A few weeks behind the likes of Microsoft and Ask.com, and well behind many large corporations who have decried the need for a global privacy standard for years, Google has now suggested that a global privacy standard is necessary. In theory this is, of course, a great idea for corporations: it will make doing business at the international level easier and make regulations consistent around the world. But right now we’ve got a long way to go, because almost every country in the world has a different (or as yet undefined) understanding of what privacy means for its citizens.
They have also highlighted the idea of considering actual harm when regulating privacy. At first glance this does seem like a good idea: no harm, no foul, right? But trouble arises because clever thieves often hold onto the information they’ve stolen (or bought from someone else) and use it months or years later, when the victim may no longer be on their guard. It is therefore very tricky to link actual consumer harm to a particular theft. In the end, it’s the consumer who again ends up with the short end of the stick, with no way to prove which company lost the information that led to this particular theft.
Of particular interest in this arena is the upcoming California bill, which requires that the "breached entity reimburse affected banks and credit unions for all costs incurred when alerting customers of the breach and reissuing cards." California is the leader in data breach notification legislation; if this bill passes, I would expect the same requirements to pass in other states and again become a de facto national standard. This legislation, unlike the idea of harm, puts the blame and the costs back on the breached party, where the costs are usually deserved. This may only be reasonable in the short term, though, because as security and privacy protections improve, companies that have truly followed best practices will be unlucky victims rather than easy targets. If and when we reach that day of superior data protection, insurance to protect against theft may be the only recourse, as corporations, banks and consumers are all victims. But we’re certainly not there yet.