Nothing Is Private

Experts say it’s time to enact comprehensive consumer privacy legislation in the United States. By Sean Hargadon

Image: Illustrations by Deena So’Oteh

Identity theft can have devastating effects. In one recent example, a retired couple in the Chicago suburbs came within hours of losing their life savings to a sophisticated attack.

The attackers worked for months to gain access to the couple’s retirement accounts. After obtaining one of the individuals’ Social Security numbers from a prior data breach, the attackers contacted the couple’s cellphone company, impersonated one of them, and then diverted text messages and calls to the attackers’ cellphone to intercept multi-factor authentication codes from the couple’s bank.

With help from privacy professionals, the couple was able to recognize the cloning attack and immediately contacted the cellphone carrier and the banks. It was a Friday afternoon, and the attackers had placed an order to sweep the couple’s life savings into a separate account first thing on Monday morning. The couple was able to get the transfer order canceled, but they came within 72 hours of losing much of their retirement savings.

Financial and identity theft is just one of the many dangers of personal information falling into the wrong hands. Location data from your cellphone, even when anonymized, can reveal personally identifiable information that could be used for surveillance, and scammers can piece together bits of information from social media accounts to do online phishing.

Technology has made life undeniably more convenient. But how much has this convenience put our privacy and personal information in peril?

“We’re all generating an exponential amount of data all the time,” says Caitlin Davitt Fennessy ’04, vice president and chief knowledge officer at the International Association of Privacy Professionals (IAPP). The abundance of personal information — and the ability to connect the dots between those bits of data — is cause for concern.

“Anything that allows data to be collated and well organized turns a few incidental web searches here and a few purchases there into knowledge about your personal life that would otherwise be very difficult to obtain,” says professor Matthew Kugler, who teaches a popular course on privacy law at the Northwestern Pritzker School of Law. “If someone put your TikTok history next to your Amazon history next to your Google history, they might be able to learn a lot about you that you didn’t mean to tell them.

“And if I give an app data to provide some basic service … and they sell it, that data could then be used for hundreds of purposes that I can’t even imagine. It is that vast, unknowable possibility that is particularly scary in the privacy space.”

The protection of personal information is a growing concern among Americans. According to a 2019 Pew Research Center survey, 81% of respondents felt they had very little or no control over information about them collected by companies — and a similar percentage were very or somewhat concerned about how that information was used. Other surveys reveal that most U.S. consumers believe companies should take additional steps to protect their privacy. And, importantly, two-thirds of Americans want the government to do more.

“Privacy underpins all that we do and experience in today’s increasingly digital world.” — Caitlin Fennessy

“Organizations and governments are working through how to manage the vast quantity of data that is out there,” Fennessy says. “How do you provide the space for organizations to use it in innovative ways while also preventing and avoiding harmful or surprising uses of data? And how do you erect those guardrails in ways that are manageable both for individuals and for companies?”

Caitlin Fennessy

Fennessy, who lives in Concord, N.H., manages the IAPP’s content and knowledge products, which are shared with more than 75,000 privacy professionals around the world.

Lara Leniton Liss ’99, global chief privacy officer at Walgreens Boots Alliance, manages the Walgreens team responsible for protecting the privacy of hundreds of millions of prescriptions per year as well as customer loyalty programs in the U.S. and the United Kingdom.

Liss is also a member of the IAPP’s educational advisory board. The board helps develop programming for IAPP’s privacy conferences around the world, gathering speakers to educate privacy professionals on the latest threats to privacy, emerging privacy-enhancing technologies and new regulations that require companies to update their compliance frameworks.

“Privacy underpins all that we do and experience in today’s increasingly digital world,” says Fennessy. “How our personal data is handled affects everything from the information we can access online to our personal health to the business model underpinning online services to how freely we express ourselves to the functioning of our democracies.”

Fennessy and Liss are two of several Northwestern alumni working to protect your privacy. They agree that privacy is a serious matter and that comprehensive federal legislation is needed to set reasonable expectations for individual data protection rights and harmonize the growing patchwork of state rules that protect only a subset of the U.S. population.

REPRODUCTIVE HEALTH PRIVACY

The right to privacy is not mentioned in the U.S. Constitution. From a legal standpoint, our idea of a right to privacy has been shaped by the landmark Supreme Court case Griswold v. Connecticut, says Joanna Grisinger, associate professor of instruction and director of legal studies at Northwestern’s Center for Legal Studies. The 1965 ruling overturned a state birth control ban and established a right to privacy within marriage. The notion of privacy in Griswold guided subsequent Supreme Court cases about abortion, contraception and who you can marry or have sex with.

