
The Privacy Advisor, January 2006 • Volume 6 • Number 1

Editor: Kirk J. Nahra

This Month

J. Trevor Hughes on the need to invest in Privacy Pros ..... Page 2
Questions and Answers on Microsoft’s Call for Privacy Legislation ..... Page 6
Transferring Personal Data Outside of Europe ..... Page 9
KnowledgeNet Meetings held in Denver and Tokyo ..... Page 11
Update on Working Groups ..... Page 12
Kudos to our New CIPP and CIPP/G Grads ..... Page 13
Federal Security Breach Legislation ..... Page 14
State Legislation 2006 ..... Page 16
IAPP in the News ..... Page 17
Privacy News ..... Page 18

The Conflict Between U.S. Whistleblower Helplines and Non-U.S. Data Protection Requirements: Do the New French Guidelines Provide the Solution?

Brian Hengesbaugh and Carrie J. Di Santo

A cross-border regulatory conflict has developed over the past year that has left companies in a classic Catch-22. The vexing dilemma between the U.S. legal requirements under the Sarbanes-Oxley Act (SOX) as well as other U.S. rules that require the establishment of corporate compliance or whistleblower hotlines (helplines), and non-U.S. data protection and related laws that restrict the collection of personally identifiable information about foreigners through such helplines, has mired companies in a regulatory abyss. The conflict was crystallized in May 2005 when the French data protection authority (CNIL) determined that helplines operated on behalf of two U.S. public companies had violated French data-protection law.

The CNIL decision has sparked a significant amount of concern among U.S. public companies with multinational operations (public companies), that have wrestled with important questions about how to respond — should we suspend our helpline in France? Suspend it in other countries? Take some “middle-ground” approach? Will we still be in compliance with U.S. laws and New York Stock Exchange listing requirements? To date, there have been no easy answers, and all the options have involved significant regulatory risk.

In November 2005, in an apparent attempt to assist U.S. public companies with the cross-border conflict, the CNIL

See CNIL Guidelines, page 3

Rebranded IAPP Web Site Unveiled

IAPP Staff

The IAPP kicked off 2006 with an unveiling of our newly redesigned Web site. The site is at the same domain, www.privacyassociation.org, but it has an entirely new look! We urge members to visit the site today to experience firsthand the enhanced navigation, new and improved content and member benefits.

The new site offers access to certification testing and training resources, new search capabilities of past Advisors and the most efficient and quick way to register for our conferences.

See IAPP Web site, page 5


THE PRIVACY ADVISOR

Editor: Kirk J. Nahra, Wiley Rein & Fielding, [email protected], +202.719.7335

Managing Editor: Ann E. [email protected], +207.351.1500 X109

The Privacy Advisor (ISSN: 1532-1509) is published monthly by the International Association of Privacy Professionals and distributed only to IAPP members.

ADVISORY BOARD

Elise Berkower, CIPP, Senior Privacy Compliance Officer, DoubleClick Inc.
Keith P. Enright, Director, Customer Information Management, Limited Brands, Inc.
Philip L. Gordon, Shareholder, Littler Mendelson, P.C.
Brian Hengesbaugh, Partner, Privacy/Information Technology/E-Commerce, Baker & McKenzie LLP
Todd A. Hood, CIPP, Director, Regional Privacy, The Americas, Pitney Bowes Inc.
Ben Isaacson, CIPP, Privacy & Compliance Leader, Experian & CheetahMail
Jacqueline Klosek, CIPP, Senior Associate in the Business Law Department and member of Intellectual Property Group, Goodwin Procter LLP
Lydia E. Payne-Johnson, CIPP, Executive Director, Chief Privacy Officer, Morgan Stanley
Billy J. Spears, CIPP/G
Harry A. Valetk, CIPP, Director, Privacy Online, Entertainment Software Rating Board

To Join the IAPP, call: +800.266.6501

Advertising and Sales, call: +800.266.6501

Postmaster: Send address changes to: IAPP, 266 York Street, York, ME 03909

Subscription Price: The Privacy Advisor is a benefit of membership to the IAPP. Nonmember subscriptions are available at $199 per year.

Requests to Reprint: Ann E. [email protected], +207.351.1500 X109

Copyright 2005 by the International Association of Privacy Professionals. All rights reserved. Facsimile reproduction, including photocopy or xerographic reproduction, is strictly prohibited under copyright laws.

Notes from the Executive Director

As we start 2006, the privacy community understands that we are immersed in one of the most fundamental issues of our times. Privacy pros have emerged as integral to a company’s financial success. After a year marred by an onslaught of security breaches that were costly for both companies and consumers, we remain uncertain whether our efforts will pay off enough in 2006 to thwart this surging trend.

What we do know is that the price has been steep after 2005’s record number of data breaches. The Federal Trade Commission estimates that identity theft has whacked consumers for $5 billion while businesses have suffered an astounding $48 billion in losses. The lurking damage to a company’s brand and the inevitable undermining of consumer confidence are enough to keep any executive awake at night.

These damaging blunders and the specter of new state laws — as well as the potential for federal legislation — have swelled into the perfect storm for companies. It is not surprising, then, that IT professionals have elevated data security and protection to the top of the spending list for 2006, according to a recent survey of 1,700 readers of Network Computing. Another survey of 1,131 Intelligent Enterprise magazine readers found that IT professionals planned to increase spending by 51.2 percent on security, privacy and identity management — which topped the list of 2006 IT spending priorities.

While it is essential that companies invest in the best encryption technology or intrusion-detection systems to prevent the leak or loss of personal information, hardware and software upgrades are not enough to balance the privacy- and data-security equation. Companies also must commit to making a comprehensive investment in the privacy professionals who will complement the technology and promote the data-security mission. Many companies already understand this partnership. However, as companies gear up to spend millions this year on new technology, their operations would be well-served by an equal devotion to hiring the privacy professionals who will foster the synergy between employees and technology.

One investment that companies should not overlook is the opportunity to send their privacy pros to the IAPP National Summit 2006, March 8-10, in Washington, D.C. The largest and most anticipated privacy conference, the Summit will feature sessions from the leading privacy experts and leaders in the areas of ID theft, generational privacy, genetic privacy, international and domestic privacy and outsourcing, among other topics.

We have an impressive lineup of keynote speakers:

Dr. David J. Brailer, National Coordinator for Health Information Technology, U.S. Department of Health and Human Services, who heads President Bush’s efforts to deploy widespread health-information technology within the next 10 years.

Christophe Pallez, Secretary General of the CNIL, France.

Brad Smith, Senior Vice President and General Counsel, Microsoft Corp., who helped spearhead the company’s global campaigns to bring enforcement actions against those responsible for illegal spamming, virus creation and software counterfeiting.

Jonathan Zittrain, Co-Founder of the Berkman Center for Internet & Society, at Harvard Law School.

We look forward to a productive and exciting year as we continue to serve our growing membership with the most beneficial support available to privacy pros in the U.S., Canada and internationally as well. See you at the Summit!

J. Trevor Hughes
Executive Director

January • 2006

2


CNIL Guidelines, continued from page 1

issued guidelines on how to implement helplines in a manner that complies with French data-protection law (CNIL Guidelines). The arrival of the CNIL Guidelines is good news because they appear, in principle, to assist public companies in addressing the legal requirements of both the French and U.S. compliance regimes. Some thorny issues may remain, however. This article briefly examines several of the key U.S. legal requirements that underpin the need for U.S. companies to implement helplines. It also highlights several aspects of the CNIL Guidelines that may be difficult to achieve in light of the U.S. legal requirements and other practical constraints.

U.S. Laws and Rules

Various laws and rules in the United States require public companies to implement anonymous and confidential mechanisms for employees and others to report purported improper conduct with respect to accounting, internal accounting controls, and other kinds of financial fraud. (Non-public companies also may use international helplines as part of their compliance programs.) Several of the key statutes and rules include:

• The Sarbanes-Oxley Act

Section 301 of the Sarbanes-Oxley Act (enacted in section 10A(m)(4) of the 1934 Securities Exchange Act) requires audit committees of public companies “to establish procedures for: (A) the receipt, retention and treatment of complaints received by the public company regarding accounting, internal accounting controls, or auditing matters; and (B) the confidential, anonymous submission by employees of the public company of concerns regarding questionable accounting or auditing matters.” Additionally, whistleblower protections in SOX Sections 806 and 1107 also were designed to encourage employees to raise concerns (particularly involving accounting and auditing matters, but also relating to other violations of law) anonymously and without fear of retribution.

