PrivaTalk - February 2002
Volume 2
Issue 2
The U.S. Federal Trade Commission makes Enforcement a Priority
With the Federal Trade Commission (FTC) displaying more aggressiveness lately, the threat of privacy enforcement from the U.S. government, and of private litigation, may be emerging as the leading concern of businesses in the year ahead. The FTC recently settled its first security-related privacy case, against drugmaker Eli Lilly and Co., which unintentionally released customer addresses collected through its Prozac.com Web site last summer.
The FTC said Eli Lilly violated its online privacy policy during the incident, when an employee accidentally sent an e-mail to 669 people with all of their e-mail addresses included in the “To:” line. The message announced the discontinuation of the company's Medi-messenger service, which provided automatic e-mail reminders to people taking the anti-depressant medication Prozac.
The settlement doesn't impose any fine on the company since there was no clear case of fraud, but requires it to take steps to ensure the security of data, outlining a four-stage information security program. One settlement provision requires the company to conduct an annual review by “qualified persons” of its information security program.
Another recent settlement involved Toys R Us Inc. in New Jersey. The toy retailer agreed to pay $50,000 and change its Internet privacy policies to end a state inquiry into how the company shares personal information about its customers.
In December 2000, the New Jersey Attorney General’s Office subpoenaed records from Toys R Us as part of its investigation into whether the company had lived up to its written pledge to protect the privacy of personal information, such as addresses and credit card numbers, gathered from consumers on its Internet site. The centre of the state’s investigation was data gathered by Coremetrics Inc., a San Francisco-based company that worked with Toys R Us to help improve the customer experience when shopping at the toy store on-line.
The state was concerned about the retailer’s privacy policy which didn’t disclose how the data being collected through cookies was being shared with Coremetrics. As part of the settlement, Toys R Us agreed to maintain “a clear and conspicuous link to (its) privacy policy”, and that all data transmitted to Coremetrics from the Toys R Us Web site was to be returned to consumers or destroyed.
Toys R Us severed its ties with Coremetrics before the New Jersey investigation began, and the company now works jointly with Amazon.com in operating its Internet shopping site. This means that customers of Toysrus.com are subject not only to its privacy policy but also Amazon's policy. At the time the deal was struck, Amazon's privacy policy said it would not share information with third parties. But Amazon has since changed its privacy policy to say that it will share data with business partners and that its customer database could be sold as an asset.
The Toysrus.com privacy policy spells this out in the following statement: “Because we are working with Amazon.com to provide our products to you over the Internet, your personal information will also be subject to Amazon.com's privacy policy when you provide personal information while visiting the Toysrus.com/Amazon.com toy store.” It also contains a link to the Amazon.com privacy policy. As long as Toysrus.com makes its relationship with Amazon clear, Toys R Us is being open about its practices, and thus the FTC has no jurisdiction to interfere.
It is clear that the Bush administration has brought a philosophical shift to the FTC’s approach on privacy. During the Clinton administration, the FTC focused on corporate data collection practices and sought privacy legislation offering basic consumer protections. The Bush administration is targeting the misuse of data and tough enforcement. The Federal Trade Commission is now rolling out a coordinated campaign to crack down on fraudulent and deceptive spam.
The EU’s Finding on the Adequacy of Canada’s Private Sector Privacy Law
In early January, the EU Commission published its decision finding that the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) ensures “adequate protection” of personal information. In accordance with Article 25 of EU Directive 95/46/EC on the protection of personal data, personal information processed in any of the 15 European member states may not be disclosed to recipients located in a country outside the EU unless that country provides an “adequate level of protection”. Article 25(6) of the Directive empowers the Commission to decide whether levels of protection in third countries can be deemed satisfactory, and where protection cannot be guaranteed, Member States are at liberty to suspend the transfer of personal data. The Commission’s decisions regarding adequacy are binding on all the Member States and represent a powerful guarantee against the suspension of data flows.
The Commission's decision on Canada was reached after consultation with the Member States. It found that “the Canadian Act covers all the basic principles necessary for an adequate level of protection for natural persons, even if exceptions and limitations are also provided for in order to safeguard important public interests and to recognize certain information which exists in the public domain. The application of these standards is guaranteed by judicial remedy and by independent supervision carried out by the authorities, such as the Federal Privacy Commissioner invested with powers of investigation and intervention. Furthermore, the provisions of Canadian law regarding civil liability apply in the event of unlawful processing which is prejudicial to the persons concerned.”
However, the Commission set out circumstances where the suspension of data flows may be justified, notwithstanding its finding of adequate protection. In particular, the Commission said that the relevant authorities in the Member States can suspend the transfer of personal data to Canada: if a competent Canadian authority has determined that a recipient is in breach of the standards of protection; or, if “it is probable that protection standards are not being respected” even if the relevant Canadian authority doesn't take steps to remedy the situation. The suspension of data transfers should cease once protection standards are assured.
This decision thus seems less than satisfactory, since any member state can cut off data flows to Canada if the Federal Privacy Commissioner, for example, is not happy with an organization’s practices. Given that the Canadian legislation does not give the Commissioner enforcement powers except through the Federal Court, would a simple press release (such as those found on the Commissioner’s Web site), or a report of recommendations by the Commissioner, result in a suspension of EU data flows even if the Commissioner does not attempt to enforce his view through the court, or if he does so and loses his case?
This decision is still highly significant for Canada because if PIPEDA had been found to be inadequate altogether, businesses in Europe transferring data to their Canadian operations would be prevented from doing so, subject to limited exceptions. Currently, PIPEDA’s provisions only apply to federal entities (such as airlines and banks) that process personal data in the course of commercial activities, and to the employee data that these organizations hold, and to organizations disclosing personal information inter-provincially or outside Canada. Therefore, the Commission's decision only applies to EU companies dealing with these Canadian entities until 2004. The Commission has made it clear that it will review and possibly amend its decision based on Industry Canada’s findings on the substantial similarity of provincial laws, if enacted.
American companies that outsource their data processing to Canada and import personal information from the EU under the Safe Harbor agreement will benefit from this decision. Under the Safe Harbor "Onward Transfer" principle, personal data may be transferred on to another company only if that company ensures adequate protection for the information it receives. When PIPEDA takes effect for all Canadian organizations, therefore, American companies will be able to transmit information to Canada without having to enter into specific contractual data protection agreements with Canadian companies.
The full text of the EU decision, published in the EU Official Journal on January 4, 2002, may be downloaded at:
http://europa.eu.int/eur-lex/en/oj/2002/l_00220020104en.html
Ontario Proposes Broad Privacy Legislation for the Private Sector
The Ontario Ministry of Consumer and Business Services has announced that it plans to enact a tough new law to prevent businesses, non-profit organizations, health care institutions and other organizations from violating the personal privacy of Ontarians. The Ministry plans to table the legislation in the spring of this year, and the law could take effect as early as next year. It goes much further than the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which puts privacy rules in place only for commercial activities, leaving charities and hospitals largely exempt. The Ontario government will want the law in force no later than January 1, 2004, when the federal legislation will apply within the provinces that have not enacted their own laws.
The Ontario law would effectively give individuals control over the collection, use and disclosure of their personal information, subject to limited exceptions. Organizations can’t ask for information that is not relevant, and must provide individuals with access to the information they hold about them. This will affect the common marketing practices of many businesses, such as the sending of unsolicited mail.
The law will give Ontario’s Information and Privacy Commissioner investigation powers similar to those of the federal Privacy Commissioner, expanding her current office that only has a mandate to deal with public sector privacy complaints.
A guide to the draft legislation, currently on the Ministry’s Web site at http://www.cbs.gov.on.ca/mcbs/english/56HK6V.htm, makes it clear that the provincial government does not feel that PIPEDA goes far enough to protect privacy in key areas, such as health care. Unlike the federal legislation, the Ontario law, to be called the Privacy of Personal Information Act, will pay specific attention to personal health information. Although PIPEDA applies to health information, it contains no additional protections or considerations specific to the health care industry’s needs. Concerns about the superficiality of the protection for health records caused the draft Personal Health Information Privacy Act (Bill 159), introduced last year, to die when the House rose. The unsuccessful law allowed extensive and unnecessary disclosures of health information, for example to the Ministry of Health and Long-Term Care. The government believes it has rectified such concerns in the new proposed law.
Controversial issues surrounding predictive genetic information will be addressed with specific provisions for obtaining consent to the disclosure of such information, separate and apart from other types of personal health information. Health researchers would be required to obtain the approval of a research ethics board prior to using personal health information, without consent, for research purposes. The Ontario Hospital Association has already voiced its concern that the new law will create too much paperwork in the medical system because patients will be faced with lengthy consent forms. Further criticism from the health sector is expected as the provincial government moves forward with privacy legislation, particularly because extensive consultations and failed legislation in the past have caused intense skepticism towards government privacy initiatives in the health industry.
The Ontario government also feels that the federal legislation places a number of unnecessary administrative burdens on smaller organizations, primarily because it is directed at large, sophisticated businesses. For example, it may not make sense for a smaller organization to have an extensive training program in place or to appoint a privacy officer. The government also speaks of the legislation as being directed to the digital economy – it will attempt to achieve a challenging balance: “boosting consumer confidence in using online services without imposing an undue burden on businesses”.
Like the federal legislation, the Ontario legislation will allow for express and implied consent but offers definitions where the federal legislation is silent, making implementation of the consent principle easier. For example, implied consent will apply to “situations where the purpose for the collection, use or disclosure of personal information is reasonably obvious or is related to, or derived from, instances where an individual has already provided express, informed consent”.
Ontario’s proposed legislation would also regulate public sector institutions like the Ministry of Health and Long-Term Care to protect against privacy violations as a result of data matching. Additional safeguards around the health ministry’s current practices will also be in place to ensure that the ministry does not receive personal health information unless given permission to do so by the Ontario Privacy Commissioner.
If passed into law, the Ontario Privacy of Personal Information Act will contain specific offences under which violators could be prosecuted, and would also allow the individuals to sue for compensatory damages.
A draft of the legislation is expected to soon be posted for public review on the Web site of the Ministry of Consumer and Business Services (http://www.cbs.gov.on.ca).
Privacy Rules in New Mexico Criticized by Insurers
The Alliance of American Insurers, a leading U.S. national trade association representing 326 property/casualty insurance companies, recently questioned the legality of privacy rules adopted in New Mexico.
The New Mexico Legislature had directed the Superintendent of Insurance to adopt rules governing the privacy of “non-public personal information of insured persons”. This could be narrowly interpreted to mean a law that only applies to applicants for insurance policies and actual policyholders, in other words, those that have a business relationship with the insurer and pay the premiums.
However, the Superintendent put together a broader set of rules that cover third-party liability claimants and workers compensation claimants, and the Alliance claims that these are not insured persons. Since the federal Gramm-Leach-Bliley (GLB) Act applies only to goods or services for ‘personal, family or household purposes’, the application to workers compensation claimants also seems to go further and conflict with the GLB Act.
The Alliance claims that the most troublesome of all the provisions in the regulations is the creation of a new ‘opt-in’ system, which the association claims will create additional costly barriers for insurers wishing to write business in New Mexico, and places them at a disadvantage compared to banks and securities firms, which can use an ‘opt-out’ approach.
Insurance companies in Canada will likely face a similar struggle. The Personal Information Protection and Electronic Documents Act currently applies to banks; however, provincial privacy legislation, if passed, will apply to the insurance industry, as Ontario’s proposed Privacy of Personal Information Act would. It is still too early to tell whether insurance companies in Ontario will be relieved to be under an Ontario law or would prefer the federal law to apply to them.
Are Financial Institutions Spending Wisely on Privacy Compliance?
According to a recent study by Meridien Research (http://www.meridien-research.com), called “From Policy to Practice: Privacy Management Solutions”, financial institutions worldwide will spend $25 million this year on privacy technology and will likely spend as much as $167 million by 2006. The study stated that much of the spending will be misdirected toward database enhancements or modifications rather than toward privacy management. Many institutions will spend a portion of their privacy budget on encryption technology, biometric authentication systems or single sign-on solutions.
These are important security initiatives, but they do little to manage their customers' privacy overall. Security is one aspect of privacy, but becoming privacy proactive and sensitive involves reviewing information flows in and out of the company, ensuring customers are aware of how their information is being handled, and giving them the ability to object to that handling.
Dennis Behrman, a Meridien analyst and the author of the report, said financial institutions should focus more on “privacy middleware”, or software that manages and controls both privacy processes and policies, which will let them proactively manage their customers’ privacy needs on a one-to-one level. "Institutions must find a way to use technology to take managerial policy and codify it as a set of operational rules," he said.
Meridien also said that spending on privacy management will be inconsistent, with the 500 largest global financial institutions accounting for about 98 percent of the market. The institutions with a greater number of systems and processes will spend more to enhance the privacy of those systems and less on privacy-related customer service.
Privacy middleware may help manage customer data privacy – for example, rules-based engines can be used to ensure the integrity of those business rules, but cannot be a complete solution in and of itself. Rules need to be enforced, there are employee training issues, decisions around disclosure of personal information need to be made and procedures need to be established for providing access to information. All of this depends on a strong commitment to privacy from senior people in the financial institution. Technology cannot solve everything and should not be the only thing factored into the privacy budget. Professional services and the time devoted by key personnel must also be factored in. The large Canadian banks provide good role models – they are governed by the Personal Information Protection and Electronic Documents Act and have appointed privacy officers to deal with privacy issues.
The United States Selects a New Encryption Standard
The American government has approved a new data encryption standard, that is, a new Federal Information Processing Standard (FIPS), to safeguard sensitive information in federal computer systems, replacing the now obsolete standard adopted in 1977. The National Institute of Standards and Technology (NIST) selected the Advanced Encryption Standard (AES) after a four-year competition in which experts around the globe attacked the candidate encryption codes to test their security. The winning algorithm, Rijndael, is named after its co-creators, Joan Daemen and Vincent Rijmen, cryptographers from Belgium. Rijndael relies on an algorithm that encodes electronic communications by generating random numbers using 128-, 192- or 256-bit encryption keys. The previous standard relied on a 56-bit key, which provided for approximately 10,000,000,000,000,000 different keys. By comparison, the new 128-bit keys provide a sextillion times greater number of possible keys (a number expressed by 340 followed by 36 zeros). The earlier standard was cracked in the late 1990s after researchers developed machines that could recover a 56-bit key within a few hours. According to NIST, assuming that one could build a machine capable of recovering a 56-bit key in one second, it would take that same machine roughly 149 trillion years to crack a 128-bit AES key.
When weighed against the other candidate algorithms, Rijndael's combination of security, performance, efficiency, ease of implementation and flexibility makes it an appropriate selection for the AES. Specifically, Rijndael is consistently a very good performer in both hardware and software across a wide range of computing environments. Rijndael’s very low memory requirements make it very well suited to restricted-space environments, in which it also demonstrates excellent performance. Rijndael’s operations are among the easiest to defend against power and timing attacks.
This standard can be used by U.S. government departments and agencies when an agency determines that sensitive information requires cryptographic protection. In addition, this standard may be adopted and used by non-government organizations. Such use is encouraged when it provides the desired security for commercial and private organizations. As is currently the case, government organizations will be able to use other FIPS-approved algorithms in addition to, or in lieu of, the AES.
This announcement marks the culmination of a four-year effort involving the cooperation between the U.S. Government, and private industry and academia from around the world to develop an encryption technique that has the potential to be used by millions of people in the years to come. NIST anticipates that this algorithm will be used widely, both domestically and internationally. NIST will formally reevaluate this standard every five years. As is the case with its other cryptographic algorithm standards, NIST will continue to follow developments in the cryptanalysis of Rijndael.
NIST's Data Encryption Standard (DES) was a U.S. Government standard for approximately twenty years before it became practical to mount a key exhaustion attack with specialized hardware. The AES supports significantly larger key sizes than DES does. Barring any attacks against AES that are faster than key exhaustion, AES has the potential to remain secure well beyond twenty years, even with future advances in technology. Further information about AES may be found at http://csrc.nist.gov/encryption/aes/.
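The key-exhaustion figures quoted in the AES article above (a sextillion times more keys, "340 followed by 36 zeros", and NIST's 149 trillion years) all follow from one fact: every extra key bit doubles the number of keys an attacker must try. The following Python block is an added example, not part of the newsletter or of NIST's material; it reproduces that arithmetic for any key size and any search rate, so the reader can check the quoted numbers and see why the 192- and 256-bit AES keys sit even further out of reach. The use of a Julian year (365.25 days) for the seconds-to-years conversion is an assumption made here.

```python
# Added example (not from the PrivaTalk newsletter or NIST): the key-space
# arithmetic behind the DES-versus-AES comparison in the article above.

# Assumption: a Julian year of 365.25 days is used to convert seconds to years.
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def keyspace(key_bits: int) -> int:
    """Number of distinct keys for a key of key_bits bits (exact integer)."""
    return 2 ** key_bits


def keyspace_ratio(larger_bits: int, smaller_bits: int) -> int:
    """How many times more keys the larger key size offers (exact integer)."""
    return keyspace(larger_bits) // keyspace(smaller_bits)


def decimal_digits(n: int) -> int:
    """Number of decimal digits in n, e.g. '340 followed by 36 zeros' has 39."""
    return len(str(n))


def exhaustive_search_years(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time in years to try every key at the given rate."""
    return keyspace(key_bits) / keys_per_second / SECONDS_PER_YEAR


def expected_search_years(key_bits: int, keys_per_second: float) -> float:
    """Average time in years: on average half the key space is searched."""
    return exhaustive_search_years(key_bits, keys_per_second) / 2


def nist_scaled_years(key_bits: int, reference_bits: int = 56,
                      reference_seconds: float = 1.0) -> float:
    """NIST's framing: a machine that exhausts a reference_bits key in
    reference_seconds needs 2**(key_bits - reference_bits) times longer
    for a key_bits key. Returns the worst-case time in years."""
    keys_per_second = keyspace(reference_bits) / reference_seconds
    return exhaustive_search_years(key_bits, keys_per_second)


def report(key_bits: int) -> str:
    """One human-readable line for the table printed below."""
    years = nist_scaled_years(key_bits)
    return (f"{key_bits:3d}-bit key: {keyspace(key_bits):>44d} keys "
            f"({decimal_digits(keyspace(key_bits))} digits), "
            f"{years:.3g} years on NIST's hypothetical 56-bit-per-second machine")


if __name__ == "__main__":
    # Checks against the figures quoted in the article.
    print(f"2^128 / 2^56 = 2^{128 - 56} = {keyspace_ratio(128, 56):,} "
          f"(about {keyspace_ratio(128, 56) / 1e21:.1f} sextillion)")
    print("2^128 =", keyspace(128), f"({decimal_digits(keyspace(128))} digits)")
    print(f"Full 128-bit search: {nist_scaled_years(128) / 1e12:.0f} trillion years")
    print()
    for bits in (56, 128, 192, 256):
        print(report(bits))
```

The 149 trillion years figure is simply 2^72 seconds: a 128-bit key has 72 more bits than a 56-bit one, so a machine that exhausts 56 bits in one second needs 2^72 seconds for 128 bits. The same scaling shows why the article's "well beyond twenty years" judgement is conservative: each doubling of attacker speed removes only one bit of margin, and AES-192 and AES-256 start with 64 and 128 more bits than AES-128 respectively.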