INFORMATION SECURITY LAW PRIVACY - PowerPoint PPT Presentation
Provided by: michaelg2
1
INFORMATION SECURITY LAW - PRIVACY
2
DOUBLE CLICK
  • Dynamic Advertising and Reporting Technology
    (DART)
  • Cookies track online users' behavior to develop a
    surfing profile that can be used to target
    online advertising

3
DOUBLE CLICK
  • Double Click decided to combine the DART system
    information with Abacus Direct, a
    direct-marketing database
  • This combined database would have coupled the
    personal info of Abacus with the surfing info
    from DART

4
DOUBLE CLICK
  • In response, privacy invasion lawsuits were filed
    and government investigations at the state and
    federal levels were initiated
  • Double Click eventually abandoned its plans, but
    the controversy illustrates some of the policy
    issues surrounding Internet privacy

5
PRIVACY LAW
  • U.S. privacy law is a patchwork of state and
    federal statutes, regulations, and court
    doctrines
  • No comprehensive federal privacy law relating to
    the Internet or uniform state law

6
COMMON LAW
  • Tort of invasion of privacy
  • Other torts (trespass) and other legal theories
    based on contract or property may protect privacy

7
INVASION OF PRIVACY
  • INTRUSION
  • PUBLIC DISCLOSURE OF PRIVATE FACTS
  • FALSE LIGHT
  • APPROPRIATION OF IDENTITY

8
INTRUSION
  • Invasion of someone's private domain or seclusion
  • Includes unauthorized access to one's private
    records, e.g., financial or medical records

9
PUBLIC DISCLOSURE OF PRIVATE FACTS
  • Facts must be private ones, not information that
    is publicly available
  • Must be a public disclosure - disclosure to
    general public or to a group of persons

10
FALSE LIGHT
  • Communication that creates a false impression
    about a person
  • Impression created must be offensive to that
    person
  • Communication need not be defamatory (i.e., a false
    statement of fact)

11
APPROPRIATION
  • Violation of the Right of Publicity
  • Using another's identity (e.g., name, photo,
    likeness) for commercial purposes without his or
    her consent

12
CONSTITUTIONAL PROTECTION FOR PRIVACY
  • Constitutional Right to Privacy
  • Fourth Amendment Protection Against Unreasonable
    Searches and Seizures

13
CONSTITUTIONAL RIGHT TO PRIVACY
  • Protects a sphere of highly personal decisions
    from government interference
  • Includes some protection for personal information
    and activities

14
FOURTH AMENDMENT
  • Prohibits unreasonable searches and seizures
  • Government usually must secure a warrant based on
    probable cause to conduct a search
  • Search occurs only when government intrudes into
    area or activity in which person has reasonable
    expectation of privacy

15
Statutory Privacy Protection
  • Government Related Privacy Laws
  • Industry Specific Laws
  • Internet and Computer Related Privacy Laws

16
Government Related Privacy Laws
  • Privacy Act of 1974
  • Freedom of Information Act

17
Privacy Act of 1974
  • Limits the collection of personal information by
    federal agencies to what is relevant and necessary
  • Requires the use of appropriate administrative,
    technical and physical safeguards to ensure the
    security and confidentiality of records

18
Industry Specific Laws
  • Gramm-Leach-Bliley Act
  • Fair Credit Reporting Act
  • Video Privacy Protection Act
  • Health Insurance Portability and Accountability Act

19
GRAMM-LEACH-BLILEY (GLB)
  • Law designed to protect the privacy of consumers'
    private financial information
  • Requires financial institutions to provide
    customers with their privacy policies on an
    annual basis
  • Opt out allows consumers an opportunity to
    prevent the sharing of their financial
    information with non-affiliated entities

20
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY
ACT (HIPAA)
  • Health reform law designed to allow employees to
    move more freely among different health care
    plans of employers
  • Law also restricts the sharing of protected
    health information by hospitals, health care
    professionals, insurers and employers

21
Internet and Computer Related Privacy Laws
  • Children's Online Privacy Protection Act
  • Electronic Communications Privacy Act
  • Computer Fraud and Abuse Act

22
CHILDREN'S ONLINE PRIVACY PROTECTION ACT (COPPA)
  • Law designed to protect the privacy of
    information of children under 13 years of age
  • Prohibits use/disclosure/collection of such info
    without parental consent

23
Electronic Communications Privacy Act
  • Prohibits intentional interception and disclosure
    of oral, wire, and electronic communications,
    including the disclosure of the content of
    electronic communications by ISPs (except to
    intended recipient)
  • Prohibits the unauthorized access to stored
    electronic communications, including e-mail and
    voice mail

24
Electronic Communications Privacy Act
Exceptions
  • Provider Exception
  • Ordinary Course of Business Exception
  • Consent Exception

25
Regulatory Controls
  • Federal Trade Commission
  • Has jurisdiction over unfair and deceptive trade
    practices
  • Conducted studies and surveys of Internet
    businesses' information practices and privacy
    policies and made recommendations to Congress
  • Brought administrative actions against Internet
    firms, e.g., Geocities, ReverseAuction

26
Industry Self Regulation
  • Online Privacy Alliance: guidelines for
    effective privacy policies and third-party
    privacy seals of approval (BBBOnLine, TRUSTe)
  • Network Advertising Initiative, a group of online
    advertising companies including DoubleClick,
    adopted a set of privacy guidelines regarding online
    profiling (the FTC endorsed them)
  • Platform for Privacy Preferences (P3P) initiative
    by Internet companies

27
EU Data Privacy Directive
  • Designed to protect the right to privacy with
    respect to the processing of personal data
  • Defines personal data broadly to include any
    information relating to a natural person

28
EU Data Privacy Directive
  • Data controllers are required to ensure data
    quality:
    • Data is processed fairly and lawfully
    • Data is collected for specified legitimate purposes
    • Data is relevant and not excessive in relation to
      the purposes for which it is collected
    • Data is current and accurate
    • Data is maintained no longer than necessary

29
EU Data Privacy Directive
  • Processing of personal data requires:
    • Consent of the data subject, or
    • It must be necessary for a contract with the data
      subject, or
    • It must be necessary to comply with legal
      obligations, the vital interests of the
      controller, the public interest, or legitimate
      interests of the controller that outweigh the
      privacy interests of the subject

30
EU Data Privacy Directive
  • Dispute resolution mechanisms are required,
    including:
    • Giving data subjects access to the information on
      them
    • Allowing data subjects the right to correct or
      challenge inaccurate information
    • The right to sue for damages and bring
      administrative complaints

31
EU Data Privacy Directive
  • Transfer of data to non-EU countries is
    prohibited unless there is an adequate level of
    privacy protection
  • Safe harbor arrangement: US companies that
    voluntarily agree to certain privacy principles
    are assured of data flows from the EU