THE PRIVACY ADVISOR
Academy Issue
September 2007 • Volume 7 • Number 9
Editor: Kirk J. Nahra, CIPP, Wiley Rein LLP
Managing Editor: Ann E. Donlan, CIPP
Publications Manager: Ali Forman

The Privacy Advisor (ISSN: 1532-1509) is published monthly by the International Association of Privacy Professionals and distributed only to IAPP members. Nonmember subscriptions are available at $199 per year.

This Month
J. Trevor Hughes on California’s Impact on Global Security (page 2)
IAPP Privacy Academy 2007 Advance: Privacy Challenges in Latin America (page 6)
NRC Report: The Future of Privacy Regulation in the U.S. (page 12)
Global Privacy Dispatches (page 16)
Ask the Privacy Expert: Phil Gordon on Internal Investigations (page 24)
Security for Payment Card Data (page 25)
Privacy News (page 29)
Certification Graduates (page 30)
Privacy Classifieds (page 32)
IAPP in the News (page 32)
The Lighter Side of Privacy (page 33)
KnowledgeNet (page 34)
Calendar of Events (page 35)

VIEWPOINT
The Healthcare Privacy Debate Heats Up
Kirk J. Nahra, CIPP

While Congress and many others continue to discuss the appropriateness of the current enforcement approach to healthcare privacy, a broader debate is developing as to whether the existing privacy rules are reasonable and effective in today’s evolving healthcare information environment. Several key recent developments are making this debate more interesting and more active — leading to the realistic possibility that we may see new privacy rules for the healthcare industry (and the many others who use healthcare information) in the near future. The key questions will be whether any new rules will target unregulated participants in emerging health information exchange systems or whether changes will seek to regulate further the entire healthcare industry.

Electronic Health Information Exchanges Are Driving the Debate

Much of the current debate is being driven by the extensive discussions about the development of local, state, regional and perhaps national health information exchanges. This debate — encouraged by the Bush Administration push to develop a fully interoperable health information exchange by the year 2014 — is focusing attention on whether this new integrated environment requires a new set of healthcare privacy rules, at least for this environment. While many groups and entities are examining the privacy and security issues presented by health information

See, Healthcare Privacy Debate, page 3

Electronically Stored Information in Litigation
Patricia A. M. Vinci

During the past two decades, privacy professionals have witnessed technological changes in the way business records are created, maintained and regulated, requiring adaptations to their privacy management practices. During that time, parties to litigation and the courts have wrestled with the issues surrounding electronic documents. On December 1, 2006, the Federal Rules of Civil Procedure were revised to address specifically, for the first time, the area known as electronic discovery. This article provides an overview of the prominent role electronic data now plays in litigation and the implications for all data types.

Generally speaking, “discovery” refers to that part of a legal proceeding during which the parties are required by law to produce relevant information in their custody and control. Production of information takes place in many different legal situations, including civil cases among companies and individuals; criminal prosecutions; and government agency investigations. Production also may be required in other circumstances. Internal company investigations, and

See, Stored Information, page 21

Notes From the Executive Director
California’s Reach and Influence

While the U.S. Congress has yet to take action this year to adopt a California-style security breach notification law, the state’s groundbreaking statute is making a significant global impact as the UK, Australia, New Zealand and Canada mull notification mandates similar to SB-1386. The first of its kind in the U.S. when it took effect in 2003, the law requires state agencies and private-sector organizations that do business in the state to disclose the breach of any computerized system that contains the unencrypted personal information of California residents.

As other countries grapple with security breaches that go unreported in the absence of any legal requirement, the scope of California’s model statute is becoming evident as privacy advocates make their cases for a mandatory breach disclosure requirement while invoking SB-1386 as the standard. Australia’s Privacy Commissioner Karen Curtis has urged her country to consider adoption of a mandatory breach law that models the notification laws in the U.S. To bolster the case for a law that mirrors SB-1386, a Gartner analyst recently commented during the company’s IT Security Summit in Sydney that a proliferation of security breach notification laws in nearly 40 states has compelled many U.S. organizations to improve security, according to ZDNet Australia coverage of his remarks. In the past year, large-scale breaches that have reached around the globe have led parliamentary committees in the UK and Canada to recommend mandatory breach laws. New Zealand’s Privacy Commissioner Marie Shroff last month announced a draft guide for the management of security breaches, which is setting the stage for a full-scale discussion about the need for a data breach disclosure law there.

California’s impact is well-established in the arena of consumer protection and privacy. As other countries grapple with the inevitability of data breaches, California’s global reach and influence is omnipresent. In the heart of this state that has generated precedent-setting privacy legislation as well as some of the leading innovators in our information economy, the IAPP will host privacy pros for the IAPP Privacy Academy 2007, Oct. 22-24, at The Westin St. Francis in San Francisco.
The Academy will combine these forces for a provocative brew of privacy, stirred by leading privacy thought leaders, California privacy advocates and corporate influencers in the privacy profession. And in keeping with the IAPP’s tradition of serving as the conduit for privacy pros everywhere, I want to invite you to join in social networking — privacy-style — by taking advantage of an IAPP presence on Facebook, another innovation based in California. See you in San Francisco!

J. Trevor Hughes, CIPP
Executive Director, IAPP

Copyright 2007 by the International Association of Privacy Professionals. All rights reserved.

Healthcare Privacy Debate
continued from page 1

exchanges, two groups stand out that have issued important recommendations.

The AHIC Confidentiality, Privacy and Security Workgroup

One of the potentially influential groups dealing with health information exchange privacy and security issues is the Confidentiality, Privacy and Security Workgroup (CPS Workgroup) of the American Health Information Community (AHIC). AHIC is a federal advisory body chartered in 2005 to make recommendations to the Secretary of Health and Human Services on how to accelerate the development and adoption of health information technology. The workgroup was formed in May 2006; its members include representatives of both public and private entities. I chair this workgroup, which is tasked with making recommendations for privacy and security rules in this integrated environment. Recently, the CPS Workgroup issued two key recommendations that relate to how these rules should move forward.

First, a recommendation made to and adopted by AHIC at its June 12, 2007 meeting would require:

“All persons and entities, excluding consumers, that participate directly in, or comprise, an electronic health information exchange network, through which individually identifiable health information is stored, compiled, transmitted, modified, or accessed should be required to meet enforceable privacy and security criteria at least equivalent to any relevant HIPAA requirements.”

This recommendation focuses on one of the key differences between this health information exchange environment and the original HIPAA environment: a recognition that there are significant participants in health information exchanges who are not covered, either appropriately or at all, by the current HIPAA rules. Primarily, this recommendation would have an impact on:

• Healthcare providers who are not covered entities because they do not bill electronically for their services;
• Personal health records providers who provide services directly to patients, and therefore typically are not covered by the HIPAA rules at all; and
• Regional Health Information Organizations (RHIOs) and other “networks” that play a central role in these efforts, and typically are, at most, considered “business associates” under the HIPAA rules.

Our workgroup was concerned that these players are central to the operation of health information exchanges, and are important elements of emerging health information technologies. But due to the odd quirks in how the HIPAA rules were passed (focusing on healthcare portability and electronic transactions), they are not subject to the existing privacy and security rules. This recommendation is designed to bring such participants in the exchange of healthcare information within the regulated community.

A second part of our recent recommendation was designed to create a “level playing field” for all participants in these exchanges. The recommendation is as follows:

“Furthermore, any person or entity that functions as a Business Associate (as described in 45 CFR §160.103) and participates directly in, or comprises, an electronic health information exchange network should be required to meet enforceable privacy and security criteria at least equivalent to any relevant HIPAA requirements, independent of those established by contractual arrangements (such as a Business Associate Agreement as provided for in HIPAA).”

This recommendation would turn all of these participants into directly regulated “covered entities.” The goal is a “level playing field.” Our workgroup believed that different enforcement standards (for example, potential civil and criminal fines vs. breach of contract) were not appropriate, and that all participants in these exchanges should face the same rules and enforcement possibilities. This suggestion clearly is not an attack on the HIPAA requirements themselves (although some workgroup members believe HIPAA doesn’t work appropriately). Instead, this recommendation reflects a recognition that neither “industry standards,” “best practices” nor voluntary compliance are sufficient.

It also is important to recognize that this is not a recommendation to turn all HIPAA business associates into covered entities. Our recommendation relates only to those entities that participate directly in health information exchange networks, and would not affect the multitudes of entities that provide services to healthcare companies without participating in these networks.

This approved CPS Workgroup recommendation also is only a first step; next we will be tackling two important questions. First, we will look at what constitutes a “relevant” HIPAA requirement for particular “direct participants” in a health information exchange network. Clearly, some persons or entities may have an appropriate reason for not needing to meet a particular requirement. The most obvious example involves the information exchange networks themselves, which typically have no relationship with an individual patient and therefore (like healthcare clearinghouses under the current HIPAA rules) have little reason to provide a privacy notice directly to individuals. Second, we will be looking at what, if any, additional confidentiality, privacy, or security protections may be needed beyond those already contained in the HIPAA Privacy and Security Rules. Simply translated, our question will be, “Is the HIPAA standard ‘good enough’ in this context?” We will be focusing our attention on whether today’s environment for these information exchanges has material differences from the “HIPAA environment” (recognizing the difficulties in determining exactly what the HIPAA environment is) to justify new rules for these health information exchanges.

National Committee on Vital and Health Statistics

Following closely on the heels of the CPS Workgroup recommendations, the National Committee on Vital and Health Statistics (NCVHS) issued its own set of recommendations, on a generally similar topic. The NCVHS recommendations focused on both the HIPAA standards and the scope of coverage under the HIPAA rules. NCVHS raised “a significant concern… that many of the new entities essential to the operation of the Nationwide Health Information Network (NHIN) fall outside HIPAA’s statutory definition of ‘covered entity.’ ” These include a wide variety of entities that may or may not be business associates (along with a wide range of noncovered healthcare providers). NCVHS concluded that “business associate arrangements are not sufficiently robust to protect the privacy and security of all individually identifiable health information.” Accordingly, the NCVHS made the following recommendation (which is entirely consistent with the CPS Workgroup recommendation):

“HHS and the Congress should move expeditiously to establish laws and regulations that will ensure that all entities that create, compile, store, transmit or use personally identifiable health information are covered by a federal privacy law. This is necessary to assure the public that the NHIN, and all of its components, are deserving of their trust.”

Taken together, these two recommendations raise, for the integrated health information exchange community, the need to develop new privacy and security laws that ensure that the full range of entities participating in these networks all face the same rules concerning their use and disclosure of health information. These recommendations reflect a recognition of certain changes in the healthcare landscape arising from these integrated networks, and the necessity of ensuring that healthcare information is protected by a uniform standard, without some of the artificial lines drawn by the HIPAA rules.

Potential New Legislation

The next key development, however, takes these recommendations to a far broader level. Specifically, Sens. Edward Kennedy, D-Mass., and Patrick Leahy, D-Vt., have introduced new legislation (S. 1814) designed to revamp, almost from scratch, the entire landscape of healthcare privacy laws. The bill responds to the premise that “fear of a loss of privacy cannot be allowed to deter Americans from seeking medical treatment.” Without any particular focus on health information exchanges, this proposal virtually tosses out the HIPAA rules, in favor of a far more restrictive environment with significantly enhanced risks and penalties for healthcare companies.

See, Healthcare Privacy Debate, page 36

¡Viva La Privacidad!
Luis Salazar, CIPP

With so much data privacy activity focused on the United States, the European Union (EU) and Asia, it’s easy to overlook our neighbors to the south: Latin America. Ironically, the region has some of the most unique and diverse privacy laws in the world, along with a growing need for more.

The region has more than half a billion inhabitants. Trade between the U.S. and Latin America surpassed $500 billion in 2006, while trade between the EU and the region surpassed 177 billion Euros. U.S. businesses invest more than $350 billion annually in Latin America, and EU companies nearly 100 million Euros, and many, if not most, major U.S. corporations and financial institutions have subsidiaries, back-office, or other direct operations in one or more Latin American countries. Although Latin America still struggles with challenging economic issues, it expects to have more than 100 million Internet users by the end of 2007, not to mention a thriving e-commerce sector. In Mexico alone, e-commerce exceeded $38 billion last year, with estimates for the entire region to reach more than $100 billion by 2007. In fact, expectations are that a “youth boom” will continue to push this tech-savvy growth for the foreseeable future.
For data privacy professionals, Latin America’s biggest challenge is its balkanization: effectively managing data flows through 28 countries, with 28 different privacy schemes. At the upcoming IAPP Privacy Academy 2007, I have the great pleasure of participating in and moderating a panel with José Luis Piñar Mañas, the former Spanish Data Protection Commissioner, and Zoe Strickland, CIPP, the Vice President and Chief Privacy Officer of Wal-Mart, on this issue: Managing Data Privacy in Latin America. Until then, this article will cover some of the larger issues in Latin American data privacy law.

Habeas Data

Perhaps no single concept is more fundamental to understanding Latin American data privacy law than Habeas Data. Habeas Data, literally translated as ‘you should have the data,’ is a constitutional right granted to individuals in many Latin American countries and is the predominant force in the region’s data privacy law. The right of Habeas Data appears to have its origin in certain decisions of the German Constitutional Tribunal involving an individual’s data stored in third-party databases. Although its details vary by country, Habeas Data is generally the right of an individual to petition a court to help protect his or her privacy, including his or her image, honor and freedom of information. The action can be brought against anyone holding information, and it empowers the complaining party to request a correction or even destruction of personal data held by a third party.

Brazil became the first country to officially enact a Habeas Data law in 1988, when it passed a new constitution and gave Habeas Data full constitutional authority. Thereafter, Colombia adopted the Habeas Data right in its new constitution in 1991; Paraguay in 1992; Peru in 1993; Argentina in 1994; Ecuador in 1996; and Bolivia in 2004. With each subsequent enactment, Habeas Data rights became clearer.

In Brazil, the power of Habeas Data is limited to the right of an individual to access and correct data, but not to update or destroy it. A subsequently enacted Habeas Data-enabling law granted individuals the additional power to add an annotation to their data stored in a database to note that it is under legal dispute. Enforcement of the Habeas Data right in Brazil, however, can be a challenge, because venue for the action changes depending on the defendant.

When Paraguay passed its version of Habeas Data, it enhanced the definition and simplified the procedural elements. Its Habeas Data constitutional provisions not only allow an individual to access information and data available on him or herself, but also to know how the information is used and for what purpose. A petitioner can request that a court of competent jurisdiction update, correct or destroy entries if they are wrong or if they are illegally affecting his or her rights. Paraguay allows only one court, the constitutional chamber of the Supreme Court, to hear and decide all Habeas Data cases.

The Peruvian Habeas Data provisions are similar to the Paraguayan ones, but do not allow for the correction or removal of erroneous data stored in a database. They do, however, forbid the broadcast, copy, transfer or distribution of that erroneous data.

The Argentinean Habeas Data provisions further refined Habeas Data rights. Actually referred to as an “amparo,” the traditional label for certain constitutional guarantees in the Latin American civil system, the provisions include most of the previously mentioned Habeas Data rights, including the right to access data, correct it, update it or destroy it. They also forbid the broadcast or transmission of incorrect or false information, but explicitly exclude the press from such actions.

Traditionally, Habeas Data has been seen as an individual right that can only be brought and asserted by the affected individuals. More recently, Latin American courts have begun to take a broader view. For example, the Supreme Court of Argentina ruled in Urteaga v. Estado Nacional (1999) that an individual had standing to assert a Habeas Data claim for information about his brother, who was killed during Argentina’s “dirty war.” In subsequent cases, the court has reinforced this trend. It may be possible, then, that Habeas Data will eventually become one way to seek privacy remedies for groups or classes of individuals.

It is worth noting that Mexico, which does have fairly broad constitutional privacy rights, does not have Habeas Data.

Data Protection Laws

Despite this rich and unusual Habeas Data tradition, several Latin American states also have adopted data protection laws, some based on the European model. In November 2000, for example, Argentina passed The Law for the Protection of Personal Data (the LPDP), which is based on the EU Data Protection Directive and the Spanish Data Protection Acts of 1992 and 1999. The LPDP contains the data privacy legal provisions most privacy professionals are used to: general data protection principles, obligations of data controllers, a supervisory authority, sanctions and more. But perhaps most importantly, it bars transfer of personal information to countries without legal systems that “adequately protect” that data. In fact, the EU has determined that Argentina meets the requirement of the EU directive and provides an adequate level of personal data protection.

A bill proposing a similar data protection scheme has been proposed and has been pending in Brazil for several years. More EU-type data laws may be coming, as El Salvador and other Central American countries signed a Political Dialog and Cooperation Agreement with the EU and several member states. That agreement provides that the parties will work to cooperate and protect the processing of personal data and will work toward the free movement of personal data among their jurisdictions. On the other hand, Mexico has 27 different statutes that address data privacy, but no comprehensive data protection plan, nor immediate plans to enact one.

Chile, which never enacted Habeas Data, was the first Latin American country to enact a data protection statute: The Law for the Protection of Private Life, passed on October 28, 1999. That law covers the intake and use of personal data in both the public and private sectors, as well as the rights of individuals to access, correct and control that data. The law covers the use of financial, commercial and banking data, and addresses governmental use of private data.

All in all, as data privacy issues become more complex and numerous, Latin American countries appear ready to respond with more comprehensive data protection laws.

Spam and Internet Regulations

Just like the rest of the world, “El Spam” drives Latin American Internet users crazy. A number of Latin American countries have passed laws to respond to the spam challenge, with perhaps the most well-known of these being Section 27 of the 2000 Argentinean Data Protection Law. Among other things, that law gives recipients the right to opt out of spam. In a recent case, plaintiffs successfully sued a spammer who did not comply with the law and continued to send unsolicited emails. The court enjoined the spammer and awarded damages. Peru enacted a “Ley AntiSpam” which recently was the subject of what most likely will be a precedent-setting decision fining a Peruvian spammer $5,458 for repeated violations. Notably, this successful effort was made possible by the dedication and persistence of the author of the “Peru Sin Spam” (Peru Without Spam) blog.

Likewise, spyware is no less a problem in the region than in the U.S. or the EU. In Argentina, the LPDP makes spyware illegal because it bars the surreptitious collection of data. Enforcement of these restrictions, however, would likely be by means of an individual bringing a Habeas Data action against a spyware user, probably a fruitless effort. In Chile, spyware likely would be covered by the Ley Contra Delitos Informáticos (The Law Against Information Crimes), which makes the destruction of a computer or unlawful access to its contents a crime punishable by a one- to five-year prison term.

Influential Players

There are a number of entities actively shaping the future of data privacy in Latin America. The Ibero American Data Protection Network (IDPN), in particular, appears to have the broadest impact across the region. Founded by the Spanish Data Protection Agency, and formerly headed by our panelist Dr. Piñar Mañas, it conducts various outreach efforts to promote data protection laws similar to the EU Directive. Its efforts are credited with leading to the passage of Argentina’s LPDP and its qualification as an acceptable country under the EU Directive. The LPDP’s passage also created another influential body, the Argentinean Data Protection Agency. It is charged with enforcement of the law and is generally thought to have the potential to take precedent-setting actions with potentially region-wide repercussions.

Chambers of commerce and other business associations also have actively promoted good privacy principles. In Mexico, for example, the Mexican Internet Association (AMIPCI), along with the Ministry of the Economy and the Office of the Federal Attorney for Consumer Protection, introduced the AMIPCI trusted site seal, designed to identify sites that comply with data privacy regulations, properly use personal data and reduce bad Internet practices.

Finally, there are a number of private commentators and critics who champion data privacy, and closely monitor the many twists and turns of its development. Perhaps the best known of these is habeasdata.org and its related state-specific habeas data blogs. These sites deserve credit for raising the profile of data privacy throughout the region.

Conclusion

The overview in this article is only “la punta del iceberg.” Data privacy impacts so many other areas of the Latin American economy: money wiring, mobile phone use and marketing, travel requirements, bank secrecy laws, labor, and much more. A more in-depth discussion of privacy in Latin America will be provided at the Academy, which will feature more than 120 speakers during the three-day event, Oct. 22-24, at The Westin St. Francis in San Francisco.

Luis Salazar is a shareholder with the international law firm of Greenberg Traurig, and a founding member of its Data Privacy and Security Law Taskforce. A Certified Information Privacy Professional, Luis is also a member of the firm’s Latin American Practice Group, and is based in Miami. He may be reached at +305.579.0751.
22-24: International Association of Privacy Professionals 11 September • 2007 VIEWPOINT National Research Council Report Discusses Possible Future of Privacy Regulation in the U.S. Jacqueline Klosek, CIPP he prestigious National Research Council (NRC) recently issued a comprehensive report on privacy and technology in the digital age. In addition Jacqueline Klosek to providing a very thoughtful and detailed overview of privacy, the report outlines the need for a national privacy commissioner or standing privacy commission to provide ongoing and periodic assessments of privacy developments. T 12 www.privacyassociation.org Exceeding 450 pages, the report, “Engaging Privacy and Information Technology in a Digital Age,” examines the past present and future of privacy in great detail. It also provides recommendations on the future of privacy regulation. While its value as a tool for prognosticating the near-term future of privacy remains questionable, it is a thought-provoking read for individuals interested in privacy issues. History of the Report The NRC, a body organized by the National Academy of Sciences (NAS) in 1916 to advise the federal government, assembled a committee of 16 people with a fairly broad range of expertise, including senior individuals with backgrounds in information technology; business; government; consumer protection; liability; economics; and privacy law and policy. From 2002 to 2003, the committee held five meetings to explore a wide range of different viewpoints. For example, briefings and/or other input were obtained from government officials at all levels, authorities on international law and practice relating to policy, social scientists and philosophers concerned with personal data collection, experts on privacy-enhancing technologies, business representatives concerned with the gathering and uses of personal data, THE PRIVACY ADVISOR consumer advocates, and researchers who use personal data. 
Findings and Recommendations

An overriding theme present in the findings was that privacy is ever-evolving and highly contextual. The researchers contended that one's view of privacy and interpretation of its value and importance will often vary, depending upon the circumstances, including the situation and relationships at hand, the intentions of the parties involved, and other contextual factors. Despite the contextual factors impacting privacy, the report's authors still found that the loss of privacy can, and often does, result in significant harm to individuals and groups. Ultimately, the report concluded that privacy is an important value that should be protected.

Select Recommendations

The report placed a lot of attention on the role of the government in the privacy equation. As a result, many of the recommendations were focused on the government:

• Governments at various levels should establish formal mechanisms for the institutional advocacy of privacy within government. The report made the case for the establishment of a national privacy commissioner or standing privacy commission to provide guidance on privacy developments. While this is a viable approach in many other countries that have implemented national privacy commissioners with broad oversight, it is questionable whether this well-founded approach has enough support in the U.S.

• The U.S. government should undertake a broad systematic review of national privacy laws and regulations. Privacy advocates have long criticized the U.S. for having a piecemeal approach to privacy. For some time now, many individuals have contended that the sectoral approach to privacy should be replaced with a system that is much more comprehensive. Back in the late 1990s, when the main European privacy directive was coming into force, there seemed to be a fair amount of momentum toward enacting a comprehensive privacy law in the U.S.
However, since then, privacy has taken a large step back, and it seems there are many reasons to be skeptical about the passage of a comprehensive privacy law in the United States any time soon.

• Government policy makers should respect the spirit of privacy-related laws. The report's authors observed that various governmental bodies have important roles to play in protecting individual privacy rights. However, they concluded that the existing legal and regulatory framework surrounding privacy is still a patchwork that lacks consistency. As a result, the authors suggested that policymakers pursue a less decentralized and more integrated approach to privacy policy and regulation.

• Congress should pay special attention to, and provide special oversight over, the government's use of private sector organizations to obtain personal information about individuals. During the past few years, increased governmental demands for data from the private sector have raised major concerns among privacy advocates. The authors recognized this and suggested that Congress begin to focus more closely on these issues.

• Governments at all levels should take action to establish the availability of appropriate individual recourse for recognized violations of privacy. In the report, the experts observed that the availability of individual recourse for recognized violations of privacy is an essential element of public policy regarding privacy. They contended that the lack of sufficient recourse is a weakness of the present U.S. system.
The report also contained a number of recommendations that are applicable to the private sector:

• The FTC principles of fair information practice should be extended as far as reasonably feasible to apply to private sector organizations. The principles of fair information practice for the protection of personal information, first enunciated back in a 1973 report of the U.S. Department of Health, Education and Welfare, are, according to the committee, still of great relevance today. The report suggests that private sector enterprises should abide by such fair information principles.

• Organizations with self-regulatory privacy policies should take both technical and administrative measures to ensure their enforcement. In addition, organizations should routinely test whether their stated privacy policies are being fully implemented; produce privacy impact assessments when they are appropriate; strengthen their privacy policy by establishing a mechanism for recourse if an individual or a group believes they have been treated in a manner inconsistent with an organization's stated policy; and establish an institutional advocate for privacy. While acknowledging that companies operating in the private sector can develop and implement self-regulatory regimes for protecting personal data, the authors also expressed concern that self-regulation is limited as a method for ensuring privacy. At the same time, however, they did acknowledge that self-regulation does provide some level of protection that might not otherwise be available to the public.

• Where policy decisions require that individuals shoulder the burden of protecting their own privacy, law and regulation should support that goal. In order to enhance privacy, individual, organizational and public policy actors all have roles to play.
Individuals can take a number of steps to enhance the privacy of their personal data as well as to become better informed about the extent to which their privacy has been compromised, although the effectiveness of these measures is bound to be limited.

Likely Impact of the Report

The report is comprehensive, but it has been subject to a fair amount of criticism. For one, it contains so many recommendations that the report's value is watered down. Instead, the report's authors may have been better advised to focus on a smaller number of critical issues. In addition, there are real questions about the practical value of many of the recommendations. This may be due in part to the fact that many of the report's authors were academics. Arguably, it would have been more advantageous to have more practitioners and privacy advocates on board. Finally, and perhaps most significantly, there seems to be very little political will for movement on these issues at this time. Indeed, all indications suggest that the present administration is of the view that privacy should take a backseat to expansive information collection efforts that are even tangentially connected to the ongoing War on Terror. At the same time, while there has been a fair amount of attention on discrete aspects of privacy and data security, in particular the legislative response to data security breaches, there has not been a lot of serious focus on efforts to enact a comprehensive federal privacy law. In sum, although the report is an interesting read, there is little reason to hope that it will actually lead to significant changes in privacy regulation.

Jacqueline Klosek is Senior Counsel with Goodwin Procter LLP, where she specializes in privacy and intellectual property. She is the author of many publications concerning privacy law, including the recently published War on Privacy (Praeger, 2006). She may be reached for comment at: [email protected].
A free Executive Summary of the report, "Engaging Privacy and Information Technology in a Digital Age," is available at: www.nap.edu/catalog/11896.html. Information about obtaining the full report is also available on the Web site of the NAP at www.nap.edu.

Global Privacy Dispatches

AUSTRALIA

By KK Lim

Government to Provide Single Source of Biometric Identification

Biometric data of foreigners entering Australia will be stored in a central repository for identification, verification and cross-checking by departments of the Australian Government. The Department of Immigration and Citizenship (DIAC) is expected to provide a single source of identification for all DIAC clients. The 3-year management strategy is covered under the Migration Legislation Amendment (Identification and Authentication) Act of 2004 and will employ facial and iris scanning and fingerprinting for foreigners entering Australia. DIAC reports that identity fraud costs Australia about $1 billion per year.

Search of Homes, Computers Draws Opposition

"Sneak and peek" laws enabling federal police to search homes and computers without notification, plant listening devices and reduce oversight of undercover operations involving police officers are opposed by lawyers and other concerned civil liberty groups on the basis that such powers should be used only against terrorism and organized crime.
Australia Moves Toward Security Breach Notification Law

A security breach notification law is likely to be recommended by the Australian Law Reform Commission in its discussion paper to be released soon, with the final report to be submitted to the Federal Attorney General early next year. Breach notification laws require companies to inform their customers of a security breach involving their customers' information under certain conditions. Meanwhile, Australian Democrat Senator Natasha Stott Despoja has introduced to Federal Parliament a proposed amendment to the Federal Privacy Act that introduces data disclosure laws to Australia. The Privacy (Data Security Breach Notification) Amendment Bill 2007 would obligate a corporation or government agency to inform individuals affected by any release of personal and financial data to unauthorized parties.

Update on Workplace Surveillance Bans

The State of Victoria has banned employers from using listening or optical surveillance devices such as cameras in workplace toilets and bathrooms, or communicating or publishing materials obtained from such activities. Surveillance is allowed on grounds of national security, based on a warrant or due to licensing requirements. The State of New South Wales allows surveillance of workers if notice is given in advance or on a magistrate's order to determine criminal activity by workers.

KK Lim is the Chief Privacy Officer (Asia Pacific) at IMS Health Inc. He may be reached at [email protected].

CANADA

By Terry McQuay, CIPP, CIPP/C

On August 1, 2007, the Privacy Commissioner of Canada published guidelines designed to help private-sector organizations respond to a breach of personal information.
These voluntary guidelines call on businesses to notify people that their personal information has been compromised in cases where the breach raises a risk of harm, for example, if there may be a risk of identity theft or fraud in cases where sensitive personal information has been lost or stolen. The guidelines were developed by the privacy commissioner with participation from the Offices of the Privacy Commissioners of British Columbia and Alberta, private-sector businesses and business associations, and consumer advocacy organizations.

The guideline provides for the following four steps:

Step 1: Breach Containment and Preliminary Assessment — includes guidance regarding:
• Containing the breach;
• Designating an appropriate individual to lead the investigation;
• Determining the need to assemble a team, including representatives from appropriate business areas;
• Determining who needs to be aware of the incident and escalating as appropriate;
• Notifying police, if the breach appears to involve theft or other criminal activity;
• Taking care not to compromise the ability to investigate the breach.

Step 2: Evaluate the Risks Associated with the Breach — provides guidance in determining the:
• Nature of the personal information involved;
• Cause and extent of the breach;
• Individuals affected by the breach;
• Foreseeable harm from the breach.

Step 3: Notification — provides guidance regarding:
• Notification to affected individuals — considering:
  - Legal or contractual obligations;
  - The risk of harm;
  - Where "reasonable" risk of identity theft or fraud exists;
  - The risk of physical harm;
  - The risk of humiliation or damage to reputation;
  - The ability of the individual to avoid or mitigate possible harm.
• When to notify, how to notify and who should notify:
  - When — as soon as possible, unless a delay is requested by law enforcement authorities;
  - How — the preferred method is direct (i.e., phone, letter, email), but indirect may be appropriate in some circumstances;
  - Who — generally, the organization that has a direct relationship with the customer (including when a breach occurs at a third-party service provider).
• What should be included in the notification, for example:
  - Information about the incident;
  - What personal information was affected by the breach;
  - What the organization is doing to assist individuals and what individuals can do to mitigate potential harm;
  - Contact information of person(s) within the organization and for the appropriate privacy commissioner(s).
• Others to contact, such as:
  - Privacy Commissioners;
  - Police;
  - Credit card companies, financial institutions or credit reporting agencies;
  - Professional or regulatory bodies;
  - Other internal or external parties such as third-party contractors, labour unions, etc.

Step 4: Prevention of Future Breaches — provides guidelines concerning:
• Investigating the cause of the breach and considering whether to develop a prevention plan;
• Considering whether to include a requirement for an audit to ensure that the prevention plan has been fully implemented.

The new guidelines, as well as a privacy breach checklist, are available on the privacy commissioner's Web site, www.privcom.gc.ca.

Terry McQuay, CIPP, CIPP/C, is the Founder of Nymity, which offers Web-based privacy support to help organizations control their privacy risks. Learn more at www.nymity.com.
EU

By Shannon Ballard, CIPP/G, and Lauren Saadat, CIPP/G

The EU recently agreed upon legal texts governing the Visa Information System (VIS) and the exchange of data between member states on short-stay visas and visa applications from third-country citizens who wish to enter the EU's Schengen area. The VIS is composed of a European central database, which is connected to the national systems to enable competent member state authorities to enter and consult data on visa applications and related decisions. The personal data from visa applications stored in VIS will include biometrics (photographs and fingerprints) and written information such as the name, address and occupation of the applicant, date and place of the application, and any decision taken by the responsible member state to issue, refuse, annul, revoke or extend the visa. The Visa Information System will store data on up to 70 million people, and will become the largest 10-fingerprint database in the world.

The new legal texts define the purpose, functionalities, and responsibilities for the VIS, and establish the conditions and procedures for the exchange of visa data between member states. They also describe certain safeguards, in relation to the fair information principles, to protect personally identifiable information.

Shannon Ballard, CIPP/G, and Lauren Saadat, CIPP/G, are Associate Directors of International Privacy Policy at the U.S. Department of Homeland Security. They can be reached at [email protected] and [email protected].

MALAYSIA

Credit Reporting Company Faces Lawsuits

Lawsuits rained on a credit reporting company in Malaysia due to outdated credit reports on banks' prospective customers.
Credit Tip Off Service (CTOS) was slapped with a number of lawsuits from people who were denied credit cards and loans from banks based on their credit reports. Other complaints against the company included allegedly failing to update its records, delays in reacting to complaints and feedback, and selling information to an ex-spouse of a complainant. Calls have been made by members of Parliament to implement a data privacy law to prevent such incidents. Banks have been directed by the government to seek permission from borrowers before accessing their credit histories from third parties. — KK Lim

PHILIPPINES

High Court Rejects Petition to Restrain Implementation of Anti-Terror Law

The Supreme Court has rejected a petition by various groups to restrain the government from implementing an anti-terrorism law. These groups claimed that the law is unconstitutional as it violates provisions in the Bill of Rights such as the right to privacy, due process, freedom of expression, etc. In addition, it could be used for political harassment and persecution. The government's aim is to use the law against terrorist groups such as Abu Sayyaf and Al-Qaeda. — KK Lim

SINGAPORE

Groups React to Proposal for Mandatory AIDS Testing

Compulsory testing for AIDS for high-risk groups in hospitals was proposed by one family-oriented welfare group, Focus on the Family.
This proposal came in response to a report released by the Ministry of Health on anonymously collected blood samples from 3,000 hospital patients. The report revealed that 0.28 percent of those who thought they were HIV-free were in fact HIV positive. This works out to one in every 350 hospital patients being HIV positive, posing a threat to health workers attending to them. Since 2004, pregnant women in Singapore have been subjected to an opt-out HIV test as part of standard health screening. Groups like the AIDS Business Alliance and Action for AIDS said the proposal was a violation of privacy, discriminatory, and would have the opposite effect of helping those with the disease. — KK Lim

THAILAND

Anti-Censorship Group Opposes New Cyber Crime Law

Police can seize computers from businesses and homes under a new cyber crime law to crack down on Internet pornography. A maximum 20-year prison term is applicable for offenders under the new legislation. Freedom Against Censorship Thailand is opposing the measure, citing it as an invasion of privacy. Censorship has been on the increase since the military coup last year, with the government blocking sites critical of the King or supportive of ousted former Premier Thaksin Shinawatra. — KK Lim

UK

By Eduardo Ustaran

Jail for Privacy Regulator Impersonator

A fraudster from Chester in England was sentenced to 20 months in prison after pleading guilty to fraudulently obtaining more than £400,000 from a number of businesses in the area. Between December 2002 and April 2004, Christopher J. Williams of Hoole deceived businesses into believing he was an agent working on behalf of the Information Commissioner's Office. He sent fake forms to companies requiring them to register under the Data Protection Act and demanding they pay him a fee of between £95 and £135. Unlike in most European jurisdictions, making a data protection filing in the UK is not free. The official fee is £35.
Williams, along with one other man, ran a number of bogus agencies which directly targeted businesses.

Guidance for Fingerprinting in Schools

According to recent guidance from the Information Commissioner's Office, when a school intends to take fingerprints, it should inform and consult pupils about the use of their personal information. A school should explain the reasons for introducing the system, how personal information is used and how it is kept safe. Some pupils, because of their age or maturity, may not understand the sensitivities involved in providing a fingerprint. Therefore, where a school cannot be certain that a child understands the implications of giving their fingerprint, the school must fully involve parents to ensure the information is obtained fairly. In circumstances where children are not in a position to understand, failure to inform parents and seek their approval is likely to breach the Data Protection Act. In addition, information should be processed on a suitably designed IT system, in which templates cannot readily be used by computers running other fingerprint recognition applications.

Eduardo Ustaran is a Partner at Field Fisher Waterhouse LLP, based in London. He may be reached at [email protected].

Stored Information, continued from page 1

merger or acquisition due diligence, are two examples. The "electronic" part of electronic discovery refers to information stored electronically, as opposed to hard copy (paper). Studies show that more than 90 percent of new information is now stored on computers and computer storage media, and in huge volumes. The term now used in the U.S. to refer to this data is "Electronically Stored Information," or ESI, as a result of the amendments to the Federal Rules of Civil Procedure. Although this article focuses on ESI, the principles outlined here can apply to all forms of information.
The Fulbright & Jaworski 2005 Annual Trends in Litigation Survey found that nearly 90 percent of U.S. corporations were engaged in lawsuits involving electronic discovery, the number one concern of corporate counsel. One of the reasons that ESI causes such alarm is its volume. Massive volume is a result of a number of factors, such as numerous and proliferating sources of ESI; multiple reproduction of the same item; ease of creation and retention; and the relatively low cost of storage compared to the paper volume equivalent. Electronic discovery is a deceptively simple term for a complex undertaking that can frustrate lawyers and their clients unprepared to meet the legal obligations of any ESI production scenario. By combining their knowledge of the changing privacy landscape with an understanding of electronic discovery, privacy professionals can contribute to their companies' electronic discovery preparedness.

One way to understand the importance of the electronic discovery process and its impact on any participating organization is to start at the end of the ESI story, when ESI is offered as evidence. All relevant information involved in the situations described previously is potential evidence. However, it will not be useful as evidence unless its origins can be reliably confirmed, that is, legally authenticated. Electronic evidence, such as email messages, memos and spreadsheets, must be authenticated to be useful evidence. But ESI is intangible, despite the fact that we see portions of it on our computer monitors. Therefore, knowing the possible end of the story (ESI as evidence), this article reviews the process from the perspective of a company's counsel charged with the task of conducting electronic discovery on behalf of a producing corporate client.
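The authentication point above, and the later requirement that collection be "forensically sound" with a documented chain of custody, come down to one practical question: can the company show, file by file, that what it offers as evidence is exactly what was collected? The following is an added example, not code from the article or its author, of the usual way that is done: hash every collected file at acquisition time, record the hashes in a manifest together with a custody log of who handled the set and when, and re-verify the manifest later to expose any alteration, deletion or addition. The custodian, examiner, device name and file contents are constructed sample values.

```python
"""Hash manifest plus chain-of-custody log for a collected ESI set.

Added example, not code from the article. Every file in the collected tree is
hashed (SHA-256) and recorded in a manifest with a custody entry; later, the
manifest is re-checked against the files to show that nothing was altered,
removed or added since collection. Names and contents are constructed samples.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream files in 1 MiB pieces so large mailboxes are not loaded whole


def _now():
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path):
    """SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _hash_tree(root):
    """Map relative path -> (sha256, size) for every file under root."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = (sha256_file(full), os.path.getsize(full))
    return found


def build_manifest(root, custodian, collected_by, source):
    """Hash the collected tree and open the chain-of-custody log."""
    files = {rel: {"sha256": digest, "size": size}
             for rel, (digest, size) in sorted(_hash_tree(root).items())}
    return {
        "custodian": custodian,   # the key individual whose data this is
        "source": source,         # device or system it was acquired from
        "files": files,
        # digest over the file table itself, so the manifest can be sealed or signed
        "manifest_sha256": hashlib.sha256(
            json.dumps(files, sort_keys=True).encode()).hexdigest(),
        "custody": [{"action": "collected", "by": collected_by, "at": _now()}],
    }


def record_transfer(manifest, from_person, to_person):
    """Append a hand-off to the custody log (append-only; earlier entries are never edited)."""
    manifest["custody"].append(
        {"action": "transferred", "from": from_person, "to": to_person, "at": _now()})
    return manifest


def verify_manifest(manifest, root):
    """Compare the tree with the manifest; report altered, missing and unexpected files."""
    expected = manifest["files"]
    found = _hash_tree(root)
    altered = sorted(p for p in expected
                     if p in found and found[p][0] != expected[p]["sha256"])
    missing = sorted(p for p in expected if p not in found)
    unexpected = sorted(p for p in found if p not in expected)
    return {"ok": not (altered or missing or unexpected),
            "altered": altered, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: collect three files, hand them off, then tamper and re-verify."""
    sample = {  # constructed sample content, not real data
        "mail/2007-03-01.eml": b"From: alice@example.com\r\nSubject: Q1 forecast\r\n\r\nSee attached.\r\n",
        "docs/memo.txt": b"Draft memo, do not circulate.\n",
        "docs/budget.csv": b"line,amount\ntravel,1200\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(root, custodian="A. Custodian (constructed)",
                                  collected_by="examiner-1", source="laptop LT-0042 (constructed)")
        clean = verify_manifest(manifest, root)          # right after collection: everything matches
        record_transfer(manifest, "examiner-1", "outside counsel")
        # Post-collection edit and deletion, the kind of spoliation a hold is meant to prevent
        with open(os.path.join(root, "docs/memo.txt"), "ab") as f:
            f.write(b"edited after collection\n")
        os.remove(os.path.join(root, "docs/budget.csv"))
        tampered = verify_manifest(manifest, root)       # now reports the altered and missing files
    return manifest, clean, tampered


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps({"before": before, "after": after, "custody": m["custody"]}, indent=2))
```

The manifest's own digest is what an examiner would sign or countersign at each hand-off; the custody list is appended to, never rewritten, so the record of who held the data matches the timeline the hashes vouch for. The same check applied to a backup tape image or a mailbox export, rather than a directory of files, is the same idea with a single hash.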
Preservation of ESI

Clients' and counsels' discovery responsibilities may begin even before a formal notice of legal action. Some jurisdictions require the preservation of potential evidence when the possibility of litigation becomes known or can reasonably be anticipated. In the discovery context, preservation of information is the company's first and fundamental duty. The competent fulfillment of that duty must begin with the company's record retention and destruction procedures. Privacy experts within a company often possess detailed insight into the Records Retention Policy and Procedure, especially if they have participated in its creation, revision, maintenance and/or oversight. That expertise can prove crucial to the company when lawyers communicate the requirement of a "litigation hold," which is the suspension of routine document retention and destruction policies for the purpose of saving all potential evidence from destruction or alteration. "Spoliation" of evidence (its alteration or destruction) can result in serious consequences to both the company and its counsel, such as monetary sanctions and presumptions of law against the company (such as the inference of deliberate destruction).

It is neither enough as a legal matter, nor as a practical matter, to tell certain individuals within an organization to "place a hold" on its destruction schedule. Detailed instructions must be promptly articulated to everyone in the company who may have access to relevant information. The definition of relevant will vary from case to case and must be delineated in several ways. All possible sources of relevant ESI must be identified.
ESI resides in many locations, such as: desktop personal computers' hard drives; laptop computers; handheld devices (any personal digital assistant, or "PDA," and mobile phones); email systems; servers; backup and archival tapes and other such media; CDs; DVDs; disks (e.g., floppies, Jaz, zip); voice mail files and their back-ups; and instant messaging records. This step also requires that key individuals (custodians) in the particular matter are identified and their information is given special preservation attention.

The scope of the preservation duty is broad. It encompasses information not only known to be relevant to pending claims and defenses, but also that which is reasonably calculated to lead to the discovery of admissible evidence, and is reasonably likely to be requested.

The Federal Rules of Civil Procedure require counsel to "meet and confer" about their lawsuit's electronic discovery and to make detailed disclosures. These mandatory meetings and disclosures occur very early in the life of the case. Including an e-discovery consultant sooner rather than later can keep the focus on the merits of the case and save the company time and money in the long run.

Collection/Acquisition

Collection of the discoverable information is next. The process of acquiring needed information must be done in a forensically sound manner, usually accomplished by experts, so that no ESI is inadvertently altered, destroyed, or missed, and so that the chain of custody is documented and preserved. Again, think ahead to the end of the story, when the company's attorney needs to use a particular email message as evidence in the company's defense. Success at that point may turn on proper collection techniques that took place early in the discovery process. Winning pre-trial discovery disputes may depend upon the effectiveness of the litigation hold and upon the historic, consistent implementation of the records retention policy. That policy must have demonstrated both the detailed, systematic control of information plus defensible compliance with the retention and destruction schedule prior to the start of the litigation hold.

See, Stored Information, page 35

Ask the Privacy Expert

Readers are encouraged to submit their questions to [email protected]. We will tap the expertise of IAPP members to answer your questions.

Q: Internal investigations have become an integral part of managing an organization as employers confront an increasingly wide range of employee misconduct. Because investigators often surreptitiously collect information which the target considers private, and the results of which can ruin a career, internal investigations can expose an employer to civil, and even criminal, liability as well as bad publicity. What are some of the steps which can be taken to reduce an organization's exposure?

A (Phil Gordon):

Involve both Human Resources and Privacy Professionals in Internal Investigations. In many organizations, workplace privacy issues fall into a chasm between the HR Department, focused on employee relations but not privacy, and the privacy professionals, focused on consumer data protection. While HR professionals have become increasingly sensitized to privacy issues, they may not have the in-depth knowledge and "gut instincts" about privacy of a privacy professional. Having the input of both of these branches of the organizational chart will help to reduce risk.

Determine How Your Organization Will Lawfully Examine the Target's Email Without the Target's Express Consent. Unconsented review of email is a staple of internal investigations. Email stored on the organization's own servers generally is fair game provided that the organization has implemented and enforced a carefully drafted electronic resources policy which puts employees on notice that their stored email is subject to review in the organization's sole discretion. Members of the investigative team should be ready to raise red flags, and involve knowledgeable legal counsel, in more complex situations which inevitably will arise. For example, can the organization review email stored in an employee's company-provided, Web-based email account? What about work-related email stored on an employee's personal Blackberry? When is real-time interception of email permissible?

Vet and Control Your Private Investigators. Hiring, and contracting with, private investigators should be subject to the same due diligence and care applied to vendors entrusted with sensitive consumer information. Hire only those private investigators whom you are convinced will abide by the law's limits. Memorialize the relationship in a written agreement in which the private investigator, at a minimum, represents and warrants that it will use only lawful investigative techniques and will indemnify the organization for any damages resulting from a failure to do so. Require that the investigator describe and obtain approval for all investigative techniques to be used. Keep in mind that under agency law principles, your organization cannot avoid liability by turning a blind eye to the investigator's actions.

Comply With the Fair Credit Reporting Act. If your organization relies upon a private investigator to conduct an internal investigation of suspected misconduct related to employment, your organization must comply with the Fair Credit Reporting Act (FCRA) before taking adverse action based, in whole or in part, on the investigator's report. Under the FCRA, the report can be disclosed only to the employer and its agents, government agencies, pertinent self-regulatory bodies and as required by law. In addition, the employer must provide the subject of the report with a summary of the nature and substance of the report. The sources of information in the report, however, need not be disclosed.

Philip Gordon is a shareholder in Littler Mendelson's Denver office and chairs the firm's Privacy and Data Protection Practice Group. He also authors the blog "Workplace Privacy Counsel" (www.workplaceprivacycounsel.com). He can be reached at [email protected] or +303.362.2858.

This response represents the personal opinion of our expert (and not that of his/her employer), and cannot be considered to be legal advice. If you need legal advice on the issues raised by this question, we recommend that you seek legal guidance from an attorney familiar with these laws.

New Liability Under State Law Stresses Need for Strong Data Security for Payment Card Data

Heidi C. Salow, Jim Halpert and David Lieber

Merchants striving to comply with the Payment Card Industry Data Security Standard (PCI DSS) now have additional reason to focus on the security of payment card data. In late May, Minnesota became the first state to hold merchants strictly liable for costs incurred by financial institutions that assist consumers following the discovery of a security breach.
This new Minnesota security breach law codifies one aspect of the PCI DSS by prohibiting entities conducting business in Minnesota from retaining credit or debit card security code data, PIN verification codes, or the full contents of any track of magnetic stripe data for more than 48 hours after the authorization of a transaction. The credit and debit card data retention provisions became effective on August 1, 2007. The retailer liability provisions become effective on August 1, 2008.

Similar Data Security Measures Are Being Championed in Other States

Similar measures are being championed by community banks and credit unions in a variety of other states. They complain that they incur significant costs when they have to close customer credit and debit card accounts in the wake of security breaches. On June 5, the California Assembly passed by a 58-2 vote a more far-reaching codification of several PCI requirements. The measure passed despite broad industry opposition and is now pending in the California Senate. Similar legislation recently was introduced in New Jersey. A bill to codify all the PCI Rules died in the Texas Senate last month after passing the Assembly, but will likely be considered again in Texas next year. In Congress, House Financial Services Chairman Barney Frank, D-Mass., has expressed support for the idea of holding merchants liable for expenses financial institutions incur responding to security breaches.

Merchants Face Potential Strict Liability for Costs Associated With Security Breaches

Under the new Minnesota law, financial institutions that issue payment cards may sue merchants conducting business in Minnesota for reimbursement associated with undertaking reasonable actions in the wake of data security breaches involving their payment cards that result in the loss of computerized personal data. Such actions include, but are not limited to, the following:

• Cancelling existing debit or credit cards and the replacement of such cards.
• Closing any financial accounts affected by the breach, as well as actions undertaken to stop payments or block transactions with respect to the financial accounts.
• Opening or reopening any financial accounts affected by the security breach.
• Issuing refunds or credits to cardholders to cover the costs of unauthorized transactions related to the breach.
• Notifying cardholders affected by the breach.

This financial reimbursement provision imposes a strict liability standard on merchants — i.e., merchants’ liability is not limited to security breaches attributable to negligence or poor information security practices. Thus, a merchant who suffers a security breach can apparently be held strictly liable for the costs incurred by financial institutions, even when the merchant was in full compliance with the PCI DSS requirements or industry best practices for data security.

Law Codifies One of the PCI Data Security Standards

The PCI DSS were developed by the major payment card networks to create uniform data security standards for payment card data. The standards — which apply to the entire system of merchants, acquiring banks, and credit card associations that are members of the PCI Security Standards Council — regulate the storage, processing, or transmission of a credit or debit card number. Version 1.0 of the PCI DSS went into effect on June 30, 2005; a revised version (1.1) was released in September 2006 principally because of confusion regarding the requirements and deadlines in the original version.

The PCI DSS already impose rigorous requirements upon all businesses that accept credit or debit cards for payment. The standards set forth detailed technical mandates for compliance, which are divided into twelve broader requirements. In general, merchants and service providers are required to build and maintain a secure network, protect cardholder data while storing it, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. Many businesses are still not in full compliance with the PCI DSS, although the original version was issued in December 2004.

One of the PCI standards prohibits the storage of sensitive authentication data, such as magnetic stripe data, credit card security code numbers, or debit card PIN authentication numbers. The Minnesota law essentially codifies this prohibition by requiring the destruction of such data within 48 hours after a transaction is authorized.

Penalties for Noncompliance

As a general rule, the PCI DSS assumes that merchants are in the best position to safeguard credit card data because they have a direct relationship with the customer. Accordingly, compliance requirements, dates for compliance, and penalties are set by individual credit card issuers. Financial institutions play an active role in monitoring PCI DSS compliance and reporting non-compliant merchants. For example, a financial institution can report a non-compliant merchant to a list which is available to other financial institutions that issue credit or debit cards. A merchant on such a list will find it difficult to process credit card transactions.

Additional penalties can be imposed if there is a breach of credit card data. For example, if a merchant suffers a credit card data breach and the merchant was not in compliance with the PCI DSS at the time of the breach, an affected credit card company may impose a fine of as much as $500,000 per incident plus payment of costs associated with the breach. Other fines and restrictions may be imposed, as well.

What Can You Do As a Merchant or Service Provider?

• Review the progress of your PCI compliance efforts and ensure that your information security program adequately addresses PCI compliance requirements, as well as the requirements of new statutes such as the Minnesota law. Consider engaging your in-house or external counsel to assist with the review of these efforts so as to preserve attorney-client privilege for documents created during the compliance review process.
• Ensure that your PCI Compliance team task force has adequate resources and buy-in throughout your organization.
• Determine specifically whether you destroy magnetic stripe, credit card security code, and PIN authentication numbers, as required by Minnesota’s new law.
• Pay particular attention to the security of payment card data in your possession, to reduce the likelihood of a security breach involving such data and to mitigate those risks.
• Review your contractual relationships with third parties with which you share, or to which you grant access to, your payment card data, so as to properly allocate the risks and liabilities associated with such a breach in light of this new legislation.

Heidi C. Salow is Of Counsel with DLA Piper US LLP. She handles cutting-edge issues involving privacy and data security, intellectual property, and e-commerce and has been involved in legislative advocacy, commercial transactions, regulatory compliance and litigation, and identifies successful legal solutions for high-tech businesses. She is an expert on a wide range of federal and state privacy, data security and e-commerce laws. Prior to joining DLA Piper, Salow was Senior Counsel and Director for Sprint Nextel Corporation, where she handled a wide range of privacy, data security, mobile content, and e-commerce matters. She can be reached at [email protected].

Jim Halpert is co-chair of the Communications, E-Commerce and Privacy practice of DLA Piper LLP, a global law firm. He practices in the firm’s DC office. Halpert counsels software developers, e-commerce companies, service providers, financial services companies, IT and content companies on a broad range of legal issues relating to new technologies, including Internet gambling, privacy, spyware/adware, cyber-security, government surveillance standards, consumer protection, intellectual property protection, spam, Internet jurisdiction, online contract formation, content regulation and First Amendment law. He may be reached at [email protected].

David Lieber is an Associate in DLA Piper's E-Commerce & Privacy group. Lieber counsels clients on complying with federal and state electronic privacy and security laws. He has counseled clients in the aftermath of security breaches, as well as advised clients on ways to enhance data security practices. Prior to joining DLA Piper, Lieber served as a Legislative Assistant on the Senate Judiciary Committee to Senator Dick Durbin (D-IL), where he handled privacy, data security and electronic commerce issues.

© DLA Piper US LLP 2007. All rights reserved.

Advertisement: Avoid becoming the next headline... Companies and public sites are falling victim to privacy breaches at an alarming rate. You need a Web privacy compliance plan in place to avoid online risk by keeping your Web users’ information safe and keep your company out of the headlines. HiSoftware’s automated Web privacy monitoring solutions can help. HiSoftware provides software, services and on-demand solutions that test, repair, monitor and enforce Web content, quality and regulatory compliance. Our solutions empower content developers, Web site architects and management to work collaboratively to create and manage organizational Web standards for accessibility, privacy, security, search engine optimization (SEO), site quality and more. Visit HiSoftware at the IAPP Privacy Academy in October and learn how our automated content compliance solutions can help keep your organization out of the headlines. www.hisoftware.com [email protected] Americas 888 272 2484, +1 603 578 1870 Europe, Middle East & Africa +33 (0) 6 72 51 95 21

Privacy News

UK Information Commissioner Launches New Data Protection Strategy

The Information Commissioner’s Office (ICO) is launching a consultation on its new Data Protection Strategy, which sets out how the ICO intends to achieve its task of minimizing data protection risk. The strategy is concerned with maximizing the ICO’s long-term effectiveness in bringing about good practice. It explains how the ICO will focus its data protection resources where there is the greatest risk of harm through improper use of personal information. Organizations processing people’s personal details must comply with the Principles of the Data Protection Act. Failure to comply with the act means there is a greater risk that individuals’ personal information is not held securely, is inaccurate or out of date.
The ICO will focus its attention on situations where there is a real likelihood of serious harm. This could be harm caused to individuals or to society as a whole. This risk-based approach is in line with good regulatory practice. According to David Smith, Deputy Commissioner, “Building public confidence in data protection is key in our approach. We protect people not just information. Public confidence depends on us taking a practical, down to earth approach — simplifying and making it easier for the majority of organizations who seek to handle personal information well, but making it tougher for the minority who do not.”

10 Companies Win Contracts to Encrypt U.S. Government Data

The Office of Management and Budget, U.S. Department of Defense (DoD) and U.S. General Services Administration (GSA) recently awarded 10 contracts for blanket purchase agreements (BPA) to protect sensitive, unclassified data (called Data at Rest [DAR]) residing on government laptops, other mobile computing devices and removable storage media devices. These BPAs could result in contract values exceeding $79 million, according to the GSA. Awardees are MTM Technologies Inc., Rocky Mountain Ram LLC, Carahsoft Technology Corp., Spectrum Systems Inc., SafeNet Inc., Hi Tech Services Inc., Autonomic Resources LLC, GovBuys Inc., Intelligent Decisions Inc. and Merlin International. Additional information will be available at www.esi.mil and www.gsa.gov/smartbuy.

Congratulations, Certified Professionals!

The IAPP is pleased to announce the latest graduates of our privacy certification programs. The following individuals successfully completed the CIPP examinations held in August 2007:

John Joseph Callaghan, CIPP
Robert J. Coughlin, CIPP
Sean Francis Donahue, CIPP
Jessica Farnham, CIPP
Denny Fitzgerald, CIPP
Christopher Ford, CIPP
Alison J. Forman, CIPP
Erika Goldwater, CIPP
Rich Green, CIPP
Vincent Grimard, CIPP
Megan Marion Harvick, CIPP
Gregg Harrison, CIPP
Daniel K. Hedrick, CIPP
Jeff C. Kim, CIPP
Patricia J. Lambert, CIPP
Nicholas B. Lanzer, CIPP
Kimberly Rhoades MacNeill, CIPP
Robert Henry Mannal, CIPP
Peter McDonald, CIPP
Michael McGurkin, CIPP
Catherine O’Rourke Becotte, CIPP
Kenneth Allen Perkins, CIPP
Nina Y. Piccinini, CIPP
Paul Robert Pilotte, CIPP
Eric Neal Rohrer, CIPP
Peter Joseph Savin, CIPP
Cortney L. Sawyer, CIPP
Brian A. Schultz, CIPP
William Strogis, CIPP
Robert F. Sullebarger, CIPP
Joseph B. Swan III, CIPP
Wes Umemura, CIPP
Stephen J. Verrilli, CIPP
Rick Wurm, CIPP

Periodically, the IAPP publishes the names of graduates from our various privacy credentialing programs. While we make every effort to ensure the currency and accuracy of such lists, we cannot guarantee that your name will appear in an issue the very same month (or month after) you officially became certified. If you are a recent CIPP, CIPP/G or CIPP/C graduate but do not see your name listed above then you can expect to be listed in a future issue of the Advisor. Thank you for participating in IAPP privacy certification!

Privacy News

Vericept Demonstrates Commitment to Privacy and Compliance Through IAPP Certification Initiative

IAPP Silver Corporate member, Vericept, a leader in Data Loss Prevention solutions, recently sponsored a special company-wide CIPP certification initiative in which more than 30 Vericept employees in the areas of sales and technical support earned their Certified Information Privacy Professional (CIPP) credential. To demonstrate its commitment to the profession and the value of CIPP certification, Vericept took a first-of-its-kind step in meeting all of the necessary requirements for preparing and sitting for the exam, including engaging IAPP Executive Director J. Trevor Hughes to provide training Webinars for employees to help them prepare for the CIPP exam.

Photo: Vericept CIPP blitz — These are among the Vericept employees who took the CIPP exam in Denver in August.

Photo: These are among the Vericept employees who took the CIPP exam in Waltham in August.

“With more than 30 employees designated as CIPPs, Vericept has made a strong commitment to CIPP certification in a single effort,” said Hughes. “This initiative clearly demonstrates Vericept’s ability to recognize the importance and value in understanding privacy requirements when assisting organizations looking to deploy a Data Loss Prevention solution and we applaud them for their efforts. We hope other companies will follow Vericept’s leadership in recognizing the value the CIPP brings to an organization’s commitment to privacy protection.”

Vericept employees in the company’s Denver, Colo. and Waltham, Mass. locations took the CIPP exam in early August. “CIPP certification sets the bar for demonstrating a comprehensive understanding of privacy and compliance implications for our clients,” said Bob Sullebarger, Vericept’s Vice President of Marketing and Product Management. “By requiring our employees to earn a CIPP designation, it underscores our commitment to fostering the responsible use of sensitive data.”

Privacy Pro Receives Accolades for Facebook’s Privacy Features

Chris Kelly, CIPP, a long-time IAPP member, was recently featured in a New Zealand Herald news story highlighting Facebook’s efforts to protect users’ privacy. Kelly, Chief Privacy Officer for the social networking site, said in the article that users don’t expect total privacy, but rather want greater control over who sees their personal information. “Privacy, as anonymity, is declining, but privacy, as control, is on the rise,” he said.
Facebook’s success depends on striking the right balance between privacy and openness, according to the article. Kelly told the New Zealand Herald, “We have tried to take a very control-based approach for our users, so Facebook information doesn’t leak out on the web in general.” Read the complete article at www.nzherald.co.nz/section/6/story.cfm?c_id=6&objectid=10451811.

IAPP Member Charlene Brownlee Coauthors Privacy Law

Research and Markets, an international market research and market data firm, has announced the addition of Privacy Law to its offerings. Written by IAPP member Charlene Brownlee, Partner, Davis Wright Tremaine LLP, and Blaze D. Waleski, Special Counsel with Sullivan and Cromwell LLP, the book covers current law and emerging issues in-depth, offering essential guidance on the privacy policies and practices organizations need to adopt to ensure compliance and the duty to notify employees and customers in the event of privacy breaches. Beginning with the constitutional foundation of privacy rights, Privacy Law examines the impact of the laws, industry standards and consumer expectations regarding personal information and privacy in a variety of contexts, including: healthcare, financial institutions, the workplace, international business, e-commerce and corporate transactions. More information is available at www.researchandmarkets.com/reports/c62687.

Privacy Classifieds

The Privacy Advisor is an excellent resource for privacy professionals researching career opportunities. For more information on a specific position, or to view all the listings, visit the IAPP’s Web site, www.privacyassociation.org.

CONSULTANT: Anzen Consulting Inc., Toronto, Ontario or Ottawa, Ontario - CANADA
PRIVACY DIRECTOR: Capital One, Richmond, Va.
PRIVACY MANAGER: Capital One, Richmond, Va.
DIRECTOR OF PRIVACY ONLINE: Entertainment Software Rating Board, New York, N.Y.
PRIVACY SPECIALIST: SAIC, Washington D.C.
SENIOR PRIVACY PROJECT MANAGER: T-Mobile USA, Bellevue, Wash.
PRIVACY DIRECTOR: Wal-Mart Stores, Inc., Bentonville, Ark.
PRIVACY CLIENT RELATIONSHIP MANAGER, SENIOR: Booz Allen Hamilton, McLean, Va.
INFORMATION ASSURANCE PRIVACY CONSULTANT, SENIOR: Booz Allen Hamilton, McLean, Va.
INFORMATION ASSURANCE PRIVACY CONSULTANT, MID: Booz Allen Hamilton, McLean, Va.

IAPP in the News

IAPP Privacy Academy 2007 Offers Answers, Discussion of Privacy Past and Future

One of the world’s preeminent futurists, Paul Saffo, author and information architect, Alex Wright, and Scott Charney, Corporate Vice President of Microsoft’s Trustworthy Computing Group, will deliver keynotes at the IAPP Privacy Academy 2007, Oct. 22-24, in San Francisco. A complement of provocative privacy thought leaders, Saffo and Wright will deliver a full-spectrum view of information privacy by providing a historical journey through the information age, augmented by forward-looking analysis of the implications of emerging trends and new technologies.

Saffo is a distinguished futurist, thought leader and prescient provocateur with more than two decades of experience in exploring long-term technological change and its practical impact on business and society. He currently serves as a Consulting Associate Professor at Stanford University, and is on a research sabbatical from the Institute for the Future.

With his recently published book, GLUT, Mastering Information Through the Ages, Wright is uniquely positioned to take privacy pros on a journey through the history of the information age. Wright has led projects for The New York Times, IBM, Microsoft, Harvard University, Yahoo! and Sun Microsystems, among others.

Charney brings to the Academy a wealth of computer privacy and security experience in both the government and the private sector. As Corporate Vice President of Microsoft’s Trustworthy Computing (TwC) Group within the Core Operating System Division, Charney offers a rare perspective on collaboration between the computer industry and the government to increase public awareness, education and best practices.

“The IAPP will offer attendees an unparalleled array of educational programming about their chosen profession, from its historical underpinnings to the future innovations and challenges inherent in our ever-changing marketplace,” said IAPP Board President Kirk M. Herath, CIPP/G, Associate Vice President, Chief Privacy Officer, Associate General Counsel, Nationwide Insurance Companies. “The IAPP Privacy Academy 2007 is the ideal milieu for privacy pros to assess our progress and plan for the future.”

The Academy also will draw together a leading panel of privacy advocates who will provide privacy pros with practical tips on how to engage advocates — and learn from them — despite obvious differences in their positions on privacy legislation and regulation. The advocates’ panel will be comprised of:

• Chris Jay Hoofnagle, Senior Staff Attorney to the Samuelson Law, Technology & Public Policy Clinic and Senior Fellow with the Berkeley Center for Law & Technology. From 2000 to 2006, he was Senior Counsel to the Electronic Privacy Information Center (EPIC) and Director of the organization's West Coast office;
• Jim Dempsey, Policy Director, Center for Democracy & Technology, who will serve as moderator;
• Beth Givens, Founder and Director, Privacy Rights Clearinghouse; and
• Ken McEldowney, Executive Director, Consumer Action.

The Academy is expected to draw more than 800 privacy professionals from around the world for three days of comprehensive discussion and debate, and feature about 120 leading privacy and security thought leaders and experts. Visit www.privacyacademy.org to reserve your space.

Be Part of the 2007-2008 IAPP Membership Directory!

The IAPP is compiling the 2007-2008 IAPP Membership Directory for publication this winter. With over 3,700 active members worldwide, the Membership Directory is one of the IAPP’s most coveted and widely used networking member benefits. Sponsorship and advertising opportunities are still available for the directory. For information, please contact [email protected]. Only IAPP members who opt-in will have their names and contact information included in the 2007-2008 edition. Signing up for membership does not automatically include your name in the Directory — you must opt-in if you wish to be included. Don’t miss out on your chance to be listed in this valuable networking resource! To opt-in, please email [email protected]. The deadline for inclusion is October 31, 2007.

knowledge net

‘World’s Oldest Living Privacy Bureaucrat’ Details History of Privacy Legislation to Twin Cities KnowledgeNet

Don Gemberling, the former Director of the Information Policy Analysis Division of the State of Minnesota Department of Administration, made a presentation to the Twin Cities KnowledgeNet on July 18 at the Ernst & Young offices in Minneapolis. Before his retirement in 2005, Gemberling was often introduced as the “world’s oldest living privacy bureaucrat” because of his work with the development and administration of the Minnesota Government Data Practices Act, the nation’s first combined fair information practices and freedom of information statute.
The following is a summary of his remarks:

Developments in the late 1960s and early 1970s, including large-scale government surveillance of citizens, misuse of federal government information, increased collection of personal information by both government and the private sector, and the advent of the first large-scale computing devices, led to increased attention to what came to be called “data privacy.” Many citizens concerned about privacy quickly reached a strong consensus that individuals had little or no legal rights or recourse when personal information about them was collected, even in situations where the information was seriously misused. In reaction to these developments, a variety of individuals and institutions began looking at ways of dealing with the “data privacy” problem.

At the federal level, Elliot Richardson, then Secretary of the Department of Health, Education and Welfare, created the Secretary’s Advisory Committee on Automated Personal Data Systems (the HEW Committee). In 1972, he charged the committee with looking at ways to address increased personal data collection and particularly to focus on lack of protections afforded to individuals when information about them was being abused and misused.

During the same time period, Minnesota State Rep. John Lindstrom presented “data privacy” legislation in the 1973 legislative session. Lindstrom’s bill, strongly opposed by the media and law enforcement, passed the House during that session. The Minnesota Senate did not act on comparable legislation.

In the summer of 1973, two major developments occurred. The HEW Committee completed its work and published its findings and conclusions in a report titled, “Records, Computers and the Rights of Citizens.” Among other things, the committee called for the establishment of what it called a “Code of Fair Information Practices” based on five principles developed by the committee. The committee’s work, in part, contributed to the passage of the U.S. federal Privacy Act of 1974. In Minnesota, the Intergovernmental Information Systems Advisory Council (IISAC), a group composed of state and local officials working to coordinate public information system developments, created an advisory committee on Security and Privacy. Membership of this committee included government officials, attorneys, the media and law enforcement (Gemberling began his career with data privacy by staffing this committee). The committee decided its primary task would be to work to improve Lindstrom’s bill by addressing a variety of concerns.

In the 1974 legislative session in Minnesota, Sen. Robert Tennessen introduced legislation, drawn from and based on, the recommendations of the HEW Committee. Eventually, one of his bills was combined with the original Lindstrom legislation and recommendations from the IISAC Security and Privacy Committee. This bill was passed by both houses of the Legislature and signed by the governor. The legislation became the country’s first “data privacy” or “fair information practices” statute.

Since 1974, this statute has been the subject of much discussion, controversy and amendment by the legislature. In 1979, in response to years of media concern, lawmakers amended the statute by adding language to increase and to protect public access to government data, most often referred to as “freedom of information legislation.” At that time, the statute acquired its official title of the “Minnesota Government Data Practices Act” (MGDPA).

The next meeting date for the Twin Cities KnowledgeNet has not been determined yet.
Adam Stone, Chair of the Twin Cities KnowledgeNet, is accepting ideas for the next meeting (November is a likely date). Please contact Adam directly at +651.735.4888 or by email at [email protected].

Calendar of Events

SEPTEMBER

11  IAPP Certification Testing – Boston. CIPP, CIPP/C and CIPP/G examinations, 9 a.m. – 1 p.m. Ernst & Young, John Hancock Tower, Boston, Mass.

12  IAPP Certification Testing – New York. CIPP, CIPP/C and CIPP/G examinations, 9 a.m. – 1 p.m. Ernst & Young, 5 Times Square, New York, N.Y.

12  IAPP KnowledgeNet – San Francisco Bay Area, 11:30 a.m. – 1 p.m. Speaker: Joanne McNabb, CIPP/G, Chief of the California Office of Privacy Protection. Topic: Identity Theft: What We Know — and Don't Know — About Identity Theft.

12  IAPP KnowledgeNet – Southwest Ohio/Tri-State Area, 11:30 a.m. – 1 p.m. Speaker: Kirk Herath, CIPP/G, Chief Privacy Officer and Associate General Counsel, Nationwide Insurance Companies. Topic: Tracking Legislation Across 50 States.

19-21  5th Annual Executive Women's Forum, Hyatt Regency Scottsdale Resort & Spa, Scottsdale, Ariz. The Executive Women’s Forum on Information Security, Risk Management and Privacy gathers over 200 of the most influential female executives September 19-21 to discuss best practices and strengthen their network. Four Women of Influence awards will be co-presented by Alta Associates and CSO Magazine. For more information or to register, visit www.infosecuritywomen.com.

25-28  29th International Conference of Data Protection and Privacy Commissioners, Le Centre Sheraton Montreal Hotel, Montreal, Québec, Canada. More information is available at www.privacyconference2007.gc.ca.

25  IAPP KnowledgeNet – Charlotte, 11:30 a.m. – 1 p.m. Speaker: Kim D’Arruda, Assistant Attorney General in the Consumer Protection Division of the North Carolina Attorney General’s Office. Topic: North Carolina Attorney General Roy Cooper’s Identity Theft Initiatives.

25  IAPP Certification Training – Montreal. CIPP/C and CIPP training only, 9 a.m. – 5 p.m. Le Centre Sheraton Montreal Hotel, Montreal, Québec, Canada.

28  IAPP Certification Testing – Montreal. CIPP/C examinations (CIPP and CIPP/G also available), 1 – 4 p.m. Le Centre Sheraton Montreal Hotel, Montreal, Québec, Canada.

OCTOBER

22-24  IAPP Privacy Academy 2007, The Westin St. Francis, San Francisco, Calif. More information is available at www.privacyacademy.org.

To list your privacy event in The Privacy Advisor, email Ann E. Donlan at [email protected].

Electronically Stored Information in Litigation, continued from page 23

Culling, Processing, and Reviewing

These steps are best accomplished by using the consulting, processing services and tools offered by electronic discovery experts, who have the know-how to manage large volumes of ESI as potential evidence and can deliver many types of ESI in a format that counsel can review before producing it to a requesting party.

A Starting Point

Privacy professionals can enhance the company’s readiness strategy with their specialized knowledge in areas such as information security, privacy and data transfer. The benefits of anticipating and preparing for ESI discovery are many, and include future cost savings; process efficiency; minimal business interruption; litigation control; avoidance of sanctions and the resulting publicity; and risk management and assessment. Unprepared organizations may indeed look back on the experience as overwhelming, with the company and its people drowning in massive, disorganized amounts of data while searching for information of possible relevance. However, armed with the knowledge of what to expect, any company can both do business and be litigation-ready at the same time.

Patricia A. M. Vinci, Esq.
is Counsel, Pitney Bowes Litigation and Document Services, part of Pitney Bowes Legal Solutions. PBLS is a leading single-source provider of litigation and document services for law firms and corporate clients. Vinci’s responsibilities include electronic discovery law, corporate contracts and records retention. She can be reached at [email protected]. This article should not be construed as providing legal advice or legal opinions. You should consult an attorney for any specific legal questions.

International Association of Privacy Professionals, September 2007

The Healthcare Privacy Debate Heats Up, continued from page 5

Among the most substantial components of the Kennedy-Leahy bill:

• Creation of an extensive new notice requirement, including a new variety of “opt-out” rights;
• A requirement that companies publicly identify their agents and subcontractors;
• Creation of new “informed consent” procedures, even for treatment and payment uses and disclosures;
• Requirement for authorizations for a wide variety of other disclosures (where none is required today), particularly healthcare operations;
• Expansion of civil and criminal penalties;
• Authorization for enforcement by state attorneys general;
• Abandonment of the Office of Civil Rights as an enforcement agency, in favor of a new Office of Health Information Privacy;
• Creation of a private right of action for individuals.

This proposal faces a significant uphill battle. While questions persist about the current enforcement approach to the healthcare privacy rules, there does not appear to be any pattern of actual events that indicates a need for new regulatory requirements governing the wide range of practices covered by healthcare privacy rules today. In fact, particularly in the private sector, the healthcare privacy rules seem to be working remarkably well. While security breaches are a daily occurrence in many industries, the healthcare industry has faced only modest problems, almost all of them related to “security” rather than privacy, and most on a relatively small scale (other than the prominent breach concerning the Department of Veterans Affairs). Accordingly, the new proposed legislation presents the certainty of disrupting existing operations and creating enormous new costs for the healthcare industry, without any demonstrated basis for forcing such change.

Conclusion

The debate over healthcare privacy is just beginning. Clearly, there is an emerging consensus that there should be some new rules for the health information exchange environment, mainly designed to ensure that all participants are meeting a set of consistent legal requirements. There is no consensus on whether these new rules should be tougher than HIPAA; moreover, there is no consensus whatsoever that the HIPAA rules are not “good enough” for the rest of the healthcare industry. There also is no obvious set of facts demonstrating that companies currently covered by HIPAA are ignoring their responsibilities or that personal privacy in the healthcare environment is not appropriately protected. Accordingly, while the Kennedy-Leahy bill clearly signals the start of an important debate, it seems to be a significant over-reaction, one that would create disruption and expense without any clearly demonstrated need.

Kirk Nahra, CIPP, is a partner with Wiley Rein LLP in Washington, D.C., where he specializes in privacy and information security litigation and counseling. He is chair of the firm’s Privacy Practice. He serves on the IAPP Board of Directors and is the Editor of The Privacy Advisor.
He is the Chair of the Confidentiality, Privacy and Security Workgroup, a panel of government and private sector privacy and security experts advising the American Health Information Community (AHIC). He may be reached at [email protected] and at +202.719.7335.

© 2007 Wiley Rein LLP. Reprinted with permission, Privacy in Focus, Sept. 2007 ed. This is a publication of Wiley Rein LLP providing general news about recent legal developments and should not be construed as providing legal advice or legal opinions. You should consult an attorney for any specific legal questions.

www.privacyassociation.org