Privacy and Security Work Group Draft Privacy & Security Policies & Recommendations.
CONSUMER PRIVACY, NATIONAL SECURITY AND THE
description
Transcript of CONSUMER PRIVACY, NATIONAL SECURITY AND THE
CONSUMER PRIVACY, NATIONAL SECURITY AND THE GLOBAL FIRM
Philip Larson, 3E, GMUSL, [email protected]/10/2007
I. INTRODUCTION
The commercial distribution of consumers’ personal information is rapidly
increasing. While this information can be used to benefit consumers by providing them
with more choices and personalized services, it can also be misused in ways that invade
consumers’ privacy, increase the threat to national security and inhibit economic growth.
Two emerging technologies – Service-Oriented Architectures (SOAs) and Business
Process Management Suites (BPM) – are breaking down organizational processes into
individual tasks and other manageable segments. These technologies have made it more
common for an organization’s business processes to consist of a network of decentralized
services. To benefit from cheap foreign labor markets, organizations are outsourcing
more services in their core business processes. While outsourcing helps organizations
reduce costs, it also places consumers’ personal information into the hands of a growing
number of foreign commercial entities increasing the likelihood of misuse.
To address these privacy and national security concerns, the United States should
enact comprehensive federal privacy legislation. Part II of this article describes how
SOA and BPM technology are enabling companies to outsource business processes and
thereby distribute consumers’ personal data to growing numbers of global service
providers. Part III explains how self-regulation has provided insufficient protection for
consumers’ privacy. Part IV discusses the limitations of the existing “sectional”
approach to United States federal privacy law in regulating abuses by third-party
1
outsourcing service providers. Part V argues that Congress should address these
deficiencies by enacting comprehensive federal privacy legislation.
II. THE ADOPTION OF EMERGING TECHNOLOGIES AND INCREASED
DEPENDENCE ON OUTSOURCING ARE MAGNIFYING THREATS TO
NATIONAL SECURITY POSED BY MISUSE OF CONSUMER DATA.
The world is getting smaller. Organizations are adopting emerging technologies
that are making it easier to transact with service providers located anywhere in the world.
As a result, consumers’ personal information is increasingly being distributed to a wider
network of companies magnifying the risk of abuse. These data privacy and security
abuses are a threat to national security.
A. Business Process Outsourcing (BPO) and Networks of Global Service Providers.
Outsourcing is the practice of shifting an organization’s operations to a third party
vendor.1 Business process outsourcing (BPO) occurs when an organization leverages
third party services to streamline any number of processes from administrative support to
product development.2 The market for BPO is growing rapidly in multiple industries. On
a global scale, IDC has estimated that the worldwide market for BPO will reach $641.2
billion by 2009, up from $382.5 billion in 2004.3 Even Gartner Group's more
conservative estimate for BPO growth suggests the market in North America alone will
be $110 billion by 2009.4 Moreover, Gartner argues that the BPO market will continue to
outpace other IT services and will see compound annual growth rates of 8.8% through
2
2009.5 While there are many models of outsourcing, the two most common are on-
shoring - outsourcing to a vendor located domestically - and off-shoring - outsourcing to
a vendor in a different country.6 While India is the preferred destination for offshore
BPO, it is expected there will be continued growth of outsourcing to China and Eastern
Europe.
Organizations have cited many drivers for this trend. Cost savings is the most
obvious and frequently cited driver, with some estimates arguing that outsourcing can cut
costs by 25-30% and up to 50% when off-shored.7 For example, a study by University of
California at Berkeley found that programming jobs paying $60-80k in the United States
go for as little as $8,952/year in China, $5,880 in India and $5,000 in Russia.8
Outsourcing enables organizations to focus attention on their core competencies without
the distraction of having to manage non-core services.9 Moreover, by using off-shore
vendors in different time zones, organizations benefit from consistent, round-the-clock
access to these outsourced services. In customer service processes, this can reduce the
difficulty of managing 24/7 customer support agreements. In product development
processes, this can reduce the time required to bring a new product to market.10
While the benefits driving adoption of BPO are clear, there are certain important
risks to consider. Companies fear losing control over core business operations and
processes as well as losing expertise and industry knowledge to these third party service
providers.11 The financial instability of outsourcing vendors is another concern.
Moreover, as more third parties participate in an organization’s business processes data
national security is threatened from an increased likelihood of privacy and information
security abuse.12
3
B. Service-Oriented Architectures (SOAs) are Enabling Businesses to Leverage
Services from Global Third-Party Service Providers.
Service-Oriented Architecture (SOA) projects are becoming more common across
a number of different industries.13 An SOA is an approach to software architecture that
exposes an organization’s business components as reusable “services.”14 These services
are self-contained, reusable software components that can be invoked in a standard way
by other people and systems over the Internet.15
The scope of a service in an SOA has a wide range of uses. It may be a simple,
one-step task, such as updating an employee’s home address, or a more complex task
involving processing an invoice or approving a loan application. In the travel industry,
for instance, there are services that check hotel availability, book airline tickets, and make
dinner reservations. Each of these autonomous services might be provided by separate
vendors and combined by a single organization to create an overall “vacation” process.
