It's time to dig out and dust off your copy of the Privacy and Cybersecurity Today document published in February 2020 from LWV of Oregon! If you did not receive a printed version of the study, it may also be found (along with supporting materials) online at: lwvor.org/studies. The Oregon State Legislature, like other states, is actively addressing privacy and cybersecurity concerns such as identity theft and consumer privacy. The LWVOR conducted a study in 2019 to support League development of a policy position statement. Results of this study will inform League recommendations for voter education, civic engagement and policy advocacy regarding privacy and cybersecurity. With a new legislative session set to begin early next year, it is critical we all lend our thoughts to the development of our state league's policy on this subject. At our first fall membership on September 17 (via Zoom), Jean will offer a brief overview of the issues reviewed in the study. Members are encouraged to read and give thought to the study material, in order to actively participate in the consensus meeting, which will be on the agenda for the October membership meeting. Please also look at the consensus questions on the LWVOR website. Don't worry, the document is really quite easily read and, Jean says, “more interesting and thought-provoking than I had anticipated."
Cybersecurity Consensus Questions
Assign an “importance rating” – Essential, Important, Low importance, No opinion – to each of the following lettered propositions.
PART I: ELECTION SECURITY
a. Replace paperless voting machines with systems that create a voter-verified paper backup of every vote.
b. Replace outdated hardware and software that can no longer be serviced.
c. Upgrade registration databases for better security.
d. Increase cybersecurity expertise for election office staff and volunteers.
e. Develop contingency plans to mitigate potential cyber damage.
f. Check and confirm electronic tallies with post-election audits comparing paper ballots and voting machine totals.
g. Regulate election-related disinformation and misleading political ads.
PART II: PRIVACY POLICY SHOULD BE UNIFORM AND CONSISTENT
1. The scope of the United States’ legal privacy framework should…
a. Define different privacy protections for specific types of data.
b. Tailor specific privacy protections to different types of businesses (tech firms, banking, healthcare, etc.).
c. Define uniform privacy protections for all personal data.
2. The United States’ legal privacy framework should…
a. Assure data transferred to other entities continues to have the same, enforceable privacy pro-tections.
b. Adopt flexible practices capable of addressing emerging concerns like big data, artificial intelli-gence, smart technologies and future innovations.
c. Focus laws and regulations on preventing known harmful uses of sensitive personal data.
d. Redefine legal definitions of data violation ‘harms’ to include certain intangible harms and future risks such as identity theft and fraud.
e. Provide for judicial remedy by granting consumers the right to sue companies that violate their personal information protections.
PART III: INDIVIDUAL AND PERSONAL DATA PROTECTION
a. Define uniform privacy rights for all consumers.
b. Apply privacy protection to all identified and identifiable (with big data analytics) persons.
c. Focus laws and regulations on preventing known harmful uses of sensitive personal data.
d. Redefine legal definitions of data violation ‘harms’ to include certain intangible harms and future risks such as identity theft and fraud.
e. Provide for judicial remedy by granting consumers the right to sue companies that violate their personal information protections.
PART IV: E-COMMERCE DATA PROTECTIONS
a. Require all businesses that process or control personal data to establish effective governance and accountability programs.
b. Require all businesses that process or control personal data to be responsible and accountable for any and all subsequent end uses of personal data, including transferred data.
c. Make third party data processors and data holders responsible stewards of personal information, protecting individual users’ interests and accepting liability for harms to individual users.
d. Require meaningful consent protocols that assure consumers are clearly informed with specific and unambiguous information (including specified purpose and use of data), and that consent is freely given, without coercion.
e. Strengthen Federal Trade Commission authority to require data accountability programs and im-pose substantive penalties for privacy violations.
PART V (Optional): EUROPEAN UNION INDIVIDUAL PRIVACY RIGHTS
The following set of individual privacy rights are current standards in use in the European Union. Some US companies may be required to comply with these standards.
a. Right to be informed about the personal data organizations have about them
b. Right to access personal data
c. Right to rectification –correct errors in personal data or add to incomplete records
d. Right to erasure* (aka,“the right to be forgotten”) [*i.e. create a process for individuals to re-quest that Internet search engines remove certain results]
e. Right to restriction on processing of personal data
f. Right to data portability
