hospital may not be able to let a family member know the person was admitted.

What is the cost of the HIPAA regulatory leviathan? A much-criticized HHS study put the number at $17.6 billion over 10 years. An American Hospital Association-commissioned study found that the cost for implementing only part of the regulations could end up costing $22.5 billion over five years just for hospitals. Another study funded by BlueCross BlueShield estimated the cost to be $42.9 billion over five years.

In California, a state known for its aggressive stance on privacy, companies and institutions have felt the economic effect of such regulations. For example, when hackers broke into San Diego State University servers, university officials, in order to comply with California's notification law, had to notify 207,000 students that data such as Social Security numbers may have been compromised even though there was no evidence to suggest this to be true. The effort ended up costing the university $200,000, not including all the negative publicity they received.

Now even if we put aside the extraordinary costs of privacy regulations for a moment, a question we should ask is whether we can effectively protect the personal data of individuals in the first place. More evidence is accumulating every day that suggests that this is becoming increasingly impossible.

The ChoicePoint case generated significant publicity, but this was largely because of the significant number of individuals affected and the fact that the company had been in the crosshairs of privacy advocates for a number of months. ChoicePoint had been the central antagonist in Robert O'Harrow's book "No Place to Hide." But the fact is that this kind of security violation happens on a regular basis; it's just that we don't hear about it because companies outside of California have little incentive to report such breaches.

The fact is that securing databases is becoming an exercise in futility in many ways. For one, due to the needs of the information economy, our personal data are spread across hundreds if not thousands of databases giving thieves an unlimited number of targets. Second, evidence suggests that just about any technology can be cracked given a persistent enough criminal. In the last few weeks we learned that both TiVo and Napster's copy protection technologies were hacked. Just ask Paris Hilton how little security databases offer. Third, one can use social engineering techniques and pose as real businesses to obtain data and avoid security protections altogether, as was the case with ChoicePoint.

So if privacy regulations represent a costly burden on companies that probably can't protect their data anyway, why would we want to go down a path that has negative consequences for the economy and little chance for success? I'd suggest that it's because old habits die hard.

Perhaps the time has come to retrain ourselves on how we think about personal data. This would be a paradigm shift that says it's not information that is the problem but how people use it. Instead of focusing on the increasingly difficult task of trying to lock down data behind a dike that has more holes than Swiss cheese, we should focus our energies on making sure data are used appropriately.

For instance, if banks required that applicants for credit apply in person and use a biometric such as a digital picture or fingerprint, the data stolen from a ChoicePoint database would be useless and a major funding source for identity thieves would dry up quicker than a river in the Mojave Desert.

Or if the data are of the kind that could threaten one's position in the workplace, such as the history of a criminal record, Congress can follow one of the better provisions in HIPAA which prevents discrimination based on certain types of information — in HIPAA's case, medical information.

In an open society where information wants to be free, a more enlightened approach is not to try to plug the dike, but to let the river flow and make sure it isn't misused. Now we just need to answer the question of how to spend all the money that would be freed up by fewer privacy regulations and smaller investments in security.



Issac J. Bailey is a columnist for the Myrtle Beach, S.C., Sun News.



© The Sun News (Myrtle Beach, S.C.). Distributed by Knight Ridder/Tribune Information Services.