Privacy Risk Assessment

Convener: Jeff Stollman

Notes-taker: Steve Holcombe

Tags: Privacy, Risk, FTC, regulation

Discussion notes:

The FTC will soon be holding hearings regarding the risks (physical, financial, reputational) to consumers of data elements (e.g., firstname, lastname, email, birthdate, socialsecuritynumber, etc,) stored by retail companies and/or online search companies. Risks of data breaches to national security may also be considered.

Questions:

Global ramifications of data breach exposure? What is low risk in one country may be high risk in another country?

Should there be U.S. laws limiting retailers to certain storage/usages of data and prohibiting others?

Should liability risks be legislated regarding certain data elements? Certain aggregations of low risk data elements that may become riskier by their aggregation?

Should the FTC establish and assess fines for data breaches calculated by loss of high risk, medium risk, and low risk data?

Kantara will be proposing to the FTC a data breach risk assessment based upon (a) risks assigned to specific data elements and/or (b) aggregation of data elements of varying risks.

Final comment: Privacy risk regulations may support large data storage utilities (who can afford legal staff to meet regulations) because of costs to storing certain data of varying FTC assigned risks that smaller businesses will not be able to meet.