March 2006 • Volume 6 • Number 3
Editor: Kirk J. Nahra

The IAPP's National Summit 2006 Brings Together 800 Privacy Pros in Washington, D.C.
Dynamic Keynote Speakers, Focused Session Programming, and Largest-Ever Certification Testing Class Combine for a Successful Event at the Omni
Ann E. Donlan

WASHINGTON, D.C. - Accolades continue to pour in after 800 privacy professionals joined the IAPP for our National Summit 2006 — an event that drew attendees and speakers from 11 countries and many different industry sectors. “I had trouble deciding between the different sessions — so many good ones to choose from,” remarked one IAPP member. Added another attendee, “You did a great job. I’m new to this genre, but not new to conferences. This conference was of the highest quality.”

See IAPP National Summit 2006, page 4

[Photo caption] The IAPP welcomes its attendees to the IAPP National Summit 2006, March 8-10, at the Omni Shoreham in Washington, D.C. The successful event drew 800 attendees and speakers from 11 countries — the largest conference in the IAPP's 5-year history.

Regulatory Full-Court Press on Phone Call Records
Amy E. Worlton

Protecting the privacy and security of call records is the regulatory focus of the moment. Congress, the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and agencies of various states are inquiring into alleged unauthorized access to personally identifiable call records. Consequently, telecommunications carriers — the entities that collect and store call records — are facing a full-court press from government authorities.

FCC Moves Toward Tougher Security Rules

This month, the FCC launched a proceeding that may result in tougher security standards for call records kept by telecom carriers, known as Customer Proprietary Network Information (CPNI). CPNI includes data concerning a subscriber's phone usage, including incoming and outgoing calls.
In the case of wireless service, CPNI also can include information about the location of the individual end-user. Section 222 of the Communications Act protects individually identifiable CPNI by generally prohibiting disclosure absent customer consent. In August 2005, the Electronic Privacy Information Center (EPIC), a non-profit advocacy organization, petitioned the FCC to investigate whether

See Cell Phone Records, page 3

This Month
J. Trevor Hughes on the Strategic Partnership Between the U.S. and Canada ... Page 2
Data Retention — Implications for Business ... Page 8
Sidebar: New Data Retention Rules in Europe ... Page 10
Ask the Privacy Expert — Harry Valetk ... Page 12
Interview: FTC’s New Division of Privacy and Identity Protection ... Page 13
Viewpoint: Binding Corporate Rules and the Bottom Line ... Page 15
IAPP in the News ... Page 16
Privacy News ... Pages 17 and 18
Calendar of Events ... Page 19

THE PRIVACY ADVISOR

Editor: Kirk J. Nahra, Wiley Rein & Fielding, LLP, [email protected], +202.719.7335
Managing Editor: Ann E. Donlan, [email protected], +207.351.1500 X109

The Privacy Advisor (ISSN: 1532-1509) is published monthly by the International Association of Privacy Professionals and distributed only to IAPP members.

ADVISORY BOARD
Elise Berkower, CIPP, Senior Privacy Compliance Officer, DoubleClick Inc.
Keith P. Enright, Director, Customer Information Management, Limited Brands, Inc.
Philip L. Gordon, Shareholder, Littler Mendelson, P.C.
Brian Hengesbaugh, Partner, Privacy/Information Technology/E-Commerce, Baker & McKenzie LLP
Todd A. Hood, CIPP, Director, Regional Privacy, The Americas, Pitney Bowes Inc.
Ben Isaacson, CIPP, Privacy & Compliance Leader, Experian & CheetahMail
Jacqueline Klosek, CIPP, Senior Associate in the Business Law Department and member of Intellectual Property Group, Goodwin Procter LLP
Lydia E. Payne-Johnson, CIPP, Executive Director, Chief Privacy Officer, Morgan Stanley
Billy J. Spears, CIPP/G
Harry A. Valetk, CIPP, Director, Privacy Online, Entertainment Software Rating Board

To Join the IAPP, call: +800.266.6501
Advertising and Sales, call: +800.266.6501
Postmaster: Send address changes to IAPP, 266 York Street, York, ME 03909
Subscription Price: The Privacy Advisor is a benefit of membership to the IAPP. Nonmember subscriptions are available at $199 per year.
Requests to Reprint: Ann E. Donlan, [email protected], +207.351.1500 X109
Copyright 2006 by the International Association of Privacy Professionals. All rights reserved. Facsimile reproduction, including photocopy or xerographic reproduction, is strictly prohibited under copyright laws.

Notes from the Executive Director

Privacy pros who attended the IAPP National Summit 2006 in March in Washington, D.C., were part of a notable gathering of our international community. During three intensive days that drew 800 privacy professionals, including attendees and speakers from 11 countries, to the IAPP’s most successful conference in our 5-year history, there was no doubt that privacy is indeed a profession in our marketplace today. I want to thank all of our attendees and speakers for your continued support and dedication to the IAPP’s enduring mission. One of the great strengths of our organization is the involvement of committed privacy pros with vast experience, drawn from their work in diverse industries.
Privacy and data security continue to be among the most urgent and relevant global issues we face today. The information economy and other economic factors have promoted global relationships among businesses in different countries, often leading to legal and cultural conflicts that require solutions to avoid undermining the mutual benefits derived from these essential relationships. Nowhere is that more evident than the crucial bond between the U.S. and Canada. We have shared a rich history as crucial trade partners — the largest trade relationship in the world. The U.S. and Canada also are devoted allies, which is physically evident in that we share the longest friendly and undefended border in the world.

As a Canadian living and working in the U.S., I’m looking forward to exploring the global issues we face in the areas of data transfer and privacy protection as the IAPP plans to hold our fall Academy Oct. 18-20 in Toronto. It is entirely fitting that the IAPP would choose Canada to hold its first conference outside the U.S.

A recent review of clips in the IAPP’s daily email newsletter, The Daily Dashboard, clearly demonstrates how entwined our goals are as privacy professionals confronting privacy and data security challenges that permeate our border. Consider the response to a high-profile story in Maclean’s, Canada’s weekly news magazine, which exposed how easy it is to buy a consumer’s land-line and cell-phone records online from a U.S. data broker — even if she is Jennifer Stoddart, Canada’s privacy commissioner. The U.S. media took note of the compelling phone records story, and not long afterward, newspapers and TV stations on this side of the border were exposing how quickly and easily they were able to buy telephone records online — including the sensitive call records of law enforcement officers and even former General Wesley Clark.
The legislative response has been swift, with federal and state lawmakers considering bills to ban the practice and criminalize efforts to fraudulently obtain the records to sell them.

Another recent example of our shared experience on these issues is the objections generated by the collection of a fingerprint scan for law school applicants taking the LSATs. Law school professors and others have expressed concern about the privacy implications for Canadians whose personal information is held in the U.S. because of powers afforded to authorities by the USA Patriot Act.

The U.S.-Canadian border is a physical manifestation of division. However, our information economy makes that border largely invisible, highlighting that as privacy professionals, we embrace similar approaches to data privacy. So please, mark your calendars now to join us in Toronto, where attendees will again experience the IAPP’s new networking, education and certification offerings, including a keynote address from Canada’s federal Privacy Commissioner, Jennifer Stoddart.

J. Trevor Hughes
Executive Director

Cell Phone Records continued from page 1

telecom carriers are doing enough to safeguard CPNI from unauthorized disclosure. EPIC presented evidence that more than 40 Web sites sell CPNI records, apparently without the consent of persons who are the subjects of such records. Some data brokers even offered to track the location of wireless phone users. EPIC alleged that Web sites obtained such CPNI through “pretexting,” the practice of falsely representing one's identity to a carrier in order to obtain a customer's records. Carriers apparently require a Social Security number, mother's maiden name or date of birth as identification. EPIC asserted that this practice actually provides little security because unauthorized third parties easily can obtain such identifiers.
According to EPIC, private investigators and data brokers could also be obtaining CPNI by hacking customers’ online accounts with carriers, or receiving data from dishonest carrier employees. Aside from the illegality of unauthorized CPNI access in its own right, unauthorized disclosures potentially could lead to identity theft, stalking, industrial espionage and other violations of privacy and security.

