BJ Fashion Security Breach


Journal of Internet Law
Edited by DLA Piper Rudnick Gray Cary
Volume 9, Number 12
June 2006

A Privacy and Security Compliance Checklist for the Internet Era
By Kirk J. Nahra

Much like the Internet itself, privacy and security law is changing and expanding rapidly, in terms of overall effects on a broader array of businesses, the multiplicity of legal requirements, and the risks associated with the gathering, maintenance, and disclosure of information about individuals. The very nature of the Internet, with massive and rapid access to information about virtually anything, has been a primary driver of both attention to privacy and security risks and the perception that more needs to be done to protect privacy and security. In that vein, developing appropriate standards for uses and disclosure of personal information, as well as identifying practices to protect the security of this information, now occupies a significant amount of the attention of legislators, regulators, the media, consumers, and others around the United States and the globe.
Accordingly, Internet companies, meaning for this purpose any company whose business touches the Internet, face substantial challenges in identifying and meeting the legal obligations of the privacy and security alphabet soup, with a variety of old laws (meaning laws from the past few years), along with a wide array of new and emerging legal standards. Therefore, for essentially any corporation that uses, receives, maintains, or creates any kind of personal information about employees, customers, potential customers, or others, developing an effective privacy and security compliance plan and strategy is now a first-tier corporate obligation.

What is set out in this article is not everything that an Internet company needs to know about privacy and security. Instead, I identify a checklist of the key privacy and security issues facing companies today so that companies operating in all aspects of cyberspace can understand what needs to be done to meet these ongoing challenges.

Kirk J. Nahra is a partner with Wiley Rein & Fielding LLP in Washington, DC, where he specializes in healthcare, privacy and information security litigation, and counseling for the health care and property/casualty insurance industries and others facing compliance obligations in these areas. He is chair of the firm's Privacy Practice and co-chair of its Health Care Practice. He serves on the Board of Directors of the International Association of Privacy Professionals, and edits Privacy Officers' Advisor, the monthly newsletter of the IAPP. He is a Certified Information Privacy Professional and is the Chair of the ABA Health Law Section's Interest Group on eHealth, Privacy & Security. He can be reached at 202.719.7335 or [email protected].
DO I HAVE AN EFFECTIVE INFORMATION SECURITY PROGRAM?
With the almost daily news reports concerning security breaches affecting entities in a wide range of industries, effective information security programs have moved to the top of the list for companies that maintain any information about individuals, whether customers or employees. While certain industries, such as health care and financial institutions, already have specific regulatory standards for the protection of personal information, the obligation to maintain an effective information security program now applies to any company that maintains personal information.
The Federal Trade Commission's (FTC's) recent settlement with BJ's Wholesale Club makes an effective security program a national requirement for any company that holds personal information, regardless of industry or specific statutory or regulatory requirements. To the FTC, a failure to develop and implement an effective information security program constitutes an unfair and deceptive trade practice, independent of any specific statutory or regulatory requirements. As such, every company should be familiar with the facts about the BJ's Wholesale case and the security program mandated by the FTC enforcement action so that the company can design an effective security program for its business operations.
The FTC has been an aggressive enforcer of security programs, typically relying on its jurisdiction under Section 5 of the Federal Trade Commission Act (FTC Act) to regulate "unfair or deceptive" trade practices. In its numerous prior enforcement actions, the FTC typically has relied on measuring a company's promise to provide effective security protections and taking enforcement action when a company's program did not live up to these promises, even when there was no legal requirement to make such a promise.
BJ'S ALLEGED VIOLATION
In the BJ's Wholesale case, however, the FTC took enforcement action despite the fact that BJ's Wholesale apparently had made no representations whatsoever to its customers concerning security protections. Instead, the FTC alleged (in the complaint filed along with various settlement documents) that BJ's Wholesale's information security practices, taken together, did not provide reasonable security for sensitive customer information. Specifically, the FTC alleged that BJ's Wholesale violated the FTC Act because it had:
• Failed to encrypt consumer information when it was transmitted or stored on computers in BJ's Wholesale stores;
• Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;
• Stored the information in files that could be accessed using commonly known default user IDs and passwords;
• Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
• Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.
These problematic practices apparently came to light because of a large number of false or fraudulent charges posted to BJ's Wholesale customer accounts, which the FTC determined to have been derived from hacker access to this poorly secured information (including through in-store wireless networks).
As a result of these alleged failures, BJ's Wholesale settled the FTC allegations without admitting any wrongdoing. This settlement included not only a requirement to implement a comprehensive information security program that is "reasonably designed to protect the security, confidentiality and integrity of personal information collected from or about consumers" but also to have an independent third-party assessment of this program every other year for the next 20 years, subject to ongoing FTC oversight.
In effect, the FTC required BJ's Wholesale to implement a security program mirroring the requirements set out by the FTC for entities regulated under the Gramm-Leach-Bliley Act. This comprehensive security program, which must be fully documented in writing and be appropriate to the company's size and complexity, the nature and scope of [the company's] activities, and the sensitivity of the personal information collected, must include the following components:
1. The designation of an employee (or employees) to coordinate and be accountable for the information security program;
2. The identification of material internal and external risks to the security of this personal information (with this risk assessment to include employee training and management; information systems; and prevention, detection and response to attacks, intrusions, or other system failures);
3. The design and implementation of reasonable safeguards to control the risks identified in this risk assessment; and
4. The evaluation and adjustment of the program in light of the results of testing and ongoing monitoring of the program, material changes to the company's operations or business arrangements, or any other circumstances that may have a material impact on the effectiveness of the security program.


