Personally Identifying Information - PowerPoint PPT Presentation

1 / 30
About This Presentation

Personally Identifying Information


Cell phone cameras and recording capabilities ... Still the CL can be a weapon in hidden camera cases and false light situations ... – PowerPoint PPT presentation

Number of Views:72
Avg rating:3.0/5.0
Slides: 31
Provided by: manag7
Learn more at:


Transcript and Presenter's Notes

Title: Personally Identifying Information

Personally Identifying Information
  • Privacy Protection Legislation and other
    Government Actions

Consequences of not Controlling PII
  • Personally identifying information (PII)
  • One category of PII includes name, address,
    email, phone number
  • Sensitive PII financial records, medical
    information, social security number, sexual
    orientation, religion, political party
  • In the EU there is more protection for the latter
    than the former
  • In the U.S. there are separate statutes that
    protect financial and medical information

Identity Theft
  • According to the FTC, for the fifth year in a
    row, Identity Theft has been the leading cause of
    consumer complaints
  • In 1998 Congress passed the Identity Theft and
    Assumption Deterrence Act
  • Identity theft occurs when someone co-opts your
    name, SS, credit card or some other item of PII,
  • In order to commit a crime

Identity Theft
  • Identity theft can result on significant dollar
    losses as well as
  • Ruined credit and lost job opportunities
  • The aggravation and inconvenience of various bill
    collecting efforts.
  • Other costs of ID theft are discussed in various
    government documents

New Tracking Technologies
  • RFIDradio frequency identification
  • Can be used at checkout counters and other places
  • To date there is no regulation of this technology
  • Cell phone cameras and recording capabilities
  • Again legal protection is thin and behind the
    curve in this area
  • Some states are making atrocious acts
    illegalsurreptitiously photographing
    step-daughters, upskirting
  • Photographing shower scenes without consent

Common Law Protection of Privacy
  • In the absence of legislation, the common law
    (CL) has long recognized privacy as a protectible
  • Under the CL it is a tort to
  • Intentionally intrude, physically or otherwise,
    upon the solitude or seclusion of another if the
    intrusion would be highly offensive to a
    reasonable person
  • It is also a tort to publicize private facts
    about another when the disclosure would be highly
    offensive to a reasonable person and does not
    involve a legitimate topic of public interest
  • False light placing the plaintiff in a false

Common Law Protection of Privacy
  • Problems with the CL invasion of privacy torts
  • Individual damages are often too small to justify
    the suit
  • Organizing class actions are difficult
  • Class action specialists find it more profitable
    organize class action suits based on product
    liability or securities fraud
  • If CL was adequate, we would not have the
    plethora of privacy legislation
  • Still the CL can be a weapon in hidden camera
    cases and false light situations
  • Note that an invasion of privacy claim is an
    intentional tort giving rise to potential
    punitive damage claims

Governmental Actions to Protect Privacy
  • It is fair to characterize government actions as
    being responsive to privacy concerns
  • As a result of the Internet and computerization
    of information, the typical scenario is that an
    abuse takes place and the government then
  • Example COPPA (Childrens Online Privacy
    Protection Act)
  • Geocities website was obtaining PII from children
    about their parentswhat kind of car to do drive
  • COPPA requires verifiable permission parents or
    guardian of children under 13 before PII can be
  • Most observers agree that COPPA has stopped most
    of the worst abuses

Governmental Actions to Protect Privacy
  • Privacy legislation in the U.S. is piecemeal
  • There is no comprehensive protection for privacy
    in the U.S.
  • Areas of concern are dealt with through
  • Medical records, children, financial records
  • In contrast, the EU requires member countries to
    enact legislation consistent with the Information
    Directive of 1995,
  • based on general informational principles

General Principles Associated with Collection of
  • EU Information principles include that the PII be
  • In a way that is fair and lawful
  • For a legitimate purpose
  • Not excessive in relation to the purpose for
    which it was collected
  • Accurately and updated when necessary
  • Kept in a way that PII is destroyed when no
    longer needed for the purpose for which it was
  • Unlike in the U.S., a prerequisite for collecting
    PII is that the data subject must consent