Coinciding with Congressional focus on CPNI security, the FCC acted on EPIC's petition in February 2006, releasing a Notice of Proposed Rulemaking (NPRM). The Commission already regulates carriers’ disclosures of CPNI. In this proceeding, security and disclosure requirements could be substantially heightened, although the agency has offered few specific proposals to date. The FCC asked commenters to consider EPIC's recommendations that:

• CPNI should be protected by a customer-selected password, rather than common demographic data such as Social Security number, date of birth or mother's maiden name.
• Carriers should keep an audit trail of CPNI access.
• Carriers should store CPNI in encrypted form.
• Carriers should be required to give the FCC and customers notice when the security of CPNI may have been breached.
• Carriers should be required to delete or anonymize call record information after it is no longer needed for billing or dispute resolution purposes.

In addition, the Commission asks whether subscribers should be notified, perhaps at the phone number associated with the subscriber’s account, before their CPNI is disclosed and/or after any release. Moreover, the NPRM indicates the FCC's willingness to re-examine settled regulatory questions.
For example, the agency asks whether the existing “opt-out regime” sufficiently protects CPNI disclosed to a carrier’s joint venture partners, and whether a subscriber’s affirmative “opt-in” should instead be required. Further, the Commission discusses possible rules to promote consumers’ understanding of current CPNI notices. Finally, the FCC inquires whether CPNI rules should apply to VoIP and Internet-based service providers, although these entities have never before been considered “telecom carriers” under the CPNI statute.

IAPP
266 York Street, York, ME 03909
Phone: +800.266.6501 or +207.351.1500
Fax: +207.351.1501
Email: [email protected]

The Privacy Advisor is the official monthly newsletter of the International Association of Privacy Professionals. All active association members automatically receive a subscription to The Privacy Advisor as a membership benefit. For details about joining IAPP, please use the above contact information.

BOARD OF DIRECTORS
President: Kirk M. Herath, CIPP/G, Chief Privacy Officer, Associate General Counsel, Nationwide Insurance Companies, Columbus, Ohio
Vice President: Sandra R. Hughes, CIPP, Global Privacy Executive, Procter & Gamble, Cincinnati, Ohio
Treasurer: Becky Burr, CIPP, Partner, Wilmer Cutler Pickering Hale and Dorr LLP, Washington, D.C.
Secretary: Dale Skivington, CIPP, Chief Privacy Officer, Assistant General Counsel, Eastman Kodak Co., Rochester, N.Y.
Past President: Chris Zoladz, CIPP, Vice President, Information Protection, Marriott International, Bethesda, Md.
Executive Director: J. Trevor Hughes, CIPP, York, Maine
Jonathan D. Avila, Vice President – Counsel, Chief Privacy Legal Officer, The Walt Disney Co., Burbank, Calif.
John Berard, CIPP, Managing Director, Zeno Group, San Francisco, Calif.
Agnes Bundy Scanlan, Esq., CIPP, Counsel, Goodwin Procter LLP, Boston, Mass.
Peter Cullen, CIPP, Chief Privacy Strategist, Microsoft Corp., Redmond, Wash.
Dean Forbes, CIPP, Director, Corporate Privacy, Schering-Plough Corp., Kenilworth, N.J.
Kimberly Gray, CIPP, Chief Privacy Officer, Highmark, Inc., Pittsburgh, Pa.
Jean-Paul Hepp, CIPP, Corporate Privacy Officer, Pfizer Inc., New York, N.Y.
David Hoffman, CIPP, Group Counsel and Director of Privacy & Security, Intel Corp., Germany
Barbara Lawler, CIPP, Chief Privacy Officer, Intuit, Mountain View, Calif.
Kirk Nahra, CIPP, Partner, Wiley Rein & Fielding LLP, Washington, D.C.
Nuala O’Connor Kelly, CIPP/G, Chief Privacy Leader, General Electric Company, Washington, D.C.
Harriet Pearson, CIPP/G, Vice President Corporate Affairs, Chief Privacy Officer, IBM Corporation, Armonk, N.Y.
Jules Polonetsky, CIPP, Vice President, Integrity Assurance, America Online, Inc., Dulles, Va.
Lauren Steinfeld, CIPP, Chief Privacy Officer, University of Pennsylvania, Philadelphia, Pa.
Zoe Strickland, CIPP/G, Chief Privacy Officer, U.S. Postal Service, Washington, D.C.
Amy Yates, CIPP, Chief Privacy Officer, Hewitt Associates, Lincolnshire, Ill.

GENERAL COUNSEL
Jim Koenig, PricewaterhouseCoopers, Philadelphia, Pa.

See Cell Phone Records, page 20

IAPP National Summit 2006 continued from page 1

The largest conference in the IAPP’s 5-year history, the Summit’s size underscored how the privacy profession is firmly established in today’s marketplace. During his welcoming remarks, the IAPP’s new president, Kirk M. Herath, drew a parallel from the growth of the IAPP’s marquee event to the privacy profession itself. Motioning to a few networking tables that bordered the Regency Ballroom, Herath noted, “That would have been a really large conference in 1996!” Other veteran privacy pros shared the sentiment; J. Trevor Hughes, the IAPP’s Executive Director, told the attendees gathered to hear keynote Jonathan Zittrain that he “remembers when our profession was a small cadre” of professionals.
After witnessing the warm hugs and handshakes among attendees greeting one another at the Omni, Hughes observed that “this professional community has really grown to become a very close and tight knit community.” As a profession, Hughes stressed that privacy pros have obligations and duties. “I’d like to demand of you today that as privacy professionals, you have a responsibility to join, engage and share with your fellow professionals,” Hughes told the attendees. “To respond to the needs of your profession, you must join the IAPP to support what we do so that we can support what you do.” Hughes reminded privacy pros that one of the IAPP’s “great strengths” is the knowledge-base they have as a result of their diverse expertise. Hughes urged privacy pros to participate and engage in the IAPP. Hughes applauded the IAPP’s departing president, Chris Zoladz, Vice President, Information Protection, Marriott International, “for his steady, savvy leadership as the IAPP has grown from a small group to a force in the privacy community.” Hughes then welcomed Herath, Chief Privacy Officer, Associate General Counsel of Nationwide Insurance Companies, as a “great leader in the IAPP” who will serve the growing needs of the IAPP and its membership. 
Zittrain Delights Privacy Pros with Engaging, Insightful Journey through Privacy Past, Present and Future

Jonathan Zittrain, co-founder of Harvard Law School’s Berkman Center for Internet & Society, then took the Summit stage for a much anticipated keynote, “Privacy: Past, Present and Future.” Zittrain won over the audience early with his entertaining style, joking that it was “great to see 800 privacy professionals gathered in one place” but he added that he hoped there were “a couple of privacy professionals squirreled away in undisclosed locations.” On a more serious note, he added, “It’s a testament to the work of the IAPP that so much of this new and emerging profession is represented here today.”

Zittrain encouraged the attendees to move from privacy past — during which privacy pros were called upon after the breach and then concentrated on “how to do privacy right” by developing best practices that are now “so firmly on our landscape.” But in privacy present, he advised privacy pros to focus on “privacy as strategy.” Zittrain added, “I want us to get out of the mode of thinking of privacy as defense — as something other than prevention of intrusion.”

Then it was time for the virtual journey through privacy future. Zittrain led attendees into a virtual exercise by asking them to imagine themselves walking into a Paris café with a special device that would melt away the anonymity of the experience — layer by layer. After pushing a few keys, a visitor could ask, “First of all, are any of my friends here? You can even start to say things like, ‘Are there people from the IAPP here? People from Microsoft who worked there when I did?’ ”

[Photo caption] (left) At least 550 attendees filled the Regency Ballroom during the Thursday, March 9 plenary session to hear keynotes from Jonathan Zittrain, Co-founder of the Berkman Center for Internet & Society, and Brad Smith, Senior Vice President and General Counsel of Microsoft.
[Photo caption] (above) Brad Smith, Senior Vice President and General Counsel of Microsoft, gives his keynote address about the need for national privacy legislation to a capacity crowd in the Omni's Regency Ballroom on Thursday, March 9.

Zittrain added as he strolled across the podium, “And suddenly the act of walking into a café is an action of discovery.” According to Zittrain, Internet users are already acquiring online reputations as a result of spending time in virtual communities that make judgments about a person’s online behavior and qualities. As a result, café guests could suddenly become frosty toward a new customer, “because maybe it turns out a lot of people don’t like you so much.” Or perhaps a user is the opposite — the “Jimmy Stewart of the virtual world.” But he added, “This is a world obviously that has privacy implications, which are collectively generated.” With the rapid technology innovations, Zittrain said “our capacity to influence the environment has out-stripped our capacity to measure what we are doing to it.”