An SOA enables applications to easily pass data over the Internet to invoke
services from anywhere in the world. Therefore, in addition to enabling geographic
independence, an SOA makes it easier for an organization to outsource services in its
business processes to third parties.16 It is therefore understandable that the adoption of
SOA is gaining momentum, particularly in global organizations looking to outsource
aspects of its operations.17 While older applications typically reside in a single
geographic location, SOAs are enabling applications to be built as a composition of
services provided by multiple vendors located anywhere in the world. As long as the
4
performance, reliability and security of the services are sufficiently high, they can be
linked together as parts of these composite applications.18
Naturally, the implementation and use of an SOA creates data security and data
privacy concerns.19 Many technologists and thought leaders are currently of the mind
that as long as quality of service are sufficient, including performance, reliability and
security, it does not matter where on the planet the service is provided.20 The messages
exchanged between these services often contain user credentials and other personal
information necessary to invoke the service.21 This personal information may include
names, addresses, Social Security numbers or even credit card and banking information.
As a result, U.S. consumer data is being transferred to growing numbers of service
providers located around the world making it more likely that the security and privacy of
the data will be compromised.22
C. Adoption of Business Process Management (BPM) Software is Also Fueling the
Growth in Business Process Outsourcing.
Business Process Management (BPM) refers to software used to design, execute,
monitor and optimize an organization’s business processes.23 BPM is rapidly becoming
the preferred architecture for building agile composite applications by linking together
services exposed through an organization’s SOA.24 According to Gartner, adoption of
BPM is on the rise and will continue to grow at a “high rate” through the end of the
decade.25 In particular, Gartner estimates that BPM new license revenue grew 17.3
percent from 2003 through 2004, amounting to $603.4 million in 2004. Moreover,
5
revenue grew across all 10 of the geographic regions and subsegments showing that there
is a major, global market for this technology.26
BPM and SOA technologies complement each other well. The more business
components a company exposes through their SOA, the more services BPM has to
orchestrate within the enterprise processes it manages and automates. Using analytics
capabilities, BPM can also help benchmark and monitor the performance of the services
executing in the process to ensure they are aligned with performance goals.27 Therefore,
BPM can help reduce the risk organizations face from outsourcing services to third
parties by providing a standard mechanism for evaluating vendor performance and
service reliability. Moreover, BPM makes it much easier for organizations to swap
services in and out of their enterprise processes helping organizations gain agility and
adapt quickly to changing business needs. BPM reduces the cost for organizations to
experiment with different combinations of third party service providers enabling them to
identify the most efficient combination for their business. BPM can then encapsulate best
practices and ensure these processes execute consistently and optimally.28
D. The Growing Adoption of BPM, SOA and BPO Has Significantly Increased the
Threat to National Security Posed by Misuse of Consumers’ Personal Information.
Globalization has forced a “fundamental transformation from regional
economies to a single, integrated global economy.”29 Today’s firm may adopt a “follow-
the-sun” model to ease the burden of providing 24/7 customer support while outsourcing
product development services to Russia and payroll processing services to China. The
6
network of global partners in most companies’ supply chain management processes are
growing. As part of this transformation, consumers have become more aware of privacy
and data security issues and their potential impact on economic markets and national
security.
SOA and BPM are breaking down organizational processes into individual tasks
and other manageable segments making it easier to swap new services in and out of end-
to-end business processes. To stay competitive, organizations are outsourcing many
services in their business processes in order to benefit from cheap foreign labor markets.
It is now much easier to collect, analyze and transmit consumer information
instantaneously to a wider network of affiliates, service providers and partners.
While this has increased the efficiency and agility of organizations, it has also
raised new data privacy and national security concerns. Foreign companies and workers
are gaining access to some of the most private information about American consumers.
One particular concern raised by privacy advocates has been the threat of misuse by “data
brokers,” or companies specializing in the collection and distribution of consumer data.
Data brokers must manage the fine line between using information that will benefit
consumers and the increased threat to national security that arises from using information
in a way that increases the likelihood of identify theft and other harms.
According to the Federal Trade Commission, the data broker industry is "large
and complex and includes companies of all sizes." Some of the data brokers collect
information from public and private sources and use it to provide their own personalized
services in the marketplace. Others simply resell this information to others, oftentimes
with few restrictions on the terms and conditions of these transactions, particularly in
7
emerging foreign markets that represent the heart of the business process outsourcing
business. The FTC states that the "amount and scope" of the information these data
brokers collect differs significantly. While many of these uses benefit consumers, such
as "fraud prevention, debt collection, law enforcement, legal compliance, applicant
authentication, market research", this also makes these databases attractive targets for
1 Outsourcing, http://en.wikipedia.org/w/index.php?title=Outsourcing&oldid=61793844 (last visited March
31, 2007).
2 Business Process Outsourcing, http://en.wikipedia.org/w/index.php?
title=Business_process_outsourcing&oldid=16941873 (last visited March 31, 2007).
3 Romala Ravi, Brian Bingham & Lisa Rowan, Worldwide and U.S. Business Process Outsourcing (BPO)
2005-2009 Forecast: Market Opportunities by Horizontal Business Functions, Aug. 2005, at
http://www.idc.com/getdoc.jsp?containerId=33815 (last visited April 18, 2007).
4 Robert Brown, BPO Market to Grow to $110 Billion in North America by 2009, Gartner Group, August
12, 2005, at http://www.gartner.com/DisplayDocument?ref=g_search&id=484470 (last visited July 3,
2006).
