- Duke professor explains how the US should regulate data privacy
- Individuals and companies need guidance on data collection
The implementation of ChatGPT and other large language model AI has sharpened the need for more data to train algorithms. As a result, large technology companies are tapping more sources of rich data about individuals.
The US is one of a few advanced economies without a comprehensive federal data privacy law. Many state and industry-specific regulations were written vaguely to address reasonable security measures. Individuals and organizations need to first understand where data exists across their complex corporate structures and vendor networks.
Our cellphones are advanced computing devices and a primary source for this valuable personal data. Applications on our phones collect more information than most people suspect. Research shows almost no one reads privacy policies, and those who do often don’t understand all the ways their data is being used and shared.
Large organizations have a similar problem. Their operations and people produce a tremendous amount of data, which may be stored on centralized servers and employee-owned devices, with cloud service providers, or with vendors such as payroll processing companies.
Companies are obligated to provide reasonable security over their operations and the personal data they store. This problem of understanding where data is stored is creating more risk over time.
Legislation and regulation have traditionally struggled to keep pace with innovation, leading to a privacy environment across the US that isn’t equipped to contend with these risks—from the increased complexity of where data resides and the significantly higher value it holds, to those who would wrongfully access it.
The Organization for Economic Cooperation and Development’s 1980 principles on privacy protection and transborder data flows still serve as the foundation for regulatory language, despite the technological change of the last near half-century. However, these principles and their explanatory language don’t provide significant guidance on what’s needed to accomplish reasonable security.
Standards organizations, regulatory enforcement, and business best practices have helped fill this void. A clear principle that emerges is recognizing where data exists across complex corporate structures and networks of vendors. This exercise in visibility is often referred to as data mapping, and is the foundation of a reasonable security program.
For decades, companies have built business processes and staffing plans to conduct data mapping exercises, but doing that manually is no longer an effective option for large organizations with the scale of data usage and collection today. Fortunately, innovative AI tools with advanced analytical capability are available to automate these data mapping functions.
The development of these tools comes just in time for more regulation, such as the Minnesota Consumer Data Privacy Act, which passed in May and becomes the first law to explicitly state the need for organizations to maintain a data inventory. Previous interpretations of legislation would’ve inferred that requirement, but requiring it explicitly makes clear to all organizations the foundational need to understand where data resides and how it’s being used.
Congress has taken similar steps, although no legislation has passed yet. The American Privacy Rights Act, the federal privacy bill proposed in May, also includes a data mapping requirement.
California’s recently passed Delete Act similarly increases the need for organizations to conduct effective data mapping so they will be able to remove data relating to individuals when those people request to opt out of data broker lists. Delete Act provisions also allow the regulatory agency to use the fines it collects to fund increased enforcement.
Regulations should address where organizations store data, how they use it, and how they can delete the data if requested by the individual. And companies of all sizes should take action. The first step is to examine current processes used for data mapping and determine whether new tools are necessary to provide a more complete understanding of the data environment.
Next, companies should evaluate the results of data mapping as part of their periodic risk assessment process, and determine what adjustments need to be made to how data is stored, how employees are trained, and how they determine whether the data stored at vendors is properly protected.
Data is becoming more valuable each year. Companies should act now to secure that valuable asset, and protect the individuals to whom the data relates.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
David Hoffman is professor of the practice of cybersecurity policy at the Sanford School of Public Policy, senior lecturing fellow at Duke Law, and advisory board member of MineOS.