• NYSE Rules

NYSE Corporate Governance Rule 303A.10 requires listed companies to adopt and disclose a code of business conduct and ethics for directors, officers and employees, and promptly disclose any waivers of the code for directors or executive officers. Rule 303A.10 does not specifically require implementation of a helpline in order to report code waivers, violations or questions. However, the rule provides that: “Each code of business conduct and ethics must also contain compliance standards and procedures that will facilitate the effective operation of the code. These standards should ensure the prompt and consistent action against violations of the code.” The NYSE requires that, among other things, codes must encourage the reporting of any illegal or unethical behavior.

• Federal Sentencing Guidelines

Helplines and other compliance mechanisms also are integral components of an effective compliance and ethics program, as defined in § 8B2.1 of the Federal Sentencing Guidelines. As a

See CNIL Guidelines, page 4

“The arrival of the CNIL Guidelines is good news because they appear, in principle, to assist public companies in addressing the legal requirements of both the French and U.S. compliance regimes.”

IAPP, 266 York Street, York, ME 03909. Phone: +800.266.6501 or +207.351.1500. Fax: +207.351.1501. Email: [email protected]

The Privacy Advisor is the official monthly newsletter of the International Association of Privacy Professionals. All active association members automatically receive a subscription to The Privacy Advisor as a membership benefit. For details about joining IAPP, please use the above contact information.

BOARD OF DIRECTORS

President: Chris Zoladz, Vice President, Information Protection, Marriott International, Bethesda, Md.
Vice President: Kirk M. Herath, Chief Privacy Officer & Associate General Counsel, Nationwide Insurance Companies, Columbus, Ohio
Secretary: Janet McCoy, Chief Privacy Officer & Senior Vice President, Sovereign Bank, Wyomissing, Pa.
Past President: Agnes Bundy Scanlan, Esq., Cambridge, Mass.
Executive Director: J. Trevor Hughes, York, Maine
John Berard, Managing Director, PR21, San Francisco, Calif.
Becky Burr, Partner, Wilmer Cutler & Pickering, Washington, D.C.
Peter Cullen, Chief Privacy Strategist, Microsoft Corp., Redmond, Wash.
Kimberly Gray, Chief Privacy Officer, Highmark Inc., Pittsburgh, Pa.
Jean-Paul Hepp, Chief Privacy Officer, Pfizer Inc., Peapack, N.J.
Sandra Hughes, Global Privacy Executive, Procter & Gamble, Cincinnati, Ohio
Barbara Lawler, Chief Privacy Officer, HP, Palo Alto, Calif.
Kevin Levitt, Chief Privacy Officer, EDS, Bucks, UK
Kirk Nahra, Partner, Wiley Rein & Fielding, Washington, D.C.
Harriet Pearson, Vice President, Workforce & Chief Privacy Officer, IBM Corporation, Armonk, N.Y.
Jules Polonetsky, Vice President, Integrity Assurance, America Online Inc., Dulles, Va.
Dale Skivington, Chief Privacy Officer, Eastman Kodak, Rochester, N.Y.
Lauren Steinfeld, Chief Privacy Officer, University of Pennsylvania, Philadelphia, Pa.
Zoe Strickland, Chief Privacy Officer, U.S. Postal Service, Washington, D.C.

GENERAL COUNSEL: Jim Koenig, PricewaterhouseCoopers, Philadelphia, Pa.

THE PRIVACY ADVISOR

3


CNIL Guidelines, continued from page 3

general matter, the guidelines establish an incentive for organizations to establish and maintain effective compliance programs, and they reduce the offense level should it occur despite the fact that an organization had an effective program in place. In terms of the definition of an “effective compliance and ethics program” in § 8B2.1, the guidelines require an organization to: “take reasonable steps ... to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.”

The vast majority of U.S. public companies and other organizations have responded to these and other U.S. legal obligations by establishing helplines.

Thorny Issues From a U.S. Public Company Perspective

Several aspects of the CNIL Guidelines may prove problematic for U.S. public companies and organizations that maintain helplines, such as the following:

• Narrow Categories of Permissible Complaints

Under the CNIL Guidelines, helplines cannot allow for the reporting of complaints on all substantive areas (i.e., any concerns about general compliance with law, work rules or internal rules for professional conduct), but rather must be limited to those complaints based on certain regulatory or legal issues, such as financial fraud and bribery. On the one hand, this aspect of the CNIL Guidelines is helpful, because it appears to permit public companies to maintain helplines as necessary to meet obligations under Section 10A(m)(4) of the 1934 Act (i.e., the SOX requirement that focuses on accounting and other forms of financial fraud). On the other hand, narrowing the scope of a helpline to exclude complaints about other types of misconduct may violate company policies or limit the effectiveness of the corporate compliance program. Companies may find there are practical difficulties with implementing a system whereby a third-party provider must efficiently and reliably decide “on the spot” whether a call relates to financial fraud or bribery or run-of-the-mill employee theft or fraud.

• Narrow Categories of Subjects of Calls

Under the CNIL Guidelines, public companies must precisely define the categories of managers or other employees that may be the subject of complaints. It may be difficult, however, to definitively identify in practice a limited category of individuals that would have authority to engage in activities giving rise to “permissible complaints,” particularly with respect to bribery matters.

• Notification to Subjects As Soon As Complaint Recorded

Under the CNIL Guidelines, individuals who are the subject of a helpline call must be notified that their personal data has been collected through the helpline, as well as the nature of the complaint and other details (not including the caller’s identity). The purpose of the notification is to provide the subject with an opportunity to object to the processing of his personal data. The notification must be made “promptly” by the public company, unless delay is necessary to prevent the destruction of evidence. Whether this aspect of the CNIL Guidelines is problematic will depend on how strictly it is interpreted and how much time is allowed prior to notification. In particular, corporations conducting internal investigations, as well as SEC and criminal investigators, may be more effective in gathering information (and preventing information from being lost or destroyed) if investigations are “secret” and the subject does not know he is being investigated. In fact, after requesting information in connection with investigations, law enforcement agents typically request that the investigation be kept confidential (SEC investigations often are referred to as “non-public investigations”).

• Limited Storage of Personal Data

The guidelines appear to require that personal data obtained through a helpline call must be promptly destroyed if the data is deemed to be “unsubstantiated.” Frequently, complaints of financial fraud or bribery may be based on discrete pieces of information, which, if viewed in isolation, might be considered “unsubstantiated” and therefore require prompt destruction. Destruction of evidence poses the risk that corporate officers and directors would not be given relevant information relating to improper conduct that would enable them to determine whether a more thorough investigation is warranted. As with other points discussed above, a key issue is whether the CNIL and other data protection authorities permit a flexible interpretation of this provision to allow for the retention of such information in appropriate circumstances to allow corporations to adequately respond to allegations of misconduct.

• Cross-Border Personal Data Transfers

The CNIL Guidelines specify that cross-border transfers of complaints to a parent company or affiliate in the United States, where permitted, must properly address the requirements under Articles 25 and 26 in the European Data Protection Directive (95/46/EC) to provide “adequate protection” for such data. Companies also must confirm that any transfers to

Photo: Brian Hengesbaugh

4


third-party service providers in the United States also are subject to “adequate protection.” This aspect of the CNIL Guidelines is merely a reiteration of the well-established restrictions on cross-border data transfers in EU data protection laws. However, for U.S. public companies that have not yet established a reliable approach to these cross-border data transfer restrictions, the CNIL Guidelines generally will require additional due diligence to select and implement a suitable cross-border data transfer solution.

• Prior Approval

Helplines will be subject to a prior approval process by the CNIL. This may be an expedited process if the company’s helpline meets the requirements in the CNIL Guidelines. However, the existence of a prior approval process will require U.S. public companies to examine the CNIL Guidelines carefully, and confirm that they have properly addressed each of the specific requirements before approaching the CNIL for authorization. Moreover, U.S. public companies should be prepared to answer other questions, including questions about global data-protection practices, that the CNIL may raise at the time the company seeks approval for its helpline.

The Road Ahead: Updated Compliance Programs and More Regulatory Guidance

The CNIL Guidelines may not be the end of the road on this issue, but perhaps the beginning of a broader conflict surrounding this and related issues. It is expected that the Article 29 Committee of European Union data-protection authorities will issue a collective opinion on helplines in the coming weeks or months. Also, because of the proliferation of EU-style data protection and privacy laws in other regions around the world, further guidance (or at least similar issues) will arise in those jurisdictions as well. U.S. public companies should therefore be prepared to develop and implement policies and procedures that can address requirements such as those in the CNIL Guidelines, and be flexible enough to implement country-specific variations in these rules as they are announced. In addition, due to the heightened scrutiny that may be focused on existing data-protection programs, U.S. public companies should also confirm that they have their “house in order” with respect to global data protection matters.