Zittrain ended on an upbeat note, challenging privacy pros with a call to action: choose our destiny rather than simply accept the circumstances “where we find ourselves.” Zittrain concluded by saying, “We don’t want to end up in that strange world — too early to tell and too late to do anything about it.” Zittrain called on privacy pros to join together to exert “leadership as people who have identified privacy as one of the most important aspects of our professional careers.”

Microsoft’s Brad Smith Outlines the Need for Federal Privacy Legislation

Brad Smith, Senior Vice President and General Counsel for Microsoft, addressed the reasons why the company is renewing the call for comprehensive federal privacy legislation, a topic that “grows more complicated every year,” according to Smith.
He conceded that consumer mistrust about the security of their personal information is “not entirely misplaced,” adding that this steady stream of security breaches “does not help win consumer confidence.” Smith underscored the importance in a global economy of harmonizing privacy at the national level. He described the elements that Microsoft would like to see in federal privacy legislation: federal preemption; transparency; consumer choice; reasonable company measures to ensure the security of personal information; and enforcement. “We would be the first to say it won’t be a panacea,” Smith said. “The truth is that now and probably forever, privacy will be protected effectively only if there are a variety of steps taken in this area.”

Consumers, Smith noted, have the responsibility to use the tools available to protect their personal information. “They too, need to take appropriate steps that are provided to them to protect their personal information,” he said. Smith stressed the need for a dialogue among various stakeholders. But he had a special message for privacy pros. “If there is any one group of people who can best think this issue through, it is the group of people in this room this morning. There will be different views. There will be different needs. We certainly look forward to being part of that conversation too.”

Smith’s keynote served as the springboard into the lively panel discussion, “The Great Debate: National Privacy Legislation.” Smith was joined by Howard Beales from George Washington University and Jerry Berman, president of the Center for Democracy and Technology. Christine A. Varney, Partner, Hogan & Hartson and a former FTC commissioner, served as the panel’s moderator.

Popular Sessions

After the panel and refreshed by fruit kabobs, the attendees set off for their preferred sessions, which for the first time, were designated as containing “advanced” or “general” content.
See IAPP National Summit 2006, page 6

[Photo caption] (above) Jonathan Zittrain, Co-founder of Harvard Law School's Berkman Center for Internet & Society, opens the Thursday, March 9 plenary session with a provocative and entertaining keynote to an audience of 600 people who gathered in the Omni's Regency Ballroom. Zittrain proved to be a popular keynote with the attendees, who gave him rave reviews.

[Photo caption] (right) Joel Tietz, AXA Equitable's Privacy Officer, gives his presentation to at least 100 attendees of the "Governance For Compliance" session held in the Diplomat Room on Thursday, March 9.

IAPP National Summit 2006 continued from page 5

Recent headlines about Google’s attempts to resist a subpoena from federal authorities seeking access to the company’s records understandably drew a capacity crowd to the session, “Subpoenas: A Privacy Practitioner’s Guide.” Other popular sessions were “Ethics,” “Rethinking Basic Privacy Paradigms: Shifting from Control to Harm-Based Analyses,” “Top 10 Privacy and Security Developments for the Insurance Industry,” and “Marketing in the Age of Cascading Trust: Affiliates, Co-Registration, Adware & More.”

After a busy but productive day, it was time for some hobnobbing during the Deloitte Reception in the Palladian Ballroom, which underwent a transformation into an upscale, contemporary lounge, with the help of gold-colored draping and a tastefully lit cocktail bar. Privacy pros had the opportunity to unwind, talk with old friends and meet some new ones.

[Photo caption] (above) Summit attendees enjoy cupcakes and ice cream in the Exhibit Hall, held in the Omni’s Ambassador Ballroom, during a break to celebrate the IAPP’s 5th Anniversary. Fasken Martineau sponsored the Friday, March 10, break, which immediately followed the conclusion of certification testing and seven working group sessions.

[Photo caption] (left) J. Trevor Hughes, Executive Director of the IAPP, joins a networking discussion during a March 9 lunch sponsored by Watchfire.
Certification Testing — The IAPP Sets a New Record

The next morning, it was back to business, as certification test-takers converged on the Regency Ballroom to participate in the IAPP’s single largest testing class to date. Following a well-attended certification training session held Wednesday, March 8 — which drew just over 100 students — the certification exam brought 165 examinees to the Summit classroom — a 10 percent increase over the 2005 Summit, the previous benchmark. As hopeful test-takers took the CIPP and CIPP/G exams, seven working groups gathered for their sessions — the largest number convened to date. At 10:30 a.m., the testing and working group sessions ended — just in time for a morning break that featured ice cream and cupcakes to mark the IAPP’s 5th anniversary.

The morning sessions were then under way, including “Training — Case Studies for Success” and “U.S. and Global Legislative Responses to Data Security and ID Theft,” which drew more than 100 attendees to each program. From the preconference sessions in which attendees spent their afternoon hours in one of four sessions, including Privacy Professional Boot Camp, to the sessions with more advanced content, the Summit offered diverse programming for privacy pros — from beginners to veterans — who eagerly took advantage of the comprehensive offerings.

Closing Keynotes Offer Viewpoints on International, Domestic Enforcement

The closing keynote sessions featured Christophe Pallez, the Secrétaire général de la CNIL, the French data protection authority; Pamela Jones Harbour, an FTC Commissioner; and Dr. David J. Brailer, National Coordinator for Health Information Technology, Department of Health and Human Services. Pallez asked his audience to be patient with his “uncertain English,” and then gave a brief introduction about the CNIL’s powers and its structure. Pallez acknowledged the interest in international data transfers.
“I know that is a very important question for you,” he told the attendees in the Regency Ballroom. Pallez said the CNIL is eager to see its approach to international data transfers spread across Europe. “The European Working party has published very recently its opinions, which are very similar to the guidelines of the CNIL,” Pallez said, adding that he was meeting the following week with officials from the Securities and Exchange Commission about the issue. “They say to me that they will at the staff level make an opinion,” he said. “We are very confident that this opinion will show that our guidelines meet most of the requirements of the Data Protection Act and on the other hand, the requirements of the Sarbanes-Oxley Act.”

[Photo caption] (above) Attendees take advantage of networking opportunities during a March 9 lunch sponsored by Watchfire. People gathered in the Regency Ballroom to network with privacy pros.

[Photo caption] (right) Dr. Larry Ponemon, CIPP, and President of the Ponemon Institute, discusses Ethics with more than 100 attendees during an afternoon session on Thursday, March 9.

Photography by Amy Sherwood

Pallez went on to say that while data breaches are “a hot topic in the U.S., I must say that it is not exactly the same situation in Europe.” He added, “I don’t know exactly why. Maybe it’s a question of technology, but maybe it also is a question of legal framework.” However, France is not without its problems, he said. “Identity theft — it’s a real problem because our French passport is really easy to fake. You need about 50 minutes to make a French passport.”

Pallez was followed by Harbour, who began her comments by reminding the attendees that the “FTC has been very active in privacy enforcement,” including key 2005 cases involving BJ’s Wholesale, DSW Inc., and ChoicePoint, which was the recipient of the FTC’s largest civil penalty to date.
“I hope that these settlements will send a strong message to industry, and that message is that companies will be held responsible for providing the care that consumers reasonably expect in the handling of their personal information,” Harbour said. Harbour urged businesses to “give consumer data the white-glove treatment” because “building trust, builds business.”

Dr. Brailer Was in New Orleans When Katrina Hit

After receiving the Privacy Leadership Award, Brailer took the podium and declared, “I feel a bit of an imposter in the privacy community.” As he strives to complete the mission of creating a national e-medical records system within 10 years, Brailer said his goals are to tie doctors, hospitals and patients together electronically to prevent paper shuffling; get information about patients more quickly to doctors; create more personalized health records by giving patients control of their health records; and “modernize the way we protect against health threats.”

Brailer described some of the steps necessary before the U.S. achieves “generalized connectivity among doctors’ offices.” The U.S., he said, “lags behind many other countries” in that there is not a single set of information standards. As a result, a health information technology standards panel is working on that mission, he said. A group of health IT professionals is working to create standards to certify vendors that have the right security and privacy protections to “make sure that information can’t be stolen or lost,” Brailer said.

Brailer recalled that he was in New Orleans when Katrina hit, which allowed him to see first-hand the difficulties of treating patients when their medical history and an inventory of medications they were taking were unavailable to doctors. “People were being rescued from their homes and being taken to shelters, and the doctors and nurses there did not know what medications they were taking.” Brailer was frank about the road ahead. “We have a long way to go,” he said.
“I have more questions than I do answers at this point.”

