Dan Solove
Above the Law has an entertaining interview with FPF advisory board member Prof Dan Solove on the “skanks” case, as well as some background on his career. Check it out here.
Kudos to the New York Times for addressing the government’s use of cookies in an editorial in this morning’s paper. As the piece indicates, there is currently no ban that prevents a federal agency from using tracking technologies such as cookies. Unfortunately, the current policy is all or nothing: an agency may use cookies with the approval of its agency head or a specific designee, and once that approval is granted, cookies may be used without any substantial privacy protections or use limitations. A new policy is needed that would both enable government web managers to ensure federal web sites are optimized for the public and make the government’s policy more privacy protective. By addressing issues that the Future of Privacy Forum and other advocates have proposed, such as limiting the retention of Internet Protocol addresses and setting policies that would increase transparency and user control, we can have our cake (or our cookies, in this case) and eat it too.
The Commonwealth of Massachusetts, home of the infamous 2007 TJX data security breach, is the first state to impose detailed regulations on how personal data must be secured. As an incubator of a new kind of law, it has found that getting the regs right is no easy task. The regs have been revised once already, and the deadline for compliance has been extended once before.
Our friend from her FTC days, Barbara Anthony, now Massachusetts Undersecretary of the Office of Consumer Affairs and Business Regulation, took up her post this year and heard concerns from many small businesses and others about the effect of even the revised regs. So, yesterday she announced that a second revision to the Massachusetts data security regulations will occur, and that the original compliance deadline of January 1, 2010 will be extended again, this time to March 1, 2010. The regulations will now take a “risk-based approach”, intended to make compliance easier for small businesses that may not handle much personal information about customers. Several specific provisions previously required in a business’s Written Information Security Program have been removed from the regulation and are now intended as guidance only. The scope of the regulations was revised to cover “persons who own or license personal information,” removing the previous language covering those that “store or maintain personal information”. (Thus, if a business merely uses card-swipe technology for credit card payments and has no actual custody or control over the personal information, it does not own or license personal information with respect to that data. Payment Card Industry (PCI) standards would still have to be observed.) The definition of encryption was amended to be technology neutral, and a “technical feasibility” qualifier will now apply to all of the computer security requirements.
As to portable devices, only those that contain personal information of customers or employees need to be protected, and only where “technically feasible”. As to backup tapes, there is a prospective requirement to encrypt them, but for the transport of an existing backup tape from storage, encryption before transfer is required only if it is technically feasible. If it is not technically feasible and there is sensitive personal information on the tapes, the regs suggest that using an armored car service (rather than an ordinary courier) would be in order.
Getting granular is hard, as the regulators in Mass. have found, but kudos to them for trying. Interested parties will have another opportunity to weigh in on this round of revisions at a public hearing in Boston on September 22nd, and written comments will be accepted until September 25th. For more details, click here.
Jules is scheduled to participate in the 31st Annual International Conference of Data Protection and Privacy Commissioners in Madrid, Spain at the Palacio de Congresos (Congress Palace).
Click here for more information regarding this event.
http://webanalysis.blogspot.com/2009/08/individual-visitors-tracking-vs.html
In our comments on the federal government’s request for input on the use of cookies, we made the point that, for the purpose of Web site analytics, use of data in the aggregate is quite sufficient. This discussion and debate between analytics industry experts from Google and comScore provides some insight into the issues around analytics, individual-level data, personalization and related privacy questions.
Steve Smith’s description of the DailyMe service puts it perfectly.
“Transparency alone is not the right answer to the quandary over privacy and targeting. The users must not only feel in control but be able to see a real benefit from the technology”.
Jules will be participating in the Association of Corporate Counsel 2009 Annual Meeting.
October 18-21, 2009
Hynes Convention Center
900 Boylston Street
Boston, MA 02215
Click here for more information regarding this event.
Chris is scheduled to participate on a panel at the TARGUSinfo “Online Lead Quality Summit” entitled, “2010 Privacy Debate: Who and What Will Drive Resolution?”
September 24, 2009
2:25pm- 3:15pm
Panelists:
Alan Chapell, President, Chapell & Associates
Chris Pirrone, General Counsel, Connexus
Matt Wise, CEO, Q Interactive
Mike Zaneis, VP of Public Policy, IAB
Chris will deliver a luncheon address to the California Healthcare Institute on “Behavioral Advertising, Disclosure, and the Life Sciences Sector” on September 22, 2009 from noon to 1:30pm in Newport, California.
Chris will be moderating a panel at the IAPP Privacy Academy, “Into the Breach: Dealing with the Aftermath of a Data Breach” in Boston, MA.
September 18, 2009
11:00am – 12:00pm