Brian Hengesbaugh is a Partner, Privacy/Information Technology/E-Commerce, with Baker & McKenzie LLP, and a member of The Privacy Advisor’s Advisory Board. Hengesbaugh specializes in regulatory and transactional issues including privacy and data protection, data security, digital and electronic signatures, cyber crime and jurisdiction and the enforcement of foreign judgments. He may be reached at [email protected].

Carrie J. Di Santo is a Partner in Baker & McKenzie LLP, who specializes in Corporate Compliance. Di Santo advises publicly held companies and other organizations on legal compliance issues, particularly relating to the Foreign Corrupt Practices Act (“FCPA”) and non-U.S. anti-corruption laws, anti-money laundering, the Patriot Act, and the Sarbanes-Oxley Act. She has represented companies and individuals in criminal investigations and internal corporate investigations relating to the FCPA and accounting fraud, and in other related criminal and commercial litigation. She may be reached at [email protected].

Photo: Carrie J. Di Santo

IAPP Web site, continued from page 1

To better serve the needs of our growing organization and profession, the IAPP launched a project last year to overhaul our Web site. We are proud to serve our members with a new site that offers one-stop shopping to renew or update your membership online, search for that new privacy job in 2006 or order CDs of our popular audio conferences. We especially are excited to offer a completely new resource — the monthly IAPP podcast, which features an in-depth interview with privacy leaders and experts on a timely topic.

Members not only will have access to past issues of The Privacy Advisor — this valuable member benefit will be searchable for the first time. The ability to search this monthly publication will provide our members with a quick way to access the treasure trove of domestic and international privacy information contained in our Advisor library. And that’s not all! Our entire site is now searchable — another major improvement for our members.

IAPP members also will have the opportunity to join and participate in a working group (see more on Page 12), RSVP to a KnowledgeNet event and download past conference presentations.

Your member number is all that is needed to access all of these great benefits.

As the world’s largest privacy association that represents more than 2,000 privacy professionals in 23 countries, we are devoted to offering our members the best networking, education and certification needs. We expect that these new Web site improvements will make it easier for our members to stay informed and involved in the dynamic privacy arena.

As always, our Web site offers the latest information on our upcoming conferences. If you haven’t already, check out the IAPP’s Web site for information on the IAPP National Summit 2006, March 8-10, in Washington, D.C.

5


Microsoft Calls on Congress to Pass Comprehensive Federal Privacy Legislation

A Q & A about Microsoft’s Support for Federal Privacy Legislation, Featuring: Peter Cullen, Microsoft Corp.’s Chief Privacy Strategist and IAPP board member; Ari Schwartz, Associate Director of the Center for Democracy & Technology; and IAPP Executive Director J. Trevor Hughes

Photo: J. Trevor Hughes, Executive Director, IAPP

Photo: Peter Cullen, Chief Privacy Strategist, Microsoft Corp. and IAPP board member

Trevor: Peter, tell us about this announcement and exactly what Microsoft is proposing or supporting here.

Peter: In our view, privacy abuses — both online and off-line — have become a real growing concern among consumers, Internet users, businesses and governments. And with that as a backdrop, we felt that fear over these issues is affecting online behavior. We believe a much more comprehensive, federal approach to privacy is needed to give consumers strong privacy and security protection and businesses a clear set of standards.

Trevor: What would a broad-based privacy law provide to the marketplace?

Ari: There are a few areas where there is an agreement among a lot of players that we could bring a level of trust to the Internet, to new technologies, that we don’t have today. We could bring kind of a safety net to those kinds of transactions, so that consumers really do have a level of trust at the beginning of a new technology rather than having to learn each new technology and each new type of business. The patchwork of sectoral laws is confusing and burdensome to consumers and industry alike. And we have 50 different states (that) have 50 different laws — and that simply does not work in an Internet world where we are talking about everyone transacting in the same way. And lastly, U.S. companies — particularly the large multinationals — have to deal with laws all over the world, and the U.S. law is seen basically as inadequate.

Trevor: Peter, what do you think of that?

Peter: I think Ari has hit on a lot of the key points. What we have learned from working through a number of issues, for example, spam, is that there really does need to be a multifaceted approach. Part of these issues can be addressed with technology, part of it can be helped by providing guidance to users. But increasingly these issues are requiring partnerships — partnerships with industry, partnerships with groups like CDT and partnerships with government. So we see this legislative framework approach as one piece of that all-encompassing puzzle that can help create that trusted experience for users. This is why it was just a real pleasure to be able to partner with CDT in terms of this announcement, as well as two other really strong friends in the industry, Hewlett-Packard and eBay, which are very like-minded in terms of needing to find solutions to today’s problems, again, with the goal of increasing the level of trust for users.

Trevor: So let’s talk about that issue of trust and dive a bit deeper into that. It seems to me that the benefit of trust kind of runs two ways. It benefits consumers for sure, because consumers have something that is more easily understood and they feel more confident in their interactions with their data. But it also seems like there may be benefits for industry if consumers are more trusting of the various channels that they are engaging with businesses through.

Peter: The more trust that users have in what a company offers, the more business, the deeper the relationship, so there’s just a tremendous motivation for all businesses to think about how they can contribute to earning trust. So much of this is about what individual companies do, but it’s increasingly about what we collectively all do to help create trust.

Trevor: Let’s talk a little about the U.S. approach versus some of the other approaches around the world and how this proposal fits into that broader picture. Has the U.S. public policy approach to data protection to privacy failed? Has that sectoral approach just shown itself to not work or are we responding to other dynamics?

Ari: I don’t think that the sectoral approach has failed necessarily. I think that it has become problematic. Some of the breakdowns have been helpful, financial information, medical information. That is sort of complicated for consumers and (it) can be cumbersome for companies. But the real problem is lawmakers started looking for technologies to regulate. So you have greater discussions of legislating cookies

See Microsoft, page 8

6

Page 7: The Conflict Between U.S.Whistleblower Helplines and Non-U ... · access to certification testing and training resources, new search capabilities of past ... DoubleClick Inc. Keith

THE PRIVACY ADVISOR

Page 8: The Conflict Between U.S.Whistleblower Helplines and Non-U ... · access to certification testing and training resources, new search capabilities of past ... DoubleClick Inc. Keith

January • 2006

8

technology, legislating spyware, legislat-ing our RFID technology. The question is— how do we come up with standards,so that when the new technologiescome around it fits in — even if it is notused just within one sector?

Trevor: One of the things that Microsoft discussed in announcing this was harmonization, and it would seem that the U.S. is in marked contrast to other privacy standards in other areas of the world. How does this proposal provide those harmonization benefits and what’s driving that?

Peter: Our friends in the EU have often said there is no privacy legislation in the U.S., and quite frankly, what we are talking about is harmonizing just the plethora of privacy-related legislation. There are two areas we can look at. One is the EU, which has given us 10 years of experience with a broad, principle-based directive — and to be frank about it — the world hasn’t come to a screeching halt. In fact, there are some benefits to a harmonized approach, not to say the EU is not without its issues and its complexities. If we look at the Asia Pacific region, there is an agreed-to, principle-based framework that the Asian Pacific countries have adopted. They are taking the view that a comprehensive, omnibus-type of an approach is the more effective way to go. It allows for the free flow of information while ensuring that information has an adequate protection, specifically for individual users. So if we think about those two big geographic areas, obviously two huge, big trading partners, the EU and the APEC countries, it is just going to become increasingly more useful if the U.S. is thinking about privacy with some level of consistency. However, the approach that’s required for the U.S. clearly has to meet the needs of U.S. constituents as well. So the proposal that we are suggesting needs to find the right balance between those two things. I want to stress that this proposal is a starting point of the dialogue. We absolutely believe that a number of other people need to be part of the ongoing discussion.

Trevor: Peter, what has the response been like in the industry to the announcement?

Peter: We have talked to a number of other companies, a number of other groups and most agree the framework that we are currently operating in is not as effective as it needs to be. There is a growing acceptance that it’s time to look at a different model. Now to say that that’s an easy road would be a gross overstatement, because of course, the devil’s in the details. But the atmosphere right now, both within industry, and potentially on the Hill, is that this proposal is worthy of a lot more consideration. Today’s reaction is different than what would have been experienced three, four or even five years ago.

Trevor: We obviously have at least a couple of bills on the Hill right now that relate to privacy. What is the reception in Washington on this proposal?

Ari: There are still a lot of people stepping back and waiting to see how people react. However, there has been a wide range of support from the legislators who have been engaged in the debate for a long time. We have already heard the Chairman of the House Commerce Committee say he wants to have hearings on this as soon as the beginning of next year.

Trevor: Will we see privacy legislation of the type suggested in this proposal in the next two years or in the next five years?