After Hughes adjourned the group until the IAPP’s Privacy Academy 2006 in Toronto, Canada, Oct. 18-20, privacy pros packed up and left the Omni, which was paying tribute to its 75th Anniversary with a window display of famous guests over the years. It turns out others who value privacy have chosen the Omni Shoreham. “The Beatles called the Shoreham home during their first public visit to Washington in 1964,” read one window display. “To ensure the group’s privacy and security, an entire wing of one floor was sealed off for their exclusive use, and specially designed lapel pins were issued to the elevator operators and other hotel employees who worked in that area during the Fab Four’s stay.”

Ann E. Donlan is the IAPP’s Communications Director. She can be reached at [email protected].

Cross Border Developments: Data Retention — Implications For Business
Miriam H. Wugmeister and Karin Retzer

On February 21, the European Council formally adopted a controversial Directive on the retention of communication data that raises privacy and data security concerns. The Directive may result in costly investments as companies seek to comply with the new requirements. Only the Irish and Slovak delegations voted against it. The vote confirmed the European Parliament’s earlier decision on December 14, 2005. Once the Directive enters into force after the publication in the Official Journal (which is expected to happen soon), member states will have 18 months to ensure the national laws comply with it. With respect to Internet data, member states will have 36 months to transpose the Directive into national law.

The Directive requires all “providers of publicly available communication services” to store and retain communications data. Under the Directive, “providers” may be interpreted to encompass telecommunication operators, Internet service providers, employers providing employees with email, Internet cafes or hotels allowing guests to use communications devices, or even universities providing students with Internet access.

The data covered by the Directive will include information on the caller, the subscriber, the date, time, and location of the call, including unsuccessful call attempts. The data will be made available as needed to law enforcement agencies in the course of the investigation and prosecution of “serious criminal offenses.” The data must be kept for a minimum of six months from the date of the communication, and individual member states can extend the retention period up to 24 months. As a result, providers operating in multiple jurisdictions could be subject to a series of different rules, and different retention periods could apply to the very same centralized database. In the end, the Parliament and the Council departed from the fully harmonized retention times the European Commission proposed in the initial draft.

The Directive was opposed strongly by civil liberties groups, data protection officials and service providers alike. Currently, communications data generated through communications services such as landline, mobile and Internet telephony, data text messaging, voicemail, call forwarding, instant messaging, paging, electronic mail, and other multimedia services must be erased or made anonymous at the time the communication is completed, unless the information is needed for subscriber billing, interconnection payments, or marketing, or where national law requires the retention of certain information. The Directive marks a dramatic departure from the EU’s formerly cautious attitude toward data retention, creating a regime far more intrusive than anything known in the United States or Japan. In Europe, communications data can now be held without a substantial basis to support the relevance of such data to criminal investigations or for national security.

Another concern was that, due to the sheer magnitude of the data that must be retained under the new regime, the investment in equipment and technological expertise for retaining and accessing such data will be significant, and may result in increased communication costs for consumers. However, the European legislature, i.e., the European Parliament and the Council, rejected these concerns. It agreed with member states’ law enforcement agencies that broad retention obligations were necessary for criminal and anti-terrorism investigations across Europe.

Background: The Changing Legal Landscape

Data retention rules have evolved over the past decade. The original rules issued in 1997 (Directive 1997/66/EC) permitted, but did not require, member states to impose retention obligations on telecom operators for law enforcement purposes. In 2002, the data retention rules were revised to cover the entire electronic communications sector, but retention was still voluntary (Directive 2002/58/EC). As a result of the discretion given to member states, there are wide variations among the EU member states. Some have opted not to impose retention obligations, while others require electronic communications service providers to retain communications data for periods ranging from a few months to four years. Under Directive 2002/58/EC, national law had to ensure that the data was only retained for a limited period of time; retention aimed to achieve specific, enumerated “public order” purposes, and that the scheme was necessary, appropriate, and proportionate within a democratic society for achieving these purposes, consistent with the European Convention on Human Rights.

Since 2002, EU law enforcement agencies have lobbied for broader and more harmonized retention schemes, particularly because mobile phone records were instrumental in tracking down the perpetrators of the Madrid bombings of 2004.
In the aftermath of those bombings, the European Council issued the Declaration of Combating Terrorism, which among other things recommended the introduction of traffic data retention rules. In April 2004, France, Ireland, Sweden and the United Kingdom put forward a joint proposal on data retention, which was rejected by the European Parliament in 2005. In its place, the European Commission launched its own data retention initiative in close collaboration with the European Parliament. The current Directive is the result of that initiative, and member states have 18 months to comply with its provisions.

The Scope

The Directive covers “. . . providers of publicly available electronic communications service or of public communications network . . .” (Article 3.1). As a result, all telecommunication and Internet service providers within Member States’ jurisdictions must store communications data. It remains to be seen how the new retention regime is applied by national regulators and courts, and whether, for example, hotels or apartment owners providing guests with telephone and email, Internet cafes, universities allowing students to use Internet and email, or even private citizens with unprotected wireless LANs, are covered by the regime.
In addition, employers throughout Europe have been facing the question of whether they also would be considered “providers of publicly available electronic communications services” and thereby become subject to data retention obligations when they provide Internet access to their employees. In this respect, a French appeals court ruled in 2005 that employers can be required to retain and hand over all relevant traffic data under court order. The French court found that the French data retention regime makes no distinction between ISPs who offer Internet access on a commercial basis, and employers who give Internet access to staff. It appears, therefore, that the issue of mandatory retention schemes for communications data may also be expanded to encompass a broad range of different organizations and private citizens.

While the Directive is not applicable to data revealing the content of communications, it does cover a wide variety of data, including data required to identify and trace the identity, source, destination, routing, date/time, location, the communications device and equipment involved, of every communication. The categories of data that must be retained will be revised on a regular basis. The Directive also requires retention of data on unsuccessful calls, defined as “a communication where a telephone call has been successfully connected but is unanswered or there has been a network management intervention.” (Article 2(2)). This provision was controversial because providers do not currently register lost calls. Internet-related data to be retained is limited to email and IP-telephone data — which means the data on Web pages visited need not be retained by providers.

Circumstances for Access to Retained Data

The Directive’s aim is to ensure that the data is available for the purposes of investigation, detection and prosecution of serious crime, as defined by each member state, in its national law.
Member states must ensure that data retained in accordance with the Directive is only provided upon request from competent national authorities, in specific cases, and in accordance with national legislation.

Retention Period

The Directive obliges each member state to ensure that the relevant data is retained “. . . for a period of not less than 6 months and for a maximum of two years from the date of communication” (Article 7). There is, however, derogation from the time period for particular circumstances warranting an extension of the maximum retention period for a limited time. As a result, member states may expand the time period, and may also prescribe different periods for different types of data. Providers operating in multiple jurisdictions could be subject to different retention periods. It is unclear as to what extent providers could argue that compliance with one set of rules, for example, the rules applicable at the place where the database is hosted, suffices.

Data Storage

Each member state will be required to ensure that communications service providers respect, as a minimum, certain prescribed data security principles with respect to data retention. There is a provision for “effective, proportionate and dissuasive” penal sanctions for companies that fail to store the data or misuse the retained information, and member states must designate an independent supervisory authority to ensure compliance with the Directive. Because these official instances “may be the same authorities as those referred to in Article 28 of Directive 95/46/EC”, the data protection authorities may assume supervisory authority for compliance with this Directive as well. Storage should allow for sharing with law enforcement authorities without “undue delay.” However, the technical implications will need to be defined in the implementation legislation.
Data must be destroyed after the period of retention, except for those data that have been accessed and preserved.

Reimbursement of Costs

While the original Commission proposal required member states to reimburse providers for the additional costs of retention, the Directive adopted by the Council contains no reimbursement provisions, which leaves it to the discretion of the member states whether or not to reimburse providers. The cost of implementing a data retention capability is estimated at millions of euros.

Miriam Wugmeister is a partner in the New York Office of Morrison & Foerster LLP. Karin Retzer is Of Counsel in the Brussels, Belgium office of Morrison & Foerster LLP. They may be reached at [email protected] and [email protected].

New Data Retention Rules in Europe: Privacy Rights At Issue
Jacqueline Klosek

In the aftermath of terrorist attacks in the U.S. and Europe, legislators from around the world rapidly undertook efforts to adopt and implement measures to prevent terrorism and capture terrorists. Given the nature of terrorism, many of these measures included elements of enhanced powers of surveillance and investigation. Today, continued concerns about the prevention of terrorism and the apprehension of terrorists are continuing to drive significant legislative changes and motivate the expansion of law enforcement powers. Such changes are having a profound impact on individual liberties and privacy rights. At the same time, they are altering the ways in which many companies, especially those that collect and process data, may do business.

