Reports that a vendor to the Boston Medical Center unintentionally published the private records of 15,000 people is just the latest reminder of why privacy matters.
Privacy isn’t merely about protecting what’s personal. It’s also good for business.
As with other local and national breaches of privacy, including the infamous $250 million T.J. Maxx breach in Massachusetts or the more recent Target snafu, the exposure of private information at Boston Medical Center shows why strong, effective privacy protections are important for business. In Massachusetts, where our economy is built on both information technology and biomedical breakthroughs, as well as banking, communications and other fields, data privacy is critical.
As often happens, the BMC breach apparently resulted from “human error,” namely, posting records without password protection. Still, the data spill shows that when private information is exposed, actual living, breathing human beings are exposed, too.
The BMC data breach is a good reminder that companies should only retain data if it is absolutely necessary. Holding on to sensitive information for long periods of time is a recipe for disaster, and not only because of accidental breaches.
Unchecked government demands for personal records also threaten Massachusetts businesses. Over the past decade plus, U.S. and Massachusetts state officials have extended their surveillance capacities in line with technological advances that permit the mass collection, retention and analysis of sensitive records.
At every level of government, officials press corporations to report on the activities of their clients, at an unprecedented pace and scale, often without a warrant. Such pressures take a variety of forms: forcing businesses to turn over their client databases, to gather and store information in ways useful to law enforcement agencies, and to participate in government systems for reporting on individuals who are clients.
Under current law, businesses face a choice: comply with demands, or initiate costly legal proceedings. Privacy laws, meanwhile, lag behind surveillance technology. As a result, local and federal officials are able to coerce companies to comply with these requests even when there is no evidence of a crime or probable cause, and with no judicial oversight.
At the heart of these problems, at the federal level, is the notorious USA Patriot Act. The act authorizes the FBI to use so-called National Security Letters and other tools to demand, from Internet service providers and other communications companies a range of sensitive client information — including websites that people visit, email addresses and the identities of people who have posted anonymous speech on websites.
It’s not just the feds. Here in Massachusetts, local district attorneys use “administrative subpoenas” to disgorge personal information about us from phone, Internet and financial firms. The information must only be “relevant and material” to an investigation — a very low standard. Since no judge reviews or approves these state subpoenas, they are to local prosecutors what prescription pads are to doctors.
Massachusetts is a world leader in scientific, medical and high-tech industries. To remain so, we must pass common sense laws to protect privacy at both the federal and local level.
In several Massachusetts counties, DAs offices expressly instruct businesses not to disclose the existence of the subpoena to the surveillance target — although no law authorizes the DA to impose such gags. Moreover, prosecutors are not required to keep records to track how often they are used or if they actually help to solve crimes — although we do know that the extent of their use varies widely from county to county.
What does this mean for business? For one, it shifts surveillance costs to the private sector. Corporations are forced to support spy programs by creating new infrastructure and hiring additional staff to meet huge information collection and analysis mandates. Companies have to set up employee training programs, create written procedures, conduct annual independent audits and build customer identification programs.
Who ultimately pays this hidden surveillance tax? Presumably, customers and shareholders.
Privatization of surveillance also threatens customer trust and loyalty, two keys to business success. Revelations that the NSA has been working its surveillance ops through private corporations -- including another Massachusetts company, EMC Corp. — has led to public boycotts and contract cancellations. U.S. businesses have been forced to spend billions of dollars to build overseas data centers and take other steps to reassure foreign customers that their information will be safe form the prying eyes of U.S. government officials.
“A lack of confidence in the security of business communications, prompted by the mere threat of governmental surveillance that is unfettered by any particularized establishment of probable cause, will significantly chill American businesses’ communications with their international customers, investors and business partners,” wrote a diverse group of business leaders, including publishing executives, investment advisers, telecommunications executives and others, who joined a 2006 lawsuit by the ACLU and allies against the National Security Agency’s spying program.
More recently, more than 100 companies and groups — including Microsoft, Google, AOL, Dropbox, Ebay and Foursquare — have urged Congress to pass the USA Freedom Act, which would end the bulk collection of Americans' records shared with third parties, and put reasonable limits on Patriot Act powers.
Massachusetts is a world leader in scientific, medical and high-tech industries. To remain so, we must pass common sense laws to protect privacy at both the federal and local level. Protecting personal data with good practices and clear legal standards is the best way to ensure the trust of patients, clients and customers.