Privacy On The New Frontier of Cyberspace
  • The Federal Trade Commission (FTC) has authority
    to combat unfair and deceptive trade practices
  • Much of the FTCs Internet work has been in their
    consumer protection branch
  • http//
  • In the Consumer Protection Division of the FTC
    there are a wide range of activities that the FTC
    has listed as unfair and deceptive trade practices

Federal Trade Commission
  • The FTC is the most active govt. agency charged
    with promoting privacy
  • According to the FTC
  • A trade practice is unfair if the trade practice
    causes or likely to cause substantial injury to
    consumers and is not outweighed by countervailing
    benefits to consumers or to competition
  • For example, the FTC considers racist or
    pornographic advertising to be unfair
  • Selling pearls without specifying whether the
    pearl is cultured or cultivated
  • The FTC is moving toward a standard that it is
    unfair for a website to collect PII without
    having a privacy policy

Deceptive Trade Practices
  • According to the FTC a trade practice is
    deceptive if
  • The practice is likely to mislead the reasonable
    consumer and affect their decisions
  • As a result, surveys mentioned in commercials
    must be conducted in a fair and statistically
    accurate manner
  • Celebrities who endorse a product must actually
    use the product
  • It is also deceptive to collect PII, assure
    customers that you value their privacy and then
    not have commercially reasonable security.

FTC Actions
  • For years the FTC made use of the five FIPs, Fair
    Information Practices (see below)
  • More recently the FTC under Tim Muris and Howard
    Beales has abandoned the five FIPs for a more law
    and economics approach
  • Under Muris and Beales the FTC has been
    scrutinizing statements made in company privacy
    policies and making determinations as to whether
    those statements are justified in light of the
    security practices of the company

Privacy On The New Frontier of Cyberspace
  • FTC Fair Information Practices
  • Notice/Awarenessconsumers should be notified as
    to who is gathering the data and the uses that
    will be made of that data
  • Choice/Consentconsumers should consent to any
    secondary use for the data. There should be
    opt-in and opt-out provisions.
  • Access/Participationconsumers should have the
    right to contest the accuracy of the data
  • Integrity/Securitythere should be managerial
    mechanisms in place to guard against loss,
    unauthorized access, or disclosures of the data.
  • Enforcement/Redressthere should be remedies
    available to victims of information misuse.

FTC Actions
  • In spite of the five FIPs, websites have
    continued to
  • Collect information from visitors without notice
    or permission
  • Cookies
  • To date the act of attaching a cookie to browser
    and the hard drive of the operator is not
  • So long as it is not coupled with PII
  • Also websites have sold PII without notice or
    permission of consumers
  • Some websites have offered opt-outs, but are not
    required to by law

FTC Actions
  • The FTC considers it a deceptive trade practice
    for a company not to adhere to promises made in
    its privacy policies
  • FTC has been successful in several high-profile
  • Geocities litigation
  • More recently the FTC has challenged some privacy
    policies, even in the absence of a malfunction,
    such as hacking
  • The FTC has maintained that it can evaluate
    whether the security used by a website is
    commercially reasonable
  • Note that the GLB Act requires security that is
    reasonable in light of anticipated threats, ie.,
    it requires financial institutions to use
    commercially reasonable measures

Privacy Act of 1974
  • Prohibits federal agencies that collect PII from
    disclosing that information without permission of
    the data subject
  • There are 12 separate exceptions
  • Individuals have the right to access of their
    records for purposes of correcting the errors
  • Is the source of the Freedom of Information Act

Buckley-Pell Amendment
  • Buckley-Pell Amendment to the Family Educational
    Rights and Privacy Act
  • Federal funds are denied to institutions that do
    not protect confidentiality of student records

Privacy Legislation ECPA
  • Electronic Communications Privacy Act (ECPA),
  • Makes it illegal to intercept phone calls, email,
    cell phones, radio paging devices and private
    communication carriers
  • Protection was extended to both storage and
    transmission of email
  • Email storage before it is read by the recipient
  • Customer records of ISPs
  • Two major exceptions for employers
  • Monitoring takes place in the ordinary course of
    business, or
  • It is by consent of the employee

