Personally Identifying Information Privacy Protection ...


    • Personally Identifying Information Privacy Protection Legislation and other Government Actions
    • Common Law Protection of Privacy
      • In the absence of legislation, the common law (CL) has long recognized privacy as a protectible interest
      • Under the CL it is a tort to:
        • Intentionally intrude, physically or otherwise, upon the solitude or seclusion of another if the intrusion would be highly offensive to a reasonable person
          • It is also a tort to publicize private facts about another when the disclosure would be highly offensive to a reasonable person and does not involve a legitimate topic of public interest
          • False light—placing the plaintiff in a false light
    • Common Law Protection of Privacy
      • Problems with the CL invasion of privacy torts
        • Individual damages are often too small to justify the suit
        • Organizing class actions is difficult, and class action specialists would rather organize class action suits based on product liability or securities fraud
        • If the CL were adequate, we would not have the plethora of privacy legislation
        • Still the CL can be a weapon in hidden camera cases and false light situations
          • Placing a celebrity head on the body of another
    • Governmental Actions to Protect Privacy
      • It is fair to characterize government actions as being responsive to privacy concerns
        • As a result of the Internet and the computerization of information, an abuse takes place and the government then responds
        • Example: COPPA (Children’s Online Privacy Protection Act)
          • The Geocities website was obtaining PII from children about their parents…what kind of car do you drive
          • COPPA requires verifiable permission from the parents or guardian of children under 13 before PII can be obtained.
            • Most observers agree that COPPA has stopped most of the worst abuses
    • Privacy On The New Frontier of Cyberspace
      • The Federal Trade Commission (FTC) has authority to combat unfair and deceptive trade practices
        • Much of the FTC’s Internet work has been in their consumer protection branch
        • http://www.ftc.gov/ftc/consumer.htm
          • In the Consumer Protection branch there are a wide range of activities that the FTC has listed as unfair and deceptive trade practices
    • Federal Trade Commission
      • The FTC is the most active govt. agency charged with promoting privacy
      • According to the FTC
        • A trade practice is unfair if the trade practice causes or is likely to cause substantial injury to consumers and is not outweighed by countervailing benefits to consumers or to competition
          • The FTC considers racist or pornographic advertising to be unfair
          • Selling pearls without specifying whether the pearl is cultured or cultivated
          • The FTC is moving toward the standard that it is unfair for a website to collect PII and not have a privacy policy
    • Deceptive Trade Practices
      • According to the FTC a trade practice is deceptive if:
        • The practice is likely to mislead the reasonable consumer and affect their decisions
          • As a result, surveys mentioned in commercials must be conducted in a fair and statistically accurate manner
          • Celebrities who endorse a product must actually use the product
    • FTC Actions
      • For years the FTC made use of the five FIPs, Fair Information Practices (see below)
      • More recently the FTC under Tim Muris and Howard Beales has abandoned the five FIPs for a more law and economics approach
        • Under Muris and Beales the FTC has been scrutinizing statements made in company privacy policies and making determinations as to whether those statements are justified in light of the security practices of the company
    • Privacy On The New Frontier of Cyberspace
      • FTC Fair Information Practices
        • Notice/Awareness—consumers should be notified as to who is gathering the data and the uses that will be made of that data
        • Choice/Consent—consumers should consent to any secondary use of the data. There should be opt-in and opt-out provisions.
        • Access/Participation—consumers should have the right to contest the accuracy of the data collected.
        • Integrity/Security—there should be managerial mechanisms in place to guard against loss, unauthorized access, or disclosures of the data.
        • Enforcement/Redress—there should be remedies available to victims of information misuse.
