A Handful of 2012 Privacy & Security Predictions
Even though 2011 was an extremely active year on the information security and privacy fronts – with a blizzard of proposed legislation, near weekly front page data breaches and the continued full leap into the cloud with its securities issues – I predict that 2012 events across the privacy and data security landscape will make 2011 look like a walk in the park. A handful of thoughts on what 2012 may hold:
- The EU’s on deck Data Protection Regulation promises – or threatens depending on your viewpoint – to significantly revamp the EU’s data protection regimes, adding additional potential uncertainty to the EU arena. The leaked DPR indicated a new broad extraterritorial reach, stronger protections for children under 18, embracing privacy by design and the right to be forgotten, a requirement to designate a privacy officer, and increased enforcement powers and penalties. We’ll see what happens when the rubber meets the road.
- Will the final version of the HIPAA breach notification rule make a long-awaited appearance in 2012, along with guidelines per Stage 2 of the electronic record incentive program within the HITECH Act ? The smart money says yes, especially since Congress recently admonished DHS to hurry up already given that the “interim” rule has been around since 2009.
- The FTC plans to issue in early 2012 its finalized Privacy Report, formally titled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” which I believe will have a significant impact on the 2012 privacy/infosec landscape. The draft version, issued a year ago in December 2010, immediately sparked wide-ranging conversations on Do-Not-Track, Privacy by Design, Fair Information Practice Principles, Geolocation and other privacy-related issues, many of which quickly found their way into 2011’s proposed bills. I expect the finalized report to be heavily influential on 2012’s infosec and privacy debates.
- Information security and data protection issues surrounding contracting for cloud services will begin the road to maturity in 2012 as the federal government continues its push of fed agency IT needs into the cloud. The result will help provide guidance on cloud contracting issues addressing audit assurances, cloud security and accreditation, e-discovery issues, security controls and allocation of liability and responsibility for data security, to name but a few.
- Finally, 2012 will unfortunately see no end in sight to advanced attacks resulting in data breaches, with attacks on mobile devices to ramp up significantly. In response the move to Big Data and data hoarding may reverse as companies in specific sectoral areas begin paring back on how much data they retain.
For additional 2012 infosec and privacy predictions, pop over to Christine Marciano of Cyber Data Risk Managers' collection, which includes my views of 2012, at http://www.dataprivacyinsurance.com/wp-content/uploads/2012/01/2012-DATA-PRIVACY-AND-INFORMATION-SECURITY-PREDICTIONS.pdf