Unsurprisingly, privacy as a concept dates back to early human history, beginning in earnest with philosophical arguments put forth by Aristotle relating to the “public” and “private” spheres of life. Much later on, the Fourth Amendment to the U.S. Constitution recognized the importance of privacy by providing for “The right of the people to be secure in their persons, houses, papers, and effects”. However, it wasn’t until 1890, with the publication of “The Right to Privacy” by Louis Brandeis and Samuel Warren in the Harvard Law Review, that a strong basis for information privacy in the U.S. was established. At the time that article was written, the advent of the camera and tabloid journalism had begun to threaten the private lives of individuals in new and unprecedented ways. Today, the central role of the internet and other forms of information technology in our daily lives makes an understanding of privacy and a discussion of its legal regulation more important than ever.
Companies manage a tremendous amount of information that can be compromising to the individuals it describes, including health records and financial information. However, this is not the only potentially dangerous information out there, nor is all of it released by the individual to whom it pertains. In fact, a great deal of it is generated through the tracking of browsing and social media behavior. Collecting and processing these small pieces of information can lead to results that the individuals who released the information (with or without their knowledge) had not intended; for example, researchers recently determined that they can reasonably predict gender, sexual orientation, race, drug and alcohol use, relationship status, parental divorce, and political and religious affiliations simply by analyzing an individual’s Facebook likes.
Given the sensitivity of all this information, how should it be handled? What are the legal and professional obligations that businesses have when using the information of others? In general, U.S. law is guided by the concept of a “reasonable expectation of privacy”, an objective determination of the situations in which privacy can be expected and those in which it cannot. However, legal guidelines in the U.S. with respect to privacy are rather complicated; unlike the EU and Argentina, the U.S. has no unifying privacy law, but rather a series of laws that have been developed as the need arose and over a great deal of time.
Certain kinds of information are broadly protected by a single piece of legislation. For example, Protected Health Information (which includes not only health information itself, but other data like payment history) is covered by the Health Insurance Portability and Accountability Act. Generally speaking, though, the Federal Trade Commission’s Fair Information Practices, published in 1998, serve as a guideline to businesses and lawmakers (indeed, these guidelines were later adapted and modified by other countries and international organizations). While these guidelines are, strictly speaking, non-binding, they were the result of negotiations between the U.S. government during the Clinton administration and industry representatives, and so there is a certain expectation of self-regulation. Abiding by these guidelines is advisable and certainly a good first step, but it is nonetheless very important to research and abide by all applicable laws at the local, state, and federal level. For more information on the danger in holding this information and the reasoning behind making laws to regulate it, refer to our e-book about Cyber Insurance.
In our next blog post, we will address some of the implications of the current legal situation and the cultural differences in perceptions of privacy. We’ll also address some additional actions you can take with respect to insurance and risk management, above and beyond those covered in the guidelines discussed above.