The Proposed Data Retention Directive

While Europe has long been a leader in working to ensure that its citizens enjoy a high level of privacy protection, Europe also has had to deal with the challenges of striking an appropriate balance between protecting its citizens from terrorism and protecting their human rights and individual liberties. A notable development in this continuing challenge was the recent approval of a new European directive concerning data retention, known as the Data Retention Directive. On December 14, 2005, the European Parliament approved new measures that will require providers of publicly available electronic communication service and/or public communication networks (collectively, service providers) to comply with new requirements regarding the retention of traffic and location data. In imposing new retention requirements, the Data Retention Directive will amend Directive 2002/58/EC, also referred to as the Directive on Privacy and Electronic Communications.

The Data Retention Directive will cover traffic and location data transmitted through a wide range of communications services, including short message service, which are text messages sent via cell phones, voicemail, call forwarding, call transfer and messaging. Under the terms of the new Directive, covered service providers will be required to retain traffic and location data from six to 24 months, depending on the local law of the applicable member state. Furthermore, the Data Retention Directive also will allow the governments of individual member states to exceed that range and impose even longer retention requirements. There has been some speculation that at least one member state was considering the adoption of a rule that would require enterprises to retain such data for as long as 15 years. Many industry groups have expressed grave concerns about the flexibility that will be afforded to individual member states, arguing that it will result in compliance challenges, as well as distortions in competition, in the marketplace.

Observers also have noted that costs will vary from state to state. The Data Retention Directive will provide individual member states the freedom to determine what — if any — financial assistance they will give to service providers to offset the costs of setting up data retention systems.

Member States must transpose the Directive into national law by August 2007. In the meantime, member states have the authority to postpone the implementation of local data retention measures related to Internet access, Internet telephone services and email. However, the states must apply general requirements of the Directive, including rules controlling data access and criminalization of illicit access.

Privacy Concerns Abound

Privacy advocates have been critical of the new measures. Before the Data Retention Directive was approved, opponents’ objections were detailed in an October 2005 Opinion of the Article 29 Working Party. The Opinion questioned whether the justification for the data retention requirements was based on clear evidence and challenged the proposed retention periods. It also identified 20 specific safeguards that member states should establish to minimize the interference with individual privacy rights.

Article 29 Working Party Recommends Data Retention Safeguards

The safeguards identified in the October 2005 Opinion of the Article 29 Working Party can be summarized as follows:
• Data should only be retained to fight terrorism and organized crime.
• The Directive should provide that the data will only be given to specifically designated law enforcement authorities (and a list of those authorities should be made publicly available).
• Large-scale mining of the data covered by the Directive should not be permitted.
• Any further processing of the data should be prohibited or limited stringently by appropriate safeguards. Further, access to the data by other governmental bodies should be prohibited.
• Any retrieval of the data should be recorded; but access to the records would be limited and the records must be destroyed within one year.
• Access to data should be authorized only on a case-by-case basis by a judicial authority, without prejudice to countries that allow a specific possibility of access, subject to independent oversight.
• The Directive should clearly define which service providers are specifically covered by the retention requirements.
• It should be clear that there is no need to identify the customer unless it is necessary for billing purposes or some other reason to fulfill the contract with the service provider.
• Providers should not be allowed to process data for their own purposes or any other reasons not specifically required by the directive.
• The systems for storage of data for public-order purposes should be logically separated from systems used for the providers’ business purposes and protected by more stringent security measures.
• The Directive should provide for minimum standards for technical and organizational security measures to be taken by the providers, specifying the general security measures established by the Directive on Privacy in Electronic Communications.
• The Directive should specify that third parties are not allowed to access retained data.
• There should be a clear definition of the data categories covered by the retention requirements and a limitation on traffic data.
• The Directive must specify the list of personal data to be retained.
• Specific guarantees should be introduced to ensure a stringent, effective distinction between content and traffic data.
• The different categories of traffic data related to unsuccessful communication attempts should not be included.
• There should be limitations on the location data that can be stored.
• There should be effective controls on the original and any further compatible use of the data by judicial authorities.
• The Directive should include an obligation to provide citizens with information regarding all processing operations undertaken under the directive.
• The Directive’s provisions regarding costs should be modified to clarify that providers would be reimbursed for investments in the adaptation of communications systems and for responding to law enforcement demands for data.

Efforts were made to address many of the proposed safeguards in the final version of the Data Retention Directive. However, privacy issues still remain a concern and were further highlighted on December 19, 2005, when the office of the European Data Protection Supervisor (EDPS) issued an opinion criticizing certain aspects of the Directive and calling for enhanced privacy protection measures. Specifically, the EDPS called for the following steps with regard to the protection of data used by law enforcement officials:
• The main data protection rules should cover all police and judicial data (not just data exchanged between member states, but also data used within one country).
• Data on different categories of individuals (such as criminal suspects, convicted persons, victims, witnesses and contacts) should be processed with appropriate conditions and safeguards.
• The principles of necessity and proportionality should reflect the case law of the European Court on Human Rights.
• The quality of data received from a third country would need to be assessed carefully (in light of human rights and data protection standards) before being used in any manner.
• Specific provisions on automated individual decisions (similar to those in the main Data Protection Directive) should be introduced.

Implications for Service Providers

While privacy issues remain a key focus, service providers will face the practical challenges of implementing measures to comply with the Directive. Under its provisions, service providers will be required to capture and maintain a host of data, including: the source and destination of a communication; the date, time and duration of a communication; the type of communication; the communication device; and the location of mobile communication equipment. It is notable that the service provider must ensure that data is retained in an accessible database to allow businesses to respond “without undue delay” to authorities who request information. Service providers should begin to examine their current data-retention systems to ensure that they will be positioned to meet the legislation’s new requirements.

Going Forward

In addition to imposing significant new requirements on service providers, the proposed Data Retention Directive is notable in that it represents one of the more recent developments in what is likely to be a very protracted battle to balance the need to prevent terrorism while protecting individual liberties, including privacy rights. In the coming months and years, we are likely to witness continued developments in this ongoing struggle. In the short run, service providers in the European Economic Area should consider examining their current systems for data retention to ensure they will be ready to make the necessary modifications required by the new Directive.

Jacqueline Klosek, CIPP, is a Senior Associate in the Business Law Department and member of the Intellectual Property Group, Goodwin Procter LLP. She is the author of Data Privacy in the Information Age (Greenwood, 2000) and the forthcoming War on Privacy (Greenwood, 2006). Klosek is a member of The Privacy Advisor’s Advisory Board. She can be reached by email at [email protected].

Ask the Privacy Expert

Readers are encouraged to submit their questions to [email protected].
We will tap the expertise of IAPP members to answer your questions.

Harry A. Valetk

Q: My company employs outside vendors to build and support systems containing sensitive customer information. We want to be sure we’re legally protected if any of our vendors lose information or otherwise experience a data breach. What legal provisions should I try to negotiate in our contract?

A: In today’s marketplace, virtually all businesses collect some form of personal information from their customers, prospects, competitors, and employees. Many businesses rely on independent contractors (based here and abroad) to upgrade vital systems, support critical infrastructure, or manage promotional campaigns. To better protect your company in case one of your vendors experiences a security breach, try to include language in your contracts that:
• Limits access to personal information to only those vendor employees who need to know the information to perform authorized services;
• Provides you with immediate notice of any security breach involving your customers’ information;
• Requires vendor’s contractors with access to your customers’ personal information to abide by your company’s confidentiality agreement;
• Covers your out-of-pocket costs of purchasing consumer credit monitoring services; and
• Covers out-of-pocket costs of assembling and maintaining a customer call center.

Few vendors will agree to pay all costs associated with a breach of personal information, especially since much of the injury involves your own company’s brand. But most will agree to cover reasonable and predictable costs associated with a data loss. By the same token, expect vendors to adjust their price to cover these additional costs.

Harry A. Valetk is an attorney in New York City, and a former trial attorney with the U.S. Department of Justice.
He works closely with Web site operators to establish best consumer practices online, and has written extensively on identity theft, privacy protection, and other Internet safety topics. He is an adjunct assistant professor of law at the Bernard M. Baruch College, Zicklin School of Business. Valetk is a member of The Privacy Advisor’s Advisory Board.

