Privacy Daily is a service of Warren Communications News.

Different State, Federal Definitions of Sensitive Information Present Conundrum

The emergence of state privacy laws means that there are several standards or policies that companies and businesses must follow when defining and de-identifying sensitive information, said a panel of experts at the American Bar Association's Privacy and Emerging Technology National Institute event Thursday.


“Most states have approached the concept of sensitive data as sort of a laundry list,” said Cody Venzke, senior policy counsel at the American Civil Liberties Union. While there's high-level agreement about the concept of sensitive data, “the actual material scope of it can be wildly different from state to state,” Venzke added. As such, “a lot of careful attention needs to be paid to what we're seeing.” This is true at the federal level as well, he added.

Deven McGraw, chief regulatory and privacy officer at Citizen Health, mentioned similar issues that arise when de-identifying personal information to disperse for research purposes. “We used to say, 'If it's health data, and you're HIPAA-covered, just look at the HIPAA standard, and that's all you need to worry about,'” she said. That's no longer true. “You really need to look at what state laws might apply to you.”

The biggest problems ahead, said Nancy Perkins, counsel at Arnold and Porter, are “the nuances of these interpretations ... the [growth and expansion of] state law definitions, the fact that they're not consistent [and] some [are] ... somewhat ambiguous,” on top of how the FTC views things. “Basically anything might be deemed identifiable and linked,” she said.

This can be hard, said Ruth Hill Bro, privacy and cybersecurity attorney, because there is a difference between being identified and being connected. "We want really good service," she said. "We want things that relate to us, but we don't want our privacy invaded."