Beyond the specific components of the information security program, BJ's Wholesale also agreed to obtain, on a biannual basis, an assessment and report from a qualified, objective, independent third-party professional that:
• Sets forth the specific safeguards that have been implemented and maintained by the company;
• Explains how these safeguards are appropriate for the company;
• Explains how the safeguards meet the requirements of the settlement agreement components for such a program; and
• Certifies that the program is operating with sufficient effectiveness to provide reasonable assurance of the effectiveness of the program.
The settlement requires BJ's Wholesale to provide the first assessment directly to the FTC and to make all subsequent reports, for a 20-year period, available to the FTC upon request. (There are other document retention requirements related to documents that contradict, qualify or call into question the company's compliance with the settlement order and all other documents relating to the company's compliance with the order.) The settlement agreement remains in effect for 20 years from the date of its issuance.
IMPLICATIONS
With each successive enforcement action, the FTC is extending the reach of its information security enforcement activities. Starting with regulated entities, and moving on to breach of security representations and now to a general obligation to maintain an effective security program, the FTC has essentially created a national, non-statutory standard requiring any business that collects and maintains personal information to develop and implement an information security program. The only remaining step, perhaps, is to take enforcement action without a security breach, but the standard has been set across the country. What does this mean?
DEVELOPING AN EFFECTIVE SECURITY PROGRAM
The clearest conclusion from the BJ's Wholesale case is that the FTC believes that every company, regardless of industry and formal statutory or regulatory requirements, must maintain an effective information security program if it is to avoid unfair and deceptive trade practices. So, regardless of industry, any company that collects or maintains personal information must have such a program. (Note that this program also must incorporate the disposal requirements of the FTC's rule on the disposal of consumer report information.)
While an effective program is not the same as a perfect program, an effective security program must be appropriate to the size and complexity of the company's business activities, and must take into account the sensitivity of the customer information. This program must include a risk assessment, addressing the company's overall collection of personal information (and, unlike the rules for the health care industry, is not limited to electronic information). Following this risk assessment, the company must make reasonable choices about how it is to mitigate the risks identified in this assessment. Once this initial assessment and plan have been developed, a company must test, monitor, and regularly re-evaluate the program to ensure that the program keeps pace with developments both in the information security field in general and in the specific operations and environment of the company.
Moreover, even for a company with a reasonable security plan, it is critical to re-evaluate existing security programs in light of emerging legal requirements and highly publicized incidents arising from a wide array of security breaches (ranging from computer hackers to fraudulent customers obtaining data to low-tech problems such as misplaced data tapes). This assessment needs to include not only information systems, where most computer security issues have been addressed, but also the full range of areas within a company where information can be used, stored, transmitted, or maintained. One clear challenge at many companies, particularly larger companies, involves ensuring that the information security personnel, who often have had sole responsibility for developing security programs, can relate effectively to other affected audiences within a company, including legal and compliance staffs. Regardless of whether these legal requirements apply to a company today, no company can afford to ignore the emerging standards for protection of customer or other personal information.
DO I HAVE A SECURITY BREACH NOTIFICATION AND MITIGATION POLICY?
As a corollary to the importance of developing an effective information security plan, companies must recognize the critical importance of developing an effective mitigation and response plan in the event of a security breach. No other issue has occupied as much attention in the public debate over privacy and security as the enormous rash of highly publicized security breaches in the past two years. Starting with the extensive publicity over the ChoicePoint incident, high-profile breaches occupied public and media attention throughout 2005 and have continued in 2006. Seldom does a day go by without some new story concerning security breaches. Indeed, one fact stands out among these stories: the vast array of means by which personal information is at risk. Among the publicized incidents in the past few months are the following, covering all kinds of information, industries and security problems.
THE CHOICEPOINT INCIDENT
In February 2005, ChoicePoint Inc. revealed that it had sold the personal information, including Social Security numbers, of 145,000 individuals to a criminal ring posing as small businesses. The theft and the FTC's subsequent action against ChoicePoint made front-page news, causing new attention to be brought to the issue. In a settlement with the FTC, ChoicePoint agreed to pay a $10 million fine and to establish a $5 million fund for victims of identity theft, while instituting new security measures designed to protect personal information in the future.