But the 2022 case Dobbs v. Jackson Women’s Health Organization changed that notion of privacy. As a result of Dobbs, the Supreme Court indicated that abortion is no longer a private matter, says Grisinger, who teaches courses on U.S. constitutional law. This new holding means that some personal information — including browser search history, health app summaries and location data — could potentially be used “to penalize pregnant people who are getting abortions,” she says. “What about their metadata? What about apps that track fertility or menstruation? What about apps that track movement, because people might want to leave the state to get access to abortions?”

The Dobbs decision “has shined a light on the huge amounts of information that is not typically considered protected health information [under the Health Insurance Portability and Accountability Act] but could put an individual’s health privacy at significant risk,” says the IAPP’s Caitlin Fennessy.

For Grisinger and law professor Matthew Kugler, the Dobbs decision portends even bigger changes to come regarding a right to privacy, with new limits seemingly on the horizon for sexual privacy, personal identity and autonomy privacy. “The Court seems to be tap, tap, tapping at the foundation of the right to privacy as a whole,” says Grisinger.

WHO’S RESPONSIBLE?

“If you wanted to protect your privacy completely, you would have to opt out of large parts of the modern information economy,” says Kugler. “To get rid of every data tracker, every last company trying to invade your privacy, would involve drastically changing your life.”

Most privacy protection protocols rely on “notice and consent” policies, which require notification and approval for the organization to collect and utilize an individual’s personal data.

“How many years would it take you to read all of the privacy notices that you receive in your day-to-day life?” asks Liss, who lives in the Chicago area and is also an MBA student at the Kellogg School of Management. “Research that came out a decade ago showed that it would take the average person roughly a month each year to read all the privacy notices they were receiving at that time. That’s simply not practical. Given advances in technology in the last decade [and the growing number of] internet-connected devices in our homes and workplaces, the number of privacy policies the average person encounters in a year has increased as well.”

She says the government “has a role to play in establishing clear baseline protections for everyone and providing standards that are easily actionable for consumers.”

New statewide data privacy regulations in California, Colorado, Connecticut, Utah and Virginia — with more likely on the way in the next legislative cycle — are moving away from notice and consent toward an individual rights model, which provides a legal framework that all companies must follow to safeguard all personal data. The European Union’s General Data Protection Regulation (GDPR), which went into effect in 2018, is one such example; it requires organizations to have processes in place for the handling and storage of such data. Brazil, China, India and several other countries have recently proposed or enacted data privacy laws as well. (The ever-changing regulatory and legal landscape has increased the size of the privacy workforce. See “Consider a Career in Privacy,” below.)

The new U.S. state laws focus, in part, on data lifecycle management. “You have to understand the inventory of data and the flow of data in order to be able to comply with state laws that are giving individuals the right to ask, ‘Where is my data? Who has my data? Please delete my data or correct my data,’” says Sheila Phillips Hawes ’76, ’79 JD, vice president, associate general counsel and chief privacy officer at AmerisourceBergen Corp. Hawes, who lives in Philadelphia, oversees global compliance with international privacy laws for the 42,000-employee pharmaceutical distributor, which operates in more than 60 countries.

“If you wanted to protect your privacy completely, you would have to opt out of large parts of the modern information economy.” — Matthew Kugler

Some federal legislation already protects personal information in the U.S. The Health Insurance Portability and Accountability Act (HIPAA), for example, provides a national standard to protect patients’ personal health information, and the Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. But the nation lacks a comprehensive federal privacy law.

“We have a fragmented, industry-by-industry, state-by-state system,” says Mitchell Granberg ’90, chief privacy officer at Optum, an information- and technology-enabled health services business. Granberg, who lives in Minneapolis, oversees Optum’s privacy program and is responsible for developing policies, ensuring members’ and patients’ privacy rights, and handling privacy issues.

“I don’t think anyone is happy with the piecemeal approach,” says Kugler. “Privacy advocates, concerned that people in some states have more privacy rights than others, would like everyone to have a greater level of privacy. Those seeking to comply with the law — companies and law firms — are concerned about the complexity of these different state law regimes.

