Securius Newsletter

December 3, 2003
Volume 4, Number 7
http://www.securius.com

Creating a New Privacy Principle Not legal tender

By Steven Lerner-Wright

Last July, a new California privacy law went into effect. The law, commonly referred to as "SB 1386" and formally a part of California's Civil Code, Sections 1798.29 and 1798.82-84,[1] requires those that store sensitive personal information — including government agencies, businesses, and persons engaged in business activities — to notify California residents when that information data has been, or may have been, accessed without authorization.

The purpose of the new law is to give California residents adequate time to take steps to check their credit ratings and protect against identity theft. An almost identical bill is now before the US Senate.

The California law is important for two reasons:

1. It's the first in the US requiring government agencies and businesses to alert individuals when private personal data has been accessed without authorization. In 2002, California led the states with more than 30,000 reported identity thefts.[2] More generally, California is a trailblazer in the US and often sets the stage for how to solve the new ethical and legal issues that arise in our fast moving societies. It is no surprise for California to enact the first law requiring notification when data has been breached.

2. It appears to be creating a foundation for what may be a new "principle" concerning privacy. Privacy principles have been formulated and expanded upon since the mid-1970s. Numerous organizations, individuals, and businesses have developed such principles to help them lay the foundation for developing more detailed privacy policies and procedures.


The First Law to Require Notification

During the last twenty-five years, a number of significant privacy laws and regulations have been proposed and enacted in various jurisdictions around the world. Milestone legislation in the US includes the Privacy Act of 1974, which controls and limits collection and disclosure of personal information by the US government, the Family Educational and Privacy Rights Act of 1974, which enforces similar controls over educational institutions, and the Right to Financial Privacy Act of 1978, which prevents financial institutions from providing federal authorities unfettered access to customer financial records (and requires such institutions to notify customers when their records are handed over to the authorities).

These first laws focused on public concern that the US government was collecting information about its own citizens without authorization. Privacy legislation has changed as social issues have evolved, particularly in response to technological advances.

For instance, in the last ten years, US privacy law has focused on regulating non-government entities such as businesses and individuals. Two pieces of important legislation are representative: the Gramm-Leach-Bliley Act, also referred to as the Financial Modernization Act of 1999, and the Health Insurance Portability and Accountability Act (HIPAA) of 1996. These laws tend to focus (1) on regulating electronic collection (especially via the Internet) and warehousing of personal information; and (2) sharing or unauthorized distribution of that personal information with other entities and individuals, particularly among business partners and affiliates.

Privacy law is evolving further to reflect newer and more immediate concerns, particularly identity theft. As consumers move to online purchasing, personal information -- including credit card information and US Social Security numbers -- have been electronically collected and stored by retailers. Numerous high-profile thefts, such as the alleged online theft by a Russian hacker of more than 300,000 credit card numbers from an online music retailer in the US, have led to new laws regulating what can be collected electronically and how it should be protected.


A New Privacy Principle?

Privacy principles have been proposed for some time. For example:

* Robert Ellis Smith gathered a list of general privacy principles developed in the US and Europe in his 1993 book _Our Vanishing Privacy_. See http://www.amazon.com/exec/obidos/ASIN/1559501006/pcguardian-20

* The nearly four-year process of developing a health information privacy standard required by HIPAA resulted in the creation of numerous patient information privacy principles. Review the list developed by the Institute of Electronic and Electrical Engineers (IEEE) at http://www.ieeeusa.org/forum/POSITIONS/healthinfo.html or the position developed by The American Medical Association at http://www.ama-assn.org/ama/pub/category/2703.html

* Canada, which has created numerous privacy regulations as well as a government-appointed privacy ombudsman, the Office of the Privacy Commissioner, articulated a set of privacy principles, which appear at http://canada.justice.gc.ca/en/news/nr/1998/attback2.html

These and other various principles generally fall into the following categories:

* Transparency and Access
* Consumer Consent and Choice
* Appropriate Use
* Safeguarding Information
* Redress

Here is a brief summary of each category:

TRANSPARENCY AND ACCESS
No system that gathers personal information should ever in and of itself be kept a secret. Individuals have a right to know why personal information is being collected, and information should be used only for the originally intended purpose. Individuals must have access to the information being collected about them and they must be told how that information is to be used. As much as possible, personal information should be gathered directly from the individual with that individual's informed consent.

