Security Privacy

Some organizations have legal requirements to protect the customer data they collect and store, but the laws may be more limited than you think. The Gramm-Leach-Bliley (GLB) Act, passed by Congress in 1999, protects consumer financial data stored by financial institutions, which are defined as banks, securities firms, insurance companies, and organizations that provide financial advice, prepare tax returns, and provide similar financial services.

The Privacy Act of 1974 provides protections to individuals regarding records maintained by the U.S. government, and the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 gives individuals the right to access health data created by doctors and other health-care providers. HIPAA also sets rules and limits on who can read and receive your health information. The law is stronger in other countries. In Australia, for example, the Privacy Principles of the Australian Privacy Act of 1988 govern not only government and health-care data, but also records maintained by businesses with revenues in excess of AU$3 million.

To understand the importance of the limitations, consider online retailers that routinely store customer credit card data. Do Dell, Amazon.com, the airlines, and other e-commerce businesses have a legal requirement to protect their customers' credit card data? Apparently not-at least not in the United States. The activities of such organizations are not governed by the GLB, the Privacy Act of 1974, or HIPAA. Most consumers would say, however, that online retailers have an ethical requirement to protect a customer's credit card and other data, and most online retailers would agree.

Or at least the retailers would agree that they have a strong business reason to protect that data. A substantial loss of credit card data by any large online retailer would have detrimental effects on both sales and brand reputation. As discussed in Chapter 6, data aggregators like Acxiom Corporation further complicate the risk to individuals because they develop a complete profile of households and individuals.

And, as stated in Chapter 6, no federal law prohibits the U.S. government from buying information products from the data accumulators. But, let's bring the discussion closer to home. What requirements does your university have on the data it maintains about you? State law or university policy may govern those records, but no federal law does. Most universities consider it their responsibility to provide public access to graduation records. Anyone can determine when you graduated, your degree, and your major.

(Keep this service in mind when you write your resume.) Most professors endeavor to publish grades by student number and not by name, and there may be state law that requires that separation. But what about your work? What about the papers you write, the answers you give on exams? What about the emails you send to your professor? The data are not protected by federal law, and they are probably not protected by state law. If your professor chooses to cite your work in research, she will be subject to copyright law, but not privacy law.

What you write is no longer your personal data; it belongs to the academic community. You can ask your professor what she intends to do with your coursework, emails, and office conversations, but none of that data is protected by law. The bottom line: Be careful with your personal data. Large, reputable organizations are likely to endorse ethical privacy policy and to have strong and effective safeguards to effectuate that policy. But individuals and small organizations might not. If in doubt, ask

Discussion Questions

1. As stated in the case, when you order from an online retailer, the data you provide is not protected by U.S. privacy law. Does this fact cause you to reconsider setting up an account with a stored credit card number? What is the advantage of storing the credit card number? Do you think the advantage is worth the risk? Are you more willing to take the risk with some companies than with others? Why or why not?

2. Suppose you are the treasurer of a student club, and you store records of club members' payments in a database. In the past, members have disputed payment amounts; therefore, when you receive a payment, you scan an image of the check or credit card invoice and store the scanned image in a database.

One day, you are using your computer in a local wireless coffee shop and a malicious student breaks into your computer over the wireless network and steals the club database. You know nothing about this until the next day, when a club member complains that a popular student Web site has published the names, bank names, and bank account numbers for everyone who has given you a check.

What liability do you have in this matter? Could you be classified as a financial institution because you are taking students' money? If so, what liability do you have? If not, do you have any other liability? Does the coffee shop have a liability?

3. Suppose you are asked to fill out a study questionnaire that requires you to enter identifying data as well as answers to personal questions. You hesitate to provide the data, but the top part of the questionnaire states, "All responses will be strictly confidential." So, you fill out the questionnaire. Unfortunately, the person who is conducting the study visits the same wireless coffee shop that you visited (in question 2), and the same malicious student breaks in and steals the study results.

Your name and all of your responses appear on that same student Web site. Did the person conducting the study violate a law? Does the confidentiality assurance on the form increase that person's requirement to protect your data? Does your answer change if the person conducting the study is (a) a student, (b) a professor of music, or (c) a professor of computer security?

4. In truth, only a very talented and motivated hacker could steal databases from computers using a public wireless network. Such losses, although possible, are unlikely. However, any email you send or files you download can readily be sniffed at a public wireless facility. Knowing this, describe good practice for computer use at public wireless facilities.

5. Considering your answers to the above questions, state three to five general principles to guide your actions as you disseminate and store data. They must consider the factors listed and take cost-effective actions to reduce probable losses, despite the uncertainty. The next sections discuss safeguards. We begin with technical safeguards, then data safeguards, then human safeguards, and, finally, safeguards against natural disasters.