Ari: There is a small possibility that things could get done as early as next year. In reality, we are probably talking about the Congress after next. But people who aren’t engaged in the debate in the coming year are really going to miss out in terms of how we got from here to there.

Trevor: Peter, what is your thinking on this?

Peter: This is a really important issue. It is an important issue to solve. It is going to require a lot of dialogue. And we are certainly committed to sustaining it over the long term to get this type of approach into place. But it is also important to say that just passing legislation is not the silver bullet. It requires enforcement. It requires industry working together. It requires lots of investment in technology, and it requires a lot of help in the form of guidance to users as well. This is just a piece of the approach that we all collectively can take part in to help ensure that the trust in our economy, as well as the use of the Internet, continues to grow.

This interview is available in its entirety as a podcast on the IAPP’s Web site, under Resources, at https://www.privacyassociation.org/.


Ari Schwartz, Associate Director of the Center for Democracy & Technology


Transferring Personal Data Outside Europe: the Saga Continues

Wim Nauwelaerts

Since the EU Data Privacy Directive came into force, the topic of how to lawfully transfer personal data outside the European Union has been rife with controversy and confusion. Companies doing business in the EU are often faced with a regulatory conundrum, mainly because there is no uniform application in the different EU member states of the rules that govern outbound transfer. Divergences between the data privacy legislation adopted by the member states tend to provoke forum-shopping for jurisdictions with permissive transfer regimes. In late November, the Article 29 Working Party — an advisory body to the European Commission comprising member state data protection officials — adopted guidelines and “best practices” for transferring personal data outside the EU. The intent of these new guidelines was to bring clarification and direction to the ongoing debate.

General Principle regarding Transfer to Third Countries

As a general rule, personal data should only be transferred outside the EU if the receiving country in question guarantees an adequate level of data protection. Each individual member state is responsible for making sure that no personal data is sent from its territory in violation of this rule. Therefore, in some member states, it may be necessary to obtain prior authorization from the local data-protection authorities before a transfer of personal data to a third country can take place. The EU Data Privacy Directive empowers the European Commission to formally recognize that certain third countries do offer adequate protection, and that personal data can be exported to those countries without specific requirements. However, so far, only transfers to Argentina, Canada, Guernsey, Isle of Man, Switzerland or in the context of the EU/US Safe Harbor Agreement are covered by an adequacy decision from the Commission. The United States, China and Japan — incidentally all major trading partners of the EU — are currently considered to have inadequate protection of personal data.

Contractual Derogations

It is possible to transfer personal data to a country outside the EU that does not ensure an adequate level of protection, provided that the data exporter — as opposed to the receiving country’s regulator — has put in place adequate privacy safeguards. To achieve this transfer, the data exporter usually enters into appropriate contractual clauses or other legal frameworks with its data importer(s) outside Europe. To promote the use of contractual safeguards for these transfers, the European Commission has approved three different sets of model clauses. It is the responsibility of the data exporters to choose the one that best fits their needs. As an alternative to the Commission’s standard contractual clauses, the Article 29 Working Party has been promoting the use of “binding corporate rules,” especially by multinationals that transfer vast amounts of personal data outside Europe — mostly electronically, and often on a daily basis. Binding corporate rules are internal codes of conduct that enable multinational groups to exchange personal data internally without further requirements, provided that the data protection authorities of the exporting countries have approved these rules.

Measures of Last Resort

Even if the country of destination or the data exporter does not guarantee an adequate level of protection, the EU Data Privacy Directive provides the possibility to transfer personal data outside the EU in exceptional circumstances only. These “exceptions to the rule” include the use of unambiguous consent; necessity for contract conclusion/performance; public interest grounds or legal claims; protection of the individual’s vital interest; and public information transfers. Any of these could also be used as a legal basis where the country to which the personal data is sent ensures an adequate level of protection, but where its adequacy has not (yet) been assessed. According to the Article 29 Working Party, these exceptions should only be invoked in cases where the risks to the individual are relatively small, or where other legitimate interests override the individual’s right to privacy. Therefore, the Article 29 Working Party advocates a strict interpretation of the exceptions, to discourage companies from using them as the preferred option to transfer personal data outside Europe.

Best Practices

The Article 29 Working Party has devised a three-step assessment before transferring personal data outside Europe. First, the data exporter should consider whether the country of destination offers an adequate level of protection — and whether the exported data will actually be safeguarded in that country. If the country in question does not have adequate privacy protection — at least in the view of the European Commission and national data-protection authorities — the data exporter should consider implementing contractual safeguards. Only if this is genuinely inappropriate or impossible should the data exporter consider relying on one of the EU Data Privacy Directive’s exceptions. The national data-protection authorities are expected to interpret these exceptions narrowly to ensure their application does not compromise individuals’ privacy rights.

Practical Implications

The Article 29 Working Party’s recent guidance on how to lawfully transfer personal data outside the EU may stimulate international businesses to reassess their existing data management practices. Since the EU Data Privacy Directive does not specify that exceptions such as unambiguous consent should only be used as a last resort, many multinationals previously have relied — and may still rely — on those exceptions to make significant data transfers. As most multinational groups will be considered to have the necessary resources for ensuring privacy protection through contractual clauses or binding corporate rules, they may need to establish an appropriate framework for transferring personal data to their offices in the United States, Japan, etc., instead of processing on the basis of individuals’ consent.

The strict interpretation of the exceptions’ scope of application — as proposed by the Article 29 Working Party — may also be an additional incentive for companies exporting personal data outside the EU to revise their transfer practices. Consent, for example, will only constitute a valid basis for transfer if it meets several criteria (i.e. it must be informed, freely given, specific and a clear and unambiguous indication of the individual’s wishes). Implied consent is when an individual has been informed of a transfer and has not objected to it. The use of pre-ticked boxes on consent forms would not be sufficient, according to this strict interpretation. Another exception often used to export personal data is the notion of necessity for the conclusion or performance of a contract — either with the individual concerned or with a third party. The Article 29 Working Party subjects the use of this exception to rigorous conditions: in order to pass the necessity test, the data exporter would need to establish that there is a “close and substantial connection between the data subject and the purposes of the contract.” This necessity test is rather obscure and prone to differing interpretation. For instance, the Article 29 Working Party has taken the position that in a typical employment context, there is no “necessity” to transfer human-resources data outside the EU. This strict interpretation may not sound very realistic to international groups, whose human resources departments cannot be managed effectively without employee-data transfers. Moreover, effective human-resources management usually benefits employees as well.

Businesses that frequently transfer personal data outside Europe will most likely appreciate the “best practices” recommended by the Article 29 Working Party. However, it is unlikely that these guidelines will suffice to ensure that in the future, businesses can transfer personal data more efficiently. A uniform and consistent interpretation by the data protection authorities of all member states will be key to the guidelines’ success. It can be expected that the harmonization process at the member state level will continue to experience growing pains, as the guidelines are applied in practice.

Wim Nauwelaerts is an attorney in the Brussels office of Hogan & Hartson L.L.P., specializing in EU privacy and data protection law. He can be reached at [email protected] or at +32 2 505 09 11.



Inaugural KnowledgeNet Blows Into Denver

John D. Lilly

Privacy pros braved a fierce Colorado snowstorm last month to attend the inaugural Denver KnowledgeNet. The meeting was attended by an interesting array of privacy professionals from throughout the Rocky Mountain region, including Chief Privacy Officers from a financial institution and a large retailer, a State of Colorado employee, a graduate student in information security and others.

Tom Bartel, CIPP, Privacy and Compliance Officer for Return Path, was the featured speaker. Bartel’s presentation, “Two Steps to Solving the Email Identity Crisis: Authentication and Reputation,” outlined the ongoing and escalating battle between spammers and legitimate companies that rely on email for customer transactions. It was a timely topic for everyone, from both a personal and a corporate privacy perspective. The underlying message of the talk, that companies gain customer trust and build reputation through privacy controls, process and technology, resonated with the KnowledgeNet attendees.

Bartel’s informative program sparked a lively Q&A and networking session. Attendees were excited to have a local forum to connect face-to-face with others in their field. Privacy pros who attended expressed great energy and interest in attending subsequent Denver KnowledgeNet meetings.

John D. Lilly, Senior Staff Engineer, Sun Microsystems, is the co-chair of the Denver KnowledgeNet. He may be reached at [email protected].

The photo shows, from left to right, Tom Bartel of Return Path, the KnowledgeNet speaker; John D. Lilly, Senior Staff Engineer, Sun Microsystems; and Rosa Olveda of First Data Corp., the Denver KnowledgeNet co-chairs.

