Privacy and Security Litigation in 2006
February 2006 • Volume 6 • Number 2
Editor: Kirk J. Nahra
The Privacy Advisor (ISSN: 1532-1509) is published monthly by the International Association of Privacy Professionals and distributed only to IAPP members.

Privacy and Security Litigation in 2006: Is the Tide Turning?
Kirk J. Nahra

One of the key open questions for the privacy and security community in the past few years has been “where are the lawsuits?” Despite the enormous volume of new state and federal laws and regulations, the amount of litigation related to privacy and security issues has been much smaller than most “experts” predicted.

Why Hasn’t There Been More Litigation?

This is the $64,000 question. With the flurry of privacy and security rules in the past decade, creating new kinds of statutory obligations for virtually every business that compiles, uses or maintains personal information, why hasn’t there been more litigation? Three major reasons stand out.

• While there has been a flood of new privacy obligations, most new laws have been passed without any obvious private right of action. So, under HIPAA and Gramm-Leach-Bliley, for example, there are no clear paths for bringing a suit, even if a potential claim surfaced. Courts have rejected efforts to put a HIPAA label on a private claim, even if a “HIPAA violation” appears to have been alleged.

• Within the limited range of suits that have been brought, there is a consistent trend that makes proof of damages exceedingly difficult. One key case to remember is Smith v. Chase Manhattan Bank, 741 N.Y.S.2d 100 (App. Div. 2002). In Smith, a bank promised its customers that it would not sell their personal information to third parties. Instead, the suit alleged, the bank did sell customer lists to third parties, including a telemarketing firm. Moreover, the bank allegedly received a percentage of the products sold as a result of these telemarketing services. A class of bank customers sued, alleging that the bank violated its obligations to the plaintiff class. Despite this egregious set of allegations, the court’s decision is startling. The court dismissed the complaint, finding no allegations of actual damages. Instead, the court said that “the ‘harm’ at the heart of this purported class action, is that class members were merely offered products and services which they were free to decline. This does not qualify as actual harm.” Moreover, “[t]he complaint does not allege a single instance where a named plaintiff or any class member suffered any actual harm due to the receipt of an unwanted telephone solicitation or a piece of junk mail.” Accordingly, the court found that the complaint was appropriately dismissed for failure to state a cause of action. This means that the court found that no claim existed on the facts as they were alleged, not that the allegations were wrong. Smith is the clearest enunciation of the “no damages” theory, but not the only one. Clearly, with other fish to fry, the plaintiffs’ bar has not been impressed by the potential “pot of gold” related to privacy litigation. Nor, despite the increase in litigation in 2005, is there any particular reason to think that courts are in any way more sympathetic to claims of damages in connection with potential privacy and security harms.

• In many arenas, successful class action litigation follows significant government enforcement activity. In the privacy and security realm, government enforcement obviously has been limited and, in some cases, almost non-existent. So, whereas there are virtually automatic lawsuits filed when the SEC takes enforcement action against a publicly traded company, there have been few “lead events” by the government enforcement agencies that have led to follow-on class action litigation.

2005 Recap

So, what were we starting to see in 2005? First, we did see the start of some more aggressive enforcement activity, particularly by the Federal Trade Commission. The FTC’s action in the BJ’s Wholesale matter, for example, has led to more litigation than virtually all of the other enforcement actions taken together. The recent Do Not Call settlement with DirecTV, including a $5.3 million penalty, has set a new high for privacy-related settlements.

Second, we are starting to see highly publicized events, mainly security breaches, where visibility and potential harm combine to create a higher likelihood of litigation. The plethora of publicity related to the infamous ChoicePoint breach, for example (the first major security breach of 2005), led to a significant volume of class-action and even securities litigation (although, interestingly, none of these cases has settled, and the litigation is proceeding very slowly). While government enforcement often is a precursor to private litigation, media reports (such as a quick drop in stock price) often lead to suits as well. We are starting to see this “prompt” private response to these kinds of media stories, even in the absence of government action.

Third, we started to see an interesting set of “follow-on” cases. Rather than starring injured consumers as the plaintiffs, corporate entities are starting to sue, basing their claims on out-of-pocket costs to prevent or mitigate identity theft concerns, as a result of someone else’s security breach. Putting aside the question of whether corporate America wants to start this fight, certain entities, primarily banks or others that incur costs when there is an identity theft problem, have been initiating lawsuits. Clearly, these cases involve specific out-of-pocket costs, such as the costs of replacing credit cards or reimbursing for fraudulently obtained purchases. Causation obviously will be an issue (is the company whose security was breached really the responsible party for fraudulent purchases?). But these cases are being brought by (often deep-pocketed) companies, with an eye toward re-allocating the costs of privacy and security breaches.

Fourth, plaintiffs struggled, and often failed, to fit their privacy concerns into a framework that allowed them to bring a case. For example, in the JetBlue saga, a nationwide class of airline passengers sued JetBlue, based on the company’s alleged transfer of data to a third-party government contractor. This complaint was dismissed, with the court rejecting the plaintiffs’ assertion that JetBlue had violated the Electronic Communications Privacy Act. Interestingly, relying in part on the Smith case, the court also rejected the argument that the plaintiffs could assert actual damages under various causes of action. In connection with a breach of contract claim, the court stated that “the sparseness of the damages allegations is a direct result of plaintiffs’ inability to plead or prove any actual contract damages. As plaintiffs’ counsel concedes, the only damage that can be read into the present complaint is a loss of privacy.” Moreover, the court found that the passengers “had no reason to expect that they would be compensated for the ‘value’ of their personal information. In addition, there is absolutely no support for the proposition that the personal information of an individual JetBlue passenger had any value for which that passenger could have expected to be compensated.” Last, in connection with a “trespass to chattel” claim, the court again rejected any assertion of actual damages, stating that “[t]he only type of harm plaintiffs allege anywhere in the Amended Complaint is harm to their privacy interests, and even if their privacy interests were indeed infringed by the data transfer, such a harm does not amount to a diminishment of the quality or value of a materially valuable interest in their personal information.”

Fifth, privacy issues and laws are involved in a wide variety of cases, even if the case is not “about” privacy. An Ohio court (in Grove v. Northeast Ohio Nephrology Associates) evaluated the question of whether an Ohio statute overrode HIPAA to protect certain third-party medical records in a case involving allegations about a medical facility’s standard of care. A Minnesota court (in Johnson v. Parker Hughes Clinic) rejected efforts by a widow to seek access to her husband’s medical records, relying on the fact that HIPAA does not create a private cause of action.

What Can We See on the Horizon?

Litigation over identity theft: One real harm that has resulted in many security breach situations involves identity theft. This crime is real, with real impact on specific individuals. It also is true that many “identity theft” cases actually involve a security breach of some kind, where the risk of identity theft is small or non-existent. Many companies are confusing a loss of data with an identity theft scam. If a laptop is stolen, is there “identity theft” risk, or simply the theft of personal property? In practice the answer turns largely on whether the data on the device was encrypted; the state notification statutes modelled on California’s apply to unencrypted personal information. These issues will remain challenging in 2006, particularly as a wave of new security breach notification laws go into effect, but it is clear that actual and potential identity theft are driving forces behind a new category of privacy litigation.

Litigation related to security breaches: As security breaches continue to resonate in the public eye and with the media, we also can expect more finger-pointing, resulting in commercial litigation. Was it the software company’s fault? Or the vendor that helped implement a new security system? Or the management consultant that advised on efficient payment practices? As enforcement efforts ratchet up, we can expect companies to do what many do best: point the blame at others.

Litigation over the costs of mitigating security breaches (meaning corporate parties on both sides): We also can expect that mitigation-cost litigation will continue and expand. The test case will be the wide range of litigation stemming from the BJ’s Wholesale settlement. Some of these claims already have been rejected, but we can expect them to continue. Companies that incur costs in connection with identity theft (banks, credit unions, credit card companies and others) are watching this case closely, and will continue to seek means of recovering costs imposed on them by the actions of others.

Continued focus on the actions of third parties, with fights breaking out among the parties: As the DirecTV case makes clear (along with a wide variety of privacy problems created by vendors and other contractors), vendor actions will be attributed to the principal under many laws. Similarly, plaintiffs will look to the deep pocket. So, we can expect efforts to “blame everyone” in connection with privacy and security problems, along with related litigation and assertions among the defendants as to overall responsibility. It may be time for all of the vendor contracts that have been drafted over the past few years to start coming into play in litigation (and this should encourage companies to revisit their overall vendor monitoring and oversight strategy, on both a domestic and international level).

More enforcement: We can expect to see somewhat more enforcement of privacy and security rules in 2006, with more stringent penalties ahead. The FTC’s DirecTV case may be illustrative. While the FTC and FCC have been actively investigating Do Not Call violations, it takes an egregious case, and one where behavior is not corrected, to invoke a large fine. The same approach seems to be playing out with the HIPAA rules, but the other shoe has not dropped yet. Look for the start of the other shoe dropping in 2006.

More entanglements of privacy rules in litigation (such as the HIPAA rules concerning medical records): We also are seeing a wide range of cases where various categories of personal information are at issue in litigation matters. Medical information, for example, is a critical evidence component in a wide variety of cases (such as the government’s efforts to obtain certain medical records in the course of defending the appropriateness of the partial birth abortion statute). Companies that are involved in litigation, either as parties or as witnesses, must be prepared to bring their knowledge of the privacy and security regime to bear in responding to subpoenas and other efforts to obtain personal information. Discovery fights will be substantial, forcing courts to navigate the tricky “preemption” waters involving HIPAA and other privacy rules.

With all this background, and the slow but steady increase in litigation involving privacy and security issues, we can expect that 2006 likely will be the year when privacy and security litigation moves to the front burner.

This article was published previously in Wiley Rein & Fielding’s Privacy in Focus newsletter (January 2006). Kirk J. Nahra is a partner with Wiley Rein & Fielding LLP in Washington, D.C., where he specializes in healthcare, privacy, information security and counseling. He is chair of the firm’s Privacy Practice and co-chair of its Healthcare Practice. He was elected to the Board of Directors of the International Association of Privacy Professionals, and serves as the Editor of The Privacy Advisor. He is a Certified Information Privacy Professional. He can be reached at +202.719.7335 or knahra@wrf.com.

Notes from the Executive Director

It has been nearly a year since ChoicePoint Inc. announced that personal information belonging to 145,000 people was in the clutches of criminals who duped the company into turning over the sensitive data. The incident seemed to touch off an avalanche of subsequent breaches that ultimately led last year to scores of new state laws and several bills in Congress. Last month, the Federal Trade Commission (FTC) announced a proposed $15 million settlement with ChoicePoint, including a $10 million fine, the largest civil penalty the FTC has levied in its history. Undoubtedly, the FTC settlement sends a stark message that the price will be high for companies that fail to adopt data security policies that effectively protect the privacy of consumers’ personal information.

And ChoicePoint is not alone. The security breach landscape is dotted with incidents from DSW, Bank of America, T-Mobile, CardSystems Solutions, Lexis-Nexis, BJ’s Wholesale Club, numerous colleges and universities, even the U.S. government. While the impact of a record fine is evident on a company’s bottom line, the damage done to its reputation and brand is more elusive. Rather than injecting privacy and data security into the company’s consciousness, firms that adopt inadequate policies and procedures, or worse, none at all, stand to lose control of their destiny. Part of the FTC settlement requires ChoicePoint to undergo independent audits every two years for the next 20 years. The FTC alleged that ChoicePoint violated consumers’ privacy and broke federal laws. ChoicePoint did not admit to any of the FTC’s charges, but stressed that it was happy to leave the debacle behind and move forward with the changes already under way. However, those of us committed to privacy and data security know we must continue to anticipate the challenges ahead of us, which change continuously as technology and innovation thrive in the marketplace. We know that serving customers and shareholders will require an enduring commitment as we strive to foster a proactive, model privacy strategy in our workplaces. Privacy experts have lauded the FTC settlement for serving not just as a punishment, but for sending companies a clear warning about the seriousness of privacy and data security: play or pay. Next month, the IAPP will offer privacy pros an opportunity to hear directly from an FTC commissioner when we gather in Washington, D.C., for the IAPP National Summit 2006, March 8-10.

Given the stakes for companies facing a growing body of differing state or provincial laws, the specter of new federal laws and scrutiny from regulators, I urge privacy pros not to miss the exciting opportunity to expand and share your expertise next month during the largest and most anticipated privacy conference. The IAPP’s comprehensive agenda offers education in various disciplines, at various levels. We have sessions on ID theft, genetic privacy, international and domestic privacy and outsourcing, to name a few. The Summit offers the unique opportunity to network with public policymakers, regulators and Capitol Hill contacts. An investment in the Summit will be money well spent: 2006 has already demonstrated that security breaches will remain a front-burner issue in board rooms, living rooms and on the floors of our lawmaking bodies. Please join me and the IAPP staff at the Summit next month as we celebrate an IAPP milestone, our 5th anniversary. We’ve come a long way, but we hope you will join us for the ongoing journey.

J. Trevor Hughes, Executive Director

Coordinating Cookie Compliance
Ben Isaacson

Consumers are becoming increasingly skeptical of the Internet’s use of persistent cookies and are now taking action. Recent consumer surveys from companies such as Jupiter Research showed that up to 40 percent of Internet users delete cookies on a monthly basis. Even more relevant is a recent BURST! Media survey showing that 35 percent of respondents believe that personal information is unsafe as a result of cookies on their computers.

These attitudes clearly indicate a need to increase transparency and trust with all types of cookie usage. To accomplish this goal, Web site owners are encouraged to focus on technology implementations, value propositions, enabling choice and policy disclosures.

Transparency Begins With Technology

The issue of governmental cookie use was highlighted in a recent CNET investigation. The results were alarming because executive and congressional branch offices were using persistent cookies in violation of their privacy policies. But the results were alarming for another reason: the agencies’ representatives did not know why the cookies were used, and they clearly did not understand their true value. The fact is, a cookie is not a surreptitious tracking device. Rather, it is an obvious and identifiable piece of Web site information that can be managed easily.

Cookie transparency applies at three points: when a Web page is first visited, within the browser, and on users’ computers. Since Microsoft’s Internet Explorer (IE) browser retains the dominant market share, we can point to its use of the Platform for Privacy Preferences (P3P), or, as Microsoft calls them, “compact privacy policies,” to negotiate the terms of a cookie’s use during an initial visit to a Web page that publishes such a policy. A compact policy is a short string of tokens the site sends in a P3P response header; the browser takes it on trust, since nothing verifies that the site’s actual practices match what it declares. Should a user raise their IE privacy settings above the default, IE will automatically identify and block many cookies, including any cookie whose compact policy indicates that personally identifiable information (PII) is used without user consent. Perhaps even more critical is the fact that if a user changes their IE privacy settings to “High,” any cookie without a compact privacy policy will be blocked. If a cookie is blocked, a user will know it immediately, as the “red eye” icon appears in the lower right-hand corner of the IE browser. One click on that eye opens the Web site Privacy Report and shows users which cookies are being used as well as those being blocked. (This can also be reached by navigating to View > Privacy Report.)

The most obvious thing the Privacy Report shows is which party is using cookies on that Web page. As noted in the CNET investigation, the government Web sites using cookies were not actually the entities listed within the Privacy Report; a third-party Web analytics provider was. Since cookie transparency is directly tied to the domain name of the party setting the cookie, any third-party use will be clearly visible to the end user. As a result, Web sites are encouraged to disclose the types of third-party relationships that use cookies on their Web site and, more importantly, to require any third-party cookie to reference a compact policy that adequately reflects the uses of that cookie and of the information collected with it.

In addition, online users are becoming more aware and are using tools to inspect the cookies on their computer. Whether they are found in the local hard drive folder or via an anti-spyware program, cookies are easily identified and potentially deleted. If the cookie is being used for Web analytics purposes, then the best practice is to use only a cookie set from the first-party domain name. When considering the use of third-party cookies, Web site owners should be aware of the domain name the cookie is set from and whether a particular end user may recognize that name or be able to look up that domain owner online for more information.

Another issue visible when inspecting cookies on the local hard drive is the length of time a persistent cookie is requested to remain on a user’s computer. Many Web sites use a default maximum expiration date in 2038 (the limit of a 32-bit time value), and the apparent longevity of this date may further aggravate concerned users. As a result, another best practice is to set a cookie’s lifetime to the actual length of time it will be relevant, such as the sales cycle of a given product or the average life span of a computer. There are few reasons why a cookie expiration date should exceed five years rather than the default thirty-two.

Proving the Value of Cookies

While the value proposition of a cookie is clear to online marketers and publishers, it is less than clear to online users. If consumers are to better understand the value of cookies, then Web site owners must correlate the value of the cookie with the services rendered through the Web site, at a highly visible reference point separate from the privacy policy. Publishers can reinforce the value of free content, e-commerce sites can emphasize merchandising relevancy and usability, and loyalty programs can spare users an extra login step. If each of these categories of Web sites communicates a simple value proposition at a visible point of cookie use, then most users would better understand and (hopefully) increase their support of cookie uses.

What is perhaps most important is the disclosure and value proposition of associating cookies with PII. One approach is to pair the disclosures Web sites already make when collecting an email address with an additional disclosure about the use of cookies. Specifically, many Web sites, when collecting an email address, state whether or not the information will be shared with third parties. In most cases, the company will indicate that it does not share email addresses. The same no-sharing language can easily be stated for the use of cookies and their first-party-only attributes. Reinforcing the value of a cookie in conjunction with PII privacy protections should further dissuade cookie deletions.

Communicating Choice

In cases where the value proposition of a cookie is less clear, there is always the option of telling users how they can exercise choice. While most Web sites direct users to exercise choice through their browser software, that process either blocks cookies across all of their Web activity or requires a more technical understanding to apply preferences to particular Web sites. As a result, one of the most appropriate methods for Web sites to consider is the creation of an “opt-out cookie.” The cookie mechanism itself supports this: a cookie can be set whose only purpose is to record a user’s preference to disable online behavioral tracking. While this still requires a cookie to be placed and read, an opt-out cookie can easily be offered by any Web site analytics program or advertising network. One caveat: because the preference lives in a cookie, a user who clears all cookies (as the surveys cited above suggest many do monthly) also clears the opt-out and must set it again. One industry leadership effort that exemplifies this use of choice is the Network Advertising Initiative and its opt-out cookie management process for online advertising networks.
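Three of the recommendations above, keeping analytics cookies first-party, bounding a persistent cookie’s lifetime and honouring an opt-out cookie, can be checked mechanically. The following Python is an added example, not code from this article, from Experian, from the NAI or from any browser vendor. The hostnames, cookie names, dates, the fixed clock and the five-year ceiling are assumptions chosen to illustrate the points, and the same-site test is a deliberately crude two-label comparison rather than a public-suffix-list lookup. It parses Set-Cookie headers as a proxy log would capture them while a page loads, reports which cookies are set by a third party and which persist longer than the ceiling, and builds a tracking cookie’s Set-Cookie header only when the request does not already carry the opt-out cookie.

```python
"""Cookie transparency audit: first- vs third-party setters, persistent-cookie
lifetime, and honouring an opt-out cookie.

Added example, not code from the article or from any vendor it names. The
hostnames, cookie names, dates, fixed clock and five-year ceiling below are
assumptions chosen to illustrate the article's recommendations.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import List, Optional, Tuple

FIVE_YEARS = timedelta(days=5 * 365)                 # the article's suggested ceiling
NOW = datetime(2006, 2, 1, tzinfo=timezone.utc)      # fixed clock so results are stable


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict   # lower-cased attribute name -> value, or True for bare flags


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header into name, value and attributes (RFC 6265 shape)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, has_eq, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_eq else True
    return Cookie(name.strip(), value.strip(), attrs)


def lifetime(cookie: Cookie, now: datetime = NOW) -> Optional[timedelta]:
    """How long the cookie persists; None for a session cookie.
    Max-Age takes precedence over Expires when both are present (RFC 6265 s5.3)."""
    if "max-age" in cookie.attrs:
        return timedelta(seconds=int(cookie.attrs["max-age"]))
    if "expires" in cookie.attrs:
        expires = parsedate_to_datetime(cookie.attrs["expires"])
        if expires.tzinfo is None:          # a bare timestamp is treated as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None


def same_site(page_host: str, other_host: str) -> bool:
    """Crude same-site test on the last two DNS labels.
    Simplification: a production check needs the public suffix list (co.uk etc.)."""
    def site(host: str) -> str:
        return ".".join(host.lower().lstrip(".").split(".")[-2:])
    return site(page_host) == site(other_host)


def audit(page_host: str, responses: List[Tuple[str, str]],
          max_lifetime: timedelta = FIVE_YEARS) -> List[dict]:
    """responses: (host that sent the response, its Set-Cookie header), e.g. from a proxy log."""
    findings = []
    for host, header in responses:
        c = parse_set_cookie(header)
        domain = c.attrs.get("domain")
        scope = domain if isinstance(domain, str) and domain else host   # no Domain => host-only
        life = lifetime(c)
        findings.append({
            "name": c.name,
            "set_by": host,
            "third_party": not same_site(page_host, scope),
            "persistent": life is not None,
            "too_long": life is not None and life > max_lifetime,
            "days": None if life is None else life.days,
        })
    return findings


def has_opt_out(cookie_header: str, opt_out_name: str = "OPTOUT") -> bool:
    """True if the request's Cookie header carries the (assumed) opt-out cookie."""
    pairs = (p.strip().partition("=") for p in cookie_header.split(";"))
    return any(k.strip() == opt_out_name for k, _, _ in pairs)


def tracking_set_cookie(request_cookie_header: str, name: str, value: str,
                        wanted: timedelta, now: datetime = NOW,
                        max_lifetime: timedelta = FIVE_YEARS) -> Optional[str]:
    """Set-Cookie header for a behavioural-tracking cookie, or None when the
    visitor has opted out. The requested lifetime is capped at max_lifetime."""
    if has_opt_out(request_cookie_header):
        return None
    life = min(wanted, max_lifetime)
    expires = format_datetime(now + life, usegmt=True)
    return f"{name}={value}; Max-Age={int(life.total_seconds())}; Expires={expires}; Path=/"


# Constructed sample: what a proxy might record while a page on www.example.com loads.
SAMPLE_RESPONSES = [
    ("www.example.com", "session=abc123; Path=/; HttpOnly"),
    ("www.example.com", "visitor=v1; Domain=.example.com; Expires=Tue, 19 Jan 2038 03:14:07 GMT; Path=/"),
    ("stats.analytics-vendor.example", "uid=42; Expires=Thu, 01 Feb 2007 00:00:00 GMT; Path=/"),
]

if __name__ == "__main__":
    for finding in audit("www.example.com", SAMPLE_RESPONSES):
        print(finding)
    print(tracking_set_cookie("OPTOUT=1", "track", "x", timedelta(days=30)))    # opted out
    print(tracking_set_cookie("session=abc123", "track", "x", FIVE_YEARS * 4))  # capped
```

On the constructed sample the audit flags the 2038 visitor cookie as first-party but far beyond the ceiling, and the analytics vendor’s cookie as third-party, which is exactly what a user would see in the IE Privacy Report. A fuller audit would also record whether each setting response carried a P3P compact-policy header, since that is what IE’s default and “High” settings act on.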
If a Web site requires a cookie to be referenced in order to function, then at a minimum that Web site should disclose whether behavioral information could be shared with a third party, and perhaps offer an option to disable such information-sharing. The most relevant example is a publisher who requires a profile and cookie reference for their own advertising uses, yet also works with a third-party advertising network that may offer an opt-out cookie of their own. Educate and Disclose All Policies and Practices A final consideration is the cookie and behavioral tracking disclosures in a privacy policy. All too often, the information about cookies is buried toward the bottom of the policy and is a simple THE PRIVACY ADVISOR definition of what a cookie does and whether or not there is PII correlated with its use. As the many uses of cookies have evolved, so should their related disclosures in Web site privacy policies. One consideration is adding a shortform privacy policy landing page. This is not to replace the existing privacy policy, but rather compliment the extensive nature of an existing policy with an easily navigable list of data collections and uses. The short form could separate anonymous from identifiable information collection and uses, and easily disclose cookie and other online behavior methodologies in either or both categories. Again, a further delineation of Web site owner vs. third-party uses would also be a best practice, and could be part of a corporate compliance requirement under California’s SB 27 privacy law. It is critical for a Web site to disclose whether cookies are correlated with PII. Oftentimes, as was the case with the government employees, Web site owners may not know all of the uses of cookies. For instance, if a Web site also offers an email newsletter or other email communication effort, it is more than likely that a cookie will be utilized which can correlate with an identifiable email user. 
In instances such as this, it is important that the correlation be properly disclosed, especially if a third party, such as an email service provider, references the cookie. If users are to continue enabling persistent cookie uses in Web sites, then the industry needs to increase transparency through technology, value propositions, choice and disclosures. Only then can we have our cookies — and perhaps eat them too.

Ben Isaacson, CIPP, serves as the Privacy & Compliance Leader for Experian & CheetahMail, overseeing all interactive marketing policy and email deliverability issues affecting CheetahMail and Experian's diverse marketing services client-base. He can be reached at +714.830.7253 or ben.isaacson@experian.com

Special Message from the President

Year of the Vendor

I am both honored to be assuming the presidency of the IAPP and excited about where we are headed. The IAPP has come so far in the past few years. My goal is to help the organization get to the next level, because I truly believe that the IAPP’s success will mirror the success of our profession.

A large part of the IAPP’s success to date can be attributed to my predecessors, particularly Chris Zoladz, our most immediate past president. Chris was an extremely effective leader, and he capably led the IAPP through several major organizational and financial transitions during his two-year tenure. I have learned a lot from him and appreciate his friendship. Luckily, Chris will remain on the Executive Committee, so we will not be losing his knowledge and advice.

As I look ahead this year, there are a number of issues that privacy pros will be dealing with, including liability for the actions of third parties, managing vendors and the increasing risk with all outsourced relationships, identity theft and the tidal wave of data security breach legislation in the states and Congress. After six years, most of us have gotten our own houses in order.
Our programs are more or less mature and we are confident that we have a good handle on everything under our corporation’s direct control. However, due to the proliferation of breaches of data in the hands of third parties — not to mention the sensitivity of the public and policymakers to the issue of “outsourcing” — 2006 will likely become the “Year of the Vendor” for many privacy professionals.

Federal and state regulators have taken a keen interest in the third parties that private companies use to provide products and services to their customers. Regulators expect us to ensure that data outside of our direct control is still highly safeguarded. Third parties have the capability of inflicting severe damage to a firm’s reputation and its bottom line due to damages and lost customers. CardSystems Solutions is probably the poster child for why companies need to make sure that their vendors’ operations and systems are as secure as theirs, but the litany this past year of backup tapes “lost” by trusted couriers and consultants whose laptops were stolen clearly proves that risk can also come from less sophisticated processes. Even our trash has its place in the hierarchy of privacy risk.

I look forward to leading the IAPP for the next year and working with Trevor Hughes and his capable team. I also am interested in learning your views and opinions about the IAPP, its services and where our profession and the IAPP are heading. We want to continue building an organization that evolves and meets the needs of our membership.

Kirk M. Herath, President of the Board of Directors, IAPP

Ask the Privacy Expert

This is the first of a new monthly feature in The Privacy Advisor. We invite our readers to submit questions to media@privacyassociation.org. We will tap the expertise of IAPP members to answer your questions.
Elise Berkower

Q: Our company sells gourmet food gift baskets by catalog and at our Web site. Sometimes the gift baskets contain wine, and someone over 21 has to be available at the recipient’s location to receive and sign for the wine (and the rest of the gift) when it is delivered. We ask the gift buyers to provide the email addresses of the gift recipients. We would like to send emails to the gift recipients, advising them of the delivery date and approximate time so the gifts can be properly delivered. Can these be considered “transactional” emails under CAN-SPAM, if they contain no promotional material, even though it was not the gift recipient that entered into the transaction with us?

A: Both the law and the rules promulgated by the FTC would permit you to treat the emails notifying the gift recipients of the impending delivery of their gifts as “transactional or relationship” messages even though the recipients themselves did not enter into the transaction with you. (Please note that under CAN-SPAM, you could also treat such emails as unsolicited commercial messages; this would require you to include in the messages, among other things, a mechanism for the recipient to be able to stop receiving promotional emails from you. If you treated these messages as “commercial,” and a subsequent buyer ordered a gift basket for a recipient that had previously asked not to receive any more commercial messages from you, you would not be able to send such delivery notifications to that recipient.)

Under the FTC’s rule, “transactional or relationship” messages include those that, “[w]ith respect to a[n] … ongoing commercial relationship involving the ongoing … use by the recipient of products or services offered by the sender,” notify “of a change in the recipient's standing or status ….” 16 CFR §316.3(c)(3)(ii). Alerting a gift recipient to the coming delivery of her/his gift and the necessity for having someone of at least 21 years of age available to accept the delivery could qualify as “[n]otification of a change in the recipient's standing or status” in an “ongoing commercial relationship involving the ongoing use by the recipient of products and services offered by the sender.”

Please note that there are currently two states (Utah and Michigan) that have laws that basically create “Do Not Email” lists for children, and that alcoholic beverages are among the categories of products that should not be advertised in messages sent to email addresses on these states’ registries. Although the constitutionality of the Utah law is currently being challenged in federal court, the law remains in effect. You can find more information about these registries at www.utahkidsregistry.com/compliance.html (Utah) and www.protectmichild.com/compliance.html (Michigan).

This response represents the personal opinion of our expert (and not that of his/her employer), and cannot be considered to be legal advice. If you need legal advice on the issues raised by this question, we recommend that you seek legal guidance from an attorney familiar with these laws.

Elise Berkower, CIPP, Senior Privacy Compliance Officer, DoubleClick Inc., was this month’s featured expert. Berkower is responsible for issues of privacy compliance for the New York-based company, a leading provider of digital advertising technology and services. Berkower also is a member of The Privacy Advisor’s Advisory Board.
Prohibiting Porn in Your Workplace is not Enough: New Jersey Court of Appeals Imposes New Duties on Employers who Engage in Electronic Monitoring

Philip L. Gordon, Esq.

In a precedent-setting decision, the New Jersey Court of Appeals held on the eve of 2006 that employers have a duty to uncover and stop an employee’s use of corporate electronic resources for child-porn activities once the employer knows, or should know, that an employee is accessing adult pornography. The court’s holding represents a new high-water mark for the right of employers to engage in workplace surveillance of employee email and Internet use. With this right, however, come concomitant responsibilities, and an employer’s failure to fulfill those responsibilities could support a negligence action against the employer by the victims of an employee’s criminal conduct.

Company Had Notice of Porn-Surfing but Failed to Act

The case, captioned Doe v. XYC Corp. (Doe v. XYC Corp., N.J. Super. Ct. App. Div., No. A-2909-04T2, 2005 N.J. Super. LEXIS 377, Dec. 27, 2005) to preserve the anonymity of the parties, involved allegations by the plaintiff that an XYC employee — who was her ex-husband and the stepfather of her 10-year-old daughter — had molested her daughter at home, taken pictures of the child partially clad and naked, and transmitted those photographs to child pornography Web sites, using XYC’s computer resources. Rather than suing her ex-husband, the woman claimed that XYC was negligent for failing to uncover and stop its employee’s alleged unlawful conduct and, therefore, XYC should be held liable for harm to the child.

Between 1999 and the employee’s arrest in June 2001, XYC was on notice that the employee was viewing pornography. IT personnel reviewing computer logs noted that the man had accessed URLs which suggested adult pornographic sites.
A co-worker complained to her supervisor that the man — who worked in a cubicle that was open to public view — often blocked or minimized his computer screen when she walked up to him. XYC’s Director of Network and Personal Computing Services observed URLs, reflecting adult pornographic sites, stored in the browser on his desktop. His direct supervisor made the same observation and also noted that one of the sites was called “Teenflirts.org: The Original Non-nude Teen Index.”

Despite these observations, no one at XYC visited any of the apparently pornographic Web sites to check their content. No one at XYC used the monitoring software that the company possessed to more closely examine his Web surfing activities. While XYC did reprimand the employee on two occasions, the company took no further disciplinary action after he appeared to stop his porn-viewing activities.

The Court of Appeals’ Reasoning

The Court of Appeals found that XYC “through its supervisory/management personnel, was on notice that Employee was viewing pornography on his computer and, indeed, that this included child pornography.” Given that possession of child pornography is a felony under federal and New Jersey law, the court had little difficulty reaching the conclusion that XYC’s management could not turn a blind eye to the employee’s alleged criminal conduct. Instead, the court ruled, XYC had a duty to investigate further; to report his activities to the appropriate law enforcement authorities; and to take effective internal action to stop the employee from accessing child porn at work.

The Court of Appeals rejected XYC’s assertion that its respect for the employee’s privacy rights justified its failure to investigate further. In reaching this conclusion, the court relied heavily on XYC’s electronic resources policy, which stated that all emails created using the company’s computer system were XYC’s property, that emails were not private, and that XYC reserved the right to review, audit and access the email. The court also noted that the policy restricted Internet access to business purposes only and required employees to report improper uses of the Internet to the personnel department. Putting aside the policy, the court also found that the employee had no privacy interest in his email and Internet activity because his cubicle did not have a door and was openly visible from a hallway.

The Court of Appeals also rejected XYC’s argument that the company could not be held responsible for the employee’s viewing of child pornography because that conduct was outside the scope of his employment. The court invoked the rule that an employer can be held responsible for damages caused by an employee’s criminal conduct when the employee engages in the conduct on the employer’s premises, using the employer’s equipment, and the employer has the ability to control the conduct and knows or should know that there is a reason for exercising such control. The facts of the XYC case fell squarely within this four-part test.

Implications of the XYC Case for Employers

Read broadly, the Court of Appeals’ decision, if followed in other jurisdictions, opens the door to a whole new genre of litigation holding employers responsible for damages arising from the criminal conduct of their employees. Only one element of the four-part test can even be disputed when an employee engages in criminal conduct using her employer’s electronic resources, i.e., whether the employer knew, or should have known, of the need to stop the conduct. However, many employers will face difficulty defeating this element.
According to a 2005 survey of the American Management Association, 80 percent of employers monitor their employees’ email and Internet use. As the XYC case itself reflects, even the most minimalist monitoring — checking URLs listed on computer logs or in the history folder of an employee’s desktop browser — could generate sufficient information to be considered notice to the employer of the need to exercise control over the employee’s use of its computer resources.

The Court of Appeals’ opinion is especially troubling for employers who monitor employee communications because the decision strongly suggests that lawful Internet conduct can constitute sufficient notice of an employer’s need to act. In concluding that XYC had sufficient notice of the employee’s activities to impose a duty on XYC to act, the Court of Appeals relied almost exclusively on his lawful (albeit inappropriate) viewing of adult pornography. Only one of the many pornographic Web sites he visited possibly suggested child pornography and that Web site was ambiguous, referring to teens and “non-nude” photographs. Viewed from this perspective, the XYC case arguably provides a foundation for a lawsuit against an employer by the victims of a terrorist attack if the employer’s monitoring software reveals that an employee used corporate electronic resources to visit a bomb-making Web site. As another example, an employer could be held responsible when monitoring software reveals that an employee used corporate electronic resources to engage in online shopping, using someone else’s identity.
The case might even provide legal precedent for imposing liability on employers whose employees download copyrighted songs or videos, if management is aware that the employee visited file-sharing sites or blogs, potentially extending to situations where such material is received via email.

While the XYC case does not expressly impose on employers a duty to monitor their employees’ email and Internet traffic, the case strongly suggests that the large majority of employers who do monitor email and Internet use must actively review, and, when necessary, act upon information obtained through the monitoring program. In the XYC case, the appeals court determined that it was reasonable to impose on XYC duties to investigate further and stop the employee’s child pornographic activities based in part on the company’s possession of monitoring software that was capable of tracking his email and Internet use. The fact that the company had not implemented the software provided no defense. Similarly, the appeals court chastised XYC for not opening Web sites visited when the URLs stored in computer logs and the browser’s memory suggested pornographic activity. The court also reasoned that the employer gained notice of potentially harmful activities when coworkers complained of suspicious cubicle conduct that may have presaged nothing more than playing computer solitaire. In other words, employers cannot defend against a negligence claim similar to that asserted in the XYC case by arguing that they did not uncover unlawful activity because they failed to actively use their monitoring capabilities.
The XYC case provides yet another reminder for employers of the importance of adopting and enforcing an effective electronic resources policy. Following a line of cases, the New Jersey Court of Appeals unambiguously held that XYC’s electronic resources policy defeated the employee’s purported interests in the privacy of his email and Internet activities. At the same time, the court emphasized that the failure of several managers to report the employee’s improper conduct to the personnel department, as the policy required, supported a finding of negligence.

Even if the XYC case ultimately is read narrowly to impose duties only when employers are on notice that an employee is using corporate resources to view pornography, the case still will have significant ramifications for employers. A variety of statistics and anecdotal evidence suggest that viewing erotica at work is commonplace: 70 percent of porn is downloaded between 9 a.m. and 5 p.m., according to the porn industry group SexTracker. Internet Filter Review reported that 20 percent of men and 13 percent of women surveyed had admitted to accessing pornography at work. A major U.S. computer manufacturer discovered after installing monitoring software that several employees had visited more than 1,000 sexually oriented sites in less than one month.

Finally, employers must tread with caution when fulfilling their newly minted duty to investigate possible child pornographic activities.
Employers should warn the employees involved in the investigation, as well as any involved in routine monitoring, to avoid accessing the child pornography themselves so that these employees do not expose themselves to possible criminal prosecution for viewing child pornography. Employers who learn that an employee has accessed child pornography using corporate resources should immediately contact local law enforcement authorities and the FBI. In addition, the suspect computer should be isolated to avoid the possible destruction of material evidence and to prevent any other employees from viewing the child pornography.

Conclusion

Monitoring employee email and Internet use can be a double-edged sword. While the surveillance permits employers to prevent abuse of corporate electronic resources, it also opens the door to claims against employers by those who are injured when an employee engages in criminal conduct using corporate electronic resources. To reduce the risk of such liability, employers should implement policies and procedures to ensure that the fruits of their electronic monitoring are routinely reviewed and that the audit results in further investigation and disciplinary action, if necessary, when the monitoring reveals potentially unlawful conduct.

Philip L. Gordon is a shareholder in the Denver office of Littler Mendelson, P.C. He is an employment litigator with a specialty in workplace privacy and data security issues. He can be reached at pgordon@littler.com or +303.362.2858.

An Interview with Dr. David Brailer, IAPP National Summit 2006 Keynote Speaker

Noted healthcare information expert Dr. David J. Brailer discusses his experience with health information technology as well as the recent imperatives in electronic healthcare records. See Dr. Brailer speak in person at the IAPP National Summit 2006, March 8-10, in Washington, D.C.

The Privacy Advisor (TPA): Can you describe your mandate from President Bush regarding the widespread deployment of health information technology?

Dr. Brailer: It comes down to four things. Doctors should have electronic health records so that they can have the ability to order the appropriate tests; prescribe without errors; get information about patients in real time; and have personal health records available to every member of the public. Our sense is that these information tools in the hands of doctors are powerful. But putting them into the hands of consumers is really a breakthrough. All of our work is organized around these four components.

TPA: What are the benefits of creating a nationwide e-health records system?

Dr. Brailer: They’re big. Many people believe that more than 100,000 people die every year from medical errors and another 100,000 die from preventable infections every year in hospitals and nursing homes. Physicians using computerized order entry can know whether two drugs have a dangerous interaction. A lot of people die because they are taking one drug and the doctor gives them another one, and they have a fatal reaction to that. It cuts the death rate way down. Secondly, we do way too many procedures on people — often because we don’t know what somebody’s lab result was, and so we do it over. We see a lot of duplicative tasks and a lot of unnecessary hospital admissions. The third benefit is that it’s a much lower hassle for the consumer and they are in control. They don’t have to fill out the same paperwork time after time after time. Let’s say they have an abnormal mammogram. They can find out about it at the same time as the doctor does. Independent experts have published papers that have put the savings at somewhere between $100 billion and $300 billion a year. There’s a lot of waste and inefficiency, and I think most people believe — and I certainly do — that the first $100 billion will be very easy to get.

TPA: Many doctors' offices have yet to adapt to the electronic medical records system, citing the high cost of conversion. What is the proposed cost of a nationwide system and who will assume those costs?

Dr. Brailer: We're not going to have a government-run system, first of all. We want to help doctors make their choice of the right system. We are providing a certification process that helps them buy the right product and it helps them lower cost. There are certain incentives for doctors to use electronic health records through pay-for-performance based on their patient's health status rather than just paying a doctor to see a patient. That gives them a big incentive for health IT. Thirdly, we are pursuing some policy changes that will let hospitals and doctors collaborate and co-invest in health IT. The whole goal is to have information that is patient-centric so that we can know what is really going on with the patient. The estimate is, on average, it costs doctors $30,000 a year to have an electronic health records system in place. While government funds will support the development of a certification process, we don’t want the government to pay for the (system) because using tax dollars is a very inefficient way to do this. We want these processes to become self-sustaining so that we have a functioning marketplace for health information exchange.

TPA: Will Congress need to pass legislation to create this system?

Dr. Brailer: Right now we are acting as if Congress doesn’t need to act. The president started this through an executive order. There’s going to come a time when there will be legislative changes. One of the areas is going to be in privacy and security because the privacy rules that we have today are not really designed for the electronic era of health care information. So there are a lot of gaps. I’ve got a group that’s coming together. We’ve got to understand what the policy changes are and it may include statutory changes at some point.

TPA: You are one of the IAPP's keynote speakers for the IAPP National Summit 2006. Can you preview what you plan to talk about before the gathering of privacy pros in Washington, D.C.?

Dr. Brailer: Simply put, I think privacy professionals, largely speaking, are still fighting an old battle — and that’s not to say those battles aren’t worth fighting. The HIPAA rules raised a lot of issues that are still being fought about. But everyone is still so focused on looking back at old fights. We need the privacy industry at the table to start moving forward — to really begin thinking about what the world looks like. It will take years to address some of these policies and laws. We're opening a whole new era of opportunity and issues that really need to be discussed — and I'm going to be calling on your group to help us think about them.

David J. Brailer, M.D., PhD., was appointed the first National Health Information Technology Coordinator by Health and Human Services Secretary Tommy G. Thompson on May 6, 2004. Dr. Brailer's duties as National Coordinator are to execute the actions in President George W. Bush's Executive Order, issued on April 27, 2004, which called for widespread deployment of health information technology within 10 years. Dr. Brailer holds doctoral degrees in both medicine and economics.
He is a recognized leader in the strategy and financing of quality and efficiency in healthcare, with a particular emphasis in health information technology and health systems management. Dr. Brailer will appear as the closing keynote speaker at the IAPP National Summit 2006 on Friday, March 10. Don't miss the opportunity to see this exciting presentation — and become part of the largest privacy gathering of the year!

Close Up On… Child Registry, Data Security, RFID Bills Dominate State Legislative Agendas

Overview

The following 38 legislatures convened their 2006 sessions in January: Alabama, Alaska, Arizona, California, Colorado, Delaware, District of Columbia, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, New Hampshire, New Jersey, New Mexico, New York, Ohio, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia and Wisconsin. Connecticut and Oklahoma are scheduled to convene during the first two weeks in February. Although the Florida Legislature is not scheduled to officially convene its regular session until March 7, committees have been meeting to discuss and advance specific bills since late 2005.

No-Spam List/Child Registries

Georgia and Illinois are the latest states considering bills that would establish a so-called “child protection do-not email registry” despite the Federal Trade Commission (FTC) conclusions that lists of children's email addresses could be vulnerable to pedophiles. The sponsors of Georgia SB 425 and Illinois HB 572 say they want to use the registries as a way to stop spammers from “bombarding children with inappropriate adult content.” The bills would require the state to set up a registry whereby parents and schools could register children's emails as a way to ensure that the content they receive is appropriate and legal for their age.
The bills are similar to those enacted in Utah and Michigan last year. In November of 2005, the FTC warned lawmakers in Illinois that “because such a registry cannot be effectively monitored for abuse, it may have the unintended consequence of providing spammers with a mechanism for verifying the validity of email addresses." The FTC went on to say that "this consequence may actually increase the amount of spam sent to registered children's addresses in general, including spam containing adult content."

The Georgia bill would allow individuals to sue violators for $5,000 per email, up to $250,000 for each day the violation occurs. It also would make sending email to registered addresses a felony punishable by up to five years in prison and maximum fines of $200,000.

Already in Utah and Michigan, marketers pay to submit their marketing lists to the state. The lists are then compared with the state registry and email addresses contained on the state registry are removed. Utah currently charges $5 per thousand addresses screened. Michigan charges $7. Marketers could pay as much as $10 per thousand addresses under the Georgia bill, which proposes a ceiling of one cent per email. It is unclear what the Illinois bill would charge.

The child registry bills are being pushed by Unspam, the company that was hired to manage the registries for Utah and Michigan. Unspam also is attempting to get bills introduced in California, Connecticut and New York. The Free Speech Coalition sued Utah last November claiming its registry law violates the CAN-SPAM Act, which overrides state anti-spam laws. The group also claims that Utah's law unconstitutionally interferes with interstate commerce. The group also is expected to sue Michigan.
RFID

The Washington House Technology, Energy and Communications Committee held a hearing but took no action this month on HB 2521, a bill proposing to ban identification documents from containing a “contactless integrated circuit or other device that can broadcast personal information or enable personal information to be scanned remotely.” The bill defines "identification document" as a driver’s license, employee identification, health insurance and library cards. The bill also allows a person to file a lawsuit against anyone using radio waves to remotely scan their identity without their knowledge. The person could seek actual damages, including damages for mental pain and suffering, and liquidated damages computed at the rate of $100 per day for each violation (capped at $1,000). The bill is similar to legislation pending in California. The Washington Department of Transportation, AEA, and the Washington Food/Retail Association all testified against the bill.

So far this year there are 17 bills pending in nine states that propose to restrict or ban the use of RFID technology: Alabama, Florida, Illinois, Massachusetts, Missouri, New Hampshire, New York, Tennessee and Washington.

Spyware

Legislators in the Hawaii House and Senate introduced bills proposing very different solutions to spyware. HB 2256, introduced by Rep. Alex Sonson, D-Honolulu, is modeled after the California deceptive intent law, and SB 2019, introduced by Sen. Shan Tsutsui, D-Maui, is a hybrid spyware/adware bill containing language from the California law and bills pending in Michigan and Congress.
SB 2019 would make it illegal to knowingly distribute adware or spyware to a user's computer that would deceptively collect personal information, alter software settings, record key strokes or open multiple, sequential or stand-alone ads. Violators could be subject to a fine of $100,000 per offense and/or a 10-year prison sentence. Bills proposing new spyware laws or amending existing laws are pending in 18 states: California, Delaware, Hawaii, Iowa, Illinois, Kansas, Massachusetts, Maryland, Michigan, Missouri, Nebraska, New York, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Virginia and Vermont.

Data Security

The Vermont Senate Finance Committee advanced SB 284, a data security notification bill that also proposes to regulate the use of Social Security numbers and document destruction. The bill would require businesses to notify customers when their personally identifiable information has been breached, and it spells out specific notification requirements. A customer notice would not be required if the business decides that misuse of the personal information is not reasonably possible; however, the business would then have to justify to the Attorney General each time it decides a notice is not necessary.

The Indiana Public Safety and Homeland Security Committee passed HB 1101, a data security notification bill that also regulates disposal of unencrypted, unredacted personal information. The bill would permit the Consumer Protection Division to establish and maintain a program to officially notify a consumer credit reporting agency that a person has been the victim of identity deception.
So far this year 23 states are considering bills that propose restrictions that go beyond the California data security law passed last year: Alaska, Alabama, Arizona, DC, Delaware, Georgia, Hawaii, Illinois, Massachusetts, Maryland, Michigan, Minnesota, Missouri, Nebraska, New Hampshire, New Jersey, Pennsylvania, South Carolina, Utah, Virginia, Vermont, Wisconsin and Wyoming.

Emily Hackett is Executive Director of the Internet Alliance, the leading Internet trade association operating in the states. The IA represents a broad spectrum of Internet users, including marketers, content providers, ISPs and consumers. She can be reached at +202.861.2476 or by email at emilyh@internetalliance.org.

Using Privacy Enhancing Technologies (PET) for Compliance and Value Creation
Steve Kenny

What is PET?

The origin of PET can be traced back to initiatives from the Dutch Data Protection Authority and the Ontario Privacy Commissioner in the mid-1990s. The insight gained — that technology could be used to represent the concept of privacy — resonated in the late 1990s with a select group of small companies such as Zero Knowledge Systems. These companies associated privacy with anonymity by aligning politically liberal ideology, the emergence of the Internet and astonishing cryptology. However, these initial PET types failed to address principal areas such as terabyte-sized back-office databases. Today, anonymity arguably is dead.

PET — in its most intuitive sense — concerns the use of technology to create, or at least strengthen, ‘privacy.’ Presently, privacy is understood by some companies as a strategic, intangible asset. The asset is created by information management practices derived from law, ethics and consumer behavior, and defined by the values of a legal entity processing personally identifiable information. Those values are set out in a company's privacy policy and demonstrated by attestation to its provisions.
Today, PET can be best described as the creative use of technologies to manage privacy policy requirements in light of a company's business drivers, principles and market positioning.

How does PET relate to Privacy Risk?

Technology choices invariably have a manifest impact upon an organization's management of privacy risk because IT systems process personal data. The implication is that different technologies have different impacts on an organization's privacy compliance and strategic risk positions. While some technologies are privacy-enhancing, such as anonymous knowledge discovery, others are privacy-neutral. Still others, such as ‘spyware,’ can actually destroy privacy trust and cannibalize value. In Europe, the implications go a step further, as it is the technology deployer rather than the technology provider or integrator that is accountable for privacy compliance.

For organizations grappling with privacy as a strategic asset, the implications on the buy-side of technology can be immense. The attainment of compliance and strategic privacy objectives can be partly determined by technology choices and the capability to integrate and control those choices. As such, PET has a direct and primary relationship to privacy risk.

What are the potential benefits of PET?

Some organizations understand that privacy is a strategic opportunity as well as a compliance issue. Considering technology as a tool to help achieve compliance and to facilitate realization of strategic opportunities is a starting point for demonstrating PET's potential benefits. From a compliance perspective, information governance determines an organization's policy conformance, and technology plays an essential role. PET yields the promise of radical increases in the level of compliance and public confidence in the organization. PET can be used to catalyze business models that are seemingly stifled by legislation, regulation and policy rules. It allows companies to achieve and improve compliance so that business models can realize their full potential. PET not only makes ROI happen, but can be a tool to actually define strategic opportunities. These are CEO-relevant issues that privacy professionals need to embrace, and then demonstrate the value to CIOs and CMOs to counter the perception of their role as the privacy police.

Conclusions

While it is fair to say that privacy technology must be considered in an integrated fashion with procedural process and governance, it is also fair to say that PET can directly affect an organization's management of privacy risk. When companies source software and services, competing solutions provide differing degrees of alignment to privacy compliance and strategic objectives. Technology buy-side organizations must develop the skills to ascertain the differing privacy implications of competing choices, and how those implications relate to other decision drivers, such as cost and functionality.

Steve Kenny is Privacy Services Leader for KPMG in the U.K. KPMG is the global network of professional services firms that provide audit, tax and advisory services. KPMG LLP operates from 22 offices across the U.K. with more than 9,000 partners and staff. He has previously worked as a PET specialist for the Dutch Data Protection Authority and for the European Commission. Kenny is also co-chair of the IAPP Benelux KnowledgeNet chapter.

If you wish to receive a copy of a KPMG white paper on PET, please contact:
UK: steve.kenny@kpmg.co.uk
NL: ronald.koorn@kpmg.nl
USA: drotman@kpmg.com

Web Watch
What's Ahead for Privacy and Security? Top Predictions for 2006
Michael Weider

Computer and industry experts alike called 2005 the worst year ever for known privacy and security data breaches. According to media reports, there were at least 130 reported breaches in 2005 that exposed more than 55 million Americans to potential ID theft. In fact, an adviser for the Treasury Department's Office of Technical Assistance estimated that cybercrime proceeds in 2004 were $105 billion, greater than those of illegal drug sales.

Highlighted in this article are trends and events we thought raised the bar for public awareness and shaped the security and privacy compliance market in 2005, and what we can expect to see more of in 2006.

Landmark Cases Driving Change

2005 saw some very public and landmark privacy and security cases, including BJ's Wholesale Club Inc. reaching a settlement with the Federal Trade Commission. Under the settlement, BJ's agreed to “implement a comprehensive data-security system and undergo bi-annual security audits for the next 20 years.”

Growth of Disclosure Laws

The ChoicePoint breach that affected more than 140,000 people in early 2005 prompted other states to follow suit with legislation similar to California's Senate Bill 1386 (SB 1386), the Security Breach Information Act. SB 1386 mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised.

Introduction of the PCI Data Standard - The onslaught of highly publicized online breaches and identity theft scams prompted credit card companies to insist on measures to help ensure the security and privacy of their members' confidential information and to comply with the Payment Card Industry (PCI) Data Security Standard, which offers a single approach to safeguarding sensitive data for all card brands. Failure to comply with these security standards may result in fines, restrictions or permanent expulsion from card acceptance programs.

Phishing Attacks Soared - Phishing attacks reached a new high at the end of 2005 after growing steadily all year. According to reports, the number of brands targeted also increased by nearly 50 percent over the course of 2005, from 64 to 93, and attacks are becoming increasingly sophisticated, with a quarter of all phishing Web sites hosting keylogging malicious software. According to a new study, the number of unique email-based fraud attacks detected in November 2005 was 16,882, almost double the 8,975 attacks launched in November 2004.

Privacy Became a Key Driver for Businesses - 2005 illustrated what businesses have been talking about for a long time — that trust is a vital component in customer loyalty and brand strength. Several surveys and reports highlighted that it only takes a single privacy or security breach to destroy the customer relationship.

What's in store for 2006?

In a Computerworld survey of more than 300 IT executives, security initiatives ranked above all other project priorities for 2006. A recent survey also estimated that total costs to recover from a data breach averaged $14 million per company. Given the growing privacy and security challenges facing companies, there are likely many more breaches to come this year.

Compliance Will Continue to Drive Security Spend - The growing number of global regulations — and the consequences of not complying with them — will continue to encourage companies to invest in security software that will help ensure they are in compliance with new legislation. However, the focus of spending strategies will likely shift from just getting compliant to doing so more efficiently. Using technology and automation to drive down the cost of compliance will be an important focus.
Increased Awareness of Internal Security and Privacy Risk - Despite the serious risk of unauthorized employee access to confidential internal files, most companies spend only a fraction of their security and privacy resources on their internal Achilles' heel, the intranet. Intranets have grown to thousands and even millions of pages distributed globally, and given their size and scope they face risk and compliance challenges similar to those of public-facing sites. It is imperative that internal data be properly managed and protected.

Two-Factor Authentication Will Become More Mainstream - Banks in the United States are working to implement two-factor authentication by the end of this year, in which users must present two forms of identification to access their banking details. Motivation to implement two-factor systems will be driven by regulatory needs but also by the increasing trend to make security a differentiator for winning business.

Application-level Vulnerabilities Will Grow - Using past years as a baseline, security threats show no sign of slowing down and will likely multiply in the coming year as more hackers become proficient. Attacks will be more complex, hit faster and come with less warning. A dangerous new attack called “spear phishing” is on the horizon, and there will likely be even more attacks against a new range of applications, including new uses of cross-site scripting and SQL injection as a way for traditional and Web-based worms to help execute phishing and other attacks.

Security and privacy will continue to feature prominently on the compliance landscape in 2006. Although online adoption may not slow down, breaches will continue to erode trust in the Internet and expose organizations to significant fines, customer churn and severe brand erosion if they aren't proactively addressed. Smart organizations will get ahead of the competition by making security a differentiator rather than a cost of doing business.
Michael Weider is the founder and chief technology officer of Watchfire. Founding Watchfire in 1996, Weider has led the company to a leadership position in the online risk and compliance management software market. As chief technology officer, he is responsible for product strategy, engineering, technical support and customer service.

IAPP Board Member Barbara Lawler Leaves HP for New Privacy Post

The IAPP congratulates Board Member Barbara Lawler, who recently became Intuit's first Chief Privacy Officer. Lawler, who most recently served as HP's Chief Privacy Officer after a 24-year career with the company, said she is thrilled to join Intuit, the maker of specialized financial software for consumers, taxpayers and accounting professionals. The California-based firm has more than 7,000 employees with major offices in 13 states, offices in Canada and the United Kingdom, and customers around the world. “The company is truly committed to having a strategic privacy program, starting with CEO Steve Bennett,” Lawler said. Lawler will be leading the Intuit privacy team, and is responsible for setting privacy strategy, policy, regulatory analysis and implementation to deliver the best experiences to customers and employees.

Watchfire's AppScan® Secures Two Finalist Positions for the 2006 SC Magazine Awards

Watchfire, a leading provider of software and services to automate Web application security testing, will be recognized as a finalist during the U.S. Awards ceremony at the RSA Conference on Feb. 14 at the Fairmont in San Jose. Watchfire's AppScan® was selected as a finalist in two categories, Best Enterprise Security Solution and Best SME Security Solution. AppScan scans Web applications within an organization's infrastructure, tests for security issues and provides actionable reports and recommendations.
“SC Magazine is one of the security industry's leading publications and is well respected by security professionals across North America, Europe and Asia,” said Michael Weider, founder and CTO of Watchfire. “We are extremely honored that its readers have recognized Watchfire's AppScan as a finalist in two categories. Web applications pose some of today's most serious security and compliance threats and are a critical component to managing overall enterprise security. This recognition is further validation that our Web application security testing solution AppScan is market leading and is a testament to its ability to improve the ease and speed by which users are able to understand, prioritize and remediate critical Web application security issues.”

The SC Awards are the world's leading awards program for the information security industry, with more than 1,300 product and service nominations from at least 330 competing companies globally. The SC Awards program spans the U.S., Asia and the UK. The SC Awards are composed of the Professional awards, judged by a panel of the industry's top talents, as well as the Reader Trust Technology Awards, voted on by SC readers in each region and the SC Awards Council, a group of senior CSOs.

Calendar of Events

MARCH
8-10: IAPP National Summit 2006. Omni Shoreham Hotel, 2500 Calvert Street NW, Washington, D.C. 20008, +202.234.0700. Register at www.privacyassociation.org.
8: IAPP Certification Training (CIPP and CIPP/G), 8 a.m. to 6 p.m. Eastern Time, Diplomat Room.
10: CIPP and CIPP/G Exams, IAPP Certification Testing (CIPP/CIPP/G), 8 a.m. to 11 a.m. Eastern Time, Grand Ballroom.

APRIL
7: IAPP Certification Training (CIPP and CIPP/G), 8 a.m. to 6 p.m. Eastern Time, Hyatt Regency Capitol Hill (Room TBD), 400 New Jersey Avenue NW, Washington, D.C.
7: IAPP Certification Testing (CIPP and CIPP/G), 9 a.m. to 12 p.m. Eastern Time, Hyatt Regency Capitol Hill (Room TBD), 400 New Jersey Avenue NW, Washington, D.C.
9-11: National HIPAA Summit 12. Hyatt Regency Capitol Hill, 400 New Jersey Avenue NW, Washington, D.C., +202.737.1234.

MAY
2-5: The 16th Annual Conference on Computers, Freedom and Privacy. The theme is “Life, Liberty and Digital Rights.” L'Enfant Plaza Hotel, Washington, D.C. More details and registration information can be found at www.cfp2006.org.

To list your privacy event in The Privacy Advisor, email Ann E. Donlan at ann.donlan@privacyassociation.org.