Hengesbaugh
Hengesbaugh Presentation Transcript

  • E-Commerce: Latest Developments in Consumer Privacy
      • Brian Hengesbaugh, Baker & McKenzie (Chicago office)
      • 312-861-3077
      • brian.hengesbaugh@bakernet.com
      • www.bakernet.com/ecommerce
  • “BIG PICTURE”
      • State Law Developments
      • Information Security Programs
      • Privacy Considerations in Developing and Managing a Website
      Baker & McKenzie -- Global E-Commerce Law
  • STATE LAW DEVELOPMENTS
      • Legal Context
          – GLB, FCRA, HIPAA all minimum standards
          – States invited to do more, so long as not “inconsistent”
          – States as laboratories
  • Post September 11
      • Legislative Interest in Privacy
          – 750+ state privacy bills
          – 50+ state financial privacy bills
          – 85+ federal privacy bills
  • Vermont Regulation
      • Financial and Health Information
      • Opt-in for nonaffiliate sharing
      • Legal challenge by ACLI, AIA, and more
          – exceeds authority
          – violates intent of law
      • Chances of success???
  • New Mexico Regulation
      • Financial and Health Information
      • Opt-in for nonaffiliate sharing
      • Any legal challenge?
  • California, Illinois, New York, and others considering more
      – Opt-in measures for nonaffiliate sharing
      – Limits on sharing within affiliated groups (e.g. prior CA bill)
      – Driving force for federal preemption?
      – Financial privacy commission and moratorium on new state laws (HR 3068)
  • California -- Social Security Numbers
      • Restrictions on:
          – transmitting SSNs over Internet
          – printing SSNs on mailed materials
      • July 1, 2002 implementation, but grandfather for existing practices if:
          – continuous
          – notice of right to opt-out
          – individual does not opt-out
  • INFORMATION SECURITY PROGRAMS
      • Final Interagency Guidelines Establishing Standards for Safeguarding Customer Information (February 1, 2001)
      • FTC Proposed Standards for Safeguarding Customer Information (Comment Period Closed October 9, 2001)
  • Focus on Process
      • Due diligence is 90% of battle (checklist)
      • STEP 1: Conduct comprehensive assessment that examines:
          – internal and external threats
          – sensitivity of data
          – potential damage
  • Focus on Process (cont.)
      • STEP 2: Assess sufficiency of existing policies and procedures:
          – access controls on systems and encryption
          – physical access restrictions
          – automatic reviews of system modifications
          – technological and environmental hazards
          – Subjective Standard: . . adopt those measures the bank considers appropriate
  • Focus on Process (cont.)
      • STEP 3: Take appropriate organizational and administrative actions:
          – written information security program
          – involve board of directors
          – implement a system for regular testing
          – information security officer
          – service provider arrangements*
  • Service Provider Arrangements
      • Due diligence in selecting SPs
      • Establish contract to meet “objectives” of Guidelines*
      • Where appropriate, ongoing monitoring (or review SAS 70 or similar report)
  • Contract with SPs
      • Key Issues:
          – Appropriate measures to meet “objectives” of Guidelines (full compliance not required) (e.g., board of directors)
          – Overly strict limits on use and disclosure
          – Scope of “information” covered
  • WEBSITE PRIVACY ISSUES
      • Context: entire privacy and consumer protection legal framework PLUS online application of that framework
      • FTC and State AG dedication to enforcement
  • Website Privacy Issues
      • Passive and active collection
      • Relationships with third parties
      • Satisfying GLB notice requirements
      • Jurisdiction
  • Passive and Active Collection
      • Passive collections -- cookies, web bugs, IP addresses, clickstream data, etc.
          – “wooden” obligations to notify under GLB
          – broader notification obligations under consumer protection statutes (e.g. Michigan AG and New Jersey AG)
      • Active collections
          – “unfriendly” GLB language for policy
  • Relationships with Third Parties
      • Support Services
          – Internet Service Providers
          – Web hosting services
          – Application Service Providers
          – Data analysis firms (Toys R Us)
          – *GLB security guidelines apply*
  • Relationships with Third Parties (cont.)
      • Marketing/Advertisers
          – 3rd party advertisers (NAI principles)
          – Framing and co-branded websites
          – Joint marketers
  • Satisfying GLB Notice Requirements Electronically
      – Reasonable expectation of receipt
      – Customer agrees
      – Obtains financial product or service electronically
      – Retention and accessibility
  • Jurisdiction
      • Reach of New Mexico and Vermont
      • Zippo analysis
      • How do you know who you are dealing with?
  • General Website Tips
      • Know what you are collecting
      • Know what your service providers are doing
      • Disclose, disclose, disclose
      • Keep it simple; avoid flowery language
      • Keep it flexible; avoid the “never” trap
      • Be mindful of jurisdiction
  • Keep track of privacy developments at:
      • www.bakernet.com/ecommerce
      • www/bakernet.com/e-law (weekly newsletter)
      Baker & McKenzie. One E-Commerce World. One Firm. Connected. For companies moving with change