Privacy in the Age of the Hacker: Balancing Global Privacy and Data Security Law
Cunningham, McKay, The George Washington International Law Review
The twin goals of privacy and data security share a fascinating symbiotic relationship-too much of one undermines the other. Unregulated Internet monitoring in security's name emasculates privacy, while privacy laws that heavily burden data sharing and processing corrode data security. Both sides to this inverse relationship suffered a multitude of indignities in 2011.
In November 2011, cyber thieves took $2.7 million from 3,400 Citigroup customers after 360,000 accounts were hacked.1 Citigroup could not retrieve the data, which included customers' financial data and other personal information. The customers had not misplaced their credit cards or typed out credit card numbers on untrustworthy websites;2 their only mistake was opening accounts with Citigroup.
Throughout 2011, Saudi Arabia and Israel continued a tit-for-tat school yard scuffle. Instead of trading insults, hackers from the respective nations illegally accessed and published financial and personal information about the other's citizens.3 A nineteen-yearold Saudi posted online personal information, including financial details of six thousand Israelis.4 In retaliation, Israeli hackers covertly obtained credit card and other financial details from thousands of Saudis, threatening public disclosure.5
In April 2011, Sony suffered a massive breach in its video game online network. Volumes of customer data were compromised, including names, addresses, and possibly credit card data associated with over 77 million user accounts.6
While alarmist sentiment threatens more harm than it hastens help,7 the Internet is a rather lawless "place." Cyber threats of almost every ilk are increasing in both frequency and sophistication. 8 Since 2005, an estimated 543 million records have been lost as a result of more than 2,800 data breaches.9 In 2011, data security experts recorded 403 million variants of malware.10 "Scholars, government officials, journalists, and computer scientists all agree that inadequate security is an emerging threat - perhaps a catastrophic one . . . ."11
At the same time, logarithmic increases of information-terabytes of data-course through the web, much of it personal and private. At 487 billion gigabytes, if the world's expanding digital content were printed and bound into books it would form a stack that would stretch from Earth to Pluto ten times.12 As more people log on and join the digital masses for the first time, data flows inevitably expand, as do calls for protecting private data.13 How do we secure data from evolving cyber threats while ensuring that private data is used only by the parties and for the purposes intended?
Where balance is required, unfortunately the international regulatory climate is lopsided. International law tilts unevenly in favor of data privacy. The European Union's Directive 95/46/EC14 (Directive) set the standard for data privacy regulation and facilitated a trend among wired countries toward nationalized data privacy laws. In the less than forty years following the first comprehensive national privacy law (Sweden, 1973), seventy-six countries have followed suit.15 As Professor Graham Greenleaf notes, "[t]he picture that emerges is that data privacy laws are spreading globally, and their number and geographic diversity accelerating since 2000."16
There were seven new national omnibus privacy laws in the 1970s, ten in the 1980s, nineteen in the 1990s, thirty-two in the 2000s, and eight so far in the first two years of this decade.17 At the current rate of expansion, fifty new laws will emerge in this decade. The most economically significant nations notably absent are the United States, China, and Brazil.18 India adopted omnibus data privacy laws in 2011,19 and Brazil is expected to pass such legislation this year,20 leaving only the United States and China.
By design, omnibus data privacy laws restrict data sharing, a fact that inhibits data security providers who increasingly rely on massive amounts of data to identify and neutralize threats like malware, botnets, distributed denial of service attacks, and Trojan horses. …