    • FTC Actions
      • In spite of the five FIPs, websites have continued to
        • Collect information from visitors without notice or permission
          • Cookies
          • To date, the act of attaching a cookie to a browser and the hard drive of the operator is not illegal,
          • So long as it is not coupled with PII
        • Also websites have sold PII without notice or permission of consumers
          • Some websites have offered opt-outs, but are not required to by law
    • FTC Actions
      • The FTC considers it a deceptive trade practice for a company not to adhere to promises made in its privacy policies
        • FTC has been successful in several high-profile suits
        • More recently the FTC has challenged some privacy policies, even in the absence of a malfunction, such as hacking
          • The FTC has maintained that it can evaluate whether the security used by a website is commercially reasonable
          • Note that the GLB Act requires security that is reasonable in light of anticipated threats, i.e., it requires financial institutions to use commercially reasonable measures
    • Privacy Act of 1974
      • Prohibits federal agencies that collect PII from disclosing that information without permission of the data subject
        • There are 12 separate exceptions
        • Individuals have the right to access their records for the purpose of correcting errors
        • Is the source of the Freedom of Information Act (FOIA)
    • Buckley-Pell Amendment
      • Buckley-Pell Amendment to the Family Educational Rights and Privacy Act
        • Federal funds are denied to institutions that do not protect confidentiality of student records
    • Privacy Legislation: ECPA
      • Electronic Communications Privacy Act (ECPA), 1988
        • Makes it illegal to intercept phone calls, email, cell phones, radio paging devices and private communication carriers
          • Protection was extended to both storage and transmission of email
          • Customer records of ISPs
        • Two major exceptions for employers:
          • Monitoring takes place in the ordinary course of business, or
          • It is by consent of the employee
    • Children’s Sites
      • Again the FTC has been active in this area
        • The Geocities case is just one example
        • The FTC considers it an unfair and deceptive trade practice to collect information from children without parental consent when that information will be used for another purpose
      • Congress has passed the Children’s Online Privacy Protection Act of 1998, which basically requires the same safeguards
        • Children are defined as those under 13
        • Most of the FTC Fair Information Principles are required
          • Notice, an opportunity to review, opt out, security and confidentiality
    • Anti-Hacking Legislation
      • Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 and
        • The Computer Fraud and Abuse Act of 1986
      • The 1984 Act makes it a crime to
        • Knowingly, with intent to defraud, produce, use or traffic in counterfeit access devices
          • Access devices are any card, plate, code, or account number that can be used to obtain money, goods, or services or can be used to transfer funds
          • A counterfeit access device is any access device that is forged or altered
    • Computer Fraud and Abuse Act of 1986
      • As a result of the USA Patriot Act it makes it a crime punishable by up to 20 years to
        • Knowingly access a computer without authorization or exceed authorized access and thereby obtain
          • Information contained in a financial record of a financial institution, or
          • Information from any government agency
    • Financial Records
      • Financial Records: The Gramm-Leach-Bliley Act, 1999
        • The privacy aspects of the Act are summarized by the beginning of Title V:
          • “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”
        • The Act requires that financial institutions ensure the privacy and confidentiality of customer records and information
    • Financial Records
      • The Gramm-Leach-Bliley Act also requires that financial institutions
        • Provide protection against any anticipated threats or hazards to the security or integrity of those records, and
        • Protect against unauthorized access to or use of such records or information.
      • It is clear that the Act prohibits giving out nonpublic information to 3rd parties without notice and an opt-out option
      • The Act prohibits giving out account numbers and credit card information to unaffiliated third parties for use in telemarketing, email and direct mailings
    • Identity Theft
      • In 1998 Congress passed the Identity Theft and Assumption Deterrence Act
        • Identity theft occurs when someone co-opts your name, SS#, credit card or some other item of PII,
        • In order to commit a crime
      • As a result of the USA Patriot Act, the maximum penalties for Identity Theft are 15 years in jail and a fine of $250,000
      • The Identity Theft and Assumption Deterrence Act is enforced by the FTC
    • Medical Records
      • The Health Insurance Portability and Accountability Act of 1996
        • There are two parts to this legislation
          • One part deals with denial of health insurance when a person changes jobs, and this part has been successful
          • The other part deals with the privacy of medical records
        • Regulations drafted by HHS prohibit nonconsensual secondary use of medical records
          • They allow transfers of medical records among healthcare providers, insurers, and HMOs
          • Other transfers of medical information must be approved by patients unless they fall into certain exceptions
    • Medical Records
      • The HIPAA exceptions include
        • Public health authorities
        • Medical researchers
        • Law enforcement
        • Officials performing oversight functions for purposes of determining whether fraud has taken place
        • There are other exceptions
      • HIPAA regulations went into effect in April of 2003
        • Requires opt-in for transfer of medical information
    • European Union and Privacy
      • In the U.S. there is a much greater reliance on self-regulation than in the EU
        • The EU passed a Data Protection Directive that prohibits sharing data with any country that does not subscribe to their heavily regulated standards
        • The Department of Commerce has fashioned some regulations that seem to satisfy the EU at present
    • New Issues
      • Do Not Call Registry—has been a large success
      • CAN-SPAM—FTC has resisted compilation of Do Not SPAM registry
        • CAN-SPAM makes it illegal to send an email without a way of opting out
          • Illegal to send sexually explicit email that is not labeled as such
      • To date there is no anti-spyware legislation but it is a target of law makers. Expect legislation soon.