WASHINGTON -- As data becomes the bedrock for more and more businesses, data security is becoming increasingly important. The sheer amounts of data, coupled with headline-making data breaches, has led the Federal Trade Commission to be more active in the space. FTC Chairwoman Edith Ramirez yesterday took part in a Q&A at the Global Privacy Summit, an event hosted by the International Association of Privacy Professionals here in Washington, D.C., where she talked about a range of topics from de-identification to the need for regulation to international compliance.
1. De-identification
Expect the FTC, 100-years-old this year, to begin working in earnest to develop guidelines for data de-identification. Data collectors often throw around terms like hashing and encryption, tools for stripping personally-identifiable information from consumer data. However, there are no industry standards in place for so-called de-identification, an increasingly necessary process for enabling marketers to employ data while protecting consumer privacy.
"It is still an initiative we're examining," said Ms. Ramirez today. "It's a very fruitful avenue that ought to be pursued," she said.
Elemental to that project is FTC Chief Technology Officer Latanya Sweeney, who in her academic work as Harvard's Data Privacy Lab director focused on issues surrounding de-identification and re-identification, or the ability to decipher an individual's identity despite the fact that de-identification measures have been implemented.
There are limits to the effectiveness of de-identification, said Ms. Ramirez. "I don't believe that de-identification is a cure-all; it's not a panacea, but I do believe it is a potentially powerful tool that can be used and ought to be used."
2. Data Brokers
Expect the FTC to unveil its report on the data-broker industry, the result of a year-long study, in the near future.
While the data-broker business typically is not consumer-facing, said Ms. Ramirez, it's important to ensure consumers maintain control over their personal data, much of which is stored in data brokers' vaults, sold and shared.
An FTC data-broker report "will be coming out soon," said Ms. Ramirez.
Outgoing Senator Jay Rockefeller, D-W.V., introduced a bill in February giving consumers access to data held by data brokers serving the marketing industry, allowing them to correct information or opt-out from use of that data for marketing purposes. If the bill gains traction, anticipate a fight from the marketing and data industries.
3. Data Security
The massive influx of data flowing across servers and borders call for better -- or at least more standardized -- security mechanisms to prevent breaches. So far, corporations aren't doing a good job of securing information, said Ms. Ramirez.
"Companies really are continuing to make very basic fundamental mistakes when it comes to data security," said Ms. Ramirez.
In particular, the FTC wants federal data-security legislation enacted, said Ms. Ramirez. "But we haven't seen any action by Congress," she added, suggesting Target's recent headline-grabbing data breach could be an impetus for legislation.
"This recent Target breach in particular...I really think it has sparked a fruitful discussion on the Hill."
Expect the FTC to push for such a law to award the agency rulemaking authority and enforcement capabilities for data-security rules. "I think it's important that we have the means to ensure that there is appropriate deterrance, and right now we don't have that authority," said Ms. Ramirez.
Industry groups including the Direct Marketing Association last month backed a call by U.S. Attorney General Eric Holder for a national data-security law.
4. Mobile Location Tracking
The FTC -- more recently aggressive than in the past, according to privacy industry observers -- is planning multiple reports to help protect consumer data. Another on mobile-device-location tracking by bricks-and-mortar retailers will be fueled by work conducted in the commission's mobile lab, a testing area for mobile devices and applications.
Researchers in the lab are "trying to replicate the experiences of everyday consumers," said Ms. Ramirez. "We use it as part of our investigative tools."
Though she said retailers typically only analyze non-personally identifiable aggregate data to get a sense of customer footpaths or products they linger near, "it's important that de-identification take place," she said.
5. Data Sharing Across Borders
In a separate press conference today at the IAPP event, Ms. Ramirez sat among officials from the U.S. Commerce Department, Canada and the European Union to announce a tool to help businesses ensure compliance with global data-privacy rules.
Though not directly tied to the Safe Harbor agreement for data transfers between the U.S. and European Union, the initiative reflects what appears to be a stonger commitment to uphold the U.S. end of the bargain. The Safe Harbor deal, in place since 2000, enables more than 3,000 companies from General Mills to Google and Facebook to satisfy EU privacy regulations in exchange for self-certifying that they abide by certain rules.
Amid scrutiny from the EU regarding its approach to monitoring for compliance with Safe Harbor, the FTC acknowledged last year that the system could be improved.
In the first decade the program was in place no referrals regarding incompliance by participating companies were made by the FTC, said Ms. Ramirez. But that's changed. The agency has brought 13 Safe Harbor cases recently, she said.
"We are engaged in what I believe is a really fruitful dialogue" with the EU, she said.