Japan’s KnowledgeNet Discussion Draws More Than 40 Privacy Pros

Isao Idota

Members of Tokyo’s KnowledgeNet gather for presentations by Andrea Steinberg of Daimler Chrysler Japan; Daiya Watanabe of NEC NextSolutions, Ltd.; Robert Samson of Marriott Vacation Club and Sagi Leizenkov of Ernst & Young.

The Second KnowledgeNet Tokyo Conference was held at the Ernst & Young ShinNihon office in Hibiya, Tokyo, Japan, in November. More than 40 privacy professionals representing various Japanese, American and European organizations in the public and private sectors attended the session.

Hideo Kimura of Ernst & Young ShinNihon gave opening remarks. Andrea Steinberg of Daimler Chrysler Japan then kicked off his presentation, “Daimler Chrysler’s Approach to Personal Information Protection.” Daimler Chrysler, as a global enterprise, maintains comprehensive privacy policies and practices, which comply with the regulatory requirements of regional and local economies. The core of the company’s privacy policy comprises a code of conduct for customers and suppliers, an integrity code and an information security policy — all of which are in full compliance with individual local privacy laws and regulations. Steinberg went on to explain the organizational structure of Daimler Chrysler.

Daimler Chrysler supports ongoing personal information protection efforts worldwide, including regional operational sites, such as Europe/Africa, North America, Asia/Pacific, and others. Steinberg also detailed the regulatory environment surrounding privacy protection in Germany. He gave a basic overview of the OECD Guidelines and the EU Data Protection Directives as well as the Personal Information Protection Law of Germany, enacted in 2001. His thorough presentation provided the


audience with an insightful perspective on how a multinational corporation should approach the vital issue of privacy protection.

The next presenter was Daiya Watanabe of NEC NextSolutions, Ltd., who gave a presentation titled, “Role and Responsibility of the Privacy Officer and Enhancement of Governability of Personal Privacy Protection.” With the full enforcement of the Japanese Personal Information Protection Act, more and more Japanese organizations are creating new management-level positions for privacy officers. Watanabe emphasized that privacy protection is not solely a legal, technical or administrative issue. It is a fundamental business issue and must be integrated into the very fabric of an organization’s culture and into each business process.

Watanabe also went over, item by item, the details of the Japanese Personal Information Protection Act, and its impact on Japanese businesses as well as its potential implications. All of the audience members found his detailed presentation extremely valuable.

In the last KnowledgeNet Tokyo conference presentation, Robert Samson of Marriott Vacation Club and Sagi Leizenkov of Ernst & Young discussed the American perspectives on privacy protection, which also were well-received. The audience can hardly wait for the next KnowledgeNet conference after having experienced a progressive and dynamic exchange of European, American and Japanese perspectives.

Isao Idota is the Executive Director of the Japan Engineers Federation and the TRUSTe Japan Program.

Working Group Update!!

The IAPP announces the newest Working Groups’ communication tool for its members!

We are happy to announce the online launch of the IAPP Working Groups’ List Serve. We expect that the tools provided to members through the site will create a vibrant and valuable dialogue. We encourage you to explore all that we have to offer!

On the IAPP site (www.privacyassociation.org), you will find information for each of our Working Groups:

• Health Care/Pharma

• Consumer Marketing

• Higher Education

• Financial Services

• International

• Human Resources

• Government

Perhaps more importantly, you will find sign-up options for the List Serve for each of these groups. The List Serve will allow members to ask questions, share case studies, best practices, war stories, legislative developments and more. But the value of the List Serve is directly related to your participation — so visit the site and sign up today!

Please note that the List Serves are only available to IAPP members.

TO JOIN

Click on the “Networking” tab on the IAPP Web site and select “Working Groups” from the drop-down menu. Select your area of interest and follow the instructions for List Serve sign-up on the site.

You may also join by contacting Bethany Moulton, Conference Coordinator and Working Groups Manager: [email protected]

We hope that you will take advantage of this new membership benefit!

Members of the Health Care/Pharma IAPP working group, including Kimberly Gray, Chief Privacy Officer for Highmark Inc. and an IAPP board member, meet at the IAPP Privacy Academy 2005 in Las Vegas last fall. IAPP members can now take advantage of the new Working Groups’ List Serve available on the IAPP’s newly redesigned Web site, www.privacyassociation.org.


Congratulations, Certified Professionals!

The individuals below successfully completed the IAPP privacy certification programs as hosted at the recent IAPP Privacy Academy in Las Vegas and Infosecurity New York. They join an inaugural class of more than 500 professionals certified by the IAPP in 2005.

Kimberly Addicott, CIPP; Sameer Ansari, CIPP; Guido Appenzeller, Ph.D., CIPP; Marti Arvin, CIPP/G; George G. Balint, CIPP; Karl S. Barrios, CIPP; Elise Berkower, CIPP; Deborah S. Bernhardt, CIPP; Kristi L. Berry, CIPP; Susan A. Blair, CIPP; Ellen E. Cannon, CIPP; Marlene Carey, CIPP; Perry D. Carpenter, CIPP; Maureen H. Cheheyl, CIPP/G; Kenneth A. Clark, CIPP; John Wyatt Collins, CIPP/G; Jon B. Comstock, CIPP; Carole Coplan, CIPP; Greg Corlis, CIPP; Barbara Cousins, CIPP; Cynthia C. Crawford, CIPP; Kristy A. Crawford, CIPP; Scott Crosby, CIPP/G; Tony Dang, CIPP; Ken DeJarnette, CIPP; Christopher DeNezza, CIPP; J. Brooks Dobbs, CIPP; Jean L. Domico, CIPP; Matthew F. Druzba, CIPP; Darlene D. Dymond, CIPP; Miles B. Edmundson, CIPP; Dean Forbes, CIPP; Rebecca Finnin, CIPP; Phllip B. Fishgold, CIPP; Tramond Lorenzo French, CIPP; Laurie A. Fulton, CIPP; Ellen M. Giblin, CIPP; Joseph Giblin, CIPP; Rosemary Gigante, CIPP; Jeffrey Gill, CIPP

Irina Giller, CIPP; Cherri Gillmore, CIPP; Daniel J. Goldstein, CIPP; Scott D. Goss, CIPP; Robert Gratchner, CIPP; Carolyn J. Greathouse, CIPP; Kim P. Gunter, CIPP; Sascha Hanke, CIPP; Kim Hargraves, CIPP; Coralee Harris, CIPP; Glen A. Hathaway, CIPP; Todd A. Hood, CIPP; Mitchell Rex Hoppenworth, CIPP; Cheryl K. House, CIPP; James B. Huddleston, CIPP; Heather L. Humphrey, CIPP; Sallie H. Hunt, CIPP/G; Benjamin Grange Isaacson, CIPP; Rise F. Jacobs, CIPP; Sherry M. Jacques, CIPP; Santiago Jaramillo, CIPP; John Thomas Jensen, CIPP; Alexander W. Joel, CIPP/G; Wesley Johns, CIPP; Lydia Paynes Johnson, CIPP; Jigar Ajit Kadakia, CIPP; Michael Kazmierczak, CIPP; Robert J. Kennedy, CIPP/G; Donald Knips, CIPP; Bob Unti Koshy, CIPP; Stacey Kovoros, CIPP; Eric Langheinrich, CIPP; Kara Laeser, CIPP; Susan Lau, CIPP; Virginia Lee, CIPP; Matthew P. Leonard, CIPP; John D. Lilly, CIPP; Brien J. Link, CIPP; Jody A. Little, CIPP; David M. Lorenz, CIPP

Alice Ludwig, CIPP; Gail A Magnuson, CIPP; Paula L. Mango, CIPP; Dawn Mann, CIPP; Magnolia Mansourkia, CIPP; Amelita G. Martin, CIPP; William Creigh Martson, CIPP; Dale Masi, CIPP; Kathleen Matyola, CIPP; Brian McCarty, CIPP; Julie A. McGhghy, CIPP; Brian McKeen, CIPP; Terry McQuay, CIPP; Charles R. Miller, CIPP; Lori Linn Mininger, CIPP/G; Richard E. Mitchell, CIPP; Linda S. Monk, CIPP/G; Patrick Michael Mooty, CIPP; John Gregory Morin, CIPP; Scott B. Moritz, CIPP; James F. Myers, CIPP; Jeffrey P. Nicol, CIPP; Gail M. O’Brien, CIPP; Edward Jeffrey Oshinskie, CIPP; Ertem Osmanoglu, CIPP; Anatoly Ostrishko, CIPP; Sandy Ford Page, CIPP; Keith R. Pajonas, CIPP; Carol Paret, CIPP; Gordon Lawrence Parsons, CIPP; Erica Gene Perel, CIPP; Stephanie Phillippy, CIPP; Lawrence D. Pixa, CIPP/G; Jerry L. Porter, CIPP; Pamela R. Poucher, CIPP; John Pryde, CIPP; Sherry L. Ramsey, CIPP; James Austin Richards III, CIPP/G; Brian Roberts, CIPP/G; Doron Rotman, CIPP

