A Brief History of Data Liability

Zach Slayton
Carl Ascenzo
Data

Humans have been collecting data since the dawn of time. As far back as 5000 B. C. ancient Mesopotamians made advancements in counting, money, auditing and writing – forming much of the basis for disciplines such as modern-day accounting plus other types of data and its recording. In 2400 B.C. Babylon established libraries to gather large quantities of data and represents our first attempts at mass data storage. It’s also likely that the first data loss precautions were put in place to prevent the unauthorized removal of documents from those libraries.  

A recent article estimated that 90% of all data that exists was created in the last two years and that humans generate 2.5 quintillion bytes of data every day. The staggering volume of and digital access to data and the ease by which it flows creates challenges in ensuring the appropriate use of data today.  

As mentioned in the second installment of this series, Data Liability Protection considers five distinct dimensions: Data Loss, Using Data, Sharing Data, Data Quality and Data Integrity. Each one of the dimensions has liability consequences particularly as it relates to the privacy of individuals data and intellectual property.

While the history of data goes back thousands of years, it is only in the last century or so that we have made significant attempts to regulate data and to formally define its proper use.

Notable, Modern-Day Data Protection Moments in History

In 1890, two prominent U.S. lawyers wrote “The Right to Privacy” which appeared in the Harvard Law Review. This influential article asserted that privacy was necessary for freedom. It was the first major article to advocate the right to privacy of certain personal information.  

Minimal advances were made until the middle of the 20th century when in 1948, the Universal Declaration of Human Rights included the right to privacy as being fundamental. This was followed by the U.S. Freedom of Information Act in 1967 and Privacy Act of 1974 addressing data privacy, access and security. As computers began to be used for government purposes at this time, these addressed potential abuses by the government in handling private information, including social security numbers.

Increases in computing power throughout the latter half of the 20th century drove extreme growth in our ability to collect, process and share data. As businesses found new ways to use data to drive revenue, the privacy of individuals often suffered. Piracy of digitally stored intellectual property also became a concern. This led to a series of legislative solutions designed to first establish guiding principles and more recently to create strict rules with severe penalties for organizations found to have violated these rules.

  • In 1980 the global Organization for Economic Co-operation and Development issued guidelines on data protection.
  • In Europe, the Data Protection Directive was created in 1995, the Directive on Privacy and Electronic Communications adopted in 2002 and the General Data Protection Regulation approved in 2016.  
  • In the U.S., federal regulations include the Health Insurance Portability Act 1996, Gramm-Leach-Bliley Act 1999, and some states have in enacted their own regulations with the most recent being New York 2017 and California 2020.  
  • Other countries continue to introduce new regulations at a growing rate.

In 1890 the authors of “The Right to Privacy” were unaware of future advances in technology such as computers, digital storage and the internet, and the challenges these advances would impose on data liabilities.  

For instance, today a government agency can take pictures of your license plate for automated toll collection on the highway. Using a series of pictures, the speed of the vehicle along its journey can be determined. That information could be shared with law enforcement to issue speeding tickets or with insurance companies to determine risk-based insurance premiums. Most state governments in the United States have created policies defining that automated toll collection is ok but sharing that data for other purposes is a privacy violation. Government agencies must manage the data liability inherent in collecting license plate pictures or be in violation of their own policies.

For a long time, data liability went largely unnoticed but over the past several years concerns have grown to reach a breaking point. Government regulations covering data privacy and other data-related liabilities are expanding to address those concerns and to establish a minimum acceptable baseline to which organizations must strive to comply. On top of that minimum standard, organizations must manage data liability concerns to the extent that is appropriate for their industry and expectations of their customers or they will be subject to financial, legal and reputational losses.  

As the velocity of regulations and compensatory damages continue to increase, executives, boards, managers, staff and business partners must substantially increase their level of attention on data liability to adequately meet the demands of both legislative and de facto standards Increasing regulatory requirements and fiduciary responsibilities are accelerating the need to act now. Failing to do so may result in incidents that at best are embarrassing but at worst can have catastrophic and potentially irreversible consequences including lost value and threats to the viability of the organization as a going concern.  

Given the challenges facing organizations with respect to data liability, the question is not if or when data liability incidents will occur, but rather what kinds, how many and how damaging. It is up to the organization’s leadership to recognize these challenges and take proactive steps to address the risks associated with data liability to continue to maintain the value of their organization’s data assets.