CONSUMER CONSENT AND CHOICE
Individuals must be given a way of preventing information gathered for one purpose from being used for some other purpose without prior consent. People must be able to correct, amend, or add to the information gathered about them. Individuals should have the opportunity and method for "opting out" of programs using their personal information for commercial reasons.

APPROPRIATE USE
An information-gathering system must have socially desirable purpose and only data relevant to that purpose should be collected. Those entities that gather personally identifiable information must make sure that the data are used as intended and must take steps to prevent misuse.

SAFEGUARDING INFORMATION
Those entities that collect information should act as trustees. They do not "own" private information. They must safeguard the information they collect, and they must use it in the best interests of the individual. Whenever data systems are designed, privacy protections should be included in the specification and implementation of the system. The definitions and standards for privacy may change as new technologies, social concerns, and markets emerge. Personal information may be transferred between parties only when the privacy protections of the recipient trustee are at least equal to the protections provided by the original trustee.

REDRESS
Individuals whose privacy has been violated have the right to seek relief of some kind. Privacy violations can be resolved by either negotiation, complaint resolution, or civil and criminal procedures.

In terms of current privacy principles, notification of the individual in the case of security breach is a new concept. With passage of SB 1386, we may be seeing the development of a new principle that could be added under the heading, SAFEGUARDING INFORMATION: Organizations that collect, use, and distribute personal private information are responsible for notifying individuals when personal information may have been accessed without authorization -- especially in circumstances where there is a reasonable suspicion or expectation that the personal information may be used to commit a crime or harm the individual.


Other Pending Laws

Although SB 1386 is the first law requiring notification in case of a security breach, it won't be the last. This year US Senator Dianne Feinstein, D-CA, introduced S1350, a federal law which is almost identical to the California law; and nearly simultaneously US Representative John Shadegg, R-AZ, introduced HR2617, which requires the Federal Trade Commission to "provide guidelines for a business to follow in notifying customers of the likelihood that information concerning such customers has been stolen or compromised."

During the summer of 2003, in response to the requirements of Gramm-Leach-Bliley, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation issued "Interagency Guidelines on Response Programs for Unauthorized Access to Customer Information and Customer Notice."[3] The proposed guidelines create a standard for notifying customers "whenever [a financial institution] becomes aware of unauthorized access to sensitive customer information." The Treasury, Federal Reserve Board, and the FDIC have gathered comments on the proposed guidelines.

Over time, these new laws will have more and more impact on the conduct and management of privacy-sensitive businesses. Recently, a consultant to a large bank based in San Francisco suffered an office break-in: his laptop containing personal data on thousands of bank customers was stolen.[4] The bank had to notify thousands of affected customers about the potential breach and decided to change each account number and purchase a credit-monitoring service for each impacted individual.

Vulnerable companies can reduce the risk of this kind of pain and expense by protecting sensitive information with PC Guardian's computer and information security solutions, which are used by numerous enterprises in the defense, financial services, and healthcare industries. For more about PC Guardian, visit our home page http://www.pcguardian.com.

See you next issue. 'Til then, keep your guard up.

REFERENCES

[1] You can find the text at
http://www.privacy.ca.gov/code/cc1798.291798.82.htm

[2] See the Federal Trade Commission's report at
http://www.consumer.gov/idtheft/idt_statemap/statemap4_3.pdf

[3] Federal Register, Vol. 68 No. 155, August 12, 2003, pages 47, 954-60.

[4] Lazarus at Large, San Francisco Chronicle, Nov. 21 2003. See
http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2003/11/21/MNGLT37MH71.DTL



Subscribe to the Securius Newsletter
Please enter your email address:



Securius.com is a service of GuardianEdge Technologies.
Copyright © 2006 GuardianEdge. All rights reserved.
We will not share your personal information with third parties.
Nor will we contact you without your permission.