Childrens Sites
  • Again the FTC has been active in this area
  • The Geocities case is just one example
  • The FTC considers it an unfair and deceptive
    trade practice to collect information from
    children without verifiable parental consent when
    that information will be used for another purpose
  • Congress has passed the Childrens Online Privacy
    Protection Act of 1998, which basically requires
    the same safeguards
  • Children are considered under 13
  • Most of the FTC Fair Information Principles are
    required in order to collect PII from children
  • Notice, an opportunity to review, opt out,
    security and confidentiality

Anti-Hacking Legislation
  • Counterfeit Access Device and Computer Fraud and
    Abuse Act of 1984 and
  • The Computer Fraud and Abuse Act of 1986
  • The 1984 Act makes it a crime to
  • Knowingly, with intent to defraud, produce, use
    or traffic in counterfeit access devices
  • Access devices are any card, plate, code, or
    account number that can be used to obtain money,
    goods, or services or can be used to transfer
  • A counterfeit access device is any access device
    that is forged or altered

Computer Fraud and Abuse Act of 1986
  • As a result of the USA Patriot Act it make it a
    crime punishable by up to 20 years to
  • Knowingly access a computer without authorization
    or exceeding authorized access and thereby
  • Information contained in a financial record of a
    financial institution, or
  • Information from any government agency
  • Information from any protected computer if the
    conduct involved an interstate or foreign

Financial Records
  • Financial Records The Gramm-Leach-Bliley Act,
  • The Privacy aspects of the Act are summarized by
    the beginning of Title V
  • It is the policy of the Congress that each
    financial institution has an affirmative and
    continuing obligation to respect the privacy of
    its customers and to protect the security and
    confidentiality of those customers nonpublic
    personal information.
  • The Act requires that financial institutions
    insure the privacy and confidentiality of
    customer records and information

Financial Records
  • The Gramm-Leach-Bliley Act also
  • Provide protection against any anticipated
    threats or hazards to the security or integrity
    of those records, and
  • Protect against unauthorized access to or use of
    such records or information.
  • It is clear that the Act prohibits giving out of
    nonpublic information to 3rd parties without
    notice and an opt out option
  • The Act prohibits giving out account numbers and
    credit card information to unaffiliated third
    parties for use in telemarketing, email and
    direct mailings

Identity Theft
  • In 1998 Congress passed the Identity Theft and
    Assumption Deterrence Act
  • Identity theft occurs when someone co-opts your
    name, SS, credit card or some other item of PII,
  • In order to commit a crime
  • As a result of the USA Patriot Act, the maximum
    penalties for Identity Theft are 15 years in jail
    and a fine of 250,000
  • The Identity Theft is enforced by the FTC
  • For the past five years, ID Theft is the No. 1
    complaint received by the FTC

Medical Records
  • The Health Insurance Portability and
    Accountability Act of 1996
  • There are two parts to this legislation
  • One part deals with denial of health insurance
    when a person changes jobs and this part has been
  • The other part deals with the privacy of medical
  • Regulations drafted by HHS prohibits
    nonconsensual secondary use of medical records
  • It allows transfers of medical records among
    healthcare providers, insurers, and HMOs
  • Other transfers of medical information must be
    approved by patients unless they fall into
    certain exceptions

Medical Records
  • The HIPAA exceptions include
  • Public health authorities
  • Medical researchers
  • Law enforcement
  • Officials performing over sight functions for
    purposes of determining whether fraud has taken
  • There are other exceptions
  • HIPAA regulations went into effect in April of
  • Requires opt-in for transfer of medical

European Union and Privacy
  • In the U.S. there is a much greater reliance on
    self-regulation than in the EU
  • The EU passed a Data Protection Directive that
    prohibits sharing data with any country who does
    not subscribe to their heavily regulated
  • The Department is Commerce has fashioned some
    regulations that seem to satisfy the EU at present

Other Issues
  • Do Not Call Registryhas been a large success
  • CAN-SPAMFTC has resisted compilation of Do Not
    SPAM registry
  • CAN-SPAM makes it illegal to send an email
    without a way of opting out
  • Illegal to send sexually explicit email that is
    not labeled as such
  • To date there is no anti-spyware legislation but
    it is a target of law makers. Expect legislation
Write a Comment
User Comments (0)