This response represents the personal opinion of our expert (and not that of his/her employer), and cannot be considered to be legal advice. If you need legal advice on the issues raised by this question, we recommend that you seek legal guidance from an attorney familiar with these laws.

The FTC Launches a New Division Focused on Privacy, ID Theft and Data Security

A Q & A about the FTC’s new Division of Privacy and Identity Protection, featuring: Joel Winston, an Associate Director with the FTC who heads the new division, and Becky Burr, an IAPP Board member and a Partner with Wilmer Cutler & Pickering in Washington, D.C. Burr is a former FTC employee.

Becky: Can you describe how the various responsibilities of the Division of Financial Practices have been divided up?

Joel: The existing Division of Financial Practices, which had primary responsibility for privacy matters within the FTC, is essentially being split into two new divisions. One division will keep the title of Division of Financial Practices, but with somewhat different duties. The other division is the new one that I will be heading up, the Division of Privacy and Identity Protection. The new Privacy and Identity Protection Division will have authority over privacy, data security issues, Gramm-Leach-Bliley issues, as well as credit reporting issues under the Fair Credit Reporting Act. In addition, the Commission’s identity theft program, which as you know has been a very active and successful program within the Commission, is being brought into this new division of Privacy and Identity Protection. At the same time, the Division of Financial Practices will retain its oversight of the lending industry, as well as other credit statutes, debt collection, etc. There are other aspects of the Commission’s privacy agenda that will remain elsewhere. For example, our spyware program is generally being run by our Advertising Practices Division. The Do Not Call registry, which is an important part of our privacy agenda, is run out of our Division of Marketing Practices. Generally speaking, this new division is designed to consolidate the oversight of the privacy and data security issues.

Becky: You have had a very busy year in 2005 with some pretty important and groundbreaking cases. What are you focused on for 2006?

Joel: As is often the case in this area, our agenda is driven in significant part by Congress. We have spent the last two years implementing the Fair and Accurate Credit Transactions Act of 2003. Those are the Fair Credit Reporting Act amendments which imposed very extensive rule-making obligations on the FTC and other federal agencies. We will continue to be spending time on that. There are a number of rule-makings and Commission studies that are still due under that statute. And then, secondly, a lot will depend on what Congress does, if anything, on the data security issue. I don’t think it will come as a surprise to anyone that a primary focus of this new division will be on data security. As we read about the breaches of sensitive data seemingly every week in the newspapers, there is a lot of concern on the public’s part that their data is not being kept in a secure way. And again, depending on what Congress does, if it passes legislation, it is likely to involve significant Commission implementation. In any event, we will be continuing our law enforcement program in this area. We have brought a number of cases and we have a number of other cases under investigation. We also will continue our educational and outreach programs.

Becky: Given that a majority of states have approved notification requirements, many of us are assuming that there will be federal legislation.

Joel: A primary driver of federal legislation is the fact that the states are jumping into the void and passing laws which are inconsistent with each other. These laws obviously create some major headaches for businesses, so I think there will be a push for federal legislation. The main area of focus is when companies should notify consumers when they’ve had a breach and what form that notice should take. There also is a lot of interest in imposing a general requirement on businesses that retain sensitive consumer information to have safeguards in place to make sure that the information is protected from unauthorized acquisition, similar to what is already on the books for financial institutions. This concept would be broadened.

Becky: The hard part is defining when notices should be sent and when it doesn’t make sense. Consumers could be alarmed needlessly or overwhelmed with information in a way that makes them less sensitive to these kinds of breach notifications. That’s a tough standard to come up with.

Joel: It sure is. That is one of the biggest issues that Congress has been struggling with. There is a lot of debate and acrimony among different players in this debate about how tight the standards should be, how flexible they should be. Some of the states and proposals for federal legislation are quite specific that in the case of a breach, there ought to be notice and that companies should not be given discretion to decide when the notice might actually be beneficial to consumers.
But I think what we have discovered is that there are a lot of breaches — and they run the gamut from those that are essentially harmless to those that clearly pose a risk of identity theft or other sorts of harm to consumers. There needs to be some sort of discretion given to businesses to make a determination, hopefully with guidance and with help from the federal agencies, to allow these companies to decide in a particular case whether it is a situation that raises risks for consumers versus those when there is really not much the consumer can do. If you require notice in the latter situation, you are going to needlessly alarm consumers, or worse yet, you are going to cause them to start ignoring these notices. We think there needs to be some element of flexibility.

Becky: We are beginning to see the emergence of an industry standard on the kind of credit protection offered to individuals whose sensitive data may have been disclosed. There are some consumer protection advocates who wonder whether in fact consumers are being well-served by these programs, or if perhaps other commercial interests are coming into play.

Joel: Some of the federal legislation that has been proposed — and some of the legislation that has passed in the states — would require the company that suffers the breach to provide affected consumers with free credit reports and free credit monitoring for a period of time, which at least on the surface, seems like a good idea. The best way to figure out whether your identity has been stolen is to keep a close eye on your credit report. Some of the companies that have had breaches and offered credit monitoring to consumers have told us that a remarkably small percentage of consumers actually go ahead and order the credit monitoring.

Becky: Like one in 10.
Joel: Yes, I’ve seen numbers like that and so what does that mean? Does it mean consumers aren’t even reading the notices? Does it mean they are reading them, but they are not really concerned? Is there some reason why they are skeptical about getting credit monitoring? We don’t really know, but it doesn’t seem to be a panacea. Before legislation mandating this sort of response is put into place, we really need to get a better handle on how useful it is.

Becky: With regard to the major information security cases brought by the FTC last year, the BJ’s Wholesale case was quite interesting. I believe it was the first time that the Commission clearly invoked its fairness authority in the context of data security and privacy.

Joel: Our previous cases in this area had been on deception theories where companies had made claims, for example, that they had procedures in place that they didn’t have. But this was the first unfairness case, and we have since followed it up with the DSW case, which is similar. These are companies that didn’t make specific claims necessarily about how they safeguarded information, but created substantial consumer injury by not having reasonable procedures in place. The result was that thieves were able to get into the database, steal the data and cause a lot of damage. While these are unique cases in this area, we think they follow well-established principles about unfairness law. There were a lot of fixes these companies could have put in place to prevent this from happening and they were virtually cost free. But they didn’t do so. When you do that sort of cost-benefit analysis, you determine that what they did was not reasonable.

Becky: This is a question that actually could have very significant implications in the online world: What obligations does a company have when it purchases third-party information technology? Who is responsible for ensuring that third-party technology provides adequate protection for data?
Joel: Well, again, it is a reasonableness test. There are no hard-and-fast rules here and certainly if a company, in good faith, relies on representations made by a vendor about the operation of software or hardware that they are buying and takes appropriate steps to verify that it does what it says it does, that would weigh very heavily in the determination of whether they acted reasonably. Again, it is not a strict liability standard. On the other hand, if you look at the BJ’s case and some of the others, to the extent that these companies bought software and used it, we felt that they were clearly in a position to know about the limitations of it and really ignored all the warning signs.

This interview is available in its entirety as a podcast on the IAPP’s Web site, under Resources, at www.privacyassociation.org.

THE PRIVACY ADVISOR

Viewpoint: Binding Corporate Rules are Good for the Bottom Line
Eduardo Ustaran

These days, many chief privacy officers at multinational organizations are considering whether to dive into the waters of Binding Corporate Rules — a model that relies on applying European data privacy standards within an organization to obtain the blanket approval of European regulators for the global flow of personal information.

General Electric likely has set many records during its lifetime. But at the end of 2005, it set another one by becoming the first company in the world to obtain the official approval of its data protection Binding Corporate Rules (BCR). This approval was the first since April 2005 when the Article 29 Working Party, an advisory body to the European Commission comprised of member state data protection officials, adopted a pan-European cooperation procedure for the authorization of BCR. For GE, it seemed to be a clear-cut decision. Yet many other companies are asking this critical question: Is the stamina and investment required to get BCR off the ground justified by its benefits?

One can simply look at BCR as a matter of consistency of approach. Many privacy professionals belong to organizations that devote considerable management resources to get privacy right. Those organizations have left behind a reactive strategy in favor of proactive privacy management. They don't just fire-fight data privacy issues. They look at privacy management as a critical ingredient of success. For those companies, implementing BCR is a consistent way to roll out and publicize established business practices, while earning the regulators’ blessing during the process.

Indeed, one of the reasons why data protection authorities are quickly becoming so supportive of this idea is the fact that BCR can help to change many negative perceptions people have about data privacy. When you look at this argument from the organization’s point of view, it becomes even more compelling.

