Latest Developments in Consumer Privacy

1
Latest Developments in Consumer Privacy

• Brian Hengesbaugh
• Baker McKenzie (Chicago office)
• 312-861-3077
• brian.hengesbaugh_at_bakernet.com
• www.bakernet.com/ecommerce

2
BIG PICTURE

• State Law Developments
• Information Security Programs
• Privacy Considerations in Developing and Managing
  a Website

3
STATE LAW DEVELOPMENTS

• Legal Context
• GLB, FCRA, HIPAA all minimum standards
• States invited to do more, so long as not
  inconsistent
• States as laboratories

4
Post September 11

• Legislative Interest in Privacy
• 750 state privacy bills
• 50 state financial privacy bills
• 85 federal privacy bills

5
Vermont Regulation

• Financial and Health Information
• Opt-in for nonaffiliate sharing
• Legal challenge by ACLI, AIA, and more
• exceeds authority
• violates intent of law
• Chances of success???

6
New Mexico Regulation

• Financial and Health Information
• Opt-in for nonaffiliate sharing
• Any legal challenge?

7
California, Illinois, New York, and others
considering more

• Opt-in measures for nonaffiliate sharing
• Limits on sharing within affiliated groups (e.g.
  prior CA bill)
• Driving force for federal preemption?
• Financial privacy commission and moratorium on
  new state laws (HR 3068)

8
California -- Social Security Numbers

• Restrictions on
• transmitting SSNs over Internet
• printing SSNs on mailed materials
• July 1, 2002 implementation, but grandfather for
  existing practices if
• continuous
• notice of right to opt-out
• individual does not opt-out

9
INFORMATION SECURITY PROGRAMS

• Final Interagency Guidelines Establishing
  Standards for Safeguarding Customer Information
  (February 1, 2001)
• FTC Proposed Standards for Safeguarding Customer
  Information (Comment Period Closed October 9,
  2001)

10
Focus on Process

• Due diligence is 90 of battle (checklist)
• STEP 1 Conduct comprehensive assessment that
  examines
• internal and external threats
• sensitivity of data
• potential damage

11
Focus on Process (cont.)

• STEP 2 Assess sufficiency of existing policies
  and procedures
• access controls on systems and encryption
• physical access restrictions
• automatic reviews of system modifications
• technological and environmental hazards
• Subjective Standard . . adopt those measures the
  bank considers appropriate

12
Focus on Process (cont.)

• STEP 3 Take appropriate organizational and
  administrative actions
• written information security program
• involve board of directors
• implement a system for regular testing
• information security officer
• service provider arrangements

13
Service Provider Arrangements

• Due diligence in selecting SPs
• Establish contract to meet objectives of
  Guidelines
• Where appropriate, ongoing monitoring (or review
  SAS 70 or similar report)

14
Contract with SPs

• Key Issues
• Appropriate measures to meet objectives of
  Guidelines (full compliance not required) (e.g.,
  board of directors)
• Overly strict limits on use and disclosure
• Scope of information covered

15
WEBSITE PRIVACY ISSUES

• Context entire privacy and consumer protection
  legal framework PLUS online application of that
  framework
• FTC and State AG dedication to enforcement

16
Website Privacy Issues

• Passive and active collection
• Relationships with third parties
• Satisfying GLB notice requirements
• Jurisdiction

17
Passive and Active Collection

• Passive collections -- cookies, web bugs, IP
  addresses, clickstream data, etc.
• wooden obligations to notify under GLB
• broader notification obligations under consumer
  protection statutes (e.g. Michigan AG and New
  Jersey AG)
• Active collections
• unfriendly GLB language for policy

18
Relationships with Third Parties

• Support Services
• Internet Service Providers
• Web hosting services
• Application Service Providers
• Data analysis firms (Toys R Us)
• GLB security guidelines apply

19
Relationships with Third Parties (cont.)

• Marketing/ Advertisers
• 3rd party advertisers (NAI principles)
• Framing and co-branded websites
• Joint marketers

20
Satisfying GLB Notice Requirements Electronically

• Reasonable expectation of receipt
• Customer agrees
• Obtains financial product or service
  electronically
• Retention and accessibility

21
Jurisdiction

• Reach of New Mexico and Vermont
• Zippo analysis
• How do you know who you are dealing with?

22
General Website Tips

• Know what you are collecting
• Know what your service providers are doing
• Disclose, disclose, disclose
• Keep it simple avoid flowery language
• Keep it flexible avoid the never trap
• Be mindful of jurisdiction

23
Keep track of privacy developments at

• www.bakernet.com/ecommerce
• www/bakernet.com/e-law (weekly newsletter)
• Baker McKenzie
• One E-Commerce World. One Firm. Connected.
• For companies moving with change