5 Id.
6 Modes of outsourcing, http://www.tutorial-reports.com/book/print/604 (last visited April 18, 2007).
7 Lynn Ward, To Outsource or Not to Outsource?, E-CommerceTimes, June 17, 2003, at
http://www.ecommercetimes.com/perl/story/21700.html (last visited April 18, 2007).
8 Id.
9 Outsourcing, supra note 2.
10 Id.
11 Outsourcing, supra note 2.
12 Id.
13 Michael Barnes, Daniel Sholler & Paolo Malinverno, Benefits and Challenges of SOA in Business
Terms, Gartner Group, Sept. 6, 2005, at http://www.gartner.com/DisplayDocument?
ref=g_search&id=485146 (last visited April 18, 2007).
8
identity thefts that may use this information to harm U.S. financial markets or otherwise
threaten national security.
While identity theft is a crime punishable by law in the U.S., a 2003 FTC survey
nevertheless estimated that 10 million consumers were victims of identity theft in the
twelve months leading up to the survey.30 The FTC estimated that this misuse of
14 Service Oriented Architecture, http://en.wikipedia.org/w/index.php?title=Service-
Oriented_Architecture&oldid=17012698 (last visited April 18, 2007).
15 Id.
16 David Chappell, Service-Oriented Architecture: What Next?, Apr. 4, 2004, at
http://web-services.gov/chappell4804.ppt (last visited April 18, 2007).
17 Id.
18 Bob Sutor, Open Standards vs. Open Source, at http://www.sutor.com/newsite/essays/e-OsVsOss.php
(last visited April 18, 2007).
19 Eric Pulier & Hugh Taylor, Security in a Loosely Coupled SOA Environment, June 13, 2006, at
http://www.aspnews.com/strategies/print.php/11296_3613041 (last visited April 18, 2007).
20 Id.
21 Id.
22 Pulier, supra note 23.
23 Business Process Management, http://en.wikipedia.org/w/index.php?
title=Business_Process_Management&oldid=61784948 (last visited April 18, 2007).
24 Id.
25 Jim Sinur, Janelle Hill & Michael Melenovsky, Market Share: Pure-Play BPM Software Worldwide
2004, Gartner Group, Nov. 22, 2005, at http://www.gartner.com/DisplayDocument?
ref=g_search&id=487272 (last visited April 18, 2007).
26 Id.
27 Id.
28 Id.
9
consumers' personal information resulted in roughly $48 billion in losses and cost general
consumers an additional $5 billion in out-of-pocket losses. In addition to this significant
financial impact, increased prevalence of identity theft is making it easier and easier to
use consumers' personal information in ways that threaten national security.
By some estimates, in the last two years alone over 93 million Americans have
had their personal information “lost, stolen, or otherwise compromised.”31 Paul Kurtz,
the head of the Cyber Security Industry Alliance, made this assessment noting
additionally that information security breaches have eroded public confidence and
represents a “serious threat to economic growth.” He argues that it is “time for Congress
to act” by creating a comprehensive national law aimed at preventing further data
breaches.
While identity theft is a particularly common way consumers’ personal
information is misused it is by no means the only threat to privacy and national security.
In some instances, threatening to misuse consumers’ personal information has been an
effective bargaining chip for employees to extract personal benefits from their employers.
For example, in October of 2003 a highly publicized case of misuse of consumer’s
personal information involved a Pakistani transcriber doing basic clerical work for the
29 Alison Diana, Outsourcing by the Numbers, E-commerce Times, Nov. 12, 2003, at
http://www.ecommercetimes.com/story/32114.html (last visited April 18, 2007).
30 Statement of the Federal Trade Commission Before the Subcommittee on Financial Institutions and
Consumer Credit, Committee on Financial Services, U.S. House of Representatives, on Enhancing Data
Security: The Regulators’ Perspective (M ay 18, 2005), available at
http://www.ftc.gov/opa/2005/05/databrokertest.htm.
31 Paul Kurtz, Needed: A National Cyber Security Law, Business Week Online, October 16, 2006, at
http://www.businessweek.com/technology/content/oct2006/tc20061017_457028.htm.
10
University of California, San Francisco. This transcriber threatened to post patients’
confidential information on the Internet unless she was paid more money.32 While her
motives appeared to have been entirely pecuniary in nature, the threat that consumers’
personal information will be used in terrorist activities or in other ways that threaten
national security are growing.
There have already been examples of employees at foreign outsourcing
companies using consumers’ personal data to steal from and defraud American
consumers. In April 2005, employees of an outsourcing company in Pune, India were
arrested for the theft of $300,000 from four Citibank customers.33 Citibank did not find
out about the problem until it was notified of discrepancies by its American customers.34
Reports have been made of Indian gangs offering to pay employees at outsourced call
centers for Western consumers’ credit card and bank account information.35 This number
may even understate the true risk given that successful hacking of outsourced company’s
databases is very difficult to measure.36 With over 150,000 American tax returns
prepared in India in 2004, many fear that exploitation of personal data and the threat to
American economic interests will only increase.37 A number of senators, including Liz
32 Lou Dobbs, Is Nothing Private Anymore?, U.S. News & World Rep., May 17, 2004, available at
http://www.usnews.com/usnews/opinion/articles/040517/17dobbs.htm (last visited April 18, 2007).