When one examines the BCR model closely, the truth is that there is nothing mythical about it. The BCR system will prove in 2006 that it works for all types of international organizations in many industry sectors. It is imperative that companies embrace the concept that globalization affects all parts of the business, including the use of personal data as well as the basic rules that apply to that use. Chief privacy officers would be wise to argue in favor of BCR on the grounds of its consistency, cost-efficiency, legal certainty and user simplicity. To put it in words that the board will understand: There are tangible commercial benefits in looking at privacy as a strategic issue. Those organizations with European operations that can address this issue by means of a BCR system will benefit. GE has shown that it can be done. Many others are right behind.

On a more sophisticated level, BCR also serves as a mechanism to analyze the organization and maximize its resources. Those who have looked at BCR — as well as the documentation that must be submitted to the regulators — know that providing a proper description of the uses and flows of personal data within the organization, and of how the BCR model relates to those paths, is essential. This is necessary to prove to European regulators that the company realistically will adopt a workable BCR system. An efficient BCR system will make a substantial contribution to the efficient management of a key asset: a company’s knowledge about its organization and employees. To put it simply, BCR equals efficiency and efficiency equals profits.

One aspect of BCR that GE has championed is the fact that the system turns data privacy obligations into user-friendly language for data handlers and employees. For example, a set of BCR that talks about “data controllers,” “data subjects” and “filing systems” is poorly drafted and inadequate. The point of the BCR model is to translate it into language that is understood easily across ranks and jurisdictions. Data protection law was meant to be transparent and give people rights.

Eduardo Ustaran is a data privacy specialist at London law firm Field Fisher Waterhouse and can be reached at [email protected]. For further information on the BCR model, visit www.privacyandinformation.com.

IAPP in the News

Privacy & Security Law Report Covers the IAPP’s Genetic Privacy Audio Conference

BNA staff correspondent Christopher Brown covered the IAPP’s “Genetic and Health Privacy: Policies, Practices and Safeguards to Foster Consumer Trust,” held Feb. 16. Brown’s article appeared in the Feb. 27 issue of the Privacy & Security Law Report.
In the article, Brown noted that privacy experts said consumers’ fears about the possible misuse of genetic information would have to be addressed before scientific breakthroughs can be achieved through the use of genetic research. Despite the promise of genetic research to help find new drugs and therapies to treat diseases and to develop tests to determine a patient’s risk of acquiring a certain disease, researchers are finding that patients are reluctant to participate in clinical trials, said Timothy Leshan, chief of policy and program analysis at the National Institutes of Health. Surveys have demonstrated the high level of fear among patients who worry that insurance companies would use the genetic information to deny them coverage, Leshan pointed out. Leshan added that 41 states have laws to protect consumers from discrimination in the insurance market based on genetic information; 33 have laws to protect against workplace discrimination on the basis of genetic information.

IAPP board member Harriet Pearson, IBM’s Vice President of Corporate Affairs and Chief Privacy Officer, outlined the company’s much-publicized announcement in October 2005 that it would not use its workers’ genetic information to make employment decisions. IBM, Pearson said, formed a task force to look into genetic privacy to ensure that the company was “doing the right thing.” The task force review resulted in the company’s policy on genetic privacy. Pearson said the task force’s work led the company to add guidelines on genetic information to its privacy policy, according to Brown’s article.

The IAPP’s New President Gets a Lot of Ink

Kirk M. Herath, the IAPP’s new board president, and Associate General Counsel and Chief Privacy Officer for Nationwide Insurance Companies, has been tapped as a privacy pro in the know for recent privacy coverage.

Dubbed an “everyday compliance hero” by ITCi reporter Peter Buxbaum, Herath was featured in a Feb. 8 profile about his work as a privacy pro. The article pointed out that Herath’s accomplishments include his leadership of the IAPP. Much of the article was focused on Herath’s assessment of data breach notification legislation in the U.S.

Herath said his privacy philosophy centers on the belief that “privacy should not be viewed as a one-time project but as programmatic management within the enterprise.”

Herath was again the expert privacy pro Computerworld reporter Jaikumar Vijayan turned to for a March 2 story on breach notification laws. In that story, Herath stressed that companies “clearly have a responsibility to safeguard customer information.” If a company loses that information, “it’s our responsibility to inform consumers because that’s the only way they can protect themselves.” But Herath stressed that he favors a disclosure requirement of a “clear risk of danger or harm to the consumer.”

And Herath’s view was shared by another fellow privacy pro and IAPP board member, Kirk J. Nahra, Partner, Wiley Rein & Fielding LLP, who agreed that little is gained by “overnotification” of consumers. Nahra, who serves as The Privacy Advisor’s editor, noted that some laws “would require notice in ridiculous situations.”

Photo caption: Kirk M. Herath, IAPP, President of the Board of Directors

Privacy News

IAPP National Summit 2006 Draws Coverage from Trade, Mainstream Reporters

A Washington Post columnist who attended the recent IAPP National Summit 2006 in Washington, D.C., spent some time between sessions with the IAPP’s Executive Director, J. Trevor Hughes. In an item in the Sunday Washington Post’s Business Section on March 19, reporter Don Oldenburg plucked some information about default boxes from his interview with Hughes.
The column noted that a study, conducted by Eric Johnson at Columbia University’s Business School, has shown that subscription rates increase by a 2-to-1 factor when the box is already checked for a user. The column also mentioned that the IAPP “held a summit of 800 privacy experts here a week ago.”

The Metro Herald, based in Alexandria, Va., ran an article in advance of the Summit noting that the world’s largest association of professionals in the privacy industry was holding its National Summit March 8-10 at the Omni Shoreham in Washington, D.C. The article noted that the Summit would offer attendees an in-depth focus on domestic and international privacy issues, including keynotes from Jonathan Zittrain, Co-founder of the Berkman Center for Internet & Society at Harvard Law School; Brad Smith, Senior Vice President, General Counsel, for Microsoft; Dr. David J. Brailer, National Coordinator for Health Information Technology, U.S. Department of Health and Human Services; and Christophe Pallez, Secretary General of the CNIL, France.

HP and Hitachi to Collaborate on Security and Privacy Research

Researchers from HP Labs Bristol, UK, and Princeton, N.J., and the Hitachi Systems Development Laboratory, will conduct joint work on key security and privacy issues. The research will focus on authenticating users and devices to improve security inside networks and the use of digital signatures to guarantee the authenticity of document content.

“This collaboration highlights HP Labs and Hitachi Labs’ common interest in security research and our aim to bring about secure systems and infrastructure technologies for modern enterprise needs,” said Dick Lampman, Senior Vice President of Research, HP, and director, HP Labs.
“HP and Hitachi have had technology alliances that have spanned 16 years, and this is an extension of our partnership to further leverage our research and development.”

Network security and authentication research has been stimulated by the constant threat to IT infrastructures from, among many others, impersonation, computer viruses and worms. To combat these threats, HP and Hitachi researchers are investigating how to ensure that computers used to access corporate networks remotely — from home or from a hotel room, for instance — are appropriately authorized. The researchers are interested in developing technologies for a secure infrastructure that manages communications based on the authentication of the integrity of both the PC and the user.

The team’s other focus is content security research to address the problem of how to guarantee the integrity of documents and data by using digital signatures while allowing changes. For example, it may be necessary to delete sensitive data such as names and company secrets from a document for reasons of privacy or confidentiality, yet show that the visible portion of the document is authentic. This process is applied regularly to documents affected by the U.S. Freedom of Information Act and similar laws in other countries. This type of technology also would help ensure the authenticity and integrity of audit trails, an important issue for companies complying with legislation such as the Sarbanes-Oxley Act.

“Hitachi and HP both recognize the increasing importance of security,” said Dr. Akira Maeda, General Manager of Systems Development Laboratory. “This collaboration is expected to contribute to a dramatic increase in customer satisfaction by delivering entirely new security backbones.”

Ponemon Institute Names Most Trusted Retail Banks

The Ponemon Institute has released its 2006 Privacy Trust Study for Retail Banking.
Sponsored by Vontu, the study gauges how privacy issues affect retail banking relationships and which banks consumers identified as the most trustworthy in protecting their personal information.

“It is interesting to note that since our last study in 2004, there has been an 8 percent decline in the number of respondents who said their level of confidence in their retail bank was ‘very high’ or ‘high,’ ” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “This can probably be attributed to the number of well-publicized security breaches in the banking and financial services industry and the sharp increase from 5 percent to 12 percent in the number of respondents who reported receiving a notification of a privacy breach.”