Subhashini Santhanam, CIPP; Vincent Edward Scanlan, CIPP; Jeanne M. Scanlon, CIPP; Ric Schaefer, CIPP; Les Seagraves, CIPP; Nancy L. Shelledy, CIPP; Robert Shullich, CIPP; Daniel F. Sinni, CIPP; Beth A. Sipula, CIPP; Lynn Ann Siverd, CIPP; Andre L. Smiley, CIPP; Chadwick Smith, CIPP; Russell E. Smith, CIPP; Phil Sodoma, CIPP; Kok Pheng Tan, CIPP; Lawrence Tan Meng Kat, CIPP/G; A. J. Taylor, CIPP; Joanna M. Taylor, CIPP; Peter Taylor, CIPP; Robert M. Thibault, CIPP; Patricia Tooley, CIPP; Teresa A. Troester-Falk, CIPP; Stuart M. Tyler, CIPP; Harry A. Van Court, CIPP; Anthony P. Vannelli, CIPP; Cheryl Walton, CIPP; Debra Weatherford, CIPP/G; Raymond Weeks, CIPP; Christopher G. Weinstock, CIPP; Mary Gay Whitmer, CIPP/G; Rob Wigley, CIPP; Jeffrey S. Williams, CIPP; Sara Wood, CIPP; Mary L. Hirsch Woolley, CIPP; Matthew Wright, CIPP; Jiyeon Yang, CIPP; Omid K. Yazdi, CIPP/G; Timothy C. Zevnik, CIPP/G


Federal Security Breach Legislation Progresses (but Slowly)

Kirk J. Nahra

Congress continues to spend significant time reviewing numerous pieces of proposed legislation directed at creating a federal rule for notification of security breaches (and a variety of other information security-related issues). Pressure is mounting for legislation at some point and significant federal legislation in 2006 appears increasingly likely.

While this debate continues, some critical issues remain open for those affected by security laws — primarily those involving preemption of state law, the standard for consumer notification and the types of harm that will trigger a notification obligation.

Progress to Date

At least five different congressional committees — three in the Senate and two in the House — are focusing significant attention on security breaches.

The Senate Judiciary Committee was the first committee to begin evaluation of proposed legislation, but it has been slowed somewhat by consideration of Supreme Court nominees. The Judiciary Committee has approved S. 1326, the proposed Personal Data Security Act, which would require companies to notify consumers about a security breach that poses a “significant risk” of identity theft. The Committee also is considering — but has not yet acted on — a broader proposal introduced by the Committee Chairman, Senator Arlen Specter (R-PA).

The Senate Commerce Committee also has reported a legislative proposal, S. 1408. This bill requires consumer notification when there is a “reasonable risk of identity theft.” In addition, the Senate Banking Committee (chaired by Senator Shelby (R-AL), a longtime activist on privacy issues) has asserted its jurisdictional reach over identity theft, although this Committee has not yet approved legislation on these issues.

The presumption is that no measure will be taken up by the full Senate until each of these three committees has had a chance to approve its own version of this proposal.

On the House side, the Financial Institutions Subcommittee of the Financial Services Committee has introduced H.R. 3997 and held one legislative hearing on November 9, 2005, but this subcommittee has indicated publicly that there is no consensus among its members on the provisions of the legislation and that more aggressive efforts to mark up the legislation likely would not take place until 2006.

The House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection has passed H.R. 4127 (introduced by Representative Cliff Stearns (R-FL), who chairs that subcommittee). The Stearns proposal requires notification when there is a “reasonable basis to conclude that there is a significant risk of identity theft.” This bill will be taken up by the full committee in the future.

The House Judiciary Committee also is reviewing potential identity theft legislation (although this effort so far has been focused on criminal penalties for identity theft rather than security breach notification per se).

The Key Issues

As various committees debate these proposals and jockey for legislative position, what are the primary questions they are reviewing?

Preemption

The first issue — and the critical issue for many potentially affected entities — is whether the proposed federal law will preempt the numerous state laws establishing specific and varying notification obligations. Many federal privacy-related statutes (such as Gramm-Leach-Bliley and HIPAA) create a federal “floor” for privacy protection but do not preempt more stringent state laws. Divergent requirements have created enormous confusion for entities facing both state and federal responsibilities, and, in many circumstances, have led to substantial compliance costs without producing additional meaningful protections for personal information.

The question of compliance costs was addressed by a “Cost Estimate” report issued by the Congressional Budget Office. In assessing the cost implications of S. 1408, one of the bills under consideration, the CBO estimated that “the total direct cost of mandates in the bill” (primarily the costs of security standards and notification requirements imposed on a large number of private sector entities) would exceed the cost thresholds established in the “unfunded mandates” law, meaning that the costs “would exceed” $123 million on an annual basis.

Many of the pending legislative proposals in fact do preempt all relevant state notice laws. In recent weeks, there have been some “bends” in this position, and the question of preemption is very much still in play in the legislative debate.

Breach Reporting Standard

After preemption, perhaps the most significant substantive issue involves the standard for the reporting of breaches. There is substantial concern, expressed by the Federal Trade Commission and others, about the risks of “over-notification.” Moreover, a wide variety of activities that could technically be classified as security breaches (e.g., erroneous mailings, etc.) are small mistakes that do not present realistic risks of any significant harm.

Accordingly, the various committees are struggling over whether the relevant standard for notifying customers should be (1) “any” breach, (2) any breach unless the relevant business determines through an appropriate investigation that there is no reasonable risk of identity theft, or (3) only those breaches where there is a realistic risk of identity theft. Obviously, these three standards create very different notice obligations and would lead to wide variations in the volume of security breach notices. The standard also will play into any subsequent litigation over these breaches to the extent that companies are sued based on the “risk” of identity theft.

Relevant Harms

At the same time that the committees are evaluating the notice standard, Congress also is considering whether the laws will respond only to one kind of privacy harm — potential identity theft — or will encompass other kinds of potential harms as well. For example, there is ongoing debate about whether health information disclosure will be encompassed within the scope of potential harms that must be evaluated in connection with a breach notification. Typically, disclosure of health information would not lead, by itself, to a reasonable risk of identity theft. A security breach that discloses substantial health information could lead to other kinds of privacy harm (embarrassment, reputation injury, etc.), but these risks are far removed from the identity theft issues that have driven the attention to this potential legislation.

Security Practices

In addition to providing for security breach notification, most of the relevant pieces of legislation also include legal requirements for companies — in all industries — to develop appropriate security practices related to the protection of consumer data. Most of the proposed legislation would require entities to:

• Develop, implement and maintain an effective information security program for sensitive personal information.

• Develop procedures for verifying the credentials of any third party seeking to obtain the sensitive personal information of another person.

• Develop disposal procedures to be followed by covered entities that (a) dispose of sensitive personal information or (b) transfer sensitive personal information to third parties for disposal.

These requirements mirror the “standard” security obligations imposed under the Gramm-Leach-Bliley Act for financial institutions and will have (1) major effects for companies outside of the industries currently regulated on security practices (e.g., banking and healthcare) and (2) minor effects, mainly in terms of emphasis, on entities already regulated.

Scope of Other Issues

There also is a significant debate as to the scope of “other” issues that may be covered in this legislation. Senator Specter's bill, for example, addresses a wide variety of additional provisions beyond the security practices and breach notification issues. The Senate Judiciary Committee has indicated that it is not yet prepared to reach a consensus on whether these additional issues should be included. Accordingly, while the focus still remains on security practices and breach notification, affected entities will need to be aware of whether bills receiving serious consideration will address other practices or impose potential obligations related to protection of personal data.

Data Brokers

The current attention on security breaches was driven — at least in the first instance — by the widely publicized security breach involving ChoicePoint. This incident attracted much attention since, for the most part, ChoicePoint is not regulated as to security breaches under current law. Accordingly, one key issue is whether proposed legislation will create specific requirements for “data brokers,” a term defined by several legislative proposals. Some of the early bills, now largely superseded, focused attention almost entirely on


See Breach Legislation, page 20


Close Up On…

2006: A State Legislative Outlook

Emily Hackett

State legislators have grappled historically with how to craft laws that target cyber criminals without inhibiting innovation and the free flow of information, unnecessarily regulating legitimate business or running afoul of the First Amendment. That struggle will continue in 2006. The leading Internet and ecommerce issues to be debated in state legislatures this year include:

• Security Breach

• Phishing

• Spyware/Adware/Pop-ups

• Violent Video Games

• Online Dating

• VoIP

• RFID

• Outsourcing

After a series of data breaches last year and spurred by a public outcry, legislators introduced a flurry of bills requiring companies to notify affected customers when data has been accessed or obtained inappropriately. At the end of 2005, lawmakers had introduced a total of 156 breach bills in 40 states. Most of the proposed legislation required companies to notify customers of security breaches that may have resulted in the release of their personal and financial information.