11
Figueroa of California, have argued in favor of privacy legislation that would prevent
“outsourcing without any protections for privacy.”38
The privacy and intellectual property laws in common outsourcing destinations
like India, China and Russia, are not strict enough to protect consumers.39 For example,
the U.S. placed India and China on its “priority watch list” of countries that do not
provide adequate protection to intellectual property.40 Moreover, while there has been
“progress” in China’s efforts to enforce intellectual property rights, the State Department
still believes the country has “a long way to go” before those protections are considered
adequate.41 Additionally, since these processes can involve companies in many legal
33 John Ribeiro, Indian Call Center Workers Charged with Citibank Fraud, April 7, 2005, at
http://www.infoworld.com/article/05/04/07/HNcitibankfraud_1.html (last visited April 18, 2007).
34 Id.
35 Edmund Conway, Legal Challenge to Call Centres: Bank Union Claims Outsourcing to India Can
Contravene European Law, Daily Telegraph (London), Aug. 18, 2004, at 27.
36 Carrie Kirby, Hacking danger for outsourced records hard to gauge, San Francisco Chronicle, March 28,
2004, at http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2004/03/28/MNG573MCQG25.DTL.
37 Dobbs, supra note 29.
38 Id.
39 U.S. Department of State, China Has a High Rate of Intellectual Property Infringement, Apr. 29, 2005, at
http://usinfo.state.gov/usinfo/Archive/2005/Apr/29-580129.html (last visited March 31, 2007); Cassie
Duong, Intellectual Property Rights Protection Weak in China U.S. Says, June 7, 2006, at
http://usinfo.state.gov/xarchives/display.html?p=washfile-
english&y=2006&m=June&x=20060608164932cagnoud0.1814234 (last visited April 17, 2007).
40 Id.
41 Id.
12
jurisdictions, there is question as to who may exercise authority when there are privacy
and information security issues.
III. SELF-REGULATION HAS NOT PROVIDED ADEQUATE PROTECTION
OF CONSUMERS’ PERSONAL INFORMATION.
The United States has traditionally promoted a combination of market-based self-
regulation and targeted, sectional legislation to attempt to prevent misuse of consumers’
personal data in ways that might weaken national security. This approach has failed to
provide adequate protection against misuse of consumer data by foreign companies.
A. Privacy Policies Are Insufficient to Protect Consumers’ From Misuse of their
Personal Data.
In 1998, the Online Privacy Alliance (OPA) was formed to encourage industry
self-regulation of privacy.42 The OPA created privacy guidelines that encouraged two
modes of self-regulation: 1) the adoption of privacy policies and 2) the creation of
certification groups.43 Privacy policies articulate the manner in which a company collects,
uses, and protects data, and the choices they offer consumers to exercise rights in how
their personal information is used.44 With privacy policies, consumers may determine
whether and to what extent they wish to make information available to companies.45
13
While American law does not require companies to post privacy policies, under Section 5
of the FTC Act the FTC has sued companies for failing to comply with their stated
privacy policies.46
Nevertheless, the adoption of privacy policies has not provided adequate
protection of consumers’ personal data. American law does not even require companies
to post privacy policies let alone ensure the policies are drafted in ways that actually
protect consumers’ data from misuse. Moreover, having individual privacy policies for
each website means users interested in protecting their information must read through the
statements of each website they visit in order to understand how their information is
being protected. Unfortunately, 70% of people in a recent study disagreed that “privacy
policies are easy to understand,”47 and few people make the effort to actually read them.48
In 2003, for instance, an Annenberg Public Policy Center poll claimed 57% of
respondents believed that if a company had a privacy policy, they would not share
information with other entities.49
It is an unreasonable burden to require consumers’ to read all of these statements
particularly since most of them state that they may be changed at any time. Moreover, it
appears that many consumers misinterpret the meaning of privacy statements and are
simply lulled into a false sense of confidence. For example, a survey conducted by the
42 Marcia Smith, Internet Privacy: Overview and Pending Legislation, CRS Report for Congress, July 6,
2004, at http://fpc.state.gov/documents/organization/35133.pdf (last visited April 17, 2007).
43 Id.
44 Esther Dyson, Privacy Protection: Time to Think and Act Locally and Globally, Apr. 1998, available at
http://www.firstmonday.org/issues/issue3_6/dyson/index.html (last visited April 17, 2007).
45 Id.
46 15 U.S.C. § 45(a).
14
Annenberg Public Policy Center found that 75% of adults that use the Internet incorrectly
assumed that having a privacy policy meant that a website would not share their
information with other websites and companies.50 People assume that if a site has a link
to a “Privacy Policy,” their privacy will be protected.
Privacy policies therefore do not sufficiently protect consumers from the misuse
of their personal data by third party service providers.
B. Private Sector Certifications Fail to Adequately Protect Consumers’ Personal
Information.
The Better Business Bureau (BBB), TRUSTe, and WebTrust have created “seals”
certifying various levels of privacy protection for participating websites.51 The seal may
only be displayed if the company abides by specific privacy principles. While advocates
of self-regulation suggest that these seal programs preclude the need for federal
47 Joseph Turow, Lauren Feldman, and Kimberly Meltzer, Open to Exploitation: American Shoppers
Online and Offline, June 1, 2005, at
http://www.annenbergpublicpolicycenter.org/04_info_society/Turow_APPC_Report_WEB_FINAL.pdf
(last visited April 17, 2007).