THE FIVE MOST TRUSTED BANKS FOR PRIVACY IN 2006
1. National City and U.S. Bank (tied for first place)
2. Fifth Third Bank
3. Wachovia
4. PNC Bank
5. Washington Mutual

Consumers who participated in the study were asked to identify the primary institution they currently use for retail banking services from a list of the 25 largest U.S. banks. If their primary bank was not listed, consumers could add it to the survey form. The participants were asked to answer questions focused on their bank’s privacy and data protection practices.

“Preventing data breaches has become a top priority for banks, partly due to state notification laws, but primarily because customer loyalty depends upon it,” said Joseph Ansanelli, chairman and CEO of Vontu. “The new Ponemon Institute study clearly demonstrates how much banking customers care about data loss prevention.”

According to the survey:
• 12 percent of respondents have received notification of a privacy breach within the past 12 months, up from 5 percent in 2004.
• 68 percent of respondents are confident that their bank would inform them if a privacy breach resulted in the leakage of their personal information.
• 34 percent want to be notified by telephone of a security breach and 30 percent prefer written notice. Less popular are emails and Web postings, 15 percent and 16 percent, respectively.
• 63 percent of respondents who bank online are as confident that their personal information is protected as when they bank at their local branch office. Since the 2003 study, this level of confidence has declined 11 percent.

The survey also found that the three most important factors in boosting customer trust and confidence in their banks are not sharing or selling personal information to other organizations; not engaging in aggressive marketing tactics; and keeping consumers informed about the bank’s practices and policies. More information about the study is available at [email protected].

Schwab Announces Security Guarantee

The Charles Schwab Corp. is offering its customers a guarantee covering 100 percent of any account losses that arise from unauthorized account activity. The guarantee took effect immediately in mid-February when the company made the announcement.

“It has always been our practice to make clients whole in cases of unauthorized account activity,” said Charles R. Schwab, founder and CEO. “Our new security guarantee turns that historic practice into a public promise. We have a broad array of internal security systems and measures in place that protect the safety of client accounts at Schwab. Given the rising public concerns over identity theft and cyber-fraud, we think adding a clear and simple guarantee will contribute to even greater peace of mind for our clients.”

The company encouraged its clients and consumers to review privacy and security tips on www.schwab.com to learn what steps they can take to ensure safe transactions online or through more traditional channels. The Charles Schwab Corp. is a leading provider of financial services, with more than 325 offices, 7.1 million client accounts and $1.25 trillion in client assets.
Through its operating subsidiaries, the company provides a full range of securities brokerage, banking, money management and financial advisory services to individual investors and independent investment advisors. Details about the guarantee are available at www.schwab.com/guarantee.

Calendar of Events

APRIL

19 Chicago IAPP KnowledgeNet. Speaker: John Loft, Principal Scientist Director, Research Triangle Institute International (RTI International), “Health Information Security and Privacy Collaboration”

25 Keeping Information Safe, 7:30 to 9:30 a.m. PST, The Regency Club, Westwood, CA. An information privacy seminar hosted by Citadel Information Group, MRE Enterprises and PossibleNOW. Eligible for IAPP and California state MCLE continuing education credits. Register now at www.mre-ent.com

27 Los Angeles IAPP KnowledgeNet. Speaker: Reece Hirsch, Partner, Sonnenschein Nath & Rosenthal LLP, “Data Security Law — The Emerging Standard”

MAY

2-5 The 16th Annual Conference On Computers, Freedom and Privacy, L’Enfant Plaza Hotel, Washington, D.C. “Life, Liberty and Digital Rights.” Registration: www.cfp2006.org.

5-6 Data Protection and Security: A Transnational Discussion. Seminar presented by the Association International Des Jeune Advocats (AIJA) (the global association of young lawyers). M Street Hotel, 1143 New Hampshire Ave., NW, Washington, D.C., +202.775.0800. More information: www.aija.org/uploads/events/events_pdf/washington_08.pdf

8 Sydney, Australia IAPP KnowledgeNet. Speakers: J. Trevor Hughes, CIPP, Executive Director, International Association of Privacy Professionals, “The Emergence of the Global Privacy Profession”; Peter Cullen, CIPP, Chief Privacy Strategist, Microsoft Privacy and Data Governance, “A Privacy Sector Perspective”; Sagi Leizrov, CIPP, Ernst & Young, Privacy and Data Governance Issues, “Top Ten Global Challenges”

10 Singapore IAPP KnowledgeNet. Speakers: J. Trevor Hughes, CIPP, Executive Director, International Association of Privacy Professionals; Peter Cullen, CIPP, Chief Privacy Strategist, Microsoft; Sagi Leizrov, CIPP, Ernst & Young

12 Tokyo, Japan IAPP KnowledgeNet. Speakers: J. Trevor Hughes, CIPP, Executive Director, International Association of Privacy Professionals, “The Emergence of the Global Privacy Profession”; Peter Cullen, CIPP, Chief Privacy Strategist, Microsoft Privacy and Data Governance, “A Privacy Sector Perspective”; Sagi Leizrov, CIPP, Ernst & Young, Privacy and Data Governance Issues, “Top Ten Global Challenges”

OCTOBER

18-20 IAPP Privacy Academy 2006, The Westin Harbour Castle, Toronto, Canada. More information is available at www.privacyassociation.org.

To list your privacy event in The Privacy Advisor, email Ann E. Donlan at [email protected].

Privacy Classifieds

The Privacy Advisor is an excellent resource for privacy professionals researching career opportunities. For more information on a specific position, or to view all the listings, visit the IAPP’s Web site, www.privacyassociation.org.

CORPORATE ANALYST, Sony Corporation of America, New York, NY
VICE PRESIDENT ENTERPRISE PRIVACY, Countrywide Financial Corp., Plano, Texas
SPECIALIST, PRIVACY ANALYSIS AND SUPPORT, Countrywide Financial Corp., Plano, Texas
PRIVACY OFFICER, CMP Media, Manhasset, NY
MANAGER OF PRIVACY TECHNOLOGY, Carolinas HealthCare System, Charlotte, NC
DATA PRIVACY/COMPLIANCE EXPERT, Sterling Commerce, Dublin, Ohio
SENIOR PRIVACY SPECIALIST, T-Mobile, Bellevue, WA
SR. MANAGER, BUSINESS DEVELOPMENT FOR GLOBAL NETWORK PRIVACY & POLICY, American Express, New York, NY

Cell Phone Records (continued from page 3)

Congress Gets in the Game

Pretexting in order to acquire phone records soon may become a specific criminal offense. At the time of writing, several bills that would criminalize pretexting are before the House and Senate Judiciary Committees, as well as the House Energy and Commerce Committee.
These bills generally enjoy bipartisan support. The FCC and FTC were held to account for their respective roles in protecting call records during an early February 2006 hearing before the House Energy and Commerce Committee. Chairman Kevin Martin of the FCC described his agency's investigation of data brokers and telecom carriers. In response to formal Letters of Inquiry from the FCC, carriers have made detailed disclosures concerning their CPNI safeguards. In addition, the Chairman reported threatened $100,000 fines against both Alltel and AT&T for failure to produce adequate CPNI compliance certifications. Jon Leibowitz, Commissioner of the FTC, reported that his agency, in coordination with the FCC, is pursuing vigorously those who sell call records obtained through pretexting. In addition, the FTC is using its statutory authority to demand reasonable security practices of companies subject to FTC jurisdiction that store sensitive consumer information.

States Also in Play

State attorneys general in Florida, Illinois, Missouri, Arizona and elsewhere have launched investigations of suspected pretexters, as well as inquiries into the practices of telecom carriers. Reportedly, the state and federal full-court press against sellers of call records already has driven many of these Web sites to close up shop. But EPIC is keeping up the pressure, and this time, lawyers may feel the heat. EPIC has written to state professional responsibility boards urging them to prohibit attorneys from purchasing illegally obtained call records.

Amy E. Worlton is an associate with Wiley Rein & Fielding LLP in Washington, DC. She specializes in privacy, security, telecommunications, international trade, Internet and e-commerce issues. Worlton can be reached at +202.719.7458 or [email protected].

© 2006 Wiley Rein & Fielding LLP. Reprinted with permission, Privacy in Focus, February 2006.
This is a publication of Wiley Rein & Fielding LLP providing general news about recent legal developments and should not be construed as providing legal advice or legal opinions. You should consult an attorney for any specific legal questions.