Data security clearly was, and will continue to be, the No. 1 Internet- and information-industry issue debated in state legislatures in 2006.

The 26 “patchwork quilt” state data security breach laws that passed in 2005 include a tough New York law that will require businesses to notify customers even if the breach is unlikely to result in identity theft. Another law in Florida requires businesses to notify customers within 30 days of discovering the breach. These varying multiple laws may spur passage of a federal law that preempts state legislation. In fact, a handful of bills were debated in Congress, but no data notification bill passed, partly because of growing concerns that the bills would actually take a step backward from existing state laws.

There are more than 100 data breach bills that have been prefiled or are pending that could be debated in 2006 in about 20 states. We expect every state will have debated the issue before the end of the biennium.

States will continue to introduce bills aimed at cracking down on computer and online crimes, as both the frequency of phishing attacks and their sophistication increase dramatically. Scams aimed at stealing consumers' personal identity data and financial account credentials surged even before the 2005 holiday season began. Financial services continues to be the most targeted industry sector, with scam attempts growing to 86.9 percent of all computer attacks at the end of 2005. The Gartner Group estimates that direct phishing-related losses to U.S. banks and credit card issuers in 2003 alone were more than $1 billion.

On an average day, about 94 million American adults use the Internet. About 25 million people have sold something at one time or another online. As consumers become more inundated with spyware, adware and pop-ups, lawmakers will continue to look for ways to regulate the technologies that make it possible to market online. Already, there are 34 spyware bills filed or carried over that could be debated in 12 states in 2006. This includes a bill prefiled in Florida. The bill would make it a felony to transmit material deemed harmful to minors via unsolicited electronic mail or a computer pop-up, when the person “knew or reasonably should have known” that they were transmitting the material to a minor. The bill would exempt subscription-based transmissions, such as list servers.

Regulating the online dating industry was discussed but not passed in eight states in 2005. Most recently, a Florida lawmaker introduced a bill requiring all dating services to post on their Web sites whether or not they conducted background checks on their members. Other state legislators will likely return to this issue with renewed vigor in 2006. This issue can have a broader impact on the Internet and consumers because the definitions of dating contained in the legislation have historically captured online activities like Instant Messaging and chat rooms.

Voice over Internet Protocol (VoIP) attracted considerable attention in the business community, the media and among policymakers. Last year, a federal judge barred the Minnesota Public Utilities Commission from requiring VoIP providers to register as a phone company or submit to local telephone rules. That decision raised significant questions over whether states have the authority to regulate VoIP carriers. Since then, states largely have held back from asserting broad regulatory authority over VoIP carriers. But as states look for new sources of revenue, lawmakers will have a renewed interest in taxing and regulating VoIP. In 2005, there were 40 bills introduced in 26 states. Only 10 states passed laws, most of which proposed extension of the state’s E-911 surcharge to new Internet communication services including VoIP.

Lawmakers also will focus on privacy issues surrounding the use of Radio Frequency Identification (RFID). The hope among retailers is that the technology will be used as a “next generation” barcode, automating inventory, while cutting costs for manufacturers and retailers. However, as the RFID technology advances, the debate about potential privacy infringements has increased. The idea of businesses or government having the capability to create a personal log of a consumer’s past purchases, shopping patterns and behavioral patterns is considered intrusive by many people. The RFID debate is expected to widen in 2006. About 18 bills were introduced in 14 states in 2005. Of those states, eight have bills that will carry over to the 2006 session. Most recently, after studying the issue over the summer, the New Hampshire House Commerce Committee voted to reintroduce a bill in January that would ban “all tracking devices.”

Demand for outsourced services is rising quickly as more and more companies look for ways to cut their costs and improve productivity. By 2007, global spending on IT outsourcing alone is expected to top $50 billion per year, according to market analyst Gartner. The number of service jobs outsourced from the industrialized world to low-wage countries is expected to surge to 4.1 million by 2008, according to Bangladesh press.

Proposed state laws to limit outsourcing increased markedly in 2005. Around 216 bills were introduced in 44 states. The bills included prohibitions on outsourcing jobs when receiving state funds, restrictions on offshoring personally identifiable information, such as patient data, and requirements that offshore call centers disclose their location and/or reroute calls to U.S. operators upon request.

In 2005, 12 states enacted outsourcing laws. All of the new laws were limited to state contracts, either prohibiting hiring offshore or giving preference to companies that will hire in the states.

More than 20 states have outsourcing bills currently pending for 2006.

Emily Hackett is Executive Director of the Internet Alliance, the leading Internet trade association operating in the states. The IA represents a broad spectrum of Internet users, including marketers, content providers, ISPs and consumers. She can be reached at +202.861.2476 or by email at [email protected].

IAPP In The News

Registration Opens for the IAPP National Summit 2006

Line-Up of Keynote Speakers Announced for International Gathering of Privacy Pros March 8-10 in Washington, D.C.

News of the IAPP National Summit 2006 hit the wires earlier this month to promote the largest and most anticipated privacy conference. This year’s Summit will offer an in-depth focus on domestic and international privacy issues while providing access to privacy pros who seek to connect and network with key public policymakers.

“We look forward to hosting privacy pros in the heart of Washington, D.C., for an invaluable opportunity to network with public policymakers and significant leaders in the privacy profession,” said J. Trevor Hughes, the IAPP’s Executive Director. “The National Summit 2006 gives attendees the chance to tailor programming specifically for their interests. We urge privacy pros from diverse industries to register as soon as possible for an opportunity that will expand their breadth and depth of expertise in the privacy profession.”

The Summit agenda will include the most recent information on hot topics, including: ID theft; genetic privacy; international privacy issues, including India and its outsourcing industry; and generational privacy issues that affect the attitudes of different age groups.

The Summit also will offer privacy pros IAPP certification training and testing. On Wednesday, March 8, the IAPP will hold an all-day workshop to help students prepare for certification testing for both credentials, the Certified Information Privacy Professional (CIPP) and the Certified Information Privacy Professional/Government (CIPP/G). Certification examinations will be administered Friday, March 10.

To register for the Summit or learn more about the event, go to https://www.privacyassociation.org/.

The IAPP National Summit 2006 Keynote Speakers

Jonathan Zittrain, Co-Founder of the Berkman Center for Internet & Society at Harvard Law School.

Brad Smith, Senior Vice President, General Counsel, for Microsoft, who helped spearhead the company’s global campaigns to bring enforcement actions against those responsible for illegal spamming, virus creation and software counterfeiting.

David J. Brailer, National Coordinator for Health Information Technology, U.S. Department of Health and Human Services. Dr. Brailer heads President Bush’s efforts to deploy widespread health-information technology within the next 10 years.

Christophe Pallez, Secretary General of the CNIL, France. Secretary General Pallez has served as head of the French data protection authority since September 2005.


IAPP In The News

Privacy Pros to Serve on Inaugural Board

After an enthusiastic response from IAPP members to a call for candidates to serve on a new Advisory Board, the IAPP has announced the members of its inaugural Advisory Board for The Privacy Advisor, one of the main benefits of IAPP membership.

Kirk J. Nahra, CIPP, Editor of The Privacy Advisor and a partner with Wiley Rein & Fielding in Washington, D.C., will serve as chairman of the 10-member board.

“We are eager to hear from our new board members what privacy and security issues are crossing their desks every day,” Nahra said. “We are seeking the valuable expertise of these privacy pros who will bring diverse perspectives from backgrounds in law, online marketing, financial services, government and other various industries. We’ve been able to cover the privacy waterfront with this board.”

“The Privacy Advisor is a powerful forum for informing and educating privacy professionals,” said Elise Berkower, CIPP, Senior Privacy Compliance Officer for DoubleClick Inc., a leading provider of digital advertising technology and services, headquartered in New York. “It is an honor to work with such knowledgeable privacy experts on this valuable resource. Our first Advisory Board meeting confirmed the depth of experience and analysis that the Board members have devoted to privacy issues.”

In October, the IAPP announced the creation of the board and asked candidates to submit their credentials. IAPP membership was a prerequisite for consideration. More than 60 candidates sought consideration for this valuable contribution to the privacy community.

