Latest Developments in Consumer Privacy - PowerPoint PPT Presentation

Provided by: brianhen

Transcript and Presenter's Notes

1
Latest Developments in Consumer Privacy
  • Brian Hengesbaugh
  • Baker McKenzie (Chicago office)
  • 312-861-3077
  • brian.hengesbaugh@bakernet.com
  • www.bakernet.com/ecommerce

2
BIG PICTURE
  • State Law Developments
  • Information Security Programs
  • Privacy Considerations in Developing and Managing
    a Website

3
STATE LAW DEVELOPMENTS
  • Legal Context
  • GLB, FCRA, HIPAA are all minimum standards
  • States invited to do more, so long as not
    inconsistent
  • States as laboratories

4
Post September 11
  • Legislative Interest in Privacy
  • 750 state privacy bills
  • 50 state financial privacy bills
  • 85 federal privacy bills

5
Vermont Regulation
  • Financial and Health Information
  • Opt-in for nonaffiliate sharing
  • Legal challenge by ACLI, AIA, and more
  • exceeds authority
  • violates intent of law
  • Chances of success???

6
New Mexico Regulation
  • Financial and Health Information
  • Opt-in for nonaffiliate sharing
  • Any legal challenge?

7
California, Illinois, New York, and others
considering more
  • Opt-in measures for nonaffiliate sharing
  • Limits on sharing within affiliated groups (e.g.
    prior CA bill)
  • Driving force for federal preemption?
  • Financial privacy commission and moratorium on
    new state laws (HR 3068)

8
California -- Social Security Numbers
  • Restrictions on
  • transmitting SSNs over Internet
  • printing SSNs on mailed materials
  • July 1, 2002 implementation, but grandfather for
    existing practices if
  • continuous
  • notice of right to opt-out
  • individual does not opt-out

9
INFORMATION SECURITY PROGRAMS
  • Final Interagency Guidelines Establishing
    Standards for Safeguarding Customer Information
    (February 1, 2001)
  • FTC Proposed Standards for Safeguarding Customer
    Information (Comment Period Closed October 9,
    2001)

10
Focus on Process
  • Due diligence is 90% of the battle (checklist)
  • STEP 1 Conduct a comprehensive assessment that
    examines:
  • internal and external threats
  • sensitivity of data
  • potential damage

11
Focus on Process (cont.)
  • STEP 2 Assess sufficiency of existing policies
    and procedures
  • access controls on systems and encryption
  • physical access restrictions
  • automatic reviews of system modifications
  • technological and environmental hazards
  • Subjective standard: adopt those measures the
    bank considers appropriate

12
Focus on Process (cont.)
  • STEP 3 Take appropriate organizational and
    administrative actions
  • written information security program
  • involve board of directors
  • implement a system for regular testing
  • information security officer
  • service provider arrangements

13
Service Provider Arrangements
  • Due diligence in selecting SPs
  • Establish contract to meet objectives of
    Guidelines
  • Where appropriate, ongoing monitoring (or review
    SAS 70 or similar report)

14
Contract with SPs
  • Key Issues
  • Appropriate measures to meet objectives of
    Guidelines (full compliance not required) (e.g.,
    board of directors)
  • Overly strict limits on use and disclosure
  • Scope of information covered

15
WEBSITE PRIVACY ISSUES
  • Context: the entire privacy and consumer protection
    legal framework PLUS online application of that
    framework
  • FTC and State AG dedication to enforcement

16
Website Privacy Issues
  • Passive and active collection
  • Relationships with third parties
  • Satisfying GLB notice requirements
  • Jurisdiction

17
Passive and Active Collection
  • Passive collections -- cookies, web bugs, IP
    addresses, clickstream data, etc.
  • wooden obligations to notify under GLB
  • broader notification obligations under consumer
    protection statutes (e.g. Michigan AG and New
    Jersey AG)
  • Active collections
  • unfriendly GLB language for policy

18
Relationships with Third Parties
  • Support Services
  • Internet Service Providers
  • Web hosting services
  • Application Service Providers
  • Data analysis firms (Toys R Us)
  • GLB security guidelines apply

19
Relationships with Third Parties (cont.)
  • Marketing/ Advertisers
  • 3rd party advertisers (NAI principles)
  • Framing and co-branded websites
  • Joint marketers

20
Satisfying GLB Notice Requirements Electronically
  • Reasonable expectation of receipt
  • Customer agrees
  • Obtains financial product or service
    electronically
  • Retention and accessibility

21
Jurisdiction
  • Reach of New Mexico and Vermont
  • Zippo analysis
  • How do you know who you are dealing with?

22
General Website Tips
  • Know what you are collecting
  • Know what your service providers are doing
  • Disclose, disclose, disclose
  • Keep it simple: avoid flowery language
  • Keep it flexible: avoid the "never" trap
  • Be mindful of jurisdiction

23
Keep track of privacy developments at
  • www.bakernet.com/ecommerce
  • www.bakernet.com/e-law (weekly newsletter)
  • Baker McKenzie
  • One E-Commerce World. One Firm. Connected.
  • For companies moving with change