48 Harris Interactive, Privacy Notices Research Final Results, Privacy Leadership Initiative, December
2001.
49 Joseph Turow, Americans and Online Privacy: The System is Broken, Annenberg Public Policy Center,
June 2003, available at
http://www.annenbergpublicpolicycenter.org/04_info_society/2003_online_privacy_version_09.pdf (last
visited April 17, 2007).
50 Turow, supra note 38;
51 Smith supra note 38.
15
legislation, these seal programs have not proven effective at protecting consumers’
personal data. First, these seal programs do not carry the weight of law.52 Second, they
tend to only apply to data provided through an organization’s websites.53 Third,
TRUSTe and BBBOnline have been criticized for being mere corporate apologists rather
than defenders of privacy.54 Regarding TRUSTe, even people central to the
establishment of the seal program have been disappointed with it.55 Esther Dyson, who is
credited with playing a central role in the establishment of the seal program, has stated
that TRUSTe's board "ended up being a little too corporate, and didn't have any moral
courage."56
Therefore, while these programs combined with other forms of self-regulation
have provided some benefits, a full solution addressing the national security risks of
misuse of consumer data will not be complete without legislation that brings the full
weight of the law.
IV. THE UNITED STATES’ PATCHWORK OF FEDERAL PRIVACY LAW HAS
TOO MANY HOLES.
In addition to self-regulation, a variety of federal laws and regulations regarding
data privacy and information security have emerged. Unlike the broader European
52 Id.
53 Id.
54 Id.
55 Paul Boutin, Just How Trusty is Truste?, Wired News, Apr. 9, 2002, at
http://www.wired.com/news/exec/0,1370,51624,00.html (last visited April 17, 2007).
56 Id.
16
approach to privacy law, U.S. privacy law has been more “sectional.”57 The United
States’ patchwork of privacy legislation regulates how certain types of entities may use
information. Restrictions on the use of consumers’ personal information have been
extended one vertical at a time and now include regulations for health care organizations,
financial institutions, and consumer reporting agencies. These laws help to strengthen
national security by reducing the likelihood that consumers’ personal information will be
misused in ways that harm the country. Unfortunately, in many situations current federal
privacy laws provides no protection against foreign companies that choose to misuse
consumers’ personal information in ways that harm national security. Moreover, this
patchwork approach is creating problems with harmonizing U.S. law with that of the rest
of the world.
A. Protecting Consumer Data in Financial Institutions: The Gramm-Leach-Bliley
Act.
In 1999, the Gramm-Leach-Bliley Financial Modernization Act (“GLBA”) was
enacted in order to protect the privacy of consumer information held by “financial
institutions.”58 The two primary components of the GLBA that govern the collection,
disclosure and protection of consumers’ nonpublic personal information are the Financial
Privacy Rule and the Safeguards Rule.
57 Fred H. Cate, The EU Data Protection Directive, Information Privacy, and the Public Interest, 80 IOWA
L. REV. 431, 438 (1995).
58 15 U.S.C. §§ 6801-09.
17
The Financial Privacy Rule gives consumers more control over how and when
financial institutions share their personal information.59 First, financial institutions are
prohibited from disclosing their customers' account numbers to non-affiliated companies
when it comes to telemarketing, direct mail marketing or other marketing through e-
mail.60 Second, when a financial institution passes consumer information to a service
provider that service provider may only use the information for limited purposes.61 If the
consumer had no right to opt-out, the service provider may not sell the information to
other organizations or use it for marketing.62 However, if the service provider receives
nonpublic personal information from a financial institution and the consumer does not
opt-out, the service provider may use the information for its own purposes or re-disclose
it to a third party.63
The Safeguards Rule requires financial institutions to implement reasonable
safeguards to prevent misuse of clients’ nonpublic personal information.64 This rule
requires the company to develop, monitor and test their program to ensure the security of
their client’s information. Moreover, this rule requires companies to select only
appropriate service providers and require them by contract to implement the safeguards.65
59 Id.
60 FTC, In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act , available at
http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm (last visited April 17, 2007).
61 Id.
62 Id.
63 Id.
64 15 U.S.C. §§ 6801-09.
65 Id.
18
Therefore, while both the Financial Privacy Rule and the Safeguards Rule provide
some protection from misuse of consumer information by third party service providers,
the protection is limited to companies providing services to “financial institutions.”
Therefore, the GLBA does not protect against abuse by offshore outsourcing vendors that
receive consumer information from other types of organizations and institutions.
B. Protecting Consumer Medical Records: The Health Insurance Portability and
Accountability Act.
Enacted by Congress in 1996, the Health Insurance Portability and Accountability
Act (HIPAA) required the establishment of national standards for electronic healthcare
transactions.66 The HIPAA Privacy Rule, which took effect on April 14, 2003, applies to
health plans and any healthcare providers that transmit health information in electronic
form.67 In particular, the Privacy Rule protects all “individually identifiable health
information” held or transmitted by a “covered entity” or one of its business associates.68
In addition to requiring covered entities to take reasonable steps to protect the
confidentiality of communications with consumers of health care services, it also states
that a covered entity may not use or disclose protected health information unless the
individual authorizes the use in writing.69
66 HIPAA, http://en.wikipedia.org/w/index.php?title=HIPAA&oldid=31293402 (last visited April 17,
2007).
67 45 C.F.R. 164.501.