PRIVACY TIPS FROM OUR EXPERTS

Create complex, unique passwords for each account and device, and USE A PASSWORD MANAGER. “One of the most common problems is the recycling of passwords,” says Lara Liss, global chief privacy officer at Walgreens Boots Alliance. “And then, when one website has been compromised, those usernames and passwords can be available on the dark web for others to use in an account takeover attack.”

TURN ON MULTI-FACTOR AUTHENTICATION wherever it is available to help keep your data safe even if your password is compromised.

BEWARE OF EMAIL AND TEXT SPAM that can download malware to your phone or other device: “Often the attackers use the psychological impact that something is time bound. Any time you [feel] a sense of urgency, be very careful not to click on those links,” Liss says. And learn how to identify phishing messages sent by email, text or direct message. The Federal Trade Commission website offers training on how to spot phishing attacks.

BE SKEPTICAL OF FREE SERVICES. “A free online service has to make money somewhere,” law professor Matthew Kugler says, “and that ‘somewhere’ is probably collecting, analyzing and marketing your data. … So, if you’re not paying for the product, you are the product.”

CONSIDER USING A PHYSICAL SECURITY KEY, also called a token device, to log into important financial accounts, such as retirement accounts. This may be especially helpful if you are aware that your Social Security number has been compromised in a prior data breach. Popular in the early 2000s, a physical security key is a small electronic device that generates a new, unique code every 30 seconds to provide account access. This prevents account takeover attacks, where a recycled password is obtained via a different data breach and used to access the account, as well as phone cloning or email takeover attacks, in which the attackers intercept multi-factor authentication codes. Keep the security key in a secure place, such as a safe-deposit box or home safe.

“Having said that, the reason we have these different state regimes is because of the difficulty of passing a federal law. … Fundamentally, there is a split on what kind of rights should be granted and on how easy it should be for people to sue to enforce those rights, because companies are terrified of privacy laws that have a strong enforcement mechanism. And if you have a privacy law giving people a lot of rights, it will be easy for companies to make mistakes.”

Lara Liss

U.S. companies that operate across international borders are building compliance programs in response to foreign data protection laws such as GDPR, Fennessy says. “And a lot of those programs are quite strong, but that doesn’t necessarily provide rights to millions of Americans who are asking, ‘Where are my protections in this space?’ But as more and more states pass laws, it becomes harder to take a holistic approach. … It feels, frankly, shocking that we don’t have a national privacy law yet.”

In 2022 the U.S. House of Representatives considered the American Data Privacy Protection Act (ADPPA), which aimed to provide consumers with foundational data privacy rights. While ADPPA stalled in the House in fall 2022, “we actually saw the most significant coalition of interests come together to support passage of a national privacy law that we’ve seen in two decades,” says Fennessy.

That coalition includes privacy advocates, academics and some of the largest companies in the world who view comprehensive federal privacy law — and a single national standard for how consumer data is treated in the U.S. — as an important development for the global economy. In 2018, for example, Business Roundtable, an association of chief executive officers of the United States’ leading companies, issued its proposed framework for federal privacy legislation.

Liss partners with Walgreens’ government relations team to meet with federal and state regulators and legislators to advocate for consumer privacy laws. “Over the past three years, we have met with congressional staffers to talk through proposed comprehensive federal consumer privacy legislation and how it will benefit the American public and business community,” Liss says. “I am hopeful that within the next three to five years we will see comprehensive federal privacy legislation in the U.S.”

Sean Hargadon is editor in chief of Northwestern Magazine.

CONSIDER A CAREER IN PRIVACY

The international focus on privacy compliance and enforcement has created a booming market for privacy professionals.

A recent global survey by the IAPP and the consulting firm EY found that the size of the average corporate privacy team grew by 12% over the course of 2022, as thousands of workers entered the profession. A 2022 survey by TRU Staffing Partners reported a 30% year-over-year increase in data privacy jobs, and privacy professionals have seen a 22% increase in pay.

“We see the need for more than a million privacy professionals over the next several years,” says IAPP’s Caitlin Fennessy, who says the field needs people with legal and technical backgrounds. “I think universities that recognize the growth of the field and its hybridized nature can develop programs that connect the dots and help educate the next generation of privacy professionals.”

Reader Responses

Not enough on preventative functions. Too much verbiage on problems.

—Jack Erickson ’72 Naples Fla., via Northwestern Magazine

Submit a Response

Response

Name

City, State (Country if not U.S.)

Email (will not be published)