Too much responsibility for protecting personal data falls on individuals, says David Hoffman, an expert in cybersecurity and privacy law.
“It is impossible to fully protect yourself because you don’t know all of the companies who have your data, and you don’t have enough legal rights to demand that they delete the information,” he said.
Data companies “need to act as fiduciaries,” said the Duke Law alumnus. Law and policy should require companies to act in the best interests of the individual to protect the privacy and security of data. In an environment where “data breaches are inevitable” the best protection is minimizing the entities that have data relating to individuals and then incentivizing those remaining companies to invest in privacy and cybersecurity.
Hoffman has been serving as associate general counsel and global privacy officer at Intel Corp. for over twenty years. He now joins the core faculty at the Sanford School as the Steed Family Professor of the Practice of Public Policy.
“My entire career has been about creating environments that allow for the innovative and ethical use of information. There is a great opportunity for Duke to be impactful, especially in devising better ways to use technology with health care data,” he said.
Revise the policy framework
Currently, privacy laws restrict the use of health data. The laws were created because of past abuses in human subject research, but however beneficial they are, they also can prevent data being used in ways that could advance research and improve health outcomes.
“We need to revise the policy framework,” Hoffman said.
Hoffman has been working in both the corporate and academic realms since 2013, when he began teaching as a senior lecturing fellow at Duke Law School and more recently as an adjunct at Sanford.
With Christopher Schroeder, professor of law and public policy, Hoffman has taught a class in information privacy and surveillance, and a class in federal policymaking with the Duke in DC office. Being on the Sanford faculty gives him “the opportunity to teach undergraduate students,” Hoffman said. He wants students to understand that they can make a difference on these issues, as individuals now and from the very beginning of their careers.
His group at Intel has always combined technical staff along with lawyers and policy experts. He hopes to make those same connections at Duke.
“I believe the perspective I can bring to students from my work at Intel can prepare them for important cyber policy roles after graduation. The U.S. has a skills gap for cyber professionals, and Sanford is the perfect hub to connect students from engineering, computer science, law and business. All of those disciplines are aided by a deep understanding of the implications from and how to influence public policy.”
“That’s the role I want to fill, to be a mentor and help develop the next generation of cyber policy leaders,” he said.
Hoffman elaborated, “Seeing what Duke undergraduates have the capacity to accomplish is inspiring.”
In his fall PubPol 290 class Introduction to Cyber Policy, his teaching assistant, Duke senior Justin Sherman, is already a highly respected cyber policy rising star in his role as Fellow at the think tank the Atlantic Council. In that class, several students’ projects had an impact beyond the classroom, realizing the vision that Terry Sanford had for public policy at Duke. Carter Forinash and Jake Satisky, both juniors majoring in public policy, worked on the podcast “So, Bob …”, run by journalist and author Bob Sullivan. They interviewed people about privacy law and data brokers, and their work has been part of episodes 8, 9, and 10 of the No Place to Hide series. Becca Diluzio PPS’20 worked on a pamphlet on cyberstalking for the Duke Women’s Center, which will be printed and distributed by the center and sent to other universities.
Hoffman brings a wide range of expertise to his classes and research. At Intel, he has overseen a public policy team covering data policy, cybersecurity and artificial intelligence. He created and led the company’s privacy compliance team for 15 years. He advised the U.S. Department of Homeland Security and the National Security Agency on the creation of their privacy organizations. His advisory work includes other countries, such as Japan, India and the European Union. He has spent considerable time in China understanding the unique cyber policy challenges and perspectives of the Chinese government.
Hoffman also serves on several advisory boards. At the federal level, he chairs the U.S. National Security Agency Advisory Director’s privacy and civil liberties panel. He is a member of the Future of Privacy Forum and chairs the board of the Center for Cybersecurity Policy and Law. In North Carolina, he founded the Triangle Privacy Research Hub, which fosters academic collaboration on the issues of ethical and innovative use of data.
In March 2019, Hoffman testified before the U.S. Senate Judiciary Committee about the need for strong federal privacy legislation. Among his recommendations were legislation that enables ethical and innovative data use, with meaningful privacy protection for citizens, and empowers the Federal Trade Commission with enforcement powers and resources to oversee data practices under a single national standard.
There are currently two draft Senate bills, one from a Republican and one from a Democrat, that incorporate many of his recommendations.
At Sanford, Hoffman is kicking off a research project examining supply-chain cybersecurity. Any information system has components from multiple vendors. Organizations need to be able to trust this hardware and software, and yet governments currently do not have effective public policy frameworks to allow for this evaluation of trust.
As to the security of his data at the university, Hoffman has more confidence. “Duke has a tremendous IT organization, just as good as any I have seen in the private sector,” he said. Tracy Futhey, Duke’s chief information officer, and Richard Biever, chief information security officer, are “world class IT leaders,” he said.
Hoffman is also planning to bring several speakers to campus in the spring, including David Medine, former chair of the Privacy and Civil Liberties Oversight Board, Bob Sullivan, one of the founders of MSNBC and host of the “So, Bob …” technology policy podcast, Ari Schwartz, former Cyber policy official in the Obama administration, and Alex Niejelow, senior vice president for cybersecurity coordination and advocacy at Mastercard.
Hoffman and his wife live in Durham. They have two boys, the oldest of whom is a freshman at Duke this year, and his younger brother is already a successful cyber entrepreneur.