68 Id.
69 Id.
19
Therefore, similar to the Gramm-Leach Bliley Act, HIPAA provides some
protection against misuse of personal information by third party service providers
receiving health information from health care providers. However, HIPAA only applies
to “covered entities” which consist of those who pay for health care “in the normal course
of business.”70 This definition would not provide protection from misuse by many
offshore outsourcing vendors that receive information from other types of companies and
institutions.
C. Section 5 of the Federal Trade Commission Act.
Under the Federal Trade Commission Act (“FTCA”), the FTC is empowered to
(a) prevent unfair methods of competition, including unfair or deceptive acts in
commerce; (b) seek monetary redress for injured consumers; (c) prescribe trade
regulation rules defining practices that are unfair or deceptive; (d) conduct investigations
relating to organizations engaged in commerce; and (e) make reports and legislative
recommendations to Congress.71
Section 5 of the Federal Trade Commission Act (“FTCA”) prohibits “deceptive”
business practices.72 Deceptive practices are material representations or omissions that are
likely to mislead consumers acting reasonably under the circumstances.73 The FTC stated
in 1998 that using personal information in violation of a posted privacy policy constitutes
70 42 U.S.C. 1395x(s).
71 15 U.S.C. §§ 41-58.
72 15 U.S.C. § 45(a).
73 Cliffdale Associates, Inc., 103 F.T.C. 110 (1984).
20
a “deceptive practice” and is actionable under the FTCA. Since 1998, the FTC has been
quite successful in bringing suits against companies that fail to comply with their stated
privacy policies.74
In addition to prohibiting deceptive practices, Section 5 also prohibits “unfair”
practices.75 Unfair practices are those that are likely to cause consumers substantial
injury that is neither reasonably avoidable by consumers nor offset by countervailing
benefits to consumers or competition.76 The FTC has used this authority to successfully
bring suits against companies whose practices, while not in direct violation of their stated
privacy policies, still threaten data security. For example, the FTC sued DSW for having
insufficient security measures to protect credit card and checking account information
and found that this constituted an “unfair” practice.77 Similarly, BJ’s settled with the
FTC after claims that its failure to encrypt information stored on its networks and its
failure to change default user id and passwords led to the breach of thousands of
consumers’ credit and debit cards numbers.78 Most recently, the FTC levied a
groundbreaking $15 million fine after finding that ChoicePoint’s lack of adequate
security measures resulted in a breach that led to over 800 cases of identity theft.79
While the FTCA is different from GLBA and HIPAA in that it is not limited to
industry-specific institutions, the FTC has never used its Section 5 authority to bring suit
against a company that provided consumers’ personal information to a foreign affiliate
that then abused or misused the information. Therefore, it is unlikely that Section 5 of
74 Petko Animal Supplies, Inc. (FTC Docket No. C-4133) (Mar. 4, 2005); Tower Records (FTC Docket No.
C-4110) (May 28, 2004); Microsoft Corp. (FTC Docket No. C-4069) (Dec. 20, 2002); Eli Lilly & Co. (FTC
Docket No. C-4047 (May 8, 2002). Documents related to these enforcement actions are available at
http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html (last visited April 18, 2007).
21
the FTCA, in its current form, significantly reduces threats to national security that arise
from misuse of American consumers’ personal information by offshore service providers.
The recommendation that the FTC push Congress to grant them the authority to hold
offshore service providers legally liable for either direct misuse or personal information
or misuse that can be traced back to inadequate security measures is addressed in the next
section.
V. COMPREHENSIVE FEDERAL PRIVACY LEGISLATION IS NEEDED TO
REDUCE THE THREAT TO NATIONAL SECURITY FROM MISUSE OF
CONSUMERS’ PERSONAL DATA.
There is a growing risk to national security as businesses adopt emerging
technologies that increase America’s dependence on outsourced services. The solution is
comprehensive federal privacy legislation. The general public, as well as a growing
75 15 U.S.C. § 45(n).
76 Id.
77 Press Release, FTC, DSW Inc. Settles FTC Charges, Dec. 1, 2005, at
http://www.ftc.gov/opa/2005/12/dsw.htm (last visited April 17, 2007).
78 Press Release, FTC, BJ's Wholesale Club Settles FTC Charges, June 16, 2005, at
http://www.ftc.gov/opa/2005/06/bjswholesale.htm (last visited April 18, 2007).
79 Press Release, FTC, ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil
Penalties, $5 Million for Consumer Redress, Jan. 26, 2006, at
http://www.ftc.gov/opa/2006/01/choicepoint.htm (last visited April 18, 2007).
22
consortium of private sector companies, supports national privacy legislation. Moreover,
comprehensive federal legislation could be used to harmonize privacy requirements with
those of the European Union creating a compelling model for the rest of the world.
A. The General Public Supports National Privacy Legislation.
Opinion polls suggest that a majority of the American public would support
national privacy legislation. In a June 2001 Gallup poll two thirds of respondents were in
favor of new federal legislation that would protect online privacy.80 In April 2001, the
American Society of Newspaper Editors found that 51% of respondents were “very
concerned” and 30% were “somewhat concerned” that companies would violate their
personal privacy.81 In a 2002 Harris Poll, 63% of respondents considered current law
inadequate to protect their privacy and a majority of consumers stated they did not trust
businesses to handle their personal information properly.82
In particular, consumers have shown interest in legislation that would restrict a
company’s ability to provide their personal information to third parties. A 1991 Time-
CNN Poll stated that 93% of respondents believed companies should obtain permission
from the individual before selling personal information to a third party.83 A March 2000
Harris Poll found that 88% of users supported requiring a website to obtain consent
before sharing personal information with others.84 Recent surveys suggest that this trend
80 Id.
81 Id.
82 Id.
23
for consumers to prefer legislation that would provide additional protection to their
personal information is growing.
