MAY
TOP 5 PRIVACY STORIES

Late-Breaking News: As of July 1, a new California privacy law will affect any organization that electronically stores personal information on California residents.

Knowledge You Need: Do you have clients in the European Union? Here's what you need to know about the EU Safe Harbor program.

Roundtable: Industry leaders discuss their experiences with TRUSTe's EU Safe Harbor seal.

Leading Edge: TRUSTe's new Bonded Sender program protects valid email messages from being deleted by spam filters.

Privacy Resources: This U.S. Department of Commerce Web site is the best resource for information on Safe Harbor.

Stay Current! Privacy and security events around the world -- and new privacy innovation awards.

TRUSTe Tech Tip: How to judge when you need to notify your clients about changes to your privacy statement.

Welcome New Licensees: The newest Web sites to display the TRUSTe seal.
New California Privacy Legislation Affects Businesses Across the United States

On July 1, 2003, a new California privacy law with wide-sweeping implications takes effect. California Senate Bill 1386, passed in November, will require any corporation or nonprofit organization that electronically stores personally identifiable information (PII) on California residents -- no matter where the organization is based -- to notify the public in the event of unauthorized access to that information.

The law is written broadly enough that "unauthorized access" to an organization's network does not just mean hacker attacks but also internal breaches of security, benign or criminal. The legislation is designed to slow the growth of identity fraud, an increasingly common crime in the Electronic Age.

The effect on businesses nationwide is yet unknown. All companies that store information such as clients' bank accounts, credit card numbers, and even driver's licenses will need to secure and closely monitor their networks for any evidence of unauthorized access. TRUSTe is currently working on developing reasonable security guidelines for licensees. Look for them in the fall.
EU Safe Harbor at a Glance
by Stephanie Lim

In October 1998, European Union Data Protection Directive 95/46/EC went into effect across all 15 member states of the European Union. Known colloquially as "the directive," the law regulates the collection, use, storage, and transfer of any personally identifiable information (PII) regarding EU citizens, including both customer and employee data. As part of the directive, all EU organizations maintaining a PII database are required to register with government data protection authorities and to disallow data transfers to countries outside the EU with inadequate data protection policies.

With $379 billion worth of trade between the United States and the EU each year, most of which is dependent on the exchange of sensitive information, the directive has massive consequences for U.S. businesses. To prevent U.S. companies from unwittingly breaking EU laws regarding the transfer of PII out of the EU into the United States and from being subjected to large fines or disruptions in commercial transactions, the U.S. Department of Commerce created a "Safe Harbor" self-certification process. By self-certifying as an EU Safe Harbor-compliant company, organizations can satisfy the "adequacy" requirement for transferring PII out of the EU.

Most U.S. organizations that handle any sort of PII regarding EU citizens must adhere to Safe Harbor guidelines, provided that the organization is subject to the jurisdiction of a recognized government body. As of yet, only two U.S. government bodies have been recognized by the European Commission (EC): the Federal Trade Commission (FTC) and the Department of Transportation (DOT). Although it may seem counterintuitive, organizations like banks and insurance carriers are not eligible for Safe Harbor certification since their sector-specific regulations have not as of yet been deemed adequate by the EC.

In general, the privacy principles governing the directive are similar to those governing current FTC Fair Information Practices and, consequently, TRUSTe privacy seal programs. However, while organizations may currently enjoy the lax domestic laws regarding privacy-related infractions, companies in violation of the directive will have to answer directly to the EU data protection authorities.

At a June 2003 conference on Safe Harbor certification sponsored by the U.S. Department of Commerce and TRUSTe, Miriam Wugmeister, a privacy attorney at Morrison & Foerster, said to participants, "Let me tell you why most large, multinational organizations are considering becoming a safe harbor. It's a uniform approach across Europe . . . and onward data transfers are facilitated." Wugmeister reported that enforcement of the directive is increasing, facilitated by the 50 Safe Harbor enforcement officials that the EU recently hired. Fines for improperly sharing data, even with a subsidiary organization, or for public disclosure of information can reach as high as 1.08 million euros (US$1.3 million).

The directive also carries some surprising exceptions with it. It is information-specific, meaning that companies may choose to certify only the portions of their database that are subject to Safe Harbor requirements, such as human resources data. Additionally, while it is typically unacceptable to deny U.S. citizens access to their own PII, there are many situations in which an organization has the right to deny this access under the provisions of the Safe Harbor framework. A company can even charge a fee to grant access to individuals' information.

TRUSTe has worked with the U.S. Department of Commerce and other regulatory agencies to develop its Safe Harbor Seal program, ensuring that companies who receive the Safe Harbor Seal are in full compliance with Safe Harbor standards. Qualifying for the TRUSTe seal also satisfies the verification and dispute resolution requirements. For more information on the TRUSTe EU Safe Harbor Seal, contact Michelle Lucas at mlucas@truste.org.
Privacy Officers Discuss TRUSTe's EU Safe Harbor Seal Program
by Stephanie Lim

A quick glance at the Department of Commerce's Safe Harbor Web site (see "Privacy Resources" below) may incite panic in some privacy officers, but the Safe Harbor self-certification process is necessary -- and much more manageable than it may seem. To date, 46 companies, with 106 URLs, have certified themselves as EU safe harbors with TRUSTe's EU Safe Harbor Seal. Penalties for failure to comply with the EU directive are so severe that some organizations that do not handle personally identifiable information (PII) are choosing to certify simply to dispel fears of both current and potential investors. The current TRUSTe Safe Harbor Seal holders are typically U.S. companies that maintain PII regarding employees or consumers residing in the EU.

Kathleen Helm, director of service center operations at Armed Forces Communications and Electronics Association (AFCEA) International, said that TRUSTe was "very helpful" throughout the Safe Harbor certification process. "AFCEA is an international association whose membership includes residents of the EU," said Helm. "In order to comply with EU directives, AFCEA needed a third-party verifier of its privacy policies to implement a membership portal. TRUSTe was listed by the Department of Commerce as one of the organizations that could meet this need."

Privacy officer Eleonora Romagnoli of Cribis Corporation, an information services firm, said that although she found the certification process to be longer than expected, Cribis was able to complete the process with minimal legal counsel simply by following TRUSTe's Safe Harbor guidelines. In addition to the accessible framework provided by the seal program, she feels that TRUSTe's high level of brand recognition presents a further element of confidence to EU citizens. "TRUSTe's EU Safe Harbor Seal is famous in Europe. It has the quality to certify our compliance to the EU directives about privacy policy."

Paola Dovera, portal content manager for Sybase, Inc., said that Sybase has taken extra measures to ensure compliance with the EU directive by establishing a privacy officer in the EU. "Sybase is concerned about working to establish and maintain worldwide privacy standards," she said. "TRUSTe was the easiest choice [for ensuring Safe Harbor compliance] as we had already established a relationship via the [standard] online privacy certification."

Organizations that handle large amounts of consumer data have to take extra steps when determining which data must be certified. Harris Interactive, a global market research and consulting firm, had to pay close attention to detail when mapping its data collection processes, but found that its current standards were already adequate. Lynn Siverd, chief privacy officer for Harris Interactive, said, "given that we operate with a confirmed registration process . . . and provide opt-out capabilities in each of our communications to our registrants as well as the ability to modify their personal data, we were essentially already compliant with the EU directives."

Equally important, each of these organizations has developed education programs to train personnel involved in data collection and storage processes about the EU directive.

For more information on the TRUSTe Safe Harbor Seal, visit www.truste.org/programs/pub_harbor_join.html or contact Michelle Lucas at mlucas@truste.org.
Bonded Sender: A New Method for Improving Spam Filtering
by Colin O'Malley

If you thought you've been receiving too much spam lately, watch out, because the problem is only getting worse. According to major network ISPs, the volume of spam their users have received has more than doubled since the beginning of the year -- and it's only June.

As the volume of spam continues to grow exponentially, the costs associated with the problem -- including consumer frustration, lost productivity, and bloating IT budgets -- are growing just as quickly. TRUSTe considers spam to be one of the most important privacy challenges on the Web, and we have significantly increased our activity in this area over the last year.

The latest initiative in our ongoing effort to add trust and accountability to email is Bonded Sender, a product that we are slated to launch with IronPort Systems in July.

Bonded Sender provides legitimate email senders with a way to be recognized as good players in the industry and in return to receive an assurance that ISPs will honor their status by giving their emails preferential treatment in the filtering process.

One recent survey estimated that 15 percent of legitimate email (about one in six messages) is being routed away from consumer inboxes due to overzealous spam filtering. The deleterious effects of "false positives" are difficult to overstate for any business that relies on email for marketing or customer relationship management.

How does Bonded Sender work? Senders agree to abide by a TRUSTe-certified set of baseline standards in email, and they back up this pledge with money -- an amount proportional to the volume of email they send. Incremental amounts will be debited from this "bond" if consumer complaints exceed normal thresholds. The complaint rate also provides an ongoing feedback mechanism that empowers consumers to vote against unscrupulous mailers.

The financial mechanism provides an ongoing, real-time assurance to TRUSTe and to ISPs that senders will behave ethically. Once senders complete the certification process, they designate specific outbound mail IP addresses as "bonded" IPs. ISPs and other network operators can identify incoming mail from bonded IPs with a standard DNS query.
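The "standard DNS query" mentioned above is the same lookup pattern used by DNS-based block and allow lists: the connecting IP's octets are reversed, a list zone is appended, and an A record answer means the address is listed while NXDOMAIN means it is not. The following is an added illustration written for this page, not TRUSTe's or IronPort's code; the zone name bonded.example, the listing record 127.0.0.2, the sample IP 203.0.113.10 and the score adjustment are all constructed assumptions, since the page gives no zone name or scoring details. The resolver is injectable so the logic runs offline against a constructed zone and can be pointed at a live resolver by a mail operator.

```python
import socket
from ipaddress import IPv4Address
from typing import Callable, Dict, List

# Placeholder zone name; the real Bonded Sender zone is not given on the page.
BONDED_ZONE = "bonded.example"

# A resolver maps a DNS name to its A records; an empty list stands for NXDOMAIN.
Resolver = Callable[[str], List[str]]

# Constructed zone data standing in for the published list of bonded IPs:
# 203.0.113.10 (a documentation-range address) is "bonded", nothing else is.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "10.113.0.203." + BONDED_ZONE: ["127.0.0.2"],
}


def query_name(ip: str, zone: str = BONDED_ZONE) -> str:
    """Build the list lookup name: IPv4 octets reversed, zone appended.

    IPv4Address rejects malformed input (raises ValueError), so a garbage
    string from a log line never becomes a DNS query.
    """
    addr = IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def fake_resolver(name: str) -> List[str]:
    """Offline resolver backed by the constructed zone above."""
    return SAMPLE_ZONE.get(name, [])


def live_resolver(name: str) -> List[str]:
    """Real DNS lookup; gaierror (NXDOMAIN, timeout) is treated as 'not listed'."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return []


def is_bonded(ip: str, resolver: Resolver = fake_resolver,
              zone: str = BONDED_ZONE) -> bool:
    """True only when the list zone answers for the reversed address.

    Fails closed: a malformed address or a lookup failure yields False, so a
    sender never gets preferential treatment by accident.
    """
    try:
        name = query_name(ip, zone)
    except ValueError:
        return False
    return len(resolver(name)) > 0


def filter_decision(ip: str, content_score: float,
                    resolver: Resolver = fake_resolver,
                    threshold: float = 5.0, bonded_credit: float = 3.0) -> str:
    """Combine a content-filter score with the list lookup.

    Bonded senders receive a fixed credit (assumed value) against their content
    score, the "preferential treatment" the article describes, without the
    content filter itself being loosened for everyone else.
    """
    credit = bonded_credit if is_bonded(ip, resolver) else 0.0
    return "deliver" if content_score - credit < threshold else "quarantine"


if __name__ == "__main__":
    # Constructed sample of (connecting IP, content-filter score) pairs.
    for ip, score in [("203.0.113.10", 6.0), ("203.0.113.11", 6.0), ("bogus", 1.0)]:
        print(ip, query_name(ip) if ip != "bogus" else "(invalid)",
              filter_decision(ip, score))
```

The offline resolver is the default so the module runs without network access; an operator would pass `live_resolver` and the actual list zone. Note that the same lookup pattern serves blocklists too; only the interpretation of a hit (credit versus penalty) differs.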
The current filtering tools used by major ISPs are tuned as sensitively as possible, and anyone with an inbox knows that plenty still gets by. As filters are broadened to catch more suspect email, the incidence of false positives also increases. One vendor recently tested adjustments to its spam filtering technology that produced a 15 percent increase in the spam "catch rate" -- and raised the rate of false positives by 10,000 percent. By identifying legitimate mailers, Bonded Sender allows spam filters to be further fine-tuned without the trade-off of increasing false positives.

We at TRUSTe recognize that there is no silver bullet to kill off spam. But Bonded Sender is a self-regulatory approach with a sound, underlying technical basis that can go a long way in ensuring that good email is delivered.

If you are interested in participating in the Bonded Sender program, or if you have any questions, please let us know right away. We're still accepting sender applications for the upcoming launch. If you represent an ISP or a network and you are interested in more information about the adjustments necessary to accept "bonded" mail, we'll be happy to review the details with you.

Colin O'Malley has recently joined TRUSTe as a product manager focusing on anti-spam and email trust initiatives. If you would like to participate in licensee research on email, please contact Colin at colin@truste.org.
U.S. Department of Commerce Safe Harbor Site

The Department of Commerce oversees certification and enforcement of the Safe Harbor program, so its Web site is the number-one resource for organizations interested in becoming Safe Harbors. Not only does the site provide an overview of Safe Harbor and post all the formal EU and U.S. documents setting out its parameters, but the DOC also provides step-by-step instructions for bringing a company's privacy policy in line with the program and completing the online self-certification process. Plus, a complete list of companies participating in the Safe Harbor program is updated regularly.
Here are a few upcoming conferences and workshops around the world -- and a call for nominations for online privacy awards.

Seventh Annual Internet Law Institute
New York: July 14-15, 2003
San Francisco: July 28-29, 2003
Overview: Every year the country's leading practitioners, corporate counsel, and business executives gather at PLI's Internet Law Institute to examine key issues in Internet law; hot copyright issues such as peer-to-peer litigation, ISP and third-party liability, the use and misuse of trademarks on the Internet, building and managing an IP portfolio in a down economy, online payments, and Web-services outsourcing do's and don'ts. For complete details, visit PLI's Web site.

25th International Conference on Data Protection and Privacy
Dates: September 10-12, 2003
Location: Sydney, Australia
Overview: Business leaders and privacy professionals from around the world will be gathering in Sydney this September to meet with key decision-makers in the Asia-Pacific region and to hear about international privacy regulation, implementation, and the privacy needs of consumers. With the theme of "Practical Privacy for People, Government, and Business," sessions will focus on technologies, marketing and relationship building within a privacy framework, compliance, and consumer advocacy. To learn more about the conference or to register online, visit the conference Web site at www.privacyconference2003.org.

Call for Nominations: TPG Privacy Innovation Awards
The Technology Policy Group (TPG) at Ohio State University's Fisher College of Business has announced the creation of the HP Privacy Innovation Awards. The first annual awards will be presented at TPG's 5th annual PrivacyCon in Columbus, Ohio, on October 1, 2003. They will recognize commercial and government/nonprofit organizations for integration of privacy protection throughout the organization's business processes. Criteria for the award include the impact of the organization's privacy protection policies on the protection of customer privacy, innovation in developing metrics of effectiveness, and marketing or business advantages realized through the implementation of privacy protection.

Online entry forms and additional information, including details about PrivacyCon 2003, which TRUSTe is cosponsoring, are available through August 18 at http://www.privacyinnovation.org. TRUSTe licensees are eligible for a discount on PrivacyCon2003 registration. For the TRUSTe password, please call Michelle Lucas at (415) 618-3402 or George Mamashiani at (415) 618-3403.
Tech Tip: Every time you make changes to your company's privacy statement, you must determine whether they constitute a "material change" requiring you to notify all site users.

The TRUSTe certification guidelines stipulate that companies must provide "notice and choice." This means that users should be made aware of the current use of their personally identifiable information (PII) and be given choice for unrelated uses or sharing with third parties. Therefore, if you make a change to the privacy policy that changes the way PII is handled, you must let users know about this material change so they can choose whether they want to continue sharing their PII with you. If you fail to follow proper notification procedures you may invalidate your TRUSTe certification.

Here is a list of four questions that you and your staff should ask yourselves when making a change to the privacy statement. Distribute the list to your division heads so they can engage in fact-gathering before proposing changes to the statement.

- Does this change affect notice, use, security, or integrity of PII?
- Does this change refer to a new function of the Web site or a new technology that will be associated with PII in a way that is not already disclosed in the statement?
- Does this change affect only new users or users already in your system?
- Does this change affect the method by which you will notify users about material changes?

If you answer "yes" to one or more of these questions, review your privacy statement to determine the procedures you have spelled out for just such an occasion. Then contact your TRUSTe account manager. He or she can help you answer any questions about material changes and about the associated notice and choice process.

-- Robert Behrens, JD, Senior Account Manager and Internet Privacy Specialist
TRUSTe would like to congratulate the following new licensees on successfully completing our certification process:

Ande Jewelry & Mineral, Avatar Group, GDSX, Logitech, Nationwide Insurance, Solidbill, US Websitebuilder, Vertigo Online, and Walker Information.
Got Feedback?
We would like to hear what you think of the TRUSTe Advocate. Send an email with your comments and suggestions to newsletter@truste.org.

TRUSTe is an independent, nonprofit organization that administers the Internet's first and largest privacy seal program.
685 Market Street, Suite 560
San Francisco, CA 94105
(415) 618-3400
Email: info@truste.org
Web: www.truste.org