Ten Questions With… Mari Frank (Part One)
added: 01.07.2014, by Mike Spinney
Mari Frank is a passionate crusader in the fight for privacy and protecting consumers from fraud and identity theft. Her work as a lawyer, author, and radio broadcaster has been dedicated to these causes for nearly twenty years—long before most people had heard of the issues.
I first met Mari at a Ponemon Institute conclave and quickly learned not to underestimate her tenacity. Although ebullient in conversations about sailing, her dogs, and matters of spirituality, she is a relentless advocate for consumer privacy protection born of having been a victim at a time when laws and advocates did not exist to protect consumers.
HoGo CEO Hiro Kataoka also had the pleasure of meeting Mari at the 2013 Ponemon RIM Renaissance and was invited to be a guest on Mari’s radio show, Privacy Piracy, so we thought we’d return the favor and invite her to answer Ten Questions With…
HoGo: As a lawyer and privacy advocate, what issues do you find most vexing when it comes to a consumer’s ability to address instances of identity theft and cybercrime?
Mari Frank: Most victims don’t know their rights, and creditors and banks often don’t tell them what they should do. For instance, I have a new client who was out of the country when $200,000 was stolen from his bank accounts and transferred to other accounts. Also his cellular phone was fraudulently used. The bank would not return the money–so he called me. The bank and the cellular company told him that, without a subpoena, he is not entitled to any of the documents showing the fraud.
Under the Fair Credit Reporting Act (FCRA 609e) as well as the Fair and Accurate Credit Transactions Act (FACTA) this just isn’t true. He is entitled to all documents evidencing the fraud, including investigator notes, photos, videos, taped phone conversations, etc. The bank and cellular company must comply within 30 days of his written request when he attaches a police report, identity theft affidavit, and proof of his identification.
HoGo: On your show Privacy Piracy you talk with a lot of different people who come at the issue of privacy protection and information security from a wide variety of perspectives. What are the common themes you encounter and what are the biggest differences?
Mari Frank: The common theme is that there is no perfect security. Companies large and small must do all that they can to protect customer data, encrypt and be responsible, but nothing is foolproof. The bad guys are very clever and astute, but no matter how small a company, all must be aware of the laws and be vigilant. The bottom line is: don’t collect more than you absolutely need to do the business you do, encrypt sensitive data at rest and in transit, limit access by employees and others who need to see the sensitive data, use audit trails and train your staff on privacy and security measures.
Healthcare is different from financial institutions in that patients want to make sure that their information is shared with those who can help provide them optimal health care. But they don’t want to be marketed to—and that information is not only private, it is confidential. Also I see a big difference when I speak to people in government who believe that security should always trump privacy. Privacy advocates also have a perspective that our personal information is our own and that we should always opt in to when our information can be collected, used and shared. Marketers and big companies believe that consumers have a right to opt out of having their information collected, used and shared and that the information held in the databases belongs to the company.
The bottom line for me is that we should have respect for people’s personal information and they should have a say in how it is collected, used and shared.
HoGo: As a lawyer who lives and works in California, considered to be the innovation lab of privacy law in the U.S., can you talk about some of the things you think California got right, some developments that were less than ideal, and what the current trends are?
Mari Frank: First and foremost is our security breach law (Cal. Civ. Code 1798.82 and 1798.29, which became effective on July 1, 2003) that was the first in the country. It basically says that if any person—even government—has personally identifiable sensitive data (which includes a name plus a social security number, account number, health information, now an e-mail address with password or pin) and that information is not encrypted and it is acquired by an unauthorized person, the entity or person who held the information must disclose the breach and provide information about the nature of the breach to all affected persons. If the entity does not disclose to the affected persons and also the state attorney general (in a large breach it could be public disclosure), that entity may be sued.
Notice that there is a carrot: if you encrypt and the data is lost or stolen, there is no need to disclose. There is also a stick: if you don’t encrypt you must disclose. This is expensive and time consuming and also very embarrassing for the entity. It also subjects that entity to legal exposure.
California got it right with this law that has caught on in one form or another in many states. Also, our identity theft legislation has led to the vast rights for victims across the country, which were incorporated into the federal Fair Credit Reporting Act. This has helped thousands of victims and I am proud to say I helped with the state and federal legislation and testified in Congress pressing for victim rights.
California has been a very privacy progressive state and had the first Office of Privacy Protection. Now that office has actually been incorporated into our Office of the Attorney General and provides privacy education, laws and even enforcement.
With the vast and ever-changing technology the trends are rapidly changing, but issues of government spying, government and commercial drones, Google Glass issues, and other surveillance are hot right now and rightfully so.
HoGo: Much of your work involves consumers, yet you also work closely within the community of privacy professionals. Do you sense, and can you describe, the disconnect with what consumers are experiencing and how the professionals and experts deal with the issue of privacy?
Mari Frank: Consumers—especially young ones who are eager for the technology—are excited to use anything that looks cool. They are often very unaware of the dangers of selfies, sexting, downloads, etc., since the education is not there. The older generation is jumping on the bandwagon but a bit more cautiously. The privacy professionals—both advocates and those who are eager to use personal information—are more aware of the insidious use of personal information. We need to provide more realistic education, and unfortunately more laws, to hold companies accountable and to make privacy the default.