Therefore, the general public appears to support broad privacy legislation that
would give them greater control over how companies use their personal data.
B. There is Growing Support in the Private Sector for Comprehensive Federal
Privacy Legislation.
Traditionally, the private sector has been opposed to broad federal privacy
legislation believing that regulation could inhibit growth and innovation. Nevertheless,
support for federal privacy legislation has been growing even in the private sector,
particularly among large, global firms. Recently, twelve companies formed the
Consumer Privacy Legislative Forum (“CPLF”), an advocacy group to lobby for greater
protection of private information.85 The CPLF includes both high tech companies such
as Microsoft, Google and eBay as well as companies that haven’t traditionally had a large
online presence such as Eastman Kodak Co., Eli Lilly and Co. and Procter & Gamble Co.
The broad range of industries represented by members of the CPLF suggest that new data
privacy issues are not unique to particular industries and that sectional, targeted federal
legislation is therefore inappropriate.
83 Electronic Privacy Information Center (EPIC), Public Opinion on Privacy, at
http://www.epic.org/privacy/survey (last visited April 17, 2007).
84 Id.
85 Consumer Privacy Legislative Forum, Statement of Support in Principle for Comprehensive Consumer
Privacy Legislation, June 20, 2006, at http://www.cdt.org/privacy/20060620cplstatement.pdf (last visited
April 17, 2007).
24
The group believes the “time has come” for “comprehensive harmonized federal
privacy legislation” to create a “uniform but flexible legal framework” for protecting
consumers’ personal data.86 While the CPLF has not yet recommended specific language
for the statute, the law would likely require businesses to provide notice to consumers
when collecting or using personal information and provide individuals control over how
the information is used.87
The members of the CPLF have given a number of reasons for their position in
favor of federal regulation. According to Brad Smith, Microsoft’s General Counsel, the
complex patchwork of varying national and state laws around data and financial privacy
has been confusing and contradictory and has made it difficult for Microsoft to establish
consistency in their transactions with consumers.88 It is often unclear what standard will
be required in what area of the country when activity that is legal in one jurisdiction may
be illegal in another.89 Nicole Wong, Google’s associate general counsel, agrees that the
"uneven patchwork" of state privacy laws in the United States has made it difficult and
expensive for companies to comply.90 Moreover, many companies support national
legislation because they believe consumer fear of identity theft and other information
security abuses have chilled commerce.91
Therefore, the current approach towards privacy law in the United States has
become burdensome on the private sector and a growing number of companies believe
the time has come for comprehensive, federal legislation.
86 Id.
87 Id.
25
C. Federal Privacy Legislation Will Harmonize U.S. Policy with International Laws.
As companies’ enterprise processes continue to invoke more and more services
from around the world to streamline operations and implement corporate strategy,
consumers’ personal data will pass between many countries with a variety of different
legal standards. Therefore, foreign privacy laws will apply to a growing number of
commercial transactions. It is important for any American legislation to consider these
foreign privacy laws in developing its own privacy legislation in order to prevent
conflicting obligations on global businesses.
A comprehensive, harmonized federal approach to American privacy legislation
would be more in line with most of the world than the existing patchwork approach. The
European Union Data Protection Directive, in effect since October 1998, created a set of
common rules for protecting personal data and preventing abuse in the EU.92 The
Directive requires companies to ensure that data is collected only for specific purposes, is
accurate and current, and is discarded when no longer needed.93 The Directive creates 88 Microsoft Addresses Need for Comprehensive Federal Data Privacy Legislation, November 3, 2005, at
http://www.microsoft.com/presspass/features/2005/nov05/11-03Privacy.mspx (last visited 3/12/2007).
89 Id.90 Kim Hart, Firms Seek Federal Privacy Rules, Washington Post, June 21, 2006, at
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/20/AR2006062001367.html (last visited
March 12, 2007).
91 Press Release, Microsoft Corporation, Microsoft Advocates Comprehensive Federal Privacy Legislation,
Nov. 3, 2005, at http://www.microsoft.com/presspass/press/2005/nov05/11-03DataPrivacyPR.mspx (last
visited April 18, 2007).
92 Press Release, European Union, EU Directive on Personal Data Protection Enters Into Effect, Oct. 23,
1998.
93 Id.
26
certain obligations on the “processors” of personal data defining the circumstances by
which the data may be transferred to a third party.94 Article 25 prohibits the transfer of
personal information regarding EU citizens to countries that lack “adequate” privacy
laws.95 Since most countries do not have data privacy laws that satisfy the EU standards,
third party service providers are susceptible to legal challenges under the Directive.96
For example, the EU determined that US privacy laws were inadequate in January
1999. However, the U.S. Commerce Department negotiated a Safe Harbor agreement by
which U.S. companies can exempt themselves from the Directive. The Safe Harbor
requires these companies to voluntarily adhere to a set of privacy principles including
notice, choice, onward transfer, security, data integrity, and access. Other countries that
have not negotiated a Safe Harbor agreement with the EU are liable for security breaches
that result from their inadequate protections.
