THE PRIVACY ADVISOR
May 2007 • Volume 7 • Number 5
Editor: Kirk J. Nahra
The Practical Privacy Series Issue: Data Breach • Financial Services • Pharma/Healthcare

N.H. Pharma Law May Set Precedent for Other States
Luis Salazar, CIPP

New Hampshire has become the unlikely front in the latest battle between the pharmaceutical industry and privacy advocates. In June 2006, New Hampshire passed its “Prescription Confidentiality Act,” which bars the license, transfer, use or sale for any commercial purpose of patient-identifiable or prescriber-identifiable information. Supporters of the law argue that it protects the privacy of doctors and patients who use prescriptions, while at the same time helping control rising healthcare costs. But the pharmaceutical industry — which has dubbed it the “Prescription Restraint Law” — argues that the measure is as unconstitutional as it is wrong-headed. They assert that the law will limit valuable information provided to prescribing doctors and researchers, all to the ultimate detriment of patients.

More than just a philosophical battle, privacy supporters — represented by the state of New Hampshire — and the pharmaceutical industry — led by IMS Health Incorporated and Verispan, LLC — recently concluded a five-day trial precipitated by the pharmaceutical industry’s challenge to the law. The trial’s outcome will likely have nationwide impact, as at least six other states have similar pending legislation. At the federal level, several congressmen have introduced The Prescription Privacy Protection Act, which would enact a similar law.

“Honey, Are You Sitting Down?”

Rep. Cindy Rosenwald sponsored the Prescription Confidentiality Act, New Hampshire House Bill 1346, in early 2006. Her husband — a cardiologist — had alerted her to a pharmaceutical sales

See, N.H. Pharma Law, page 3

Defensible Process vs. Tactical Defense: A World of Difference
Ted Frank and Brett Curran

The history of risk management and compliance in the financial services industry offers examples of companies that responded to certain risks in purely tactical ways. In many of these cases, the results were difficult for everyone — consumers were hurt, investors incurred losses, corporations lost brand equity and employees lost opportunities — and sometimes their jobs. Yet history tends to repeat itself and companies continue to respond tactically to compliance mandates and key risks. Why do so many companies lack a comprehensive, proactive strategy and operating plan for managing risk and compliance? While there are undoubtedly dozens of reasons, three seem to consistently rise above the rest. Analyzing and coming to terms with these three reasons can help transform an organization’s efforts into much more sustainable and defensible risk/compliance programs.

Reason #1: “My area of risk is unique and warrants different treatment than all others.”

One could easily argue that privacy is unique in the world of risk management. There are few areas of risk where the threats are changing as quickly. Whether it’s the rapid advancement of

See, Process vs. Defense, page 5

This Month
J. Trevor Hughes on the President’s Identity Theft Task Force Report ..... Page 2
The E-Medical Records Privacy Debate ..... Page 7
How-to Guide: Information Security Breaches ..... Page 9
The Lighter Side of Privacy ..... Page 13
Impact of New Federal Pretexting Law ..... Page 14
IAPP in the News ..... Page 16
Web Watch: Back-end Systems ..... Page 18
Calendar of Events ..... Page 19
Privacy News ..... Page 20
Privacy Classifieds ..... Page 21
Certification Graduates ..... Page 22
Career Corner ..... Page 23

THE PRIVACY ADVISOR
Editor: Kirk J. Nahra, CIPP, Wiley Rein LLP, [email protected], +202.719.7335
Managing Editor: Ann E. Donlan, CIPP, [email protected], +207.351.1500 X109
Publications Manager: Ali Forman, [email protected], +207.351.1500

The Privacy Advisor (ISSN: 1532-1509) is published monthly by the International Association of Privacy Professionals and distributed only to IAPP members.

ADVISORY BOARD
Elise Berkower, CIPP, Executive Vice President of Privacy Strategy, Chapell & Associates
Keith P. Enright, Director, Customer Information Management, Limited Brands, Inc.
Philip L. Gordon, Shareholder, Littler Mendelson, P.C.
Brian Hengesbaugh, Partner, Privacy/Information Technology/E-Commerce, Baker & McKenzie LLP
Todd A. Hood, CIPP, Director, Regional Privacy, The Americas, Pitney Bowes Inc.
Ben Isaacson, CIPP, Privacy & Compliance Leader, Experian & CheetahMail
Jacqueline Klosek, CIPP, Senior Associate in the Business Law Department and member of Intellectual Property Group, Goodwin Procter LLP
Lydia E. Payne-Johnson, CIPP, LPJohnson Consulting, LLC
Billy J. Spears, CIPP/G, Senior Manager of Privacy and Information Protection, Dell, Inc.
Harry A. Valetk, CIPP, Director, Privacy Online, Entertainment Software Rating Board

To Join the IAPP, call: +800.266.6501
Advertising and Sales, call: +800.266.6501
Postmaster: Send address changes to IAPP, 266 York Street, York, ME 03909
Subscription Price: The Privacy Advisor is a benefit of membership to the IAPP. Nonmember subscriptions are available at $199 per year.
Requests to Reprint: Ann E. Donlan, [email protected], +207.351.1500 X109

Notes from the Executive Director

After nearly a year of work, the President’s Identity Theft Task Force recently issued its comprehensive strategic plan for the government’s coordinated approach to fight identity theft. The report documents the challenges that privacy professionals grapple with every day — whether they work in the public or private sectors.
The report notes that in the past eight years, identity theft has “become more complex and challenging for the general public, the government, and the private sector.” It’s no mistake that the IAPP’s inception and maturity into the world leader of privacy networking, education and certification occurred during that same eight years. We have been part of the solution, and organizations have come to count on us to help them understand the privacy and security challenges they face as well as the potential solutions. Innovation has thrived during those eight years. The crooks have stayed ahead of the curve, constantly forcing organizations to do the same to thwart them. Lawmakers at the state and federal level have responded with laws intended to help consumers. Regulators have done their part too. But as the report points out, the steady stream of revelations about security breaches is leaving consumers feeling “vulnerable and uncertain of how to protect their identities.” Despite the emphasis in the media on security breaches, the task force’s report calls into question the actual link between a data breach and ID theft. However, the damage is done as the barrage of security breach details serve to fuel “consumers’ fears of identity thieves gaining access to sensitive consumer information,” which then undermines consumer confidence, according to the report. The task force gives credit where credit is due in the private sector: “Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security program.” Predictably, the task force stresses that “further improvements are necessary.” In addition to data security safeguards that businesses need to adopt, the task force singles out the need for “improvement by businesses in planning for and responding to data breaches.” Enter the IAPP. 
Our efforts to deliver the most urgent and relevant educational opportunities are again right on target. Next month, we are launching three new events, The Practical Privacy Series, June 27-28 in New York City — and one of the intensive events is solely focused on data breach response. The June 27 sessions are designed to provide attendees with the knowledge, skills and tools necessary to proactively identify and manage risks while effectively planning for the worst. The next day, The Practical Privacy Series will allow attendees to choose between two different events, Pharma/Healthcare or Financial Services. Whatever your focus, we have assembled the profession’s leading privacy experts and practitioners to arm you with the practical tools and knowledge you need to return to your organizations with solutions. So please join us at the City University of New York in Manhattan for the launch of our newest educational programming!

J. Trevor Hughes, CIPP
Executive Director, IAPP

Copyright 2007 by the International Association of Privacy Professionals. All rights reserved. Facsimile reproduction, including photocopy or xerographic reproduction, is strictly prohibited under copyright laws.

N.H. Pharma Law
continued from page 1

representative’s intimate knowledge of his prescription histories. In fact, although most consumers are completely unaware of it, there is a long-established and widespread practice of collecting specific information from pharmacies about every prescription they fill and selling it to pharmaceutical manufacturers. In Rosenwald’s view, as expressed in the bill’s introduction, “Not only is patient identity inappropriately used for pharmaceutical marketing, but the identity of the prescribers — doctors, nurse practitioners, optometrists and assistants — is routinely bought and sold for marketing.
… The use of personal identities prove an unwarranted intrusion into professional privacy and, more to the point, it adds to the financial burden of New Hampshire’s health care system by increased pharmaceutical costs for the state, our consumers, and our businesses.” The law bars any pharmacy, pharmacy benefits manager, insurance company or other similar entity from licensing, transferring, using or selling prescription information containing patient-identifiable and prescriber-identifiable data for commercial purposes, other than the limited purposes of pharmacy reimbursement, care management and the like. It also specifically defines “commercial purpose” as including advertising, marketing, promotion or any activity that could be used to influence sales or market share of a pharmaceutical product, influence or evaluate the prescribing behavior of an individual healthcare professional, or evaluate the effectiveness of a professional pharmaceutical sales force. It does not bar, however, the collection and use of patient and prescriber “de-identified” data by zip code, geographic region, or medical specialty for commercial purposes. It specifies that a violation of these terms is considered an unfair or deceptive act or practice, subjecting violators to civil and potentially criminal penalties. It is interesting to note that the law passed quickly and almost unanimously, and, according to the Nashua Telegraph, prompted Rosenwald’s cell phone call and excited exclamation to her husband, “Honey, are you sitting down? Guess what just happened?!” Rosenwald attributed the swift passage to the simple fact that “New Hampshire folks don’t like people invading their privacy.” But at the same time, there were supposed economic concerns underlying its adoption, since legislators were of the opinion that pharmaceutical sales representatives used the information to drive the prescription of higher-priced medicine. 
New Hampshire’s Medicaid costs for prescription drugs have risen 84 percent in the last five years.

The Industry’s Challenge

A variety of pharmaceutical and medical players, including the New Hampshire Association of Chain Drug Stores, scientists from the Mayo Clinic and at least two health information companies, IMS Health and Verispan, LLC, opposed the measure. With $1.7 billion in annual sales, IMS Health is the world’s leading provider of market intelligence to the pharmaceutical and healthcare industries. Similarly, Verispan provides a broad array of information, products and services to the healthcare industry, including market research audits, healthcare profiles and pharmaceutical data analysis and consulting. To these companies and others, the law is a step in the wrong direction. “By effectively denying access to prescriber-identified data, the new law will have significant unintended consequences and go against the national movement towards making healthcare information more accessible and transparent,” stated Robert H. Steinfeld, IMS Senior Vice President and General Counsel, in an IMS news release: “The success of initiatives to improve health care quality, and ensure patient safety and manage costs depends on access to more information, not less.” The opposition further points out that the database it creates with this pharmaceutical information is used for research that benefits all patients. As

See, N.H. Pharma Law, page 24

IAPP
266 York Street, York, ME 03909
Phone: +800.266.6501 or +207.351.1500
Fax: +207.351.1501
Email: [email protected]

The Privacy Advisor is the official monthly newsletter of the International Association of Privacy Professionals. All active association members automatically receive a subscription to The Privacy Advisor as a membership benefit. For details about joining IAPP, please use the above contact information.

BOARD OF DIRECTORS
President: Kirk M. Herath, CIPP/G, Associate Vice President, Chief Privacy Officer, Associate General Counsel, Nationwide Insurance Companies, Columbus, Ohio
Vice President: Sandra R. Hughes, CIPP, Global Privacy Executive, Procter & Gamble, Cincinnati, Ohio
Treasurer/Past President: Chris Zoladz, CIPP, Vice President, Information Protection, Marriott International, Bethesda, Md.
Assistant Treasurer: David Hoffman, CIPP, Group Counsel and Director of Privacy & Security, Intel Corp., Germany
Secretary: Jonathan D. Avila, CIPP, Vice President - Counsel, Chief Privacy Officer, The Walt Disney Company, Burbank, Calif.
Executive Director: J. Trevor Hughes, CIPP, York, Maine
John Berard, CIPP, Managing Director, Zeno Group, San Francisco, Calif.
Malcolm Crompton, Managing Director, Information Integrity Solutions Pty Ltd., Chippendale, Australia
Peter Cullen, CIPP, Chief Privacy Strategist, Microsoft Corp., Redmond, Wash.
Peter Fleischer, Privacy Counsel – Europe, Google, Paris, France
Dean Forbes, CIPP, Global Privacy Officer, Schering-Plough Corp., Kenilworth, N.J.
D. Reed Freeman, Jr., CIPP, Partner, Kelley, Drye & Warren, Washington, D.C.
Kimberly Gray, CIPP, Chief Privacy Officer, Highmark, Inc., Pittsburgh, Pa.
Jean-Paul Hepp, CIPP, Corporate Privacy Officer, Pfizer Inc., New York, N.Y.
Jane Horvath, Chief Privacy and Civil Liberties Officer, U.S. Department of Justice
Barbara Lawler, CIPP, Chief Privacy Officer, Intuit, Mountain View, Calif.
Kirk Nahra, CIPP, Partner, Wiley Rein LLP, Washington, D.C.
Nuala O’Connor Kelly, CIPP/G, Chief Privacy Leader and Senior Counsel, General Electric Company, Washington, D.C.
Harriet Pearson, CIPP, Vice President Corporate Affairs, Chief Privacy Officer, IBM Corporation, Armonk, N.Y.
Lauren Steinfeld, CIPP, Chief Privacy Officer, University of Pennsylvania, Philadelphia, Pa.
Zoe Strickland, CIPP/G, Vice President, Chief Privacy Officer, Wal-Mart
Amy Yates, CIPP, Chief Privacy Officer, Hewitt Associates, Lincolnshire, Ill.

Process vs. Defense
continued from page 1

technology attacks or the astounding increase in the sophistication of social engineering, it’s hard to imagine many areas of risk with the same dynamic pace of continual change. Information is essential in the information economy and an inescapable component of corporate value. As a result, effective collection, protection and utilization of information are key components of business strategy.

Sounds like a case for stating privacy is unique, doesn’t it? The answer is both yes and no. It’s unique in that privacy is subject to one of the most rapid rates of change. It’s unique in that it surrounds a broad corporate asset which is increasing in value at a breakneck pace. But these unique characteristics don’t have much to do with underlying risk management principles or processes. If anything, these factors only increase the importance of building a defensible process and resisting a tactical response to individual circumstances. There are consistencies in the underlying process. Is there really that much difference among the processes for effectively managing financial reporting risk and the processes for managing privacy risk?

Take money laundering for example. When it comes to regulatory enforcement actions and building effective legal defenses, the U.S. government clearly takes the view that one process can be applied to different areas of risk/compliance across a matrix organization with central oversight. These entities use an enforcement standard — an Effective Compliance Program — developed and published by The United States Sentencing Commission. This standard is used, in combination with a degree of self-reporting, to determine penalties, jail time and fines. But the benefits of a strong, consistent and defensible process extend far beyond legal/regulatory defense into better operating efficiencies and a more agile, effective privacy risk management program.

Reason #2: “It’s tough to get the budget necessary to address compliance proactively. It’s much easier after things go wrong.”

Developing a compelling business case has long been one of the biggest challenges facing those managing enterprise-wide risk or specific areas, such as privacy. The challenge is that many compliance specialists have yet to develop a compelling proactive business case. To achieve success, a clear and comprehensive strategy is required that incorporates quick wins to address the most pressing concern, privacy in this case, and begins to establish the fundamental processes and supporting technology that can be repeated across a variety of compliance requirements.

Formulating a business case is tough for a number of reasons. First, few organizations have a handle on the actual direct cost of privacy compliance and all of its associated processes. Other hurdles include a grasp on the indirect costs associated with lost marketing opportunities, reputational damage and fear of being too aggressive in the marketplace.

The second business case challenge has more to do with context and demonstrating value. Privacy professionals are often challenged to simply get through the basic administrative components of their programs. As a result, they lack the time to work with other executives and determine how their programs can improve business and present new opportunities. Building a consistent, defensible process that, at a minimum, covers the downside is a first step toward creating the necessary time to focus on extending the process to address other risk areas.

Finally, a successful business case in most areas of risk management requires a plan that has simple, incremental steps toward a more comprehensive vision. Too few executives have experience with proactive risk/compliance projects, but they are looking for ways to say yes — which typically means incremental investment with measurable milestones.

Reason #3: “There are so many areas that need attention; it’s often difficult to determine where to start.”

If resources were readily available for investment, the question of where to target those resources is easily answered by the U.S. Supreme Court’s Seven Elements of an Effective Compliance and Ethics Program. However, given resource realities in most situations, and barring a major direct or industry failure, securing this level of commitment is often difficult and pushes an Effective Compliance Program into more of a vision. Even so, there are many incremental steps that can be undertaken to move the organization forward. Depending on the circumstances and maturity of the program, any of the following make strong starting points and fit neatly into the constructs of an Effective Compliance Program:

• Privacy Inventory — Given the financial services industry’s merger and acquisition activity, and the rapidly growing and exposed data stores from such initiatives as Web-based account management, customer portfolio analytics and increased integration of customer data across a financial services company and its partners, it is becoming increasingly important for organizations to implement specific processes for continuous identification of privacy risks. Through formal assessment processes, organizations can continually keep fresh inventories of what privacy-related information exists, who has access to the information and for what purposes. Only with this information can organizations map the risks and regulations that apply to financial services companies.

• Privacy Framework — Given the growth of regulations in the U.S.
and the world, companies are constantly challenged to keep the multitude of mandates that apply to their organizations straight. In fact, in a February 2007 Gartner Research study, the firm forecasted that worldwide regulations focused on IT operations will double over the next five years. One can only assume that a good portion of this increase will directly relate to privacy. Organizing frameworks such as the Generally Accepted Privacy Principles and those of the Organization for Economic Co-operation and Development are a good place to start organizing your understanding of the privacy risks that apply to your business.

• Procedure/Control Design Assessment — Assuming an organization has mapped all operational and legal/regulatory risks, most then move to ensure that they have defined an appropriate set of procedures to control one or more risks. Often through a self assessment, organizations can effectively catalogue and evaluate the procedures that currently exist or need to be developed. Without these controls mapped to the organizing framework, it is extremely difficult to continually monitor and assess the performance of a privacy program. To keep the job manageable, many start by addressing specific regulations or groups of regulations such as the Bank Secrecy Act, Gramm-Leach-Bliley Act, Payment Card Industry Data Security Standard and security breach notification. Once even one of these is implemented, the road map has been laid for easier rollout to others.

• Communication and Training — One of the most important components of the Effective Compliance Program is establishing effective communication. Clean, consistent and measurable communication through policies, procedures and training to the appropriate employees, brokers, agents and contractors is crucial.
In addition, organizations must have an effective and managed mechanism for employees to seek guidance.

• Performance Assessment — In a recent survey conducted by the Open Compliance and Ethics Group and Axentis, 76 percent of privacy professionals indicated that assessing the performance of their own privacy program is an urgent concern. Given that 65 percent of these same respondents also indicated measurable increases in external privacy program scrutiny, it’s no surprise that many organizations are sharply focused on ensuring this part of their program is functioning effectively.

• Incident Management (Corrective Action) — Most organizations have now recognized that a spreadsheet is no way to manage the response and remediation of issues, breaches and inquiries with respect to their privacy program. Organizations should have a process that is consistent, predictable and measurable. Having inconsistent remediation for similar incidents can create substantial liability, and metrics are critical for identifying systemic design and performance problems.

What all of these “places to start” have in common is that they tie directly to the Effective Compliance Program enforcement standard. Even acting on one of these items can have a significant impact and move the organization toward a defensible process. Tactical fixes such as hardware, perimeter protection and encryption are important, but not enough, given that the threats are multiplying exponentially. The question isn’t “will a breach or failure occur,” but “when an inevitable breach or failure occurs, will we be able to demonstrate a defensible process.” Better to begin the process now. Along the way, the process may even change the posture of privacy from one of cost to one of value.

Ted Frank is the President of Axentis. He can be reached at [email protected].
Brett Curran is Director of GRC and Privacy Practices at Axentis. He may be reached at [email protected].

About Axentis: Axentis delivers an on-demand business performance optimization environment that empowers companies to turn governance, risk and compliance (GRC) initiatives into better business performance and competitive advantage. With its unique, industry only software-as-a-service (SaaS) model, Axentis Enterprise (Ae) Suite delivers a one-world view of the entire organization for better risk management, mitigation and compliance.

The Debate Over Computerized Health Record Privacy Shifts Toward Privacy Protections
David Ermer

After a 3-year investment to achieve President Bush’s mandate to create a national e-medical records system, the focus of the computerized health records discussions in Washington has shifted to privacy protections. In his 2004 State of the Union address, President Bush challenged the nation to eliminate paper medical records within a decade. The president followed up with an Executive Order on April 27, 2004, that called for the widespread deployment of health information technology within 10 years. Since then, there have been many Congressional hearings on the topic of computerized health records that focused on achieving the Bush administration’s mandate to improve healthcare quality and reduce healthcare spending. But since Democrats took control in Washington nearly four months ago, lawmakers have focused more intently on the need for stronger privacy protections in any nationwide system of digital medical records.

Developments in 2007

On Feb. 1, 2007, Sen.
Daniel Akaka chaired a Senate Homeland Security and Governmental Affairs subcommittee hearing on “Private Health Records: Privacy Implications of the Federal Government’s Health Information Technology Initiative.” The Government Accountability Office presented a report concluding that Health and Human Services (HHS) needs to create a stronger business plan for incorporating privacy and security milestones into its health information technology expansion plans. Dr. Robert Kolodner, the HHS Interim National Coordinator for Health Information Technology, explained at the hearing that HHS will develop those milestones once it receives a baseline report on state privacy laws from the National Governors Association’s Privacy Taskforce in the second quarter of 2007. Tennessee Gov. Phil Bredesen later explained to the Health Information and Management Systems Society (HIMSS) conference that:

“The [NGA’s] Privacy Taskforce is now charged with looking at the major state health privacy laws with an eye to how they affect the ability to achieve a workable sharing of information. It is then charged with making recommendations as to how to address such issues. It will work with the Health Information Privacy and Security Collaboration that 33 states and Puerto Rico have begun. Every state has laws on the books that never envisioned interoperable health records, and we need to point the way to cleaning up this landscape.”

Also at the Feb. 1 hearing, Mark Rothstein, a law professor who sits on an HHS advisory board, the National Committee for Vital and Health Statistics (NCVHS), warned that health information technology is launching without adequate built-in privacy and security standards. He complained that HHS Secretary Leavitt is not implementing the NCVHS privacy and security recommendations made in a June 22, 2006, NCVHS letter. Akaka appears interested in a legislative remedy, such as expanding the scope of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security provisions.

Before the month was over, Paul Feldman, Deputy Director of the Health Privacy Project, resigned as co-chair of the American Health Information Community’s (AHIC) confidentiality, privacy and security workgroup in protest of the group’s allegedly slow pace. In response to this resignation, the chair of the House Ways and Means health subcommittee, Rep. Pete Stark, D-Calif., said in a written statement:

“The only way health information technology will take off is if people have confidence that their sensitive medical information will be protected. Without this assurance, we will never be able to realize the benefits that electronic systems offer. Democrats pushed for privacy protections during last year's debate, but our pleas fell on deaf ears. I hope that the GAO report and Mr. Feldman's resignation will finally be the wake-up call this administration needs to begin taking this issue seriously.”

At the HIMSS conference on March 1, in an apparent effort to counter these developments, Dr. Kolodner announced that HHS plans to contract for a pilot “network of networks” that would allow healthcare consumers to control the flow of their own electronic health information. Dr. Kolodner explained that the government’s requests for proposals on a trial implementation of the National Health Information Network (NHIN) will require bidders to include specific technical capabilities for enabling such consumer control.
Computerized health records fall into two basic categories, personal health records, or PHRs, and electronic health records, or EHRs. PHRs generally are created by health plans and insurers for their members based on benefit claims records while EHRs are created by healthcare providers for their patients based on the medical care provided. Efforts are under way to make PHRs and EHRs transportable and interoperable. HHS is working with others to develop the NHIN, which would serve as a nationwide patient registry for electronic health records maintained locally. Provider medical records are subject to HIPAA privacy and security rules if the provider, also known as a HIPAA-covered entity, engages in electronic claim transactions. Because Medicare generally mandates the submission of electronic claims, except for small practices, most facilities and medical groups are HIPAA-covered entities. However, gaps in the HIPAA privacy and security rule coverage do exist among providers, and often the state privacy laws applicable to those non-covered entities are not as strict as the HIPAA rules. While the HIPAA law treats healthcare claim clearinghouses as covered entities, it did not contemplate the creation of healthcare record clearinghouses such as the regional health care organizations, or RHIOs, and the NHIN. Health plan and insurer claim records that form the basis for PHRs are subject to the HIPAA privacy and security rules. Because the HIPAA law expressly was developed to encourage the use of electronic claim transactions, one might expect that there would be less controversy over PHR privacy protections, but that is not the case.
At its March 13, 2007 meeting, HHS’s American Health Information Community approved, with some dissension, a consumer empowerment workgroup recommendation that product certification be made available for insurer record-based personal health records, according to Government HIT magazine and Healthcare IT News. The dissidents complained that certification is premature and could stifle innovation and that certification standards cannot assure privacy and security protections.

The tensions are evident as the nation’s healthcare providers increasingly move toward paperless records. But with all the promises of built-in privacy protections, and the doubts of skeptical healthcare consumers, the outcome is not yet certain. Congress is focusing attention on privacy and other data security issues with legislation, including the Personal Data Privacy and Security Act of 2007 (S. 495) and the Personalized Health Information Act of 2007 (H.R. 1368). The ongoing debate is worth your attention.

David Ermer is the Managing Partner of Gordon & Ermer, Washington, D.C. He is general counsel to a trade association of Federal Employees Health Benefits Plans. Read David Ermer’s blog at www.gordon-ermer.com/FEHBlog.html, or reach him at +202.833.3400.

A How-To Guide to Information Security Breaches
Lisa J. Sotto and Aaron P. Simpson

Contrary to what the headlines suggest, information security breaches are not a new phenomenon. What is new is that we are hearing about them in record numbers. While consumers are newly focused on information security due to the emergence of e-commerce, the reason security breaches now seem ubiquitous is the development of a body of state laws requiring companies to notify affected individuals in the event of a breach. The differing requirements of over 35 state security breach notification laws make legal compliance a challenge for organizations operating on a national level.

Background

Since 2005, there have been reports of over 500 security breaches, many of which have involved the most respected organizations in the United States, according to the Privacy Rights Clearinghouse. In fact, the number of reported incidents does not begin to define the actual number of breaches that have occurred in the United States during the past two years. From universities to government agencies to Fortune 500 companies, no industry sector has been spared. These breaches have run the gamut from lost backup tapes and laptops, to hacking incidents, to organized crime. The reported breaches are estimated to have exposed personal information contained in over 100 million records. Consequently, a significant percentage of the American public has received notification that the security of their personal information has been breached. Indeed, it seems that hardly a day goes by without a new press report of a significant security breach.

State Security Breach Notification Laws

Public awareness was not focused in earnest on security breaches until 2005, fully two years after California enacted a law requiring organizations to notify affected Californians of a security breach. At the time of enactment, few companies understood the enormous implications of that law. Since 2005, 35 other states, as well as New York City, Washington, D.C. and Puerto Rico, have jumped on the bandwagon and enacted breach notification laws of their own. In addition, numerous federal security breach bills have been proposed. With no clear frontrunner, it is hard to predict when a federal law might be passed, though a federal preemptive law appears likely.

At the state level, the duty to notify individuals affected by a breach generally arises when there is a reasonable belief that unencrypted, computerized sensitive personal information has been acquired or accessed by an unauthorized person. Typically, the state laws define “personal information” to include an individual’s first name or first initial and last name, combined with one of the three following data elements:

• Social Security number;
• driver’s license or state identification card number; or
• financial account, credit or debit card number, along with a required password or access code.

Unfortunately, entities struggling with a potential breach must look beyond the language of the “typical” state law in the event of a national, or even multi-state, incident. The variations among state breach notification laws greatly complicate the legal analysis as to whether the breach laws are triggered with respect to a particular event. Because most breaches impact individuals in multiple jurisdictions, companies often must take a “highest common denominator” approach to achieve legal compliance.

Key areas of variation among state breach notification laws include:

• Affected Media: Under most state breach laws, notification is required only if “computerized” data has been accessed or acquired by an unauthorized individual. In some states, however, including North Carolina, Hawaii, Indiana and Wisconsin, organizations that suffer breaches involving paper records are required to notify affected individuals.

• Definition of “Personal Information”: Breach notification laws in some states expand the definition of personal information to include data elements such as medical information (Arkansas, Puerto Rico), biometric data (Nebraska, North Carolina, Wisconsin), digital signatures (North Carolina, North Dakota), date of birth (North Dakota), employee identification number (North Dakota), mother’s maiden name (North Dakota), and tribal identification card numbers (Wyoming).

• Notification to State Agencies: Many states require entities that have suffered a breach to notify state agencies. Currently, the states that require such notification include Hawaii, Maine, New Hampshire, New Jersey, New York, North Carolina and Puerto Rico. In Puerto Rico, organizations must notify the state government within ten days of detecting a breach. In New Jersey, the breach notification law requires entities to notify the state police prior to notifying affected individuals.

• Notification to Credit Reporting Agencies: While the threshold for notification differs among the state laws, many states require organizations that suffer a breach to notify the three national consumer reporting agencies (Equifax, Experian and TransUnion). Among the states with this requirement, the state with the lowest threshold requires notification to the credit reporting agencies when 500 state residents must be notified in accordance with the notification requirement.

• Timing of Notification to Affected Individuals: Most state notification laws require notification to affected individuals within “the most expedient time possible and without unreasonable delay.” Some states, such as Ohio, Florida and Wisconsin, require notification within 45 days of discovering the breach.

• Harm Threshold: Some states (e.g., Indiana, Michigan, Ohio, Rhode Island, Utah and Wisconsin) require notification of affected individuals only if there is a reasonable possibility of identity theft. Other states (e.g., Colorado, Idaho, Kansas, Maine, New Hampshire, New Jersey and Vermont) do not require notification unless it has been determined that misuse of the information has occurred or is reasonably likely to occur. And in other states (e.g., Arkansas, Florida, Hawaii and Louisiana) notification is not required unless there is a reasonable likelihood of harm to customers.
For organizations that suffer multi-state security breaches, any harm threshold is irrelevant as a practical matter because many state breach notification laws do not contain such a threshold.

Federal Enforcement

In addition to the compliance maze at the state level, the Federal Trade Commission (FTC) has enforcement authority in the privacy arena pursuant to Section 5 of the FTC Act. Section 5 of the FTC Act prohibits unfair or deceptive trade practices. The FTC recently has brought a number of enforcement actions pursuant to Section 5 stemming from security breaches. In fact, most of the enforcement actions brought by the FTC in the privacy arena have resulted from security issues. Some of the more noteworthy FTC enforcement actions stemming from security breaches have included those against BJ’s Wholesale Club, CardSystems, ChoicePoint and DSW. The CardSystems case highlights the significant reputational risk associated with privacy events generally, and security breaches in particular. In this case, over 40 million credit and debit card holders’ information was accessed by hackers, leading to millions of dollars in fraudulent purchases. In its enforcement action, the FTC alleged that the company’s failure to take appropriate action to protect personal information about millions of consumers was tantamount to an unfair trade practice.
As part of its settlement with the FTC, CardSystems agreed to implement a comprehensive information security program and conduct audits of the program biennially for 20 years. The real punishment, however, was the reputational damage the company suffered in the wake of the breach. Both Visa and Discover severed their relationship with CardSystems and the company ultimately was sold to an electronic payment company in Silicon Valley.

As our society becomes increasingly information dependent, it is likely that there will be an increase in FTC enforcement associated with security breaches. In fact, in response to heightened consumer concern and an increased need for regulatory oversight in this arena, the FTC recently established a new Division of Privacy and Identity Protection. This signals a new FTC focus on data privacy and security, along with what will likely be a concomitant increase in enforcement.

Managing a Data Breach

If a possible breach occurs, it is critical to determine as quickly as possible whether the event triggers a requirement to notify affected individuals. To make this determination, organizations must be able to answer the following questions:

1. What information was involved? Does the compromised information meet the definition of “personal information” under any of the state breach notification laws? As discussed above, certain states have adopted expansive definitions of “personal information” for purposes of their breach notification laws. These broader definitions must be considered in analyzing the information involved in the event.

2. Was the information computerized? In most states, only incidents involving computerized information require individual notification. But special attention should be paid to the laws in those states in which notification is required for incidents involving personal information in any form, including paper.

3. Was the information encrypted?
Encryption is available as a safe harbor under every extant state security breach notification law. Importantly, all of the relevant laws are technology-neutral, meaning they do not prescribe specific encryption technology. If the information is maintained in an unreadable format, then it may be considered encrypted for purposes of the state breach laws. Encryption does not, however, include password-protection on equipment such as desktop computers, laptop computers and portable storage devices. As a result, many organizations have been required to notify affected individuals when laptop computers subject to password-protection have been lost or stolen.

4. Is there a reasonable belief that personal information was accessed or acquired by an unauthorized person? If an entity has a reasonable belief that the information was compromised by an unauthorized person, notification is required. Note that a number of state breach notification laws contain a harm threshold whereby notification is not required unless there is reasonable possibility of harm, misuse or identity theft (see above). Organizations should be wary of relying on harm thresholds, however, because they are not included in many state breach laws and thus may not be available in the event of a multistate breach.

Because breaches come in all shapes and sizes, many of them require significant technical analysis to answer these questions.
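To make the four questions above concrete, here is an added triage helper written for this edit; it is example code, not part of the article or of any product. It encodes the determination as the article describes it, using the article's own 2007 list of state variations (illustrative here, not a current legal reference), treats device password-protection as not encryption, and applies the “highest common denominator” approach to the states of the affected individuals. The element names (such as `financial_account_with_access_code`), the `Incident` fields and the sample scenarios are assumptions of the example.

```python
"""Breach-notification triage (added example; state tables are the article's 2007 list)."""
from dataclasses import dataclass, field

# Elements that, paired with a name, are "personal information" under the
# typical state definition the article describes (names assumed here).
BASELINE_ELEMENTS = frozenset({"ssn", "drivers_license", "state_id",
                               "financial_account_with_access_code"})

# Expanded definitions by element -> states, per the article.
EXPANDED_ELEMENTS = {
    "medical": {"AR", "PR"},
    "biometric": {"NE", "NC", "WI"},
    "digital_signature": {"NC", "ND"},
    "date_of_birth": {"ND"},
    "employee_id": {"ND"},
    "mothers_maiden_name": {"ND"},
    "tribal_id": {"WY"},
}
PAPER_COVERED = {"NC", "HI", "IN", "WI"}            # paper records also trigger notice
FIXED_45_DAY = {"OH", "FL", "WI"}                   # fixed deadline; others: "without unreasonable delay"
STATE_AGENCY_NOTICE = {"HI", "ME", "NH", "NJ", "NY", "NC", "PR"}
HARM_THRESHOLD = {"IN", "MI", "OH", "RI", "UT", "WI",          # identity-theft test
                  "CO", "ID", "KS", "ME", "NH", "NJ", "VT",    # misuse test
                  "AR", "FL", "HI", "LA"}                       # harm-to-customers test
CRA_LOWEST_THRESHOLD = 500   # lowest state trigger for notifying the three CRAs


@dataclass
class Incident:
    elements: set             # compromised data elements, e.g. {"name", "ssn"}
    computerized: bool        # False for paper records
    protection: str           # "none", "password" (device login only) or "encrypted"
    unauthorized_access: bool  # reasonable belief of unauthorized acquisition/access
    resident_states: set      # states of the affected individuals
    affected_count: int


@dataclass
class Triage:
    notify_states: set = field(default_factory=set)
    deadline: str = ""
    state_agencies: set = field(default_factory=set)
    consider_cra_notice: bool = False
    harm_threshold_usable: bool = False
    reasons: list = field(default_factory=list)


def is_personal_information(elements, state):
    """Q1: a name plus a baseline element, or a state-specific expanded element."""
    if "name" not in elements:
        return False
    if elements & BASELINE_ELEMENTS:
        return True
    return any(el in elements and state in states
               for el, states in EXPANDED_ELEMENTS.items())


def triage(inc):
    t = Triage()
    # Q3: only real encryption (unreadable without a key) is a safe harbor;
    # a login password on a lost laptop is not.
    if inc.protection == "encrypted":
        t.reasons.append("encrypted: safe harbor in every state")
        return t
    if inc.protection == "password":
        t.reasons.append("password protection is not encryption; no safe harbor")
    # Q4: no reasonable belief of unauthorized access -> no duty to notify.
    if not inc.unauthorized_access:
        t.reasons.append("no reasonable belief of unauthorized access")
        return t
    for state in sorted(inc.resident_states):
        if not is_personal_information(inc.elements, state):     # Q1
            continue
        if not inc.computerized and state not in PAPER_COVERED:  # Q2
            continue
        t.notify_states.add(state)
    if not t.notify_states:
        t.reasons.append("not personal information (or paper-only) in every affected state")
        return t
    # Highest common denominator across the states that are triggered.
    t.deadline = ("45 days from discovery" if t.notify_states & FIXED_45_DAY
                  else "most expedient time possible, without unreasonable delay")
    t.state_agencies = t.notify_states & STATE_AGENCY_NOTICE
    t.consider_cra_notice = inc.affected_count >= CRA_LOWEST_THRESHOLD
    # A harm threshold only helps if every triggered state has one.
    t.harm_threshold_usable = t.notify_states <= HARM_THRESHOLD
    return t


if __name__ == "__main__":
    # Constructed scenario: stolen password-protected laptop holding names and SSNs.
    laptop = Incident({"name", "ssn"}, True, "password", True, {"CA", "OH", "NJ"}, 12000)
    print(triage(laptop))
```

The interesting cases are the interactions: a paper file of names and medical data for Arkansas and North Carolina residents triggers nothing (Arkansas counts medical data but not paper, North Carolina counts paper but not medical data), while the same paper file with biometric data triggers North Carolina alone. A harm threshold drops out as soon as one triggered state lacks one, which is the article's point about multi-state breaches.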
Organizations often must enlist the assistance of highly skilled forensic investigators to assist with the evaluation of their systems.

Recognize the Stakeholders

Once an organization has determined that the breach notification laws have been triggered, it is important to understand the panoply of stakeholders throughout the breach process. Depending on the type of organization involved, the potential universe of stakeholders is extensive and may include:

• Affected Individuals: Individuals affected by a security breach are the primary focus for every organization during the notification process. Although the breach may not have occurred as a result of any misdeeds by the organization suffering the breach, in the eyes of consumers, employees and other affected individuals, the organization is responsible for the data it collects and maintains. As a result, regardless of the circumstances, an organization suffering a security breach should be appropriately helpful and respectful to individuals whose data may have been compromised.

• Board of Directors/Senior Management: Information security is no longer an area of a company that is relegated to the dusty basement. Front-page headlines and stock drops stemming from early security breaches made sure of that. It is often advisable to involve the Board of Directors (or its equivalent) and senior management soon after learning of a security breach affecting the organization.

• Law Enforcement: Depending on the nature of the event, it may be important to report the security breach to law enforcement authorities for purposes of conducting an investigation. The state security breach laws allow organizations to delay notifying affected individuals pending a law enforcement investigation. New Jersey’s breach notification law makes it a legal requirement to notify law enforcement prior to notifying affected individuals.

• State and Federal Regulators: In addition to the laws’ requirements to notify state regulators, organizations should give serious consideration to notifying the FTC in the event of a significant security breach.
Proactively notifying the FTC, while not a legal requirement, provides an organization with the opportunity to frame the circumstances of the breach and provide appropriate context. Because the FTC will undoubtedly learn about every significant security breach, organizations are well-advised to tell the story themselves rather than have the FTC learn about the breach from unfavorable media reports.

• Financial Markets: For publicly-traded companies, some security breaches rise to the level of reportable events. In these cases, it may be necessary to notify the Securities and Exchange Commission and the relevant exchange of the breach.

• Payment Card Issuers: To the extent payment cards are involved, it is often essential to consult the card issuers as early as possible in the process. Organizations should review their contractual obligations with the card issuers because there are likely to be provisions relevant to a security breach. In addition, the card issuers may require organizations suffering breaches to file formal incident reports. Depending on the scope of the breach, the card issuers also may require that an independent audit be conducted by their own auditors.

• Employees: In some cases, employees of the organization should be notified of an incident affecting customers. Many employees care deeply about the entity for which they work. To the extent the organization’s reputation may be tarnished by the event, employees will not want to be left in the dark about the incident.

• Shareholders: Public companies that suffer breaches must consider their shareholders in the aftermath of a breach. The investor relations department should be mobilized in the event of a significant breach to respond to investors’ concerns.
• Auditors: In some cases, security breaches may need to be reported to a company’s auditors.

• Public: Security breaches often ignite the passions of the public at-large. In managing the process of notification, organizations should give careful consideration to the anticipated public response to the incident. In many cases, it is helpful to work with experienced public relations consultants. The risk to an organization’s reputation stemming from a security breach far exceeds the risk associated with legal compliance. Thus, it is imperative in responding to a security breach to consider measures that will mitigate the harm to an organization’s reputation.

Timing of Notification

Once the extent and scope of the incident have been defined and it is determined that notification is required, the next step is to notify affected individuals. Most state security breach laws require organizations that suffer a breach to notify affected individuals “in the most expedient time possible and without unreasonable delay.” In several states, notification is required within 45 days of the date the incident was discovered. Under both timeframes, the date of actual notification may be delayed by the exceptions available in most states for law enforcement investigations and restoring system security. Pursuant to the law enforcement exception, notification may be delayed if a law enforcement agency determines that notification would impede a criminal investigation. Thus, if law enforcement has requested such a delay, the clock does not start ticking on notification until after the agency determines that notification will not compromise the investigation.
As to the exception for restoring system security, notification to affected individuals may be delayed to provide the affected organization time to take any security measures that are necessary to determine the scope of the breach and to restore the “reasonable integrity of the system.” Organizations should not take this exception lightly: notification to consumers of a system vulnerability may tip off copycat fraudsters to a system weakness they can exploit. Thus, prior to notifying affected individuals, it is essential for organizations suffering security breaches to restore the integrity of their systems. Entities that rely on either the law enforcement or system security exception should document such reliance. In Hawaii, such documentation is a legal requirement.

Notification to Individuals

Letters to individuals notifying them of a possible compromise of their personal information should be simple, free of jargon and written in plain English. Entities would be well-advised to avoid legalistic phrases and any attempt to pin blame elsewhere. Organizations that have been most favorably reviewed by individuals following a breach are those that have accepted responsibility and provided useful information to recipients. (A breach notification letter is not the place for marketing!) Organizations should keep in mind that, in addition to impacted individuals, the notification letter will likely be scrutinized by numerous interested parties, including regulators, plaintiffs’ lawyers and the media. As a result, it is essential to strike the appropriate tone while at the same time providing a meaningful amount of substance. There is a growing de facto standard, depending on the information breached, for the types of “offerings” companies are making to affected individuals in their notice letters.
These offerings typically include:

• Credit Monitoring: In the event a Social Security number or some other form of identification that may contain a Social Security number (such as a driver’s license number or a military identification card number) has been compromised, it has become standard to offer affected individuals one year of credit monitoring services. Depending on the size of the breach, this can be a significant cost for companies.

• Free Credit Report: Separate and apart from credit monitoring, organizations should inform affected U.S. individuals that they are entitled to one free credit report annually from each of the three national credit reporting agencies.

• Fraud Alert: Organizations also may want to recommend that affected individuals place a fraud alert on their credit file for additional protection. There is no charge for this service. Because fraud alerts can have a significant impact on a consumer’s day-to-day purchase habits, most organizations simply suggest to consumers that this is an option rather than insist they take such action.

In addition to the standard offerings, the letter should describe the details of the security breach. For obvious reasons, these details should never include the specific affected payment card or Social Security numbers impacted by the breach. Instead of providing this detail, it is most effective to explain what happened and what the organization is doing to help individuals affected by the breach. In many cases, this means providing the individual with information about credit monitoring and other information about how they may protect themselves. Also, it may be necessary to establish a call center (with trained agents) to handle consumer response to the incident. As a general rule, if an organization is required to notify in a few jurisdictions, it is recommended that it notify in all jurisdictions (often this includes foreign countries).
With few exceptions, this has become standard in the privacy realm. A few companies that suffered early security breaches after California passed its law were torched by the media and subjected to severe criticism by irate state attorneys general for notifying affected Californians but not affected residents of other states without breach notification laws. The collective experience of these companies highlights an important, but often misunderstood, concept: Technical compliance with law is necessary but not sufficient in the privacy arena. Privacy events are hot button social issues that often transcend mere legal …

See, Information Security Breaches, page 24

Experts Explore Impact of New Federal Pretexting Law During IAPP Audio Conference
Ann E. Donlan, CIPP

The Federal Trade Commission (FTC) promises to continue its aggressive enforcement of deceptive and unlawful efforts to obtain consumers’ private telephone records, according to an agency official.

“The FTC has been concerned with the issue of pretexting since before the passage of GLBA (Gramm Leach Bliley Act),” said Angela Ball, an attorney with the FTC’s Division of Privacy and Identity Protection, Bureau of Consumer Protection. “We will continue our enforcement efforts aggressively.”

Ball was one of three experts the IAPP tapped for a recent audio conference, “Pretexting: New Laws, New Challenges, New Expectations.” Joining Ball were Agnes Bundy Scanlan, CIPP, Counsel, Goodwin Procter LLP and Matthew Leonard, CIPP, Senior Fellow, The Ponemon Institute. The audio conference is available for purchase at a price of $159 for members and $179 for non-members. More information is available at www.privacyassociation.org.

The experts were commenting on the impact of the new pretexting law, the Telephone Records and Privacy Protection Act of 2006, which President Bush signed into law on Jan. 12, 2007. The new law, according to Bundy Scanlan, mandates a maximum 10-year prison term for anyone convicted of using fraudulent tactics to obtain telephone records. Bundy Scanlan said the pretexting scandal related to HP’s efforts to pinpoint the source of boardroom leaks “proved that the law needed to be more specific in terms of obtaining non-public personal information” about individuals and the penalties that pretexters should face for their actions. She added that there are enhanced penalties for aggravated cases that involve more than $100,000 or more than 50 customers, and when the information is used to further certain other criminal offenses.

Bundy Scanlan noted that GLBA, since it was signed into law in 1999, “is a huge step in terms of protecting consumer privacy by way of financial statements.” She added that GLBA “served its purpose,” but Congress determined that there was a need to update the law around the practice of pretexting. Bundy Scanlan’s comments also detailed the elements organizations should include on an “investigative checklist” that should be drafted and in place before a pretexting incident arises.

Ball added that while GLBA’s Section 521(a) “had some specific anti-pretexting provisions,” the FTC also used its unfair or deceptive practices section of federal law to pursue pretexting cases on behalf of consumers. In its experience, FTC investigators found that “Web operators and loosely organized data brokers” were providing disclosures that purported to be mindful of GLBA. “We found that a lot of them misconstrue the exceptions under GLBA,” Ball said, adding: “If there is no good assurance that the information is being obtained through lawful means, then it is likely that it is not being obtained through lawful means.”

Ball noted that a pretexting bill currently pending in Congress, the Prevention of Fraudulent Access to Phone Records Act, would allow the FTC to impose civil fines on those who use deceptive methods to obtain consumers' telephone records. She detailed the agency’s most recent pretexting enforcement efforts, including five cases in federal district courts the agency filed in May 2006 against sellers of telephone records. Of those, two cases have settled and three are pending. In February, the FTC filed a case in federal court in Florida against a group of defendants who allegedly engaged in telephone records pretexting. “We are moving forward with our enforcement efforts and we are looking to see those folks brought to justice,” she said.

Leonard, of The Ponemon Institute, wrapped up the discussion, with a focus on the important role Chief Privacy Officers play in promoting a business culture that values honesty. Leonard also emphasized the need for CPOs to identify departments or groups within the organization that are collecting data, outside of the typical marketing or human resources areas, places within the enterprise “where we get blindsided” by privacy blunders.
Leonard stressed that in many businesses, “there is sort of a culture of deception to win in business.” For example, “creative impersonation” to get in to see a client “becomes part of the mythology in the sales force.” He urged CPOs to “help people make ethical decisions” to thwart the “culture of deception. … At the end of the day, we’re asking our employees to be honest.”

Corporate policies and procedures are critical, said Leonard, who added that “privacy guidance needs to be appropriate to the group.” By identifying potential areas where problems could arise, privacy pros “can help the business do better, not just avoid trouble. It should be our job to think those things through. It’s an opportunity for us to do something right in our organization.”

This audio conference is now available for purchase. Order now at www.privacyassociation.org/index.php?option=com_content&task=view&id=8&Itemid=70.

IAPP In the News

The IAPP Announces New Appointments to 2007 Board of Directors

The IAPP has appointed four new directors to its Board and promoted directors to serve new leadership roles. The IAPP Board of Directors now includes privacy leaders from Google Inc., Information Integrity Solutions Pty. Ltd., Kelley Drye & Warren and the U.S. Department of Justice.
They join existing directors from General Electric Company, Hewitt Associates, Highmark Inc., IBM Corp., Intel, Intuit, Marriott International, Microsoft Corp., Nationwide Insurance Companies, Pfizer Inc., Procter & Gamble, Schering-Plough Corp., the University of Pennsylvania, Walt Disney Company, Wal-Mart, Wiley Rein LLP and Zeno Group.

IAPP Board President Kirk M. Herath, CIPP/G, Associate Vice President, Chief Privacy Officer, Associate General Counsel, Nationwide Insurance Companies, said the new Board members deepen the IAPP’s focus on international and government privacy issues. “We are proud to announce the new members of the IAPP Board,” Herath said. “These accomplished privacy pros will strengthen the experience and depth of our existing board. The IAPP Board will continue to serve our members and the profession with an energetic commitment to foster our education, networking and certification goals.”

The IAPP announced the appointment of these four new members to the Board of Directors: Malcolm Crompton, Managing Director, Information Integrity Solutions P/L; Peter Fleischer, Global Privacy Counsel, Google; D. Reed Freeman, Jr., CIPP, Partner, Kelley Drye & Warren; and Jane Horvath, Chief Privacy and Civil Liberties Officer, U.S. Department of Justice.

Crompton, Australia’s former Privacy Commissioner, currently advises private and public sector organizations on strategies to build trust through their collection and use of personal information. During his five-year tenure as Australia’s Privacy Commissioner, Crompton implemented the country’s private sector privacy law. “I am looking forward to working with the Board to introduce the benefits of the IAPP to a wider range of privacy professionals around the Asia Pacific region, where so much change is happening and the movement of personal information is expanding rapidly,” Crompton said.
Fleischer is Google’s Global Privacy Counsel, based in Paris. He works to ensure that Google protects its users’ privacy, meets all privacy legal obligations and helps to raise the bar for online privacy protections. With more than a decade of experience in online privacy issues, he is committed to engaging with privacy stakeholders in Europe and beyond to address the new privacy challenges of the evolving Web. Prior to joining Google, Fleischer served as Microsoft Corp.’s privacy lead for Europe and Director of Regulatory Affairs. “I am delighted to be joining the Board of the IAPP, and to support its mission of defining, promoting and improving the privacy profession globally. Privacy is becoming an increasingly global profession, as data flows themselves become more and more global. The IAPP provides invaluable support to its members to confront these cross border challenges.”

Freeman is a Partner in Kelley Drye & Warren’s Advertising and Marketing Practice Group. He focuses on all aspects of consumer protection law, including privacy, data security and breach notification, online and offline advertising and direct marketing. Since 2005, Freeman has been a member of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. “I am honored to serve on the IAPP Board of Directors with such distinguished colleagues, and I look forward to helping continue the great work the Board has done already to further the IAPP’s mission,” Freeman said. “It’s a privilege to participate in such an important and growing organization committed to promoting the privacy profession through education, networking and certification.”

Horvath is the first person to serve as the Chief Privacy and Civil Liberties Officer at the Department of Justice (DOJ).
She is responsible for reviewing and overseeing DOJ’s privacy operations and ensuring privacy compliance; developing DOJ’s privacy policy; representing DOJ with respect to international privacy policy issues; and ensuring that privacy and civil liberties impacts are considered prior to the launch of a new program. “I am very excited and honored to join the Board of the IAPP,” Horvath said. “I look forward to working with the Board to reach out to public sector privacy professionals. The IAPP serves a vital role in connecting privacy professionals together to foster best practices globally.”

Also effective immediately are the appointments of:
• Chris Zoladz, CIPP, Vice President, Information Protection, Marriott International, to serve as Treasurer/Past President, in place of departing Board member Becky Burr, CIPP, Partner, Wilmer Cutler Pickering Hale and Dorr LLP, who served as Treasurer.
• David Hoffman, CIPP, Group Counsel and Director of Privacy & Security, Intel Corp., to serve in an entirely new position as Assistant Treasurer.
• Jonathan D. Avila, CIPP, Vice President – Counsel, Chief Privacy Officer, The Walt Disney Co., to serve as Secretary. Avila succeeds Dale Skivington, CIPP, Chief Privacy Officer, Assistant General Counsel, Eastman Kodak Co.

IBM’s Harriet Pearson Explains ‘Why Privacy Is Good for Business’

IBM Chief Privacy Officer Harriet Pearson was recently featured in CEOForum Magazine, where she was interviewed about her “pioneering position.” She is an example, she says, “of what has become basically a new profession.” According to the article, “This high-level concern for privacy is a direct result of the Internet's explosive growth. Once used only for ‘surfing’, the Web has become a destination for shopping, banking — even looking after our health and relationships.
As the details of our lives accumulate in other people's databases, privacy has become a source of consumer anxiety — and corporate concern.”

“Privacy is good for business,” Pearson says. Companies have a responsibility to protect customers’ personal data just as they would protect any other valued corporate asset. Pearson highlights some of the fundamental tenets of the privacy profession, from building a “trusted balance” with customers through transparency in handling data to reinforcing the idea that privacy needs to be addressed as a strategic issue — what she calls “privacy by design”.

The article concludes with recommendations for building a “privacy dream team.” First, start from the top — get support from the CEO and other top execs; second, appoint a CPO — make sure one person is responsible for privacy policy in the organization; and last, build a board — get advice from the departments most affected, at a minimum, marketing, legal, communications, training and IT. For the complete interview, visit www-07.ibm.com/innovation/au/customerloyalty/harriet_pearson_interview.html.

Google Blog Highlights Appointment to IAPP Board

Google’s official blog announced the appointment of Peter Fleischer, Google’s Global Privacy Counsel, to the IAPP Board of Directors. “We're pleased for this recognition, as Peter's work in privacy over the last decade mirrors a real evolution in the profession,” reads the statement posted by Deputy General Counsel Nicole Wong. “Today, privacy is universally viewed as a key corporate goal, and privacy officers are responsible for creating a culture of respect for privacy inside their companies.” The blog included links to the IAPP’s Web site and news release.
Web Watch

Web Site Security: Locking the Back Door to Your Back-end Systems

Michael Weider, CTO of Watchfire, explains the top 10 Web application attacks financial services organizations need to be aware of.

For years, banks have been encouraging their customers to transact online, both to increase profits and to offer a more convenient alternative to visiting the local branch. Since the online migration began, customer adoption of this channel has increased steadily. It also has meant that the pool of potential online scams and breaches is escalating at an alarming rate. As more and more consumers are inevitably victimized, there is a serious risk that confidence in the integrity of online transactions could plummet, with a devastating effect on e-commerce.

The corporate Web site is one of the most important points of interaction between a customer and their bank. Hackers also understand this opportunity. Industry analysts have estimated that 75 percent of attacks are now targeting applications. In 2006, Mitre identified the two most common security issues as Cross-Site Scripting (XSS) and SQL Injection vulnerabilities.

As more financial services organizations encourage their customers to use the Web as a first point of contact, it is essential that Web sites are secure, trustworthy and uphold the financial services industry’s stringent standards and regulations. Newer breach notification requirements also have made it mandatory to notify consumers of privacy and security breaches. Financial services organizations are facing even more pressure to proactively assess and correct security and privacy issues, with customers, regulators, partners and investors becoming increasingly vocal about violations and breaches.
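The two issues Mitre flagged as most common, SQL injection and cross-site scripting, shown as a vulnerable snippet beside its hardened form. This is an added example written for this page; it is not code from Weider’s article or from Watchfire. It runs offline against an in-memory SQLite table whose account rows, names and balances are constructed sample data, standing in for a bank’s back-end database.

```python
"""SQL injection and XSS: the weak pattern beside the fixed one.

Added example (not from the article). The accounts table and the probe
string are constructed sample inputs; sqlite3 and html are standard library.
"""
import html
import sqlite3

# Constructed sample data: a tiny "accounts" table standing in for a bank's
# back-end database. The third display name contains markup on purpose so
# the output-encoding difference is visible.
SAMPLE_ACCOUNTS = [
    ("alice", "Alice Example", 1200.00),
    ("bob", "Bob Example", 85.50),
    ("carol", "Carol <script>alert(1)</script>", 10.00),
]


def make_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, display_name TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation: the caller's value becomes
    part of the SQL text, so quote characters in it change the query's meaning
    (the 'Injection Flaws' row of the table in the article)."""
    sql = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Uses a bound parameter: the driver sends the value separately from the
    query text, so it can only ever be compared as a literal username."""
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def greeting_vulnerable(display_name):
    """Reflects stored data straight into HTML: any markup in the data is
    interpreted by the browser (the 'Cross-Site Scripting' row)."""
    return "<p>Welcome, " + display_name + "</p>"


def greeting_hardened(display_name):
    """Escapes before output, so markup in the data is rendered as text."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def demo():
    """Run both lookups with a normal username and with a constructed probe
    value containing a tautology, and both greeting renderers on the
    markup-bearing display name. Returns the results for inspection."""
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed test input, not a real request
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_hardened": lookup_hardened(conn, "alice"),
        "probe_vulnerable": lookup_vulnerable(conn, probe),  # every row comes back
        "probe_hardened": lookup_hardened(conn, probe),      # no row matches
        "xss_vulnerable": greeting_vulnerable(SAMPLE_ACCOUNTS[2][1]),
        "xss_hardened": greeting_hardened(SAMPLE_ACCOUNTS[2][1]),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, "->", value)
```

The lookups behave identically for a well-formed username; they diverge only when the input carries SQL syntax, which is exactly why the vulnerable form is hard to spot in testing. The same pattern (keep data and code separate, encode at the point of output) is the fix for both rows of the table.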
Top 10 Web Application Attacks Financial Services Organizations Should Be Aware Of

Cross-Site Scripting (XSS)
  Negative impact: Identity theft, sensitive information leakage
  Example of business impact: Hackers can impersonate legitimate users and control their accounts

Injection Flaws
  Negative impact: Attacker can manipulate queries to the database
  Example of business impact: Hackers can access back-end database information, alter it or steal it

Malicious File Execution
  Negative impact: Execute shell commands on the server, up to full control
  Example of business impact: Site modified to transfer all interactions to the hacker

Insecure Direct Object Reference
  Negative impact: Attacker can access sensitive files and resources
  Example of business impact: Web application returns the contents of a sensitive file (instead of a harmless one)

Cross-Site Request Forgery
  Negative impact: Attacker can invoke “blind” actions on Web applications, impersonating a trusted user
  Example of business impact: Blind requests to a bank account transfer money to the hacker

Information Leakage and Improper Error Handling
  Negative impact: Attackers can gain detailed system information
  Example of business impact: Malicious system reconnaissance may assist in developing further attacks

Broken Authentication and Session Management
  Negative impact: Session tokens not guarded or invalidated properly
  Example of business impact: Hacker can “force” a session token on a victim; session tokens can be stolen after logout

Insecure Cryptographic Storage
  Negative impact: Weak encryption techniques may lead to broken encryption
  Example of business impact: Confidential information (e.g., SSNs, credit card numbers) can be decrypted by malicious users

Insecure Communications
  Negative impact: Sensitive information sent unencrypted over an insecure channel
  Example of business impact: Unencrypted credentials “sniffed” and used by a hacker to impersonate the user

Failure to Restrict URL Access
  Negative impact: Hacker can access unauthorized resources
  Example of business impact: Hacker can forcefully browse to and access a page past the login page

As Web applications become increasingly complex, tremendous amounts of sensitive data — including personal and financial information — are exchanged and stored. The consumer not only expects, but demands, proper security to protect this information. A hacker will typically spend time getting to know the Web application by identifying the shortcuts he would have created had he built the application. Then, using nothing more than a Web browser, the hacker will attempt to interact with the application and its surrounding infrastructure in malicious ways. The results can be disastrous.

An organization called OWASP (Open Web Application Security Project) created a “Top Ten” list to help organizations focus on the most serious Web application security vulnerabilities. Adopting a process and implementing technology to monitor for, identify and remediate these threats is an effective first step toward ensuring the security of Web applications.

Why do these vulnerabilities exist?

New methods for attacking Web applications are growing daily in volume and frequency. Security teams are under intense pressure, and many cannot keep up with the volume of applications they need to test. They are often either catching issues late in the development cycle or not at all. The continuous cycle of developing, updating and auditing customer-facing applications, combined with trying to keep up with the latest patches, is a constant battle against hackers.

With the explosion of Web-enabled applications, a new reality has emerged. Financial services organizations should not neglect the important step of securing the site, the applications and the data they collect. It only takes a single breach to ruin a reputation.

Michael Weider is the Founder and CTO of Watchfire (www.watchfire.com), a leading provider of software and services to help ensure the security and compliance of Web sites.

Calendar of Events

MAY

8 IAPP KnowledgeNet — Chicago
CIPP, CIPP/C and CIPP/G examinations, 9 a.m. - noon Central Time, The John Marshall Law School, 315 South Plymouth Court, Chicago, Ill. Register at www.privacyassociation.org

9 IAPP KnowledgeNet — Atlanta
11:30 a.m. - 1 p.m.
Networking Luncheon and Open Discussion. Exchange ideas and thinking on current challenges and opportunities in the privacy industry.

10 IAPP KnowledgeNet — Portland, Ore.
Speaker: Jody Pettit, Health Information Technology Coordinator for the State of Oregon. Electronic Health Information Exchange.

10 IAPP KnowledgeNet — Columbus, Ohio
Speaker: Sol Bermann, CIPP, Chief Privacy Officer, Office of Information Technology - State of Ohio. A discussion about his new role with the State of Ohio.

10 Higher Education Workshop on Online Privacy Management
9 a.m. - 12:30 p.m., The Commons, 3rd Floor, Adamian Academic Center, Bentley College, Waltham, Mass. Massachusetts Attorney General Martha Coakley and a panel of privacy experts will hold a morning workshop on the unique challenges of managing online privacy in higher education. Register at www.bentley.edu/events/iscw2007/index.cfm.

11 IAPP KnowledgeNet — Toronto, Canada
9 – 10:30 a.m. Speaker: Hon. Tom Wappel, Chairman of the House of Commons Standing Committee on Access to Information, Privacy and Ethics. Current PIPEDA Review.

17 IAPP KnowledgeNet — Philadelphia
11:30 a.m. – 2 p.m. Open Discussion, Privacy Roundtable: Running a Privacy Department.

24-25 European Data Protection Intensive — Amsterdam
This unique and groundbreaking event brings together data protection experts from all 27 EU States plus Switzerland and Norway, providing information and advice on the data protection rules and regulations throughout Europe. Visit www.e-comlaw.com/EuropeanIntensive.

JUNE

4-7 IAPP Delegate Tour: Europe
KnowledgeNet meetings, networking and workshops with data protection officials in Berlin, Paris and London.

29 IAPP Certification Testing — New York
CIPP, CIPP/C and CIPP/G examinations, 9 a.m. – 12:30 p.m., Ernst & Young Offices, 5 Times Square Plaza, New York, N.Y.
Register at www.privacyassociation.org

SEPTEMBER

25-28 29th International Conference of Data Protection and Privacy Commissioners
Le Centre Sheraton Montreal Hotel, Montreal, Canada. www.privacyconference2007.gc.ca

To list your privacy event in The Privacy Advisor, email Ann E. Donlan at [email protected].

Privacy News

New Identity Theft Scam Targets Executives

Debix, the Identity Protection Network, is warning corporate executives to be aware of identity theft specifically targeted at them. Debix, joined by LooksTooGoodToBeTrue.com, a Web site funded by the United States Postal Inspection Service, the Federal Bureau of Investigation and the Merchant Risk Council, is advising executives and businesses to take precautions to prevent fraudsters from accessing their lines of credit by stealing the identity of their business executives.

Working with industry and law enforcement, the groups have found a scam in which an ID thief defrauds businesses by stealing the identity of a business executive at a publicly traded company, where personal information such as date of birth, address and phone number is easily accessible in public records. The fraudster then applies for a new credit account at an online retail store in the name of the company and uses the executive's information as a personal guarantee. The fraudster then orders costly equipment, such as computers, which quickly depletes the credit line. By the time the retailer sends the delinquent account to collections, the criminal has moved on to the next victim.

“Because these are business lines of credit, often in excess of $20,000, the fraud losses are quick and substantial,” said Julie Fergerson, VP of Emerging Technologies at Debix and Co-Founder and Board Member of the Merchant Risk Council.
“The good news is executives and business can both take simple steps to protect themselves.”

Debix and the Merchant Risk Council, a non-profit organization dedicated to helping merchants prevent fraud, recommend that executives place a fraud alert on their credit files. After a request is made for credit, the creditor would be required to contact the telephone number placed in the executive’s credit file before issuing new lines of credit.

Class Action Lawsuits Cropping Up Over Credit Card Receipts

Companies that collect or process credit cards should be aware of a new set of lawsuits related to the printing of credit card numbers on receipts, advises Kirk J. Nahra, CIPP, of Wiley Rein LLP and Editor of The Privacy Advisor. In a recent communication, Nahra informed clients that a new series of class action lawsuits — brought primarily in California, but expanding around the country — stem from section 1681c(g) of the Fair Credit Reporting Act, a new requirement from the Fair and Accurate Credit Transactions (FACTA) law that prohibits the printing of full credit card numbers on receipts.

Plaintiffs’ class action lawyers are taking the position that FACTA permits statutory damages of up to $1,000 per willful violation of the law, as a means of attempting to avoid more common problems related to a lack of damages in certain privacy and security cases. The Bureau of National Affairs reports that more than 100 of these suits have been filed in California. A limited number of cases have been filed in other states.

While these suits are new, there has been one early decision testing part of this theory. In a case involving Ikea (Eskandari v. Ikea U.S. Inc., C.D. Cal. No.
8:06-cv-01248-JVS-RNB (March 12, 2007)), the court issued the first decision in this area, ruling on Ikea’s assertion that the Fair Credit Reporting Act did not create a private cause of action for violation of this FACTA provision. The court, in a brief decision, held that the “plain language” of the statute “provides a private right of action for consumers.” Accordingly, while this is only the first step in what is likely to be a much more significant battle, the court has allowed this case to go forward.

Companies should promptly review their policies related to credit card receipts, Nahra said. They also should begin to review more aggressively the overall requirements of the FACTA law, including such broadly applicable provisions as the “disposal rule” related to the disposal of consumer report information.

Richard Thomas Reappointed as UK Information Commissioner

Richard Thomas has been reappointed to a second term as Information Commissioner for the UK. Thomas’ current five-year term expires in November 2007, after which he will serve another two years until June 2009. “I am obviously very pleased to be asked to continue for the next two years,” Thomas told the IAPP. “It is a real privilege to lead the ICO and a very satisfying and rewarding role to ensure that both Freedom of Information and Data Protection are being taken seriously and bring real benefit to the public. I have also very much enjoyed my contact with the international privacy and data protection community and look forward to this further period of cooperation.”

Thomas was a keynote speaker at the IAPP Privacy Summit 07 in Washington, D.C.
His previous career has included serving as Director of Public Policy at Clifford Chance (the international law firm), Director of Consumer Affairs at the Office of Fair Trading, Head of Public Affairs and Legal Officer at the National Consumer Council and Solicitor with the Citizens Advice Bureau Service. He also has held various public appointments, including membership of the Lord Chancellor’s Civil Justice Review Advisory Committee and the Board of the Financial Ombudsman Service.

Most Trusted Companies for Privacy Receive Accolades

TRUSTe and the Ponemon Institute have announced the results of the 2007 Most Trusted Companies for Privacy Study, an annual evaluation of how consumers perceive organizations that collect and manage their personal information. The study ranks companies and federal agencies by industry and compiles a list of the overall top performing companies.

For the second year in a row, American Express was rated the top company for privacy trust, followed by Charles Schwab and IBM. Last year’s top three were American Express, Amazon and Procter & Gamble. Previous years’ winners have included E-Loan, Hewlett-Packard and eBay.

The survey is a Web-based study that gathers information from participants over a six-week period, which ended in February 2007. Responses related to more than 200 companies were analyzed and ranked. “The Most Trusted Companies for Privacy Study is one of the most interesting and important studies of the year as it gives us a picture of how the public’s perceptions change from year-to-year and how different companies respond to evolving privacy challenges,” said Larry Ponemon, CIPP, Chairman and Founder, Ponemon Institute.
“While we read the bad news in the headlines, it is clear that there are many companies that have put on the mantle of privacy leadership, and that are setting a stellar example for others to follow with their superlative privacy and data security programs.”

The executive summary and survey results can be found at www.truste.org/pdf/2007_Most_Trusted_Companies.pdf.

Privacy Classifieds

The Privacy Advisor is an excellent resource for privacy professionals researching career opportunities. For more information on a specific position, or to view all the listings, visit the IAPP’s Web site, www.privacyassociation.org.

• SENIOR PRIVACY & COMPLIANCE SPECIALIST: Iron Mountain, Boston, Mass.
• PRIVACY OFFICER, SENIOR DIRECTOR, CORPORATE COMPLIANCE: State Street Corporation, Boston, Mass.
• INVESTIGATOR 2, CORP INVESTIGATIONS: T-Mobile, Bellevue, Wash.
• PRODUCT COUNSEL, PAYMENTS: Google Inc., Mountain View, Calif.
• PRODUCT COUNSEL: Google Inc., Mountain View, Calif.
• PRIVACY COUNSEL: Google Inc., Mountain View, Calif.
• CORPORATE COUNSEL – PRIVACY: T-Mobile, Bellevue, Wash.
• CORPORATE PRIVACY MANAGER: MedStar Health, DC/Baltimore Area
• PROJECT MANAGER: Allstate Insurance, Northbrook, Ill.
• SENIOR CONSULTANT – PRIVACY AND DATA PROTECTION SPECIALIST: Deloitte, San Francisco/San Jose, Calif.

Congratulations, Certified Professionals!

The IAPP is pleased to announce the latest graduates of our privacy certification programs. The following individuals successfully completed the CIPP, CIPP/G and CIPP/C examinations held at the 2007 IAPP Privacy Summit in Washington D.C.
Aref Alvandy, CIPP; Tarun Ambwani, CIPP; Rebecca Andino, CIPP; Melissa Bateman, CIPP; Kenneth Battista, CIPP; Ken Baylor, CIPP; Rachel Bedor, CIPP; Linda Betz, CIPP; George Bills, CIPP; Carol Black, CIPP; Frederick Blumer, CIPP; Bradly Bolin, CIPP; Darren Bowie, CIPP; Christina Brooks, CIPP; Mark Brooks, CIPP; Kimberly Bubnes, CIPP; Jonathan Cantor, CIPP/G; Gail Carmisciano, CIPP; Debra Castanon, CIPP; George Chacko, CIPP; Mary Cheney, CIPP; Fredric Cibelli, CIPP; Amanda Coffield, CIPP; Nathan Coleman, CIPP/G; Robert Cox, CIPP; Hayden Creque, CIPP; Heidi Cross, CIPP/G; Chris Cunningham, CIPP; Raymond Cunningham, CIPP; Norman Damours, CIPP; Miles Daniel, CIPP; Kim Dawson, CIPP; Carol Deadrick, CIPP; Joshua Deinsen, CIPP; Arthur Dietze, CIPP; John Dorsey, CIPP; Francis Duncan, CIPP; Keary Dunn, CIPP; Colin Erasmus, CIPP/G; Patrick Feehan, CIPP; Gilbert Feltel, CIPP; Tanya Forsheit, CIPP; Christopher Foster, CIPP; Stephen Freedman, CIPP/C; Elizabeth Gaffin, CIPP/G; Amit Gandre, CIPP; Carleigh Gavin, CIPP; Ellen Giblin, CIPP/G; Robert Gibson, CIPP; Mark Gilligan, CIPP; Robin Ginn, CIPP; Lynn Goldstein, CIPP; Mark Grant, CIPP; Andrew Graziani, CIPP; Richard Greenfield, CIPP/G; Ryan Grogan, CIPP; Richard Gubbels, CIPP; Catherine Hackney, CIPP; David Hale, CIPP; Johanna Haskell, CIPP; Holly Hawkins, CIPP; Sandra Hawkins, CIPP/G; Vanessa Hayward, CIPP; William Helmstetter, CIPP; Kimberly Hess, CIPP; Seth Hidek, CIPP; William Holzerland, CIPP/G; Robert Hudson, CIPP; Michael Hughes, CIPP; Scott Hyde, CIPP; Brian Hynes, CIPP; Nathan Johnson, CIPP; Jennifer Johnson, CIPP; Melonie Jones, CIPP; Deborah Joslyn, CIPP; Ann Kennedy, CIPP; Jason Khoury, CIPP; Carla Kittle, CIPP; Kathryn Kohler, CIPP; John Kotlarczyk, CIPP; Stacey Kovoros, CIPP/G; Danielle Kriz, CIPP; John Kropf, CIPP/G; Katherine Kuriyama, CIPP/G; Hillary Kushner, CIPP; Merri Lavagnino, CIPP; Christopher Leigh, CIPP; Courtney Leo Powell, CIPP; Karima Leonhardt, CIPP; Greg Levine, CIPP; Donna Lewis, CIPP; Jay Libove, CIPP; Elaine Lin, CIPP; Joseph Lindstrom, CIPP/G; Anders Ling, CIPP; Vania Lockett, CIPP/G;
Jeffrey Lolley, CIPP; Robin London, CIPP; Jan Lovorn, CIPP; Elizabeth Lynn, CIPP; Carter Manny, CIPP; Jennifer Mardosz, CIPP; Jennifer Martin, CIPP; Bruce Martino, CIPP/G; Amanda Mayhew, CIPP; Jack McCoy, CIPP; Christopher McCrae, CIPP; Christin McMeley, CIPP; Tom McNeil, CIPP; Clewin Mcpherson, CIPP; Raj Mehta, CIPP; Marines Mercado, CIPP; Suzanne Milliard, CIPP/G; Melvin Murray, CIPP/G; Dean Noble, CIPP; David Nowak, CIPP; Gail Obrycki, CIPP; Mark Oram, CIPP; Edward Palmieri, CIPP; Catherine Papoi, CIPP/G; Anwesa Paul, CIPP; Diana Pentecost, CIPP; Tiffany Phelps, CIPP; Christopher Pierson, CIPP/G; Peter Pietra, CIPP/G; Kirill Popov, CIPP; Earl Porter, CIPP; Stephan Potgieter, CIPP; Saikiran Raghupathy, CIPP; Bradley Reimer, CIPP; Robert Reinhold, CIPP; Scott Rempell, CIPP; Chris Richardson, CIPP; Andrew Riley, CIPP/G; Clyde Roberts, CIPP; Jason Robertson, CIPP; Lilia Rose, CIPP/G; Cathleen Ryan Reneer, CIPP/G; Luis Salazar, CIPP; Matthew Sarris, CIPP/C; Mike Sawyer, CIPP; Nancy Schicker, CIPP; Daniel Sellman, CIPP; Jose Sesin, CIPP/G; J. Sheehan, CIPP; Kamilah Shepherd, CIPP/G; James Shreve, CIPP; Kathryn Shroeder, CIPP; Karen Skarupski, CIPP; Maureen Slipek, CIPP; Douglas Smith, CIPP; David Stark, CIPP; Jeremy Steiner, CIPP; Dorene Stupski, CIPP/C; Brian Sulmonetti, CIPP; Mindy Teegarden, CIPP; Jeroen Terstegge, CIPP; S. Trigg, CIPP; Frank Triveri, CIPP; Tamara Tuchmajer, CIPP; Loretta Tulloch, CIPP; Tony Vallone, CIPP; Robert Vetter, CIPP; Gary Wallace, CIPP; Michelle Ward, CIPP; Linda Weeks, CIPP; Kathryn Whelan, CIPP; Daniel Whitehead, CIPP; Richard Wichmann, CIPP; Josiah Wilkinson, CIPP; Chi Yu, CIPP/G.

Periodically, the IAPP publishes the names of graduates from our various privacy credentialing programs. While we make every effort to ensure the currency and accuracy of such lists, we cannot guarantee that your name will appear in an issue the very same month (or the month after) you officially became certified.
If you are a recent CIPP, CIPP/G or CIPP/C graduate but do not see your name listed above, you can expect to be listed in a future issue of the Advisor. Thank you for participating in IAPP privacy certification!

Career Corner

How Do You Express “Value” as a Privacy Professional?

Adam Stone, CIPP

For organizations large and small, effective privacy and data security management are crucial elements of a healthy business. As all privacy practitioners know, a breakdown in privacy and security controls can seriously damage an organization’s reputation with clients, employees and partners. The time and money spent by organizations remediating a privacy breach has amounted to millions of dollars in legal, operational and PR expenses. Without a doubt, effective privacy management adds value to organizations, and so do the privacy professionals employed to guide the organization along the path of sound privacy practices.

Many privacy practitioners say their individual value to an organization is best expressed in money-saving terms. Often, privacy pros see themselves as an “insurance policy” against negative business events. Other privacy leaders indicate that their value also can be traced to revenue generation for their firms. Indeed, every individual in a firm is employed for a specific purpose: either as a money-saver or a money-maker (a few lucky folks get to be both — like the CEO!). Recognizing your purpose in the organization is the first step toward understanding the value that you add.

Despite the recognition of individual value, many privacy practitioners find it difficult to highlight quantitative, as well as qualitative, achievements in their career history. This becomes most apparent on a privacy practitioner’s résumé/CV. Professional achievements are defined by metrics. Without a metric, a so-called “achievement” is simply a task or a duty.
True professional achievements can be directly linked to money-saving events and/or money-making events. On a résumé, numbers tell the best story! Consider the following example:

Jane led the development and implementation of an enterprise-wide privacy awareness program. One element of the program asks each employee to take a 20-question test after viewing a privacy awareness presentation. These results are stored in a database and analyzed as “baseline” scores. As the awareness program continued over the course of a year, Jane again asked each employee to retake the same test to see if scores improved. They did! Scores improved an average of 80 percent overall.

When reviewing Jane’s entry, one can easily note the quantitative metrics. A hiring manager could easily understand Jane’s achievements. On a résumé/CV, Jane’s achievement might read, “Led an enterprise-wide privacy awareness program that increased overall employee awareness by 80 percent over one year.” One can infer, from this quantitative metric, that Jane’s achievement led to a reduction in exposure (or money savings) for the firm.

As professional recruiters, experience tells us that the most lucrative offers do not go to the candidates with the best qualifications for a position. Instead, offers are made to the individuals who are prepared to demonstrate how their background, skills, experience and (most important) achievements can bring real value to a potential employer. To ensure that you are prepared to distinguish yourself, set aside some time to complete a Facts - Achievements - Value (FAV) Worksheet. The information you develop will enable you to create a résumé that excites and motivates employers to grant you an interview. The FAV Worksheet is also a valuable tool for preparing for the interview. Having this document available will help ensure that your responses are clear, crisp and express the potential value that you can bring to the table.
To learn more about the FAV Worksheet, visit the Global Recruiters of Woodbury Web site at www.grnwoodbury.com/fav/index.asp.

Adam Stone, CIPP, is Managing Director of Global Recruiters of Woodbury, a permanent placement recruitment firm focused on executives and professionals in privacy, data security, IT law and public policy, e-discovery and related disciplines. He can be reached at [email protected].

N.H. Pharma Law continued from page 3

One New Hampshire think tank commentator told Medical Marketing & Media: “What the people voting for this didn’t think about is that the database created by the tracking of prescriptions is not just extraordinarily valuable, it’s also very expensive to create, and its creation is only possible because of its commercial use.”

These arguments gained little traction, and, as noted, the law passed and became effective on June 30, 2006. Within days, IMS Health and Verispan sued in U.S. District Court to have all, or part, of the law declared unconstitutional on the grounds that it constitutes a violation of the First Amendment and the Commerce Clause of the U.S. Constitution. Because the First Amendment is implicated, the state must show that the law passes the “Strict Scrutiny Test” — that is, it must be narrowly tailored to promote a compelling government interest, and if a less restrictive alternative would serve the government’s purpose, the legislature must use that alternative. With respect to the Commerce Clause argument, the challengers must prove that the law has the practical effect of controlling commerce that takes place wholly outside of New Hampshire’s borders, constituting a per se violation of the Commerce Clause. Although the Federal District Court in New Hampshire declined to enter an immediate injunction of the law, it “fast-tracked” the proceedings.

Conclusion

A number of states have considered similar “prescription confidentiality” legislation, including New York, Massachusetts, Pennsylvania, Illinois and California, which together represent roughly half of national prescribing volume. The outcome could be a case of “as goes New Hampshire, so goes the nation.” This is especially true in the privacy area, where states appear to take a “me too” approach to privacy legislation, as witnessed in the passage of data breach and security freeze laws throughout the country. The court’s decision is expected in the next 30 days.

Luis Salazar is a shareholder with Greenberg Traurig and a founding member of the firm’s Data Privacy and Security Law Taskforce. Salazar is also the drafter of the Privacy Policy Enforcement in Bankruptcy Act, an amendment to the Bankruptcy Code that prohibits bankrupt companies from misusing consumers’ personally identifying information and provides for the appointment of a Consumer Privacy Ombudsman to advise Bankruptcy Courts on privacy issues. Salazar is based in the firm’s Miami office and can be reached at [email protected].

Editor’s Note: At press time, The Privacy Advisor learned that U.S. District Court Judge Paul Barbadoro ruled in favor of Verispan LLC and IMS Health Inc. In his 54-page ruling, Barbadoro stated that ordinarily “states should be given wide latitude to choose among rational alternatives when they act to benefit the public interest.” But he added, “However, when states adopt speech restrictions as their method, courts must subject their efforts to closer scrutiny.” Watch for more coverage of this decision in upcoming issues of the Advisor.

Information Security Breaches continued from page 13

compliance. Indeed, the risk to an organization’s reputation and revenues often far exceeds the risk associated with noncompliance with breach laws. As a result, organizations responding to a breach should focus on doing the right thing as opposed to doing only those things that are required by law.

Lessons Learned

Security breach notification laws have brought information security issues into the spotlight. While no information security is perfect, proactive incident response planning can help minimize the impact when and if a breach occurs. Such planning includes inventorying the entity’s databases that contain sensitive personal information, understanding how sensitive personal information flows through the organization, conducting ongoing risk assessments for internal and external risk to the data and responding to reasonably foreseeable risks, maintaining a comprehensive written information security program, and developing a breach response procedure.

Given that a recent survey of 31 breaches ranging in size from 2,500 records to 263,000 records, conducted by the Ponemon Institute, found that the average cost of responding to a security breach was $182 per lost customer record, with an average total cost of $4.8 million, the stakes are higher than ever for companies to focus on their information security programs. Most importantly, concern and respect for information security should be integrated into the organization’s core values. A breach response plan alone, without demonstrable organizational concern for information security generally, exposes the organization to significant risk. With the stakes as high as they are, all organizations should be taking a closer look at their information security practices.

Lisa Sotto heads the Privacy and Information Management Practice at Hunton & Williams LLP and is a partner in the New York office. She is also vice chairperson of the DHS Data Privacy and Integrity Advisory Committee. Sotto will be a speaker at the IAPP’s Practical Privacy Series: Data Breach on June 27 in New York City. She may be contacted at [email protected].

Aaron P. Simpson is an associate in the Privacy and Information Management Practice at Hunton & Williams, New York. He may be contacted at [email protected].

This article originally appeared in Privacy & Security Law Report, Vol. 6, No. 14 (April 2, 2007), pp. 559-562. Copyright 2007 by The Bureau of National Affairs, Inc. (800-372-1033) www.bna.com.