Data privacy high on next year's policy agenda



Much has been made of the many uncertainties facing businesses and their IT executives in the year ahead, but one area in which there is sure to be movement is data privacy policy. Leaked, stolen and lost data is costing companies their reputations and money, and it is costing consumers their Fourth Amendment rights. The status quo is acceptable to no one aside from some online advertisers.

The Obama Administration last week issued a report (.pdf) calling for a new Privacy Policy Office within the Department of Commerce, which would be dedicated to strengthening privacy policies and coordinating with other countries. The report, authored by the Internet Policy Task Force at the Commerce Department, sets forth 10 areas of recommended policy changes for businesses, lawmakers and regulators to consider.

The task force recommends expanding the Fair Information Practice Principles to establish a baseline commercial data privacy framework. It leaves open the question of whether this should be done through new legislation, new regulations or voluntary adherence to codes. While some stakeholders are calling for greater government enforcement, others want more industry self-regulation. The latter undoubtedly appeals to many businesses in the short run, but in the long run it only means that regulators will revisit the matter with more fodder for the pro-enforcement contingent.

One area of policy in which there seems to be growing consensus is the need for a national security breach notification law. The vast majority of states have put such laws on their books, and the task force recommends a national law that would "track the effective protections" in the state laws. A national law could include incentives for businesses to deploy strict security protocols, the task force suggested. 

The group also recommends that the Administration take a new look at the Electronic Communications Privacy Act in light of burgeoning technologies such as cloud computing and geolocation services. The report notes that the ECPA was passed in an environment of mainframe computing, and its provisions do not necessarily address today's broad use of remote computing resources. The group is asking for any case studies that illustrate the concerns people have about data privacy in the context of cloud computing.

When the new Congress convenes in January, data privacy is expected to be near the top of the agenda, so companies should prepare for the changes ahead. Deploying effective data security measures is costly, but so is the loss of an individual's privacy or a company's reputation. To me, it looks like a matter of paying now or paying more later.

In the meantime, I wish you all happy holidays and a happy new year! - Caron