
FTC QUESTION 1: RISKS

Original Question

What risks, concerns, and benefits arise from the collection, sharing, and use of consumer information? For example, consider the risks and/or benefits of information practices in the following contexts: retail or other commercial environments involving a direct consumer-business relationship; data broker and other business-to-business environments involving no direct consumer relationship; platform environments involving information sharing with third party application developers; the mobile environment; social networking sites; behavioral advertising; cloud computing services; services that collect sensitive data, such as information about adolescents or children, financial or health information, or location data; and any other contexts you wish to address.

Response: The FTC should develop a methodology/metrics for measuring the risk of improper use of Personally Identifiable Information (PII).

There are two areas of risk in considering the exposure of Personally Identifiable Information (PII): planned risks and unplanned risks. Planned risks are the risks associated with the intentional and agreed-to (implicitly or explicitly) sharing, collection, storage, archiving, and destruction of PII by the parties. The parties to such planned risks are the Subject of the PII, Relying Parties, and Identity Providers. Unplanned risks stem from the misuse/abuse of PII in ways not sanctioned by the agreeing parties (particularly the Subject) at the time they enter into an agreement.

Planned risks fall into the domain of contract law, and, as noted in our response to Questions 2 and 3, there is much room for improvement in the current legal regimes that cover this domain.

Unplanned risks more typically emanate from illegal activity. These are the subject of this response.
In order to properly regulate the handling of PII, it is necessary to understand the impacts of mishandling this information.

The impacts of improperly handled PII potentially include the following:

* Physical harm (e.g., from government or rebel groups)
* Financial harm (e.g., from governments, criminals)
* Reputational harm
* Duress and mental anguish (e.g., from abusive ex-partners or bullies)
* National security.

The measurement of these impacts must consider individual data items and not merely PII as a class. To develop a proper assessment of the risk associated with each data item, both the impact and the likelihood of worst-case scenarios must be analyzed. For example, certain data items that suggest an individual
