The Privacy Advisor
March 2007 • Volume 7 • Number 3 • Editor: Kirk J. Nahra

Merchants Can No Longer Ignore the PCI Data Security Standard
By Reece Hirsch

Credit card data is a primary target for identity thieves because it is easily exploited in fraudulent transactions and it is often all too accessible. In the absence of a U.S. law that imposes a general obligation on businesses to safeguard credit card information and other sensitive customer data, the credit card associations took matters into their own hands by adopting the Payment Card Industry (PCI) Data Security Standard (DSS) in 2005. In recent months, support for the PCI Data Security Standard appears to be gaining momentum with the issuance of an updated version of the standard.

Visa implemented PCI's predecessor standard, the Cardholder Information Security Program (CISP), in 2001. MasterCard and Visa introduced the PCI Data Security Standard (PCI DSS) in 2004, and it took effect June 30, 2005.

On September 7, 2006, the five major credit card companies announced the formation of a new organization to improve and implement the PCI standard, marking the first time that the five major brands (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) have agreed to a single, shared framework. The new group, known as the PCI Security Standards Council, took its first action by issuing PCI DSS version 1.1, an updated version of the standard.

The PCI Data Security Standard has so far prompted relatively little action by merchants. See PCI Data Security Standard, page 3.

Enabling Data-Centric Security
Forget Conventional Wisdom. Modern Encryption Technology is Ideal for Privacy Applications. Here's Why.
By Luther Martin

Your organization needs to comply with privacy regulations. Your board of directors knows the business needs to protect sensitive information as it moves among business partners, mobile users and your enterprise. Yet security technologies such as encryption are far too complex and far too difficult to deploy on a broad scale.

Actually, that is no longer the case. Leveraging identity-based encryption (IBE) is far easier and more scalable than traditional encryption technologies. So how exactly did encryption earn its reputation for being too difficult and too costly for widespread use? Let's take a quick look at encryption's evolution, review the difficult early years and examine how today's IBE approach solves the problems from yesteryear.

In a 1999 Carnegie Mellon University study (published as the paper "Why Johnny Can't Encrypt"), sending and receiving encrypted email proved to be too hard for 75 percent of the study's participants. Fast forward to 2006 and there seems to have been little progress in this area, as the title of the follow-up paper, "Why Johnny Still Can't Encrypt," indicates. If encryption isn't practical, there's no point in doing it. See Data-Centric Security, page 5.

The Privacy Advisor (ISSN: 1532-1509) is published monthly by the International Association of Privacy Professionals and distributed only to IAPP members. Editor: Kirk J. Nahra, CIPP, Wiley Rein LLP. Managing Editor: Ann E. Donlan, CIPP.
Notes from the Executive Director

As part of the IAPP's international commitment, we are proud to announce the launch of our inaugural European delegate tour. While details are still in the works, the delegate tour is a unique opportunity for IAPP members to participate in a series of special events in London, Paris and Berlin. Scheduled for June, the tour is expected to give privacy pros an opportunity to compare notes with our European colleagues in each city during KnowledgeNet meetings, workshops with data protection authorities and networking opportunities. The first European delegate tour would not be possible without the generous support of Microsoft and Ernst & Young. The IAPP is excited about this tour as we continue our efforts to broaden our mission to promote the privacy profession globally.
We eagerly look forward to learning from and collaborating with international privacy pros. And now for the good news! IAPP members will have the opportunity to attend these exciting events — at no additional cost. All we ask is that members cover the cost of their travel expenses and hotel stay. The IAPP will provide all the programming, including networking meetings and workshops, in each city. This spectacular networking opportunity has to be one of the best values — and we are thrilled to offer our members the chance to take part in what is sure to be a memorable tour. Members who are interested in participating in this unique privacy programming are encouraged to contact Kimberly MacNeill, the IAPP’s Member Networking Manager, at [email protected]. Please note there may be some space limitations. Let me take a moment to also update you on another IAPP global privacy effort. Peter Kosmala, the IAPP’s Assistant Director, recently returned from a week in Singapore, where he spoke at an online privacy conference co-sponsored by the IAPP and LexisNexis, and met with privacy leaders across the private and public sectors in Singapore. These included KK Lim, CIPP, Chief Privacy Officer-Asia Pacific, IMS Health; Lawrence Tan, CIPP/G, Senior Consultant, IDA-Infocomm Development Authority of Singapore; Jeff Bullwinkel, Director of Corporate Affairs-Asia Pacific, Microsoft, Singapore; and Wee Choo Hua, Corporate Attorney, Microsoft, Singapore, among many others. With more than 6,000 multinational corporations based in the country, 106,000 working IT professionals, and a growing community of privacy professionals, Singapore is a hotbed for innovation and ripe this year for legislative action in the data protection arena. Peter’s trip is a follow-up to the IAPP’s Asia Pacific Tour last year, when we took our signature privacy networking program on the road, holding KnowledgeNet meetings in Sydney, Singapore and Tokyo. 
While it is unclear at this juncture what specific developments are likely from the IAPP's collaboration with privacy leaders in Singapore, the IAPP definitely will continue its activity and coordination in the Asia Pacific region in the months ahead — so stay tuned! On the domestic front, look next month for coverage of the IAPP Privacy Summit 07 in Washington, D.C., an enormously successful conference lauded by privacy professionals from near and far.

J. Trevor Hughes, CIPP, Executive Director, IAPP

Copyright 2007 by the International Association of Privacy Professionals. All rights reserved. Facsimile reproduction, including photocopy or xerographic reproduction, is strictly prohibited under copyright laws.

PCI Data Security Standard, continued from page 1

Visa recently estimated that only 22 percent of the largest merchants (those that handle more than 6 million credit card transactions per year) are PCI-compliant today, but it expected that number to climb dramatically by the end of 2006. Visa also has estimated that 72 percent of the largest merchants have conducted an initial PCI audit, identified their deficiencies and have a remediation plan in place to achieve full compliance.

Merchants ignoring the growing adoption of the PCI DSS do so at their peril because the penalties for noncompliance are severe. Noncompliant merchants and payment processors can face as much as $500,000 in fines per incident if cardholder data is compromised. Visa has reported that it imposed $4.6 million in fines against banks in 2006, up from $3.4 million in 2005. Even more devastating than fines, credit card companies also may revoke the right of a merchant to process credit card transactions, a virtual death sentence for many businesses.
Carrots and Sticks

On December 12, 2006, Visa announced a new program, known as the "Visa PCI Compliance Acceleration Program," which seeks to create financial incentives to encourage PCI compliance. Under the program, Visa has committed $20 million to offer financial incentives to banks that process credit card transactions if they can demonstrate that the merchants they deal with are PCI-compliant. A Visa spokesperson has stated that the new program is intended to supplement the "stick" of noncompliance penalties with a "carrot" in the form of financial incentives.

It appears that credit card associations may no longer be the only parties seeking to compel compliance by merchants with PCI DSS standards. In January 2007, the director of the Massachusetts Office of Consumer Affairs and Business Regulation announced plans to call on merchants to begin disclosing the extent to which they comply with the PCI DSS. In February 2007, a class action claim filed in Massachusetts federal district court charged that TJX, Inc. failed to adhere to PCI standards.

PCI's Three-Tiered Approach

The PCI DSS applies to three tiers of entities: the merchant, the acquiring bank and the credit card associations that are members of the PCI Security Standards Council. Merchants are the first tier because they are on the "front lines" of credit card transactions. A merchant, either through a physical store or a Web site, accepts credit card payments from the consumer. The PCI Data Security Standard assumes that merchants are in the best position to safeguard credit card information because they are the point of contact with the consumer. As a result, merchants bear the brunt of the standard's compliance obligations.
The second level is the "acquiring bank" or "acquirer." A merchant that processes credit card transactions must have a relationship with an acquiring bank that processes the transaction. The merchant contacts the acquirer to confirm that the consumer has sufficient funds in the consumer's account and authorizes payment.

The credit card associations occupy the third tier. The associations develop PCI standards and impose them upon the acquiring banks, which are responsible for implementation of, and compliance with, those standards. The associations do not have a direct relationship with the merchants, and rely upon the acquiring banks to enforce the PCI requirements with respect to merchants.

Encryption and Compensating Controls

One PCI requirement creating headaches for merchants is the requirement to protect stored cardholder data. A covered entity must render cardholder data unreadable anywhere it is stored by using strong cryptography, such as Triple DES with 128-bit keys, or one of the other methods the standard specifies (truncation, strong one-way hashing, or index tokens and pads). It appears that even many large processors of credit card transactions have not yet achieved full PCI compliance due to the time and cost associated with implementing database encryption projects. The PCI Security Standards Council's September 2006 update of the standard made this requirement more flexible, providing that if for some reason a company is unable to encrypt cardholder data, "compensating controls" may be employed.
The update provides that compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a technical specification of a requirement, but has sufficiently mitigated the associated risk through other controls. The PCI Security Standards Council has issued a PCI DSS Glossary, which specifies that compensating controls must: (1) meet the intent and rigor of the original stated PCI DSS requirement; (2) repel a compromise attempt with similar force; (3) be "above and beyond" other PCI DSS requirements; and (4) be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement. Clearly, this new flexibility is by no means an easy out for merchants seeking to bypass PCI's encryption standard or other standards posing implementation difficulties.

The Digital Dozen

The PCI Data Security Standard contains twelve basic security requirements, also known as the "digital dozen." The Standard requires covered entities to:
• Install and maintain a firewall configuration to protect cardholder data;
• Not use vendor-supplied defaults for system passwords and other security parameters;
• Protect stored cardholder data;
• Encrypt transmission of cardholder data and sensitive information across public networks;
• Use and regularly update anti-virus software;
• Develop and maintain secure systems and applications;
• Restrict access to cardholder data by business need-to-know;
• Assign a unique ID to each person with computer access;
• Restrict physical access to cardholder data;
• Track and monitor all access to network resources and cardholder data;
• Regularly test security systems and processes; and
• Maintain a policy that addresses information security.
Unlike many statutes and regulations that address data security, the PCI DSS includes specific metrics and specifications for each of the requirements. Nevertheless, PCI's digital dozen generally reflect basic security principles consistent with reasonable best practices.

Merchants that fail to encrypt cardholder data must be prepared to perform a PCI security audit to demonstrate the presence of "compensating controls" and "mitigating circumstances." It also is becoming apparent that different auditors have different interpretations of what "compensating controls" and "mitigating circumstances" are adequate. Differing interpretations of these critical terms could lead to significant variation in implementation of PCI DSS and "forum shopping" for security auditors who are perceived to have adopted a more lenient (and less costly) reading of the standards.

Penalties for Noncompliance

Although the credit card associations have not been very active thus far in enforcing the PCI Data Standard, the potential consequences of noncompliance are severe. Acquiring banks are responsible for monitoring PCI compliance and reporting noncompliant merchants. An acquiring bank may report a merchant violating PCI to the Terminated Merchant File or MATCH list, which is available to other acquirers. A merchant placed on the MATCH list will have great difficulty in processing credit card transactions, and there is no clear process for a merchant to appeal the determination.

The most substantial penalties may be applied if the credit card association determines that a security breach occurred and, at the time of the breach, the merchant was not PCI-compliant. In such a case, the merchant will be responsible for a full-scale investigation of the breach. After the investigation, the merchant must obtain a PCI compliance certification in order to continue processing credit card transactions. The merchant also may be responsible for any and all charges posted to credit card numbers obtained through the breach. As if those consequences were not dire enough, the acquiring bank may fine the merchant $500,000 per incident.

Because so many merchants are currently not in full compliance with PCI, it is important to understand to what extent partial compliance may insulate a merchant from liability. If a merchant is subject to a security breach and is not fully PCI-compliant, do the more substantial penalties described above automatically apply? What if the breach occurs with respect to an aspect of the merchant's systems that is currently PCI-compliant? These murky issues will hopefully be clarified as the standards are enforced by the associations through the acquiring banks.

Enforcement is another muddled area of the PCI DSS. The creation of the PCI Security Standards Council creates a broader platform for PCI because all five major credit card brands are now responsible for maintaining the standard, not just MasterCard and Visa. However, each card brand that is a member of the PCI Security Standards Council remains individually responsible for enforcing the PCI standard through acquiring banks. Unless the Council issues PCI enforcement guidance, it is unlikely that PCI enforcement will be uniform or predictable.

Compliance Steps

The PCI DSS program divides merchants into four levels, based on the volume of credit card transactions they process annually. Most merchants will fall into level 2 (between 1 million and 6 million transactions), level 3 (between 20,000 and 1 million e-commerce transactions) or level 4 (fewer than 20,000 e-commerce transactions). Merchants in levels 2, 3 and 4 are permitted to "self-certify" their compliance with the PCI Data Standard by completing a self-assessment questionnaire, rather than obtaining a PCI audit from an independent assessor. It is relatively easy for a merchant to self-certify and take a lax approach to PCI compliance, but that places the merchant in a very dangerous position if it experiences a security breach involving credit card transactions.
Therefore, merchants should be proactive and adopt a diligent approach to PCI compliance, as part of an enterprise-wide approach to privacy and security. Merchants should not shy away from the more complex aspects of PCI compliance, such as database encryption, establishing a security-oriented hiring policy for staff and contractors, and assigning each person a unique ID for accessing data. In addition, covered entities should amend their contracts with vendors that access cardholder data to include PCI-specific provisions, such as the right to audit to validate compliance with the PCI standard. While the PCI Data Standard will undoubtedly continue to evolve, any changes are likely only to facilitate wider adoption of the standard. In short, the PCI Data Standard is rapidly becoming an inescapable fact of life for all merchants that process credit card transactions.

Reece Hirsch is a partner in the San Francisco office of Sonnenschein Nath & Rosenthal LLP specializing in privacy and data security issues. He can be reached at +415.882.5040 or [email protected]. A version of this article appeared previously in BNA's Privacy & Security Law Report.

Data-Centric Security, continued from page 1

The high cost of using encryption is often connected to the cost of public key infrastructure (PKI). According to the General Accounting Office, U.S. federal agencies typically spend more than $220 per digital certificate during PKI projects. In a few cases, the cost exceeded $1,000 per certificate, even exceeding $46,000 in one case. It's hard enough to do a convincing ROI calculation for many security technologies; imagine how hard it would be to justify costs like those.

Security expert Dan Geer, currently the chief scientist of Verdasys, once conjectured that the cost of using encryption is roughly the same, no matter what encryption technology you embrace. If an organization leverages symmetric encryption (technology that uses the same key to both encrypt and decrypt), Geer noted, the cost of granting the keys is high. He also noted that the cost of using asymmetric encryption (technology where one key is used to encrypt and another key to decrypt) is also high. In this case, checking keys for validity before they are used triggers most of the cost. Geer's conjecture indicates that organizations shouldn't expect to escape the high cost of encryption, regardless of their approach.

Turning Point

In 2001, Professors Dan Boneh of Stanford University and Matt Franklin of the University of California, Davis, published the first practical and secure identity-based encryption (IBE) scheme, a type of cryptography that violates Geer's principle. IBE uses a user's identity as his or her public key instead of a random collection of bits. This approach eliminates many of the difficulties with traditional encryption and therefore makes encryption a more cost-effective solution for meeting today's data privacy regulations.

The benefits don't end there. IBE is simpler than PKI, and therefore has a lower total cost of ownership (TCO). In fact, IBE is more than six times less expensive than PKI alternatives, according to Ferris Research. Protecting the data instead of the network is now feasible, and the goal of eliminating the need to maintain a strong, well-defined network security perimeter is a realistic one.

Your Identity, Your Privacy

IBE can use almost anything as a person's identity (an email, IP or hardware address) as long as it's unique. Today, more than 5 million users worldwide leverage IBE to encrypt email messages, and for most, their email addresses are their identities.

A big benefit to organizations is that it is also quite easy to include policy information in an IBE key. Instead of encrypting using the identity "[email protected]", it's just as easy to encrypt using the identity "[email protected]&classification=PCI". The way to calculate an IBE encryption key from an identity is publicly known, and all IBE-enabled applications can do it. Data from existing Identity and Access Management (IAM) systems can define identities, helping increase the return on that investment as IBE is used to solve the problem of managing data privacy.

For decryption to take place using IBE, a user has to authenticate to a key server. The user who requests a key needs to prove he or she is authorized to receive it. If "[email protected]&classification=PCI" is used as an IBE encryption key, for example, a user might have to prove both that he or she owns that email account and that he or she is entitled to access PCI information before the key server grants the decryption key. This ability to implement policy within the keys separates IBE from other encryption technologies.
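The two steps just described (anyone computes the encryption key from the identity string; only the key server, after authentication and a policy check, hands out the matching decryption key) are concrete enough to run. The following is an added example, not code from the article or from Voltage Security. It implements Clifford Cocks's 2001 identity-based encryption scheme, which rests on quadratic residuosity and needs nothing beyond integer arithmetic, as a stand-in for the pairing-based Boneh-Franklin scheme the article cites; the key-server flow and the "address&classification=PCI" identity format are the article's, while the modulus, the directory records, the session-token authentication and the addresses alice@example.com and bob@example.com are assumptions made for the example.

```python
"""Cocks identity-based encryption with policy carried in the identity string.

Added example, not code from the article or from Voltage Security. Cocks's 2001
quadratic-residuosity IBE (integer arithmetic only) stands in for the pairing-based
Boneh-Franklin scheme the article cites; the flow is the same: anyone derives the
public key from the identity string, and the key server issues the private key only
after authenticating the requester and checking the embedded policy. The modulus,
directory records, tokens and addresses are constructed for this example.
"""
import hashlib
import secrets
from math import gcd

# Master secret: two primes congruent to 3 mod 4 (required by Cocks's scheme).
# Mersenne primes avoid prime-generation code; deployments use 1024+ bit primes.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def public_key(identity: str, n: int = N) -> int:
    """Hash the identity to a with (a/n) = 1; any client can do this offline."""
    counter = 0
    while True:
        a = int.from_bytes(hashlib.sha256(f"{identity}|{counter}".encode()).digest(), "big") % n
        if a and jacobi(a, n) == 1:
            return a
        counter += 1

def random_with_symbol(m: int, n: int) -> int:
    """Random invertible t modulo n whose Jacobi symbol (t/n) equals m."""
    while True:
        t = secrets.randbelow(n - 2) + 2
        if gcd(t, n) == 1 and jacobi(t, n) == m:
            return t

def encrypt(message: bytes, identity: str, n: int = N) -> list:
    """Bit b is sent as the Jacobi symbol m = (-1)^b of a random t: the pair
    (t + a/t, u - a/u) lets a holder of a square root of a, or of -a, read m."""
    a = public_key(identity, n)
    out = []
    for b in ((byte >> i) & 1 for byte in message for i in range(8)):
        m = -1 if b else 1
        t, u = random_with_symbol(m, n), random_with_symbol(m, n)
        out.append(((t + a * pow(t, -1, n)) % n, (u - a * pow(u, -1, n)) % n))
    return out

def decrypt(ciphertext: list, identity: str, r: int, n: int = N) -> bytes:
    """With private key r: use c1 if r^2 = a, else c2; the bit is (c + 2r / n)."""
    a = public_key(identity, n)
    use_first = (r * r) % n == a
    bits = [0 if jacobi((c1 if use_first else c2) + 2 * r, n) == 1 else 1
            for c1, c2 in ciphertext]
    return bytes(sum(bits[k + i] << i for i in range(8)) for k in range(0, len(bits), 8))

class KeyServer:
    """Private key generator: holds the master secret (it can derive every user's
    key, so it must itself be protected) and issues a key only after authenticating
    the requester and checking every policy clause carried in the identity."""

    def __init__(self, p: int, q: int, directory: dict):
        self.p, self.q, self.n = p, q, p * q
        self.directory = directory  # stands in for an IAM export (assumed format)

    def extract(self, identity: str, email: str, token: str) -> int:
        owner, _, policy = identity.partition("&")
        record = self.directory.get(owner)
        if owner != email or record is None or record["token"] != token:
            raise PermissionError(f"requester does not own {owner}")
        for clause in filter(None, policy.split("&")):
            key, _, value = clause.partition("=")
            if value not in record["entitlements"].get(key, ()):
                raise PermissionError(f"{owner} is not entitled to {clause}")
        # r = a^((n+5-p-q)/8) mod n is a square root of a or of -a modulo n.
        return pow(public_key(identity, self.n), (self.n + 5 - self.p - self.q) // 8, self.n)

# Constructed directory: alice is cleared for PCI-classified data, bob is not.
DIRECTORY = {"alice@example.com": {"token": "alice-session", "entitlements": {"classification": {"PCI"}}},
             "bob@example.com": {"token": "bob-session", "entitlements": {}}}
SERVER = KeyServer(P, Q, DIRECTORY)

def roundtrip(identity, email, token, message):
    """Encrypt to the identity, fetch the key as the requester, decrypt."""
    return decrypt(encrypt(message, identity), identity, SERVER.extract(identity, email, token))

if __name__ == "__main__":
    print(roundtrip("alice@example.com&classification=PCI", "alice@example.com", "alice-session", b"PAN 4111"))
```

Two properties worth noticing when running it: the sender never contacts the server (the public key is a hash of the identity string), and a request for the key of "bob@example.com&classification=PCI" is refused even with valid credentials because the directory gives bob no PCI entitlement. The flip side, which the article does not mention, is that the key server holds a master secret from which every private key derives, so it is a single point of compromise and needs the same protection a certificate authority would. Cocks's scheme also encrypts one bit at a time with two modulus-sized values per bit; it is adequate for wrapping a symmetric key, which is how IBE is used in practice, not for bulk data.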
Supporting Structured & Unstructured Data

Further, IBE can easily implement the type of complex policies that data privacy regulations require. The ease of using IBE to encrypt data is not affected by the level of structure in it. Traditionally, it has been manageable to encrypt a database, a case where the data is highly structured. Encrypting data with less structure, like email, has been more difficult, which has limited the adoption of the technology. Even more challenging has been encrypting unstructured data, like documents and spreadsheets, which can reside anywhere on a network yet still contain sensitive information.

IBE resolves these challenges. Indeed, it makes policy-based encryption very easy to implement by embedding policy in encryption keys and requiring authentication to get the corresponding decryption keys. The same key management platform can be used for all three cases, so IBE can form the basis for an enterprise-wide key management strategy that can extend easily to include new applications.

Clearly, IBE has solved many of the encryption challenges that today's enterprises face. By embedding policy directly in keys, IBE makes it easy to enforce policy. And by leveraging existing IAM infrastructure to define identities, IBE easily integrates into existing infrastructures. At long last, encryption will be a key enabling technology that empowers us to ensure data-centric security.

Luther Martin is chief security architect at Palo Alto, CA-based Voltage Security, Inc. (www.voltage.com). He is the author of the IETF draft standards on identity-based encryption algorithms and their use in encrypted email, and is a frequent author in the areas of information security, risk management and project management. His interests include pairing-based cryptography, business applications of information security and risk management. He holds an MS degree in Electrical Engineering from The Johns Hopkins University. He can be reached at [email protected].
An Interview with an Expert on India and Outsourcing

Sagi Leizerov, Ph.D., CIPP, is a Senior Manager with Ernst & Young LLP. He helps lead the firm's Privacy Assurance and Advisory Services Practice. Leizerov interviews Mark Kobayashi-Hillary, a London-based advisor, writer and researcher who wrote Outsourcing to India: The Offshore Advantage, which was first published by Springer in 2004 and then updated to a new edition in 2005. Kobayashi-Hillary is a board member of the UK National Outsourcing Association with special responsibility for offshoring. He is a founding member of the British Computer Society working party on offshoring. He also is a visiting lecturer at London South Bank University where he is focused on contributing outsourcing knowledge to the MBA program.

Sagi: When you talk to executives about the potential or the process of outsourcing to India, what would be some of the common myths that you hear from them and what are the realistic expectations as they relate to outsourcing business there?

Mark: The immediate myth is that it is 10 times cheaper than doing work in the United States or in Western Europe — this idea that you can get greater quality/lower price. It is kind of sold as a myth that you can have it all basically. You can reduce your running costs, you can increase productivity, increase efficiency, re-engineer your processes — and at the same time, it is cheaper as well. It sounds impossible and really, to be honest, it is. It is true that operating costs are lower in an environment like India, but the whole restructuring of the way that you operate and the fact that you may need to entirely re-engineer your supply chain to fit your Indian supplier in the supply chain, or you may need to completely restructure the way you are doing business. The other sort of real difference in working in an environment such as India is you are going to work in a developing country. You've still got quite an extreme policy in some parts of the country, and so what you will actually see is that the corporations have to build a lot of the infrastructure required to deliver the service that they are doing for you.

Sagi: We hear so much about data leaks and violations related to the use of information by disgruntled employees. What is your view?

Mark: In absolute terms there are many more data leaks from companies in the U.S., the U.K. and European service companies than there are from India. Certainly it is a much more interesting story to write about data leaks from Indian companies, but I think that there is also a sense that because we are talking about people who earn a much lower wage, essentially the kind of logic goes that if we are talking about bribing insiders to bring data out of a company, then essentially it should be much cheaper to do that. That is the kind of key worry that people have when they look at a place like India. But if you wanted to do a run-down of the most data leaks, probably you would find the U.S. at the top anyway.

Sagi: Can you describe some of the key differences from a privacy and data protection perspective that are more obvious about doing business in the EU, the U.K. and the U.S. and India? Is there a specific India risk that we should be aware of?

Mark: To start with, if you are looking at the kind of legislative differences and the types of framework that you have, that is not in place in India. You don't have that kind of safety net. There is no equivalent of the European Union directive on data protection or the U.S. equivalent, the concepts of Safe Harbor. Even in the most recent information technology legislation — which was written in 2000 — the idea of data protection was not included, so there is an immediate difference there in that you don't have that legal kind of framework around you to start with. That means that the environment is very much one of the private sector. The companies themselves actually have to demonstrate the capability rather than there being a law that they've got to adhere to.

Sagi: Can you describe NASSCOM and its role?

Mark: NASSCOM is the National Association of Software and Service Companies, and it is a Chamber of Commerce. It is representation of the IT services industry in India. It's got more than 1,000 member companies. They actually have been around since the '80s, so they are quite well-established, and given that their membership is 95 or 96 percent of the Indian high-tech IT and service industry, they are the voice of the industry. NASSCOM has been instrumental in actually trying to obtain changes to the IT Act of 2000. They have tabled amendments that they would like to make to the legislation to improve the situation around intellectual property and data protection, and it is true that it is basically sitting with the government at the moment. It is something that is promised to be introduced.

Sagi: NASSCOM has been pushing for more self-regulation opportunities for its constituents. Can you describe some of the activities and some of the actions NASSCOM has been taking from a self-regulation perspective for its members?

Mark: India and the high-tech industry have exploded since the millennium, and they have embraced data protection. They have taken on this role almost like policemen of the industry. They have taken on the role of training the law enforcement officers in India, so NASSCOM is actually now working its way through training the police in India to understand cybercrime and problems around information technology. More importantly, they have set up a national skills registry — which was really a reaction to some of the data leaks that we have seen. They have tried to create this idea that people who work in the industry in India want to be trusted. So they have created a safe harbor where you can upload your resumé basically, so it is a complete history of where you have worked, who you have worked with, references you can give about the quality of your work. So if you are working within a BPO company (Business Process Outsourcing), then it becomes the de facto standard that the employer will check this National Skills Registry and have a look at your verified background before hiring you.

Sagi: If I am a Western company concerned about privacy and data protection, does it make more sense for me to offshore my operations to create a sub-company or an additional company that is mine rather than outsourcing my services to a vendor?

Mark: That question changes depending on each company and the exact details of the type of service they are trying to offshore. In general, I guess what we have observed in the marketplace is that where there is a great deal of personal data or data that could be utilized in some way, whether that is personal data about plants or about the business that the company performs, quite often we have seen that offshored rather than outsourced. I am thinking the best example is within investment banking, where you are looking at quite a lot of banks that have chosen to set up their own facilities. They have their own office located in India and they hire their own staff and put those people on their own contract.

Sagi: OK, so I have made the decision to outsource my services to an Indian company. What kind of steps should I be taking before I am selecting a vendor to work with? What would be the type of due diligence, the type of review, that I should do when selecting potential outsourcing companies?
Mark: Make sure that you know who they are hiring and where they are coming from so that you can get verified backgrounds from the NASSCOM skills registry. If you are going out on the ground in India, you need to make at least a couple of visits to each location where you are considering possibly using them. The typical kind of visit as a potential customer will be with the CEO coming down to welcome you at the gate and giving you a tour of the facilities. But I would say that definitely you should also come back unannounced. Ask to see the boss again the next day when they are not expecting you to show up. See if you can still observe all the same security procedures in place in that environment. Sagi: Have you been familiar with stories of that type of second unannounced visit that yielded other information? Mark: I have certainly shown up at a couple of BPOs myself. There can be a difference definitely between the kind of unannounced visit where you just walk in, and then where you are actually greeted at the gate by the head of the company. At one particular company in Chennai, I just strolled into the campus. There was a security guard who was supposed to be checking for USB keys, cameras, phones, any kind of recording device. But I gave him just one item, which was enough to keep him happy. I gave the guy my laptop computer, but I still had a phone in my pocket and a couple of USB keys. You need to make sure that there is not just a façade of security and that it is actually a reality. The only way you can really do that is just to test them out yourself. Don’t miss Part 2 of this Q&A next month in the Advisor. The entire interview is available for sale on the IAPP’s Web site, www.privacyassociation.org. © 2007 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. Privacy. It’s your business. 
Privacy and data governance can be a compliance cost or a business enabler. KPMG helps our clients understand, prioritize, and control the risks associated with the use, transfer, storage, or management of critical information assets. Our global team provides a full range of privacy advisory services with a multidisciplinary approach that uses formalized regulatory, forensic, and technology methodologies. It’s a valuable combination that can help your business. For information, contact Doron Rotman, National Privacy Service Leader, IT Advisory at 650-404-4176, email [email protected]. www.us.kpmg.com

Ask the Privacy Expert

Readers are encouraged to submit their questions to [email protected]. We will tap the expertise of IAPP members to answer your questions.

Elise Berkower, CIPP

Q: Do any laws cover the sending of marketing messages to cell phones?

A: In the U.S. there are some statutory and regulatory restrictions on sending promotional messages to cell phones and other wireless devices. (Much of the impetus for regulation arose from the fact that consumers have to pay to receive these messages.) The laws and rules that intersect in this space are CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act) (15 USC §§7701-7713) and the Federal Communications Commission’s (FCC) Wireless Email Rule (64 CFR §64.3100), which was promulgated pursuant to CAN-SPAM and covers “mobile service commercial messages”; and the Telemarketing and Consumer Fraud and Abuse Prevention Act (TCFAP) (15 USC §6101-6108), the Telephone Consumer Protection Act (TCPA) (47 USC §227), and the Telemarketing Sales Rule (TSR) (16 CFR §310.1 et seq.) along with the national Do Not Call registry that the Federal Trade Commission (FTC) maintains (www.donotcall.gov). Some states also have their own Do Not Call registries, so telemarketers have to be familiar with those laws, too.

The easiest way to figure out which laws and rules apply to a promotional message is to look at the destination to which the message is being sent. If the destination is an email address — with a “@” and a domain — CAN-SPAM and the FCC’s wireless email rule apply. If the destination is a telephone number, then the TCFAP, TCPA and TSR apply.

CAN-SPAM covers traditional email messages, as well as text (also known as SMS or Short Message Service) messages, and MMS (Multi-media Messaging Service) messages that contain graphics, video and audio components. These formats all fall within the FCC’s definition of a “Mobile Service Commercial Message” (MSCM), assuming that the primary purpose of the message is commercial.

Under CAN-SPAM, wireless service providers were supposed to create special domains for their customers to use for sending and receiving “mobile service messages.” These specific domains are required to be listed on the FCC’s Wireless Domain Registry (available at www.fcc.gov/cgb/policy/DomainNameDownload.html).

If the primary purpose of a “mobile service message” is commercial, the sender needs “express prior authorization” from the recipient to send it. “Express prior authorization” can be obtained by oral or written means, including electronic methods. A sender may obtain the subscriber’s express prior authorization to transmit MSCMs to that subscriber in writing. Written authorization may be obtained in paper form or via an electronic means, such as an electronic mail message from the subscriber. It must include the subscriber’s signature and the electronic mail address to which MSCMs may be sent. Senders who choose to obtain authorization in oral format also are expected to take reasonable steps to ensure that such authorization can be verified.

Because the consent standard for sending Mobile Service Commercial Messages is so high, the usual practice is for commercial emailers and Email Service Providers (ESPs) to block all emails going to the domains listed on the FCC’s Wireless Domain Registry. But, in its “Primary Purpose” Rule (16 CFR §316.3), the FTC recognized that emails can contain mixed content, i.e., both commercial content and content that is not commercial. If an analysis of a message intended to be sent to an email address that contains a domain listed on the FCC’s Wireless Domain Registry concludes that the primary purpose of a mixed content message is NOT commercial, then the sender doesn’t need the recipient’s express consent to send it. It should be noted that the “express consent” requirement does not pertain to forwarded messages, unless there’s an inducement or consideration offered for forwarding the message.

The TCPA and TSR also cover telemarketing SMS (text) as well as voice messages.

The TCPA was enacted in 1991 to address certain telemarketing practices, including calls to wireless telephone numbers, which Congress found to be an invasion of consumer privacy and even a risk to public safety. The TCPA specifically prohibits calls using an automatic telephone dialing system or artificial or prerecorded message “to any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other common carrier service, or any service for which the called party is charged.” (47 USC §227[b][1][A][iii]). The TCPA defines an “automatic telephone dialing system” as “equipment which has the capacity (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” (47 USC §227[a][1]) The CAN-SPAM Act provides that “[n]othing in this Act shall be interpreted to preclude or override the applicability” of the TCPA. (15 USC §7712[a]). In 2003, the FCC released a Report and Order in which it reaffirmed that the TCPA prohibits any call using an automatic telephone dialing system or an artificial or prerecorded message to any wireless telephone number. This includes both voice calls and SMS text messaging calls to wireless phone numbers.

The Telemarketing and Consumer Fraud and Abuse Prevention Act (TCFAP) gave the FTC the authority to promulgate the Telemarketing Sales Rule (TSR) (16 CFR §310.1 et seq.). The TSR prohibits telemarketers from engaging in various deceptive acts or practices, and imposes recordkeeping requirements. One section of the TSR created the National Do Not Call Registry (16 CFR §310.4[b][1][iii][B]). If a wireless telephone number is listed on the National Do Not Call Registry, a marketer is prohibited from calling that number unless it has an “established business relationship” with the consumer. An “established business relationship” is defined as “a relationship between a seller and a consumer based on (1) The consumer’s purchase, rental, or lease of the seller’s goods or services or a financial transaction between the consumer and seller, within the eighteen (18) months immediately preceding the date of a telemarketing call; or (2) The consumer’s inquiry or application regarding a product or service offered by the seller, within the three months immediately preceding the date of a telemarketing call.” (16 CFR §310.2[n]).

As marketers seek to utilize new technologies to promote their products, they need to become familiar with existing laws under which their activities may fall, as well as to keep abreast of new legislation that may affect the ways they interact with their existing and prospective customers.

Elise Berkower, an attorney and CIPP, is the Executive Vice President of Privacy Strategy at Chapell & Associates, a leading strategic consulting firm focusing on privacy, marketing and public policy. Prior to joining Chapell & Associates, she served as DoubleClick’s Senior Privacy Compliance Officer for six years, helping DoubleClick’s ad serving, search, Web site analytics, email and direct marketing clients address privacy issues. She participates in many privacy and technology industry groups, and is a member of the Advisory Board of The Privacy Advisor. She can be reached at [email protected].

This response represents the personal opinion of our expert (and not that of his/her employer), and cannot be considered to be legal advice. If you need legal advice on the issues raised by this question, we recommend that you seek legal guidance from an attorney familiar with these laws.

Privacy Classifieds

The Privacy Advisor is an excellent resource for privacy professionals researching career opportunities. For more information on a specific position, or to view all the listings, visit the IAPP’s Web site, www.privacyassociation.org.

AVP, PRIVACY INCIDENT RESPONSE: Countrywide, Woodland Hills, Calif.
MANAGER, PRIVACY: Western Union, Englewood, Colo.
CHIEF PRIVACY OFFICER, SENIOR COUNSEL: Roche Pharmaceuticals, Nutley, N.J.
COMPLIANCE MANAGER: Entertainment Software Rating Board (ESRB), New York, N.Y.
SENIOR HEALTHCARE PRIVACY ANALYST - TMA PRIVACY OFFICE: Axiom Resource Management, Inc., Falls Church, Va.
CLIENT SERVICES MANAGER: TRUSTe, San Francisco, Calif.
PRIVACY COMPLIANCE SPECIALIST: ATB Financial, Edmonton, Alberta - CANADA
CONSULTANT OR SENIOR CONSULTANT, PRIVACY: Deloitte, Toronto, Ontario - CANADA
COMPLIANCE ANALYST I: TRUSTe, San Francisco, Calif.
PRIVACY PROJECT COORDINATOR: Allstate Insurance, Northbrook, Ill.

Regulator Chat

The Privacy Advisor Interviews Richard Thomas, the UK’s Information Commissioner and a Keynote Speaker at the IAPP Privacy Summit 07, about his Priorities and Accomplishments

The Privacy Advisor (TPA): What are your responsibilities in the UK?

Thomas: As Information Commissioner my role is to promote people’s access to official information and protect people’s privacy. On the privacy side my Office enforces the Data Protection Act and the Privacy and Electronic Communication Regulations. These implement for the United Kingdom two European Union Directives which provide a broadly harmonized approach across all 27 EU countries. The Data Protection Act safeguards the handling of personal information and provides important rights. In most situations, individuals can find out what information the state and other organizations hold about them and get it corrected if that information is wrong. Some 22,000 people contact my Office each year because they feel their privacy and other rights may have been infringed. My Office also enforces the UK Freedom of Information Act. This is relatively new legislation, but we have already played a major role in ensuring more and more official information is in the public domain, from farm subsidies to travel expenses for Members of Parliament.

TPA: Your Office recently published a well-publicized report on a Surveillance Society. Can you describe the report?

Thomas: In November I was delighted to host the 28th International Data Protection and Privacy Commissioners’ Conference in London. I called for a public debate on the implications of living in a surveillance society and I gave a serious warning that we are waking up to a surveillance society. The theme struck a chord within the UK and worldwide. To coincide with the conference, we published ‘A Surveillance Society’ — a detailed report on surveillance now and projections for what our society might be like in 2016. It describes a surveillance society as one where technology is extensively and routinely used to track and record our activities and movements. This includes systematic tracking and recording of travel and use of public services, automated use of CCTV, analysis of buying habits and financial transactions, and the workplace monitoring of telephone calls, email and Internet use. This can often be in ways which are invisible or not obvious to ordinary individuals as they are watched and monitored, and the report shows how pervasive surveillance looks set to accelerate in the years to come. As ever-more information is collected, shared and used, it intrudes into our private space and leads to decisions which directly influence people’s lives. Mistakes can also easily be made with serious consequences — false matches and other cases of mistaken identity, inaccurate facts or inferences, suspicions taken as reality, and breaches of security. At the conference, Data Protection and Privacy Commissioners from around the world agreed on a communiqué that set out how we will ensure privacy is effectively protected in the surveillance society. My Office will shortly publish a follow-up report to identify the next steps we will take as a regulator in this important area.

TPA: One of your priorities has centered on ‘pre-texting’ or ‘blagging.’ Can you tell us more?

Thomas: Yes — in the UK we use the term blagging. Personal information is usually obtained by making payments to staff or impersonating the target individual or another official. Some victims are in the public eye; others are entirely private citizens. Last year, I urged the UK Government to amend the Data Protection Act and introduce a jail term for those convicted of obtaining and selling personal information. We uncovered the existence of a widespread industry devoted to illegally buying and selling people’s personal information. I issued a special report to the UK Parliament, ‘What Price Privacy?’ which explained how some individuals trade people’s personal information, such as current addresses, details of car ownership, ex-directory telephone numbers or records of calls made, criminal records and bank account details. Private investigators, tracing agents and their operatives — often working loosely through several intermediaries — are the main suppliers. The ultimate buyers of illegally obtained personal information include journalists, financial institutions and local authorities wishing to trace debtors; estranged spouses seeking details of their ex-partner’s whereabouts or finances; and criminals intent on fraud or witness or juror intimidation. The report arises from investigations carried out by my Office, sometimes using search warrant powers. Documents seized during one raid revealed evidence of a large scale market in the trading of personal information. However, the existing penalties are low and do not have a deterrent effect. One major case resulted in conditional discharges for the perpetrators. To highlight the extent of this illegal trade, I also recently published a league table of media publications showing which are the most prolific buyers of unlawfully obtained personal information. The list is based on evidence found in just a single raid that my Office carried out at the premises of a private investigator. Recently the government confirmed that it will amend the UK Data Protection Act. I am delighted the Government has now decided to adopt my proposals to introduce tougher penalties to deter people from engaging in the deliberate misuse of personal information.
TPA: What are you doing to help the British people look after their personal information?

Thomas: New figures we released in January revealed Britons are leaving themselves vulnerable to identity theft by not taking enough care to protect their personal information. In fact, a fifth believe they have been a victim of identity crime. We conducted a nationwide survey uncovering how easy Britons make it for criminals to steal their identity. A third of those surveyed admitted to throwing away personal documents such as bank statements and receipts without shredding or destroying them, a quarter of people do not routinely check bank statements for unfamiliar transactions and almost half of those surveyed use the same PIN and password across different accounts. The research was published to coincide with the launch of a personal information toolkit, aimed at helping individuals protect their personal information more easily. We are encouraging people to use the personal information toolkit which provides individuals with advice and tips on protecting their information.

TPA: And what is the UK government doing?

Thomas: Privacy issues are now high on the news agenda in the UK. I used my annual report last year to highlight that data protection provides a valuable framework for sharing personal information across the public sector, and should not be seen as a barrier. This issue is now central to many high profile UK government initiatives, such as identity management, health and education. There are clear benefits to sharing more information — safeguarding the public, improving services and reducing costs.
However, I have stressed that government and other public bodies must retain public trust and confidence, and will only achieve this if they share personal information in a secure, lawful and responsible way. I do not want data protection to be wrongly blamed for preventing sensible information sharing, for example to detect crime, protect children at risk or prevent fraud. Electronic government initiatives which improve public services, such as online car tax renewal, show that information can be shared in entirely acceptable ways. But as more and more information is passed from one database to another, it is important to get the basics right. Trust and confidence will be lost if information is inaccurate or out of date, if there are mistakes of identification, if information is not kept securely or if reasonable expectations of privacy are not met. There must be clarity of purpose — not just sharing because technology allows it. And people must be told how their information is being shared and given choices wherever possible. Data protection should be seen as part of the solution, not as the problem. The eight core principles that underpin the Data Protection Act provide a widely supported framework to make sure personal information is collected in ways which are necessary, justified and proportionate. Getting it right — at both design and operational levels — is vital to ensure the public trust and confidence which is needed to deliver the benefits of information sharing. My Office intends to contribute constructively to government thinking and feed in data protection expertise. It is our job to promote good practice and we will be exploring ways — for example through information-sharing guidelines and promoting statutory codes of practice — to bring greater certainty and clarity to help government achieve the right balance. TPA: And what about Freedom of Information — is it working? 
Thomas: Since I have been Commissioner, we have seen the introduction of the Freedom of Information Act. The
See, Regulator Chat, page 20

IAPP in the News

Harriet Pearson, IBM’s CPO, Testifies in Support of Bill Banning Genetic Testing Discrimination

Harriet Pearson, CIPP, VP of Corporate Affairs & Chief Privacy Officer, IBM Corporation, and an IAPP board member, recently testified before a House subcommittee during a hearing on “Protecting Workers from Genetic Discrimination.” In October 2005, under Pearson’s guidance, IBM became the first major corporation to add genetics to its discrimination policy, prohibiting “current or prospective employees’ genetic information from being used in any employment decisions.”

IBM supports federal legislation preventing discrimination based on genetic information. The bill, which has passed the Senate twice in the past, was reintroduced in the House in January with bipartisan support. If passed, it would give genetic information the same confidentiality as medical records, and make it illegal for employers and insurance companies to use individuals’ genetic information when making hiring or coverage decisions. Pearson’s testimony generated media coverage, including a CNET News piece.

Current and Former IAPP Board Members Appointed to TRUSTe Board of Directors

TRUSTe, an online privacy certification organization, recently appointed Jules Polonetsky, CIPP, Chief Privacy Officer and Senior Vice President of Consumer Advocacy at AOL, and former IAPP board member, to its board of directors. Polonetsky joins other IAPP board members on the TRUSTe board, Peter Cullen, CIPP, Chief Privacy Strategist at Microsoft Corporation, and David Hoffman, CIPP, Group Counsel and Director of Privacy at Intel Corp. Hoffman is Assistant Treasurer of the IAPP Board.

Appointed along with Polonetsky to the TRUSTe board were two other new members: Jonathan Hart, a member in the Media and Information Technologies group at the law firm Dow Lohnes PLLC, and Donald Whiteside, Vice President of the Corporate Technology Group and Director of Technical Policy & Standards at Intel.

TRUSTe’s board of directors consists of 11 members selected for their strong backgrounds in a variety of industries relating to online privacy, trust and business. The board oversees the nonprofit’s long-term strategy and programs. TRUSTe is an independent, nonprofit organization that identifies trustworthy online organizations through its Web Privacy Seal, Email Privacy Seal and Trusted Download Programs certifications.

IAPP Welcomes Our Newest Corporate Members

UPDATE: Statutory Review of PIPEDA — Interview By Nymity

Background: The Standing Committee on Access to Information, Privacy and Ethics is currently conducting interviews in preparation for a report to Parliament on changes to Canada’s Personal Information Protection and Electronics Document Act (PIPEDA). Nymity, on behalf of The Privacy Advisor, recently interviewed Tom Wappel, MP, Scarborough Southwest, who also serves as Chairman of the Standing Committee on Access to Information, Privacy and Ethics.

The Privacy Advisor (TPA): How does the regulatory review of PIPEDA process work? What are the goals?

Wappel: The act mandated that a Parliamentary Committee review the operation and effectiveness of the act, five years after it came into force. This review was referred to our committee by the House of Commons. Our committee decided to hear from interested stakeholders, the public, the Minister of Industry and, of course, the Privacy Commissioner. The goals are to try to identify if there are any shortcomings in the act, based on the experience since it came into force, and make recommendations to the Minister on how to improve the act.
TPA: Who is on the committee?

Wappel: The Committee is composed of 12 Members of Parliament: 5 Conservatives, 4 Liberals, 2 Bloc Quebecois and 1 NDP member. As you can see, the opposition members outnumber the government members. This is reflective of a minority Parliament.

TPA: Who is presenting to the committee and how were they selected?

Wappel: The committee, through its Steering Committee, in consultation with the Clerk of the Committee and the committee’s research staff, decided on a list of witnesses, representative of the various groups. An invitation also was broadcast for interested parties to indicate to the clerk their interest in either appearing before the committee or submitting a written brief. Respondents also were considered by the steering committee. The goal was to have a broad and diverse group of interveners.

TPA: What have been the key areas of concern by presenters so far?

Wappel: Some presenters have felt that the act is more or less fine the way it is. Others have suggested that the Privacy Commissioner have order-making powers; that there be a definition of “work product” contained in the act; that there be some sort of mandatory security breach notification mechanism; that there be the ability to more readily exchange information if it is in furtherance of potential fraud or other criminality; that it be easier for potential purchasers to obtain relevant information from sellers prior to purchase of the business; and that there be some recognition of the speed of development of the information highway; the potential exploitation of children on the Internet; and the international aspects of the Information Age. That is just a short synopsis of some of what we have heard so far.

TPA: What are the key areas of concern for the committee?

Wappel: The key concern of the committee is to ensure that all those who wish to present either do so, submit a brief or have their concerns aired by others. We want to try to make sure that the act will operate in the fairest and most efficient way possible into the future.

TPA: What happens after the review is complete? What are the steps to amend PIPEDA?

Wappel: Upon the completion of the hearing of evidence, the committee will draft a report to the government. We hope it will be unanimous, but it may not be. There may be concurring reports with additional comments, or there may be dissenting reports, however, there will certainly be a majority report. Once the report is finalized and passed by the committee, it is presented to the House of Commons, for the attention of the government. The usual practice is for the relevant ministry to consider the report and draft a response for approval by its minister, who will then have Cabinet approve the final response, which will be tabled in the House of Commons. This may take up to 180 days approximately. The response usually contains a detailed list of the recommendations of the committee which the government will accept, or reject, with the reasons why.

TPA: What happens if an election is called?

Wappel: If an election is called before the committee issues its report, the work of the committee is effectively lost. A new Parliament will decide how it wants to deal with the fact that a report on PIPEDA has not been submitted to Parliament, despite the clear wording of the act. Usually, but not always, the new committee would adopt the evidence heard by our committee. But depending on the results of the election and the composition of the new committee, it could be “back to the drawing board.” If an election is called after the committee reports but before the government response, we would expect that the newly constituted committee would adopt the previous committee’s report, resubmit it to the new House and request a response from the new government. However, there is nothing this committee can do to bind a future committee to a particular course of action. If an election is called after the government issues its response, but before any recommendations are implemented, the newly elected government is not bound to follow the response of the previous government.

TPA: When would we expect PIPEDA to be amended?

Wappel: It is only a guessing game as to when amendments to PIPEDA would be forthcoming. I would expect that, before any major recommendation were implemented, the ministry would hold consultations with stakeholders to discuss how most efficiently to implement the changes.

TPA: In what form would PIPEDA be modified? Could the Canadian Standards Association principles be modified?

Wappel: It is too early to comment on the form of modifications to PIPEDA, if any, as we are still hearing evidence and have not yet begun to discuss our draft report.

TPA: Have there been any concerns relating to Quebec’s constitutional challenge of PIPEDA?

Wappel: The issue of Quebec’s constitutional challenge to PIPEDA has been raised by some witnesses and committee members. As far as we can tell, the matter is stalled in the courts. Until the courts advise otherwise, we have to assume that the act is constitutional.

TPA: In closing, what else is on the agenda for the committee?

Wappel: The committee’s first report of this Parliament called upon the Minister of Justice to prepare and submit to Parliament a new Access to Information Act, by December 15, 2006, for consideration by the committee. This did not happen. The committee has requested the Minister of Justice to appear before the committee this month, to discuss this issue further. The committee is also aware that the Privacy Act is in need of review and modernization.

Tom Wappel
Party: Liberal
Political Experience: First elected to the Parliament of Canada for the Riding of Scarborough West in November 1988 and again in October 1993. Elected to the Parliament of Canada for the Riding of Scarborough Southwest in June 1997, November 2000, June 2004 and January 2006. Chairman, Standing Committee on Access to Information, Privacy and Ethics; Past Chairman of the Standing Committee on Fisheries and Oceans; Member, Subcommittee on the Review of the Anti-Terrorism Act of the Standing Committee on Public Safety and National Security; Past Member and Past Chairman of the Subcommittee on National Security of the Standing Committee on Justice, Human Rights, Public Safety and Emergency Preparedness; Member, Past Chairman and Past Vice-Chairman of the Joint House of Commons and Senate Standing Committee on the Scrutiny of Regulations; Co-Chairman of the Canada-China Legislative Association and Chairman of the Canada-Hungary Parliamentary Friendship Group; Past Member of the Standing Committee on Citizenship and Immigration.
Education: University of Toronto, 1971 (B. Arts) (Pol. Sci.); Queen's University, 1974 (L.L.B.); Called to the Bar of Ontario, April 8, 1976

Nymity (www.nymity.com) provides Web-based privacy management support solutions that help organizations manage the risks that lead to a data breach, a privacy complaint and to non-compliance or over-compliance with privacy laws.

Congratulations, Certified Professionals!

The following individuals successfully passed the CIPP, CIPP/G and/or the CIPP/C exam. Please join the IAPP in saluting these graduates!

CIPP
Amy R. Adams, CIPP
Jennifer Albornoz Mulligan, CIPP
David G. Allen, CIPP
Terri L.
Barrett, CIPP Joseph P. Beckman, CIPP Heidi K. Berger, CIPP Sol Bermann, CIPP Sonia Bhaskar, CIPP Lynn A. M. Bunn, CIPP Cecil Douglas Burden, CIPP Peggy A. Byrne, CIPP Ryan M. Calo, CIPP Jeffrey M. Camiel, CIPP William G. Canellis, CIPP Michael C. Carey, CIPP William E. Carter, CIPP Helen Hoi Lam Chan, CIPP Andersen (Chi-Cheng) Chu, CIPP Frank J. Cindrich, CIPP John Charles Clark, CIPP Nicole Crawford, CIPP Bob F. Dey, CIPP Jacqueline Dixson, CIPP Troy A. Donnelly, CIPP S. Alice Duke, CIPP Stephen Luke Durkee, CIPP Svetlana Earhart, CIPP Jess C. Edwards, Jr., CIPP Christos Ekonomidis, CIPP Margaret Ann Evered, CIPP Lindsey Finch, CIPP Kevin Fitzgerald, CIPP Aaron Fontenot, CIPP Sarah B. Foster, CIPP Mari J. Frank, CIPP Nancy J. Frazee, CIPP Susan Fricks, CIPP Mary C. Gardner, CIPP Jennifer Harkins Garone, CIPP Malcolm L. Gilmore, CIPP Richard P. Goh, CIPP Miguel A. Gonzalez, CIPP Joseph P. Griffin, CIPP John G. Haley, CIPP Della Rose Hareland, CIPP Gregory P. Harry, CIPP William T. (Tony) Higgins, CIPP Brian C. Hobbs, CIPP Eva Hui, CIPP Harvey Jang, CIPP Ingrid Renee Jones, CIPP Max Kelly, CIPP Linda G. King, CIPP Phyllis R. King, CIPP Richard H. King, Jr., CIPP Aaron Gordon Kirby, CIPP Anna Leena Korhonen, CIPP Catherine Kurtz, CIPP Manuj Lal, CIPP Michael Scott Lamberth, CIPP Marion R. Lang, CIPP Steven Poh Heng Lee, CIPP Susan N. Lewis, CIPP Christopher M. Lewis, CIPP Allen Lichtenstein, CIPP Melissa M. Lippay, CIPP Mark D. Lock, CIPP Ray William London, CIPP Edward R. Mallozzi, CIPP Jan McCorstin, CIPP Sally Machiko Miyashita-Garman, CIPP Stephen Lee Mohr, CIPP Joy A. Nelson, CIPP Andy Ng, CIPP Darla Nykamp, CIPP Paul Pascalis, CIPP Mary E. Ranalla, CIPP Christine Reynon Ravago, CIPP Peter J. Reid, CIPP Geoff Richards, CIPP Nancy Elizabeth Richman, CIPP Eileen Marie Rico, CIPP Christine K. Sadlouskos, CIPP Pamela H. Sanchez, CIPP Victoria J. Sayer, CIPP Jose Antonio Sesin, CIPP Kamilah H. 
Shepherd, CIPP Satnam Singh, CIPP Alice Bradley Snowden, CIPP Marcela Samudio Price Souaya, CIPP Michael Edward Spaulding, CIPP Jacob Gregor Springer, CIPP David Andrew Stampley, CIPP Stephen L. Thomas, CIPP Joel Ford Tietz, CIPP Richard Uku, CIPP Mary S. Violi, CIPP Bobby Whitaker, CIPP Guy Williams, CIPP Anne E. Wolfe, CIPP Janet B. Wright, CIPP Ruth M. Zikaris, CIPP Sylvanus Arnold Zimmerman, CIPP CIPP/G Margaret Louise Alston, CIPP/G Aldo Francisco Castaneda, CIPP/G Rebecca Farr, CIPP/G Laura Helen Gilbert, CIPP/G Victor A. Loy, CIPP/G Judy Macior, CIPP/G Joseph Sabriam Marsh, CIPP/G Adegbola Ajibade Odutola, CIPP/G Annette C. Orr, CIPP/G Larah D. Payne, CIPP/G CIPP/C Edmund Jason Albert, CIPP/C Barbara Heather Bain, CIPP/C Parvathi Belur, CIPP/C Shannon Branton, CIPP/C Nicole Breeze, CIPP/C Nigel Brown, CIPP/C Susan Elizabeth Buchanan, CIPP/C Alec Campbell, CIPP/C Abigail Carter, CIPP/C Yim Chan, CIPP/C Chris Close, CIPP/C Don Lloyd Cook, CIPP/C Laura Davison, CIPP/C Samuel Domski, CIPP/C Fraser Duff, CIPP/C Francis Duffy, CIPP/C Andreas Faruki, CIPP/C Douglas Fawcett, CIPP/C Anita Fineberg, CIPP/C Michael Edward Fliegel, CIPP/C Marnie Fletcher, CIPP/C Anick Fortin-Cousens, CIPP/C Christyne Gauthier, CIPP/C Mark Desmond Gilligan, CIPP/C Charles Calogero Giordano, CIPP/C Robin Gould-Soil, CIPP/C Keren Groll, CIPP/C Katherina Groves, CIPP/C Jeff Green, CIPP/C Gail Guimont, CIPP/C Tanmay J. Gupta, CIPP/C Karina Guy, CIPP/C Moyra Jean Hamilton, CIPP/C Steven J. Heck, CIPP/C Andre Hiotis, CIPP/C Esther Hoh, CIPP/C Mitchell Rex Hoppenworth, CIPP/C Johnathan W. Hunt, CIPP/C Constantine Nicolas Karbaliotis, CIPP/C Cynthia E. Kenny, CIPP/C Sylvia B. Kenyon, CIPP/C Jennifer Alexis Kerr, CIPP/C Johnna Koso, CIPP/C Anne-Marie Latulippe, CIPP/C Paul Lewis, CIPP/C Sanda M. Lobo, CIPP/C Jay Loder, CIPP/C Karen Marie Massie, CIPP/C Judy Macior, CIPP/C Drew McArthur, CIPP/C Terry McQuay, CIPP/C Lorene Novakowski, CIPP/C Isabelle Ouellet, CIPP/C Anna Paton, CIPP/C Jill A. 
Phillips, CIPP/C William Rea, CIPP/C Nancy Rector, CIPP/C Alain Rocan, CIPP/C Franice Rousseau, CIPP/C John Kilian Searle, CIPP/C Della Shea, CIPP/C Anna Sheehan, CIPP/C Donald E. Sheehy, CIPP/C David T. Shuen, CIPP/C Lynn Ann Siverd, CIPP/C Jo-Ann Smith, CIPP/C Sandra O. Smith-Frampton, CIPP/C Jane Stubbington, CIPP/C Kerry-Ann Sween, CIPP/C Barbara M. Switzer, CIPP/C Richard G. Taylor, CIPP/C David J. Todd, CIPP/C Henry Tom, CIPP/C Catherine J. Travers, CIPP/C Stephen Turnbull, CIPP/C Peter Viveiros, CIPP/C Ron Wadey, CIPP/C Jean-Francois Willis, CIPP/C Bernard Woo, CIPP/C Carolyn C. Worthington, CIPP/C Stenly Yuen, CIPP/C 17 March • 2007 Privacy News Survey Reveals Lack of Medical Identity Theft Awareness esults of a survey sponsored by EpicTide, a provider of security solutions for the healthcare industry, yielded some interesting findings about consumer awareness of medical identity theft and patient safety concerns. The survey questions were designed to elicit information from consumers about the rate of medical identity theft; understanding of their patient rights; and perceptions regarding the ability of healthcare organizations to protect patient records, ensure patient safety and report security breaches. One of the key findings, according to the survey, is that nearly half of the survey participants had never heard of medical identity theft — despite the increase in medical ID theft and recent media coverage. Consumers also are mostly unaware of the consequences associated with medical identity theft, the survey found. Although respondents were somewhat able to identify examples of medical ID theft, the survey R Consumer responses to a survey asking whether they believe their healthcare providers know when someone accesses their medical records • One in two consumers believe their healthcare provider does not know when someone accesses their medical records. 
• 39.9 percent of consumers feel confident that their healthcare providers are able to secure their medical records and personal information. • 50.1 percent feel their healthcare providers are effective in protecting their medical records. Source: EpicTide concludes that additional consumer education is needed. Another critical finding of the survey is that there is a great deal of confusion among participants as to their privacy rights. Although all doctors’ offices, pharmacies and medical organizations require patients to sign a HIPAA notice, only 53 percent of survey respondents reported being asked to sign a notice of their HIPAA rights at a doctors’ office, hospital, pharmacy or other medical organization. Additionally, half of the participants responded that they did not Consumer Beliefs Regarding the Consequences of Identity Theft • 92.7 percent of respondents associate receiving bills for medical care that they did not receive as a possible consequence of medical identity theft. • 83.5 percent of respondents associate increased cost of medical insurance as a possible consequence of medical identity theft. • 82 percent of respondents associate increased cost of overall medical care as a possible consequence of medical identity theft. • Only 75 percent of respondents associate altered medical records such as allergies or blood type or severe medical errors, complications or death as possible consequences of medical identity theft. • 70.8 percent of respondents agree that medical identity theft is a cause of rising healthcare costs. Source: EpicTide 18 “The majority of survey respondents do not feel that healthcare providers are diligent about informing patients of suspected security breaches.” read the HIPAA notices that they have been asked to sign. 
The survey goes on to reveal that the greatest misperception reported in regard to patient rights is that participants believed that “employees of healthcare organizations may legally access or view their records without written consent for reasons other than providing care or medical goods, or for billing/payment purposes.” The survey also asked participants a series of questions regarding the responsibility of healthcare organizations in reporting security breaches. While just more than 98 percent responded that healthcare providers should be accountable for informing patients if they suspect patient records have been accessed or compromised without authorization, 70.8 percent do not believe that healthcare providers are diligent about informing patients of suspected security breaches. More information on accessing the survey is available at www.epictide.com. THE PRIVACY ADVISOR A Day in the Life of an Entrepreneur: Nymity’s Terry McQuay VeriChip Completes IPO T eriChip, which develops, markets and sells radio frequency identification, or RFID, systems used to identify, locate and protect people and assets, recently announced the pricing of its initial public offering. The company is offering 3,100,000 shares of its common stock at $6.50 per share, before underwriting discounts and commissions. VeriChip’s common stock will be traded on the NASDAQ Global Market under the symbol “CHIP”, according to a company news release. Merriman Curhan Ford & Co. is the book-running manager for the offering and C.E. Unterberg, Towbin and Kaufman Bros., L.P. are co-managers. In addition to the shares being offered by VeriChip, Applied Digital Solutions, Inc., the company’s largest shareholder, has granted the underwriters a 30-day option to purchase up to an additional 465,000 shares of the company’s common stock to cover overallotments, if any. 
The offering of these securities is made only by means of a prospectus, copies of which may be obtained from Merriman Curhan Ford & Co., 600 California St., San Francisco, Calif., 94108 (telephone 415-248-5600 or fax: 415-248-5690). he Toronto Star recently caught up with Terry McQuay, CIPP, CIPP/C, founder of Nymity, a startup information technology company providing online Terry McQuay risk management solutions related to privacy issues and regulatory compliance. After being tapped by The Star as a finalist in its “2007 Build a Business Challenge,” Nymity was approached by venture capital firm, Ventures West, which saw an opportunity in Nymity, especially given the growth of privacy legislation and a newly implemented Canadian law requiring companies to have a privacy officer. The Star profiled McQuay as he sat down with Robin Axon of Ventures West and explained the origin of Nymity and its growth. The article follows McQuay through a bevy of meetings on topics ranging from revamping Nymity’s Web site, to analyzing its pricing strategy to identifying a spokesperson for the business. The full article is available at www.nymity.com/about_us/TheStar.asp. Cavoukian Calls for Privacy Legislation in Ontario ntario Information and Privacy Commissioner Ann Cavoukian again pushed for privacy legislation in the province in reaction to comments from Government Services Minister Gerry Phillips. Phillips has called upon the Canadian government to force banks and retailers to notify customers about privacy breaches, but Cavoukian is in favor of provincial legislation addressing breach notification and other privacy issues. Ontario is the only one of Canada’s four largest provinces that does not O currently have private-sector privacy legislation. B.C., Alberta and Quebec currently have legisAnn Cavoukian lation in place. 
In a news release issued by her office, Cavoukian stated, “Instead of pointing to Ottawa, Ontario should be taking responsibility for bringing in its own legislation (like the three provinces cited), that will address Ontario’s privacy needs, including a key provision to require breach notification.” Americans Vote USPS #1 for Privacy he United States Postal Service was rated the number one agency Americans trust to protect their privacy, according to the “2007 Privacy Trust Study of the United States Government” conducted by The Ponemon Institute LLC. This is the third year in a row that the USPS held the top spot, attaining a privacy trust score of 83 percent. Results also T V showed that the USPS increased customer satisfaction and trust scores from last year. The study, which surveyed more than 7,000 people, identified 10 key factors — from a sense of security when providing personal information to Web site security to access to personal information — when ranking 60 federal agencies. The purpose of the study is to gauge Americans’ confidence level in the government agencies that routinely collect and use citizens’ personal information. 19 March • 2007 Calendar of Events MARCH 6-9 19 IAPP Privacy Summit 07 Renaissance Washington DC Hotel More information is available at www.privacysummit.org. 6 IAPP Certification Training CIPP/G and CIPP/C Part I: 2 p.m. 7 IAPP Certification Training CIPP: 8 a.m. CIPP/C Part II: 1 p.m. 9 IAPP Certification Exams CIPP and CIPP/C exams: 7:15 a.m. CIPP/G exam: 10:30 a.m. 13 IAPP KnowledgeNet — Toronto, Canada Speaker: Dr. Ann Cavoukian, Ontario Information and Privacy Commissioner Can You Read Me Now? The Privacy Implications of RFID. 23 Australian Law Reform Commission (ALRC) Public Forum Is Privacy Good Business Sense? Sydney Masonic Centre Sydney, Australia More information is available at www.alrc.gov.au/inquiries/current/ privacy/syd.htm. IAPP KnowledgeNet — Seattle, Wash. 
Speakers: Lynn Majors, CIPP, Principle Privacy Officer, T-Mobile, Debra Overlin, Director-HR Data Privacy, Boeing Corp., and Rob Gratchner, Director of Privacy, aQuantive, Inc. Implementing a Privacy Training Strategy. 26-27 14th National HIPAA Summit Hyatt Capitol Hill Washington, D.C. To list your privacy event in the The Privacy Advisor, email Ann E. Donlan at [email protected]. 26 IAPP Certification Training 8 a.m. 27 IAPP Certification Exams 2 p.m. Regulator Chat continued from page 13 public has a right to know what is done in their name with their taxes. This is a hugely important piece of legislation and is opening up more and more information to public scrutiny. My Office has published some powerful rulings on a wide range of issues including the cost of identity cards, Legionnaires disease, academic standards and salaries of senior officials. It is extremely encouraging to see the positive impact the Freedom of Information act is having on individuals. A great deal of information has been released since the introduction of the act, which would not otherwise have been in the public domain. I was delighted that Parliament’s Constitutional Affairs Select Committee concluded that freedom of information was proving to be a significant success. Since the Act came into force, the ICO has received some 5,000 complaints and closed around three quarters of these cases. TPA: What are some of the privacy issues on the horizon from your perspective? 20 29 IAPP KnowledgeNet — Washington, D.C. Speaker: Hugo Teufel III, Chief Privacy Officer, Department of Homeland Security APRIL 4 IAPP KnowledgeNet — Boston, Mass. Joel Winston, Associate Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission 4 IAPP KnowledgeNet — Minneapolis/St. Paul, Minn. Paul H. Luehr, Managing Director, Stroz Friedberg, LLC Responding to Data Breaches: A Forensic Perspective. 11 IAPP KnowledgeNet — New York, N.Y. 
Speaker: Gary Kibel, Attorney for Davis & Gilbert Privacy, Social Media and User Generated Content. Thomas: There is no doubt that privacy issues continue to rise fast up the agenda — politically and commercially — in the United States and worldwide. People want their privacy and personal information properly respected. Businesses and governments want to get it right. Computing power gets ever-stronger. There can be very difficult balances to draw, especially where there may be tensions with the battles against terrorism and serious crime. My Office’s overall approach is to take a practical and down-to-earth approach — simplifying and making it easier for the majority of organizations that seek to handle personal information well, but tougher for the minority who do not. One of the major hot topics is the current lack of synergy between privacy laws around the world. As pressures build for a clearer legal framework within the U.S., I want to remind everyone of the benefits of maximum global harmonization. Equally, I recognize that the EU Data Protection Directive is widely seen as excessively bureaucratic and prescriptive, not always concentrating on the priority real risks to individuals. There are current initiatives in Europe to make data protection more effective and better communicated in practice. We may not yet meet in the middle, but how much scope is there to move closer?