The EU Privacy Directive has dramatically influenced the adoption of privacy law
in non-EU countries and is arguably becoming the standard for the rest of the world.
Argentina, Australia, Canada, Hong Kong, Hungary, New Zealand and Switzerland have
all adopted data protection laws that are substantively very similar to the EU. In May
2003, Japan enacted a broad privacy bill applying to any business that uses personal
information databases.97 While the bill does not specifically declare its jurisdictional
reach, its language suggests it will apply to businesses outside of Japan.98 Additionally,
even officials in India have stated that they believe the EU Privacy Directive is
94 Id.
95 Jill Treanor, Union Claims Lloyds Outsourcing Breaches Data Laws, Guardian (London), Aug. 18, 2004,
at 26.
96 Id.
27
comprehensive and that Indian legislation will be “more or less based on the EU
model.”99
Given that a large part of the world appears to be following the EU model by
adopting broad privacy legislation, American legislation must not fall behind or create
conflicting requirements on global businesses. By adopting comprehensive federal
legislation, the U.S. can harmonize its privacy requirements with those of the EU and
create a unified model for the rest of the world. This will reduce the number of
conflicting privacy regulations imposed on global businesses. Moreover, federal
legislation will create appropriate incentives for the increasing number of third party
service providers to put appropriate security measures in place to protect against misuse
of consumers’ personal information that could result in threats to national security.
D. The FTC Supports More Comprehensive Privacy Legislation.
In addition to the general public and a growing portion of the private sector, the
FTC is also in favor of broader federal privacy legislation. The FTC has recognized that
the protection of data privacy and security “is increasingly international in nature.”100
97 Amy Worlton, Asia Opts for EU-Style Privacy, Privacy in Focus, June 2003, at
http://www.wrf.com/publication_newsletters.cfm?
sp=title&year=2003&ID=10&publication_id=10468&keyword= (last visited April 18, 2007).
98 Amy Worlton, Asia Opts for EU-Style Privacy, Privacy in Focus, June 2003, at
http://www.wrf.com/publication_newsletters.cfm?
sp=title&year=2003&ID=10&publication_id=10468&keyword= (last visited May 3, 2007).
99 Privacy: India Drafting EU-Style Data Privacy Bill – Seeks to Attract Business from Europe, 104 Daily
Rep. for Executives A-18 (BNA) (May 30, 2003).
28
They have even noted that the globalization of the marketplace means “an increasing
amount of U.S. consumer information may be accessed illegally by third parties outside
the United States or located in offshore databases.”101
Given these structural changes, the FTC has recommended that Congress create a
broader, uniform privacy paradigm. For example, the FTC has recommended that
Congress extend the “Safeguards Rule” of the GLBA to companies that are not financial
institutions.102 Currently, the Safeguards Rule applies only to “customer information”
collected by “financial institutions” and therefore does not cover most data provided to
service providers.103 Therefore, while the GLBA restricts disclosure of a consumer’s
social security number and address by a financial institution, that same information is
often readily available for purchase on the Internet from a non-financial institution.
The FTC should also request that Congress extend its Section 5 authority to bring
suit against companies that provide consumers’ personal information to foreign affiliates
that do not have adequate security protections in place. This could simply be an
extension of the FTCA’s existing prohibition on “unfair” business practices. Providing
consumers’ personal information to third party providers that do not have adequate
security protections in place is “likely to cause consumers substantial injury that is
neither reasonably avoidable by consumers nor offset by countervailing benefits to
consumers or competition.” The original company collecting the consumer’s personal
100 Prepared Statement of the FTC, Data Breaches and Identity Theft, June 16, 2005, at
http://www.consumer.gov/idtheft/pdf/ftc_06.16.05.pdf (last visited April 16, 2007).
101 Id.
102 Id.
103 Id.
29
information is the natural place for consumers to seek redress should there be any privacy
abuses that derive from that initial transaction. As such, the extension of the FTCA to
cover this situation is entirely logical.
VI. CONCLUSION
The adoption of emerging technologies such as Service Oriented Architecture
(SOA) and Business Process Management (BPM) is helping to fuel growth in business
process outsourcing. This is creating a structural change in organizations’ in which
business processes are increasingly composed of services provided by geographically
dispersed affiliate and partner organizations. Foreign companies and workers are gaining
access to private personal information about American consumers without adequate
protections in place to prevent misuse. This potential for misuse creates a rising threat to
national and economic security. Abuse of consumer information by foreign entities is on
the rise, decreasing consumer confidence and inhibiting economic growth. While privacy
policies and private sector certifications have afforded some protection, self-regulation
itself has not been adequate. Moreover, the United States patchwork of federal privacy
law applies only to specific areas like finance and healthcare leaving too many gaps to be
filled with confusing and oftentimes conflicting state laws.
The time has come for comprehensive privacy legislation to help address these
national security and data privacy issues. The general public and a growing number of
companies in the private sector have recognized this need. Comprehensive legislation
would help the U.S. harmonize its privacy policies with the international community
protecting global companies from the threat of conflicting legislation. Moreover, the
30
FTC has acknowledged that broader legislation extending the FTCA would enable it to
more effectively protect the privacy interests of consumers against misuse and abuse by
third party service providers.
31
32