• Elise Berkower, CIPP, Senior Privacy Compliance Officer, DoubleClick Inc.

• Ben Isaacson, CIPP, Privacy & Compliance Leader, Experian & CheetahMail

• Jacqueline Klosek, Senior Associate, Goodwin Procter LLP

• Billy J. Spears, CIPP/G

• Lydia E. Payne-Johnson, CIPP, Executive Director, Chief Privacy Officer, Morgan Stanley

• Harry A. Valetk, CIPP, Director, Privacy Online, Entertainment Software Rating Board

• Philip L. Gordon, Shareholder, Littler Mendelson, P.C.

• Brian Hengesbaugh, Partner, Privacy/Information Technology/E-Commerce, Baker & McKenzie LLP

• Todd A. Hood, CIPP, Director, Regional Privacy, The Americas, Pitney Bowes Inc.

• Keith P. Enright, Director, Customer Information Management, Limited Brands, Inc.

Privacy News

Vontu Wins IDG’s InfoWorld 2006 Technology of the Year Award

Vontu, Inc., a leader in data loss prevention solutions, is the winner of the Technology of the Year Award for Best Insider Threat Defense application from IDG’s InfoWorld.

Vontu 4.0 was recognized as the industry’s top solution for preventing loss of customer data and intellectual property.

“The fact that InfoWorld created a new award for Best Insider Threat Defense is proof that Data Loss Prevention is now a top priority for IT Security and as such represents a significant market,” said Joseph Ansanelli, CEO of Vontu. “InfoWorld’s selection of Vontu clearly demonstrates that Vontu has the best product in this growing category.”

InfoWorld’s Test Center reviewed Vontu in June 2005. “Vontu accurately monitors all network traffic; selectively stops confidential data from going outside the enterprise; is easy to manage with role-based access, even in large deployments; and provides multiple levels of reports to identify risks and demonstrate corporate and regulatory compliance,” reported Mike Heck, Contributing Editor at InfoWorld’s Test Center.

Steve Fox, InfoWorld’s editor-in-chief, added, “Our annual awards highlight progress across nearly the entire enterprise IT landscape. InfoWorld’s 2006 Technology of the Year Award winners represent the best products defining, and often redefining, the role of IT and resulting business impact.”


MasterCard Launches Merchant Program to Protect Consumer Data

MasterCard is working with merchants on a new multi-faceted security program that provides incentives, tools and education to help merchants better safeguard consumer data.

“MasterCard understands that merchants are on the front lines of commerce,” said Chris Thom, Chief Risk Officer, MasterCard International. “We’re working collaboratively with merchants by providing them with practical content, tools and support to help protect their customers’ data. This is a critical part of our strategy for ensuring security in the payments system.”

One aspect of the new program is to make the MasterCard SecureCode™ program cost-effective for merchants. The security program allows cardholders to enter a code known only to them and their card issuer when making online purchases. The program allows the secure collection and processing of cardholder authentication data at the merchant’s Web site. Online merchants that support MasterCard SecureCode will be eligible for lower rates comparable to those for face-to-face transactions — up to a 16 percent reduction.

MasterCard also is offering free network vulnerability scans for merchants to make it easier for them to understand, adopt and comply with the Payment Card Industry Data Security Standard (PCI). Select companies, such as AmbironTrustWave, Cybertrust, One-Sec, Qualys and SecurityMetrics, will help merchants learn more about network vulnerabilities and how they could improve network security and achieve PCI compliance. Visitors to a new Web site, www.mastercardsecurity.com, can access the links to the participating security companies.

The third element of the program is education for merchants. The program combines advertising, Web content and Webinars on important security issues and resources. The new Web site will feature detailed, current information about security resources available to merchants and others.

e-Passport Testing to Begin at San Francisco International Airport

A live test of e-Passports began this month at the San Francisco International Airport as part of a joint effort with officials from the U.S., Australia, New Zealand and Singapore.

The test, which will run through April 15, will gather information that will help countries around the world to develop and implement e-Passports that comply with International Civil Aviation Organization standards.

“This test provides an important opportunity to work with our international partners to further the Department of Homeland Security’s efforts to put in place an e-Passport reader solution by the fall of this year,” said Jim Williams, director of US-VISIT, a Department of Homeland Security (DHS) program.

The e-Passport contains the holder’s biographic information and the holder’s digital photograph, which are embedded in a contactless chip in the passport. The passports are enabled with a security feature that prevents the unauthorized reading, or “skimming,” of information.

Participants include citizens of Australia and New Zealand who have been issued the new e-Passports, Singapore Airlines crew and officials holding trial e-Passports and U.S. diplomatic and official e-Passport holders.

This month’s test is the second one conducted by the U.S., Australia and New Zealand.

“The results of the previous test, held at Los Angeles International Airport and Sydney Airport, indicated that further testing would be beneficial to our development of a fully operational system,” Williams said. “So we will conduct further testing to allow for the evaluation of new technologies.”

The US-VISIT program is a DHS priority to enhance the security of U.S. citizens and visitors. It facilitates legitimate travel and trade, ensures the integrity of the U.S. immigration system and protects personal privacy, according to DHS. More than 46 million visitors to the U.S. have been processed through US-VISIT and 990 criminals or immigration violators have been caught with the use of biometrics, according to DHS.

Breach Legislation, continued from page 15

data brokers. Data brokers certainly are different from many commercial entities, in that the individuals on whom they maintain information typically are not customers of the data broker and often have no knowledge that their personal information has been collected by the data broker. While the anticipated federal legislation most likely will go beyond data brokers, this continuing debate will have an enormous effect on entities that are not data brokers but that maintain sensitive personal data.

What to Do Today

Although Congress continues to debate the formalities of security breach legislation, any company that collects and maintains personal information should recognize that the core principles embodied in these proposals are, for the most part, already effectively incorporated into legal requirements. Accordingly, for any company that collects or maintains personal information, it is critical to:

• Develop reasonable and appropriate security practices.

• Implement an effective mitigation plan for any significant security breaches.

• Have an effective approach to evaluating whether customer notice is required or appropriate and design a process for distributing a suitable notice in a reasonable time frame.

This article was published previously in Wiley Rein & Fielding’s Privacy in Focus newsletter (November 2005).

Nahra is a partner with Wiley Rein & Fielding LLP in Washington, D.C., where he specializes in healthcare, privacy, information security and insurance fraud litigation and counseling. He is chair of the firm’s Privacy Practice and co-chair of its Health Care Practice. He was elected to the Board of Directors of the International Association of Privacy Professionals, and serves as the editor of The Privacy Advisor. He is a Certified Information Privacy Professional. He can be reached at +202.719.7335 or [email protected].

Calendar of Events

To list your privacy event in The Privacy Advisor, email Ann E. Donlan at [email protected].

FEBRUARY

16 Genetic Privacy Audio Conference
Genetic And Health Privacy — Policies, Practices And Safeguards To Foster Customer Trust
Speakers: Harriet Pearson, Chief Privacy Officer, IBM; Sharon Terry, President and CEO, The Genetic Alliance; Tim Leshan, Branch Chief/Senior Policy Analyst, Policy and Program Analysis Branch, National Human Genome Research Institute, National Institutes of Health
1 p.m. – 2:30 p.m.
Check the IAPP Web site for more details: www.privacyassociation.org

MARCH

8-10 IAPP National Summit 2006
Omni Shoreham Hotel, 2500 Calvert Street NW, Washington, D.C. 20008
+202.234.0700
Register at www.privacyassociation.org.

8 IAPP Certification Training (CIPP and CIPP/G)
8 a.m. – 6 p.m. Eastern Time, Diplomat Room

8 General Electric’s Successful Binding Corporate Rules Program for International Transfers of Personal Data; Hot Human Resources Issues in the European Union
DLA Piper Rudnick Gray Cary US LLP, Washington, D.C.
More information is available at www.privacylaws.com

10 CIPP and CIPP/G Exams
IAPP Certification Testing (CIPP/CIPP/G)
8 a.m. – 11 a.m. Eastern Time, Grand Ballroom

APRIL

9 – 11 NATIONAL HIPAA SUMMIT 12
Hyatt Regency Capitol Hill, 400 New Jersey Avenue NW, Washington, D.C.
+202.737.1234

7 IAPP Certification Training (CIPP and CIPP/G)
8 a.m. – 6 p.m. Eastern Time, Hyatt Regency Capitol Hill, 400 New Jersey Avenue NW, Washington, D.C. (Room TBD)

7 IAPP Certification Testing (CIPP and CIPP/G)
9 a.m. – 12 p.m. Eastern Time, Hyatt Regency Capitol Hill, 400 New Jersey Avenue NW, Washington, D.C. (Room TBD)