June

2006

dom. The laptop had sophisticated encryption software,


which made it much more difficult to access the sensitive
information.
EMPLOYEE RISKS
In February 2006, a contract employee illegally downloaded the names and Social Security numbers of 27,000
former and current Blue Cross and Blue Shield of Florida
Inc. employees to his home computer. The employees motive for downloading the information remains
unknown.
LOST DATA
In June 2005, CitiFinancial notified 3.9 million of its
customers that computer tapes containing their account
information, payment histories, and Social Security numbers had been lost. The tapes had been shipped via UPS
to an Experian credit bureau facility, but were lost in
transit. CitiFinancial assured customers that the tapes
would be difficult to decode without special equipment
and software.

LEXISNEXIS
HUMAN ERROR
In March 2005, intruders accessed personal information for more than 310,000 consumers in a database
owned by LexisNexis. The hackers compromised the logins and passwords of a handful of legitimate customers to
gain access to the database. LexisNexis noticed abnormal
usage patterns on the compromised accounts and notified
authorities of the security breach.
LAPTOP PROBLEMS
Stolen or lost laptops are becoming an enormous
source of security risk and confusion. In March 2005, for
example, the University of California, Berkley, reported
the theft of a laptop computer containing the names
and Social Security numbers of 98,000 graduate students
and applicants. The information included applicants to
the graduate school between fall 2001 and spring 2004,
graduate students enrolled at the school between fall 1989
and fall 2003, and recipients of doctoral agrees from 1976
through 1999. None of the information was encrypted.
In February 2006, a laptop computer containing the
private health information and Social Security numbers
of nearly 4,000 patients of the University of Texas M.D.
Anderson Cancer Center was stolen from the house of a
PricewaterhouseCoopers employee that had been reviewing centers insurance claims. Since the laptop was stolen
along with other valuables, the theft appeared to be ran-

In October 2005, it was discovered that an employee


of Montclair State University (MSU) accidentally stored
the Social Security numbers and declared majors of 9,100
MSU students on the universitys Web server, thinking
that it was inaccessible to the public. Despite the fact that
the university had invested heavily in a secure firewall,
the human error allowed the information to be searched
and indexed by search engines, exposing it to the world.
In January 2006, a firm under contract with the Farm
Service Agencys Kansas City Administrative Office accidentally released the Social Security numbers of 350,000
participants in the tobacco buyout program to eight
Freedom of Information Act requesters.
In February 2006, FedEx Freight West reported that
the W-2 forms of 8,500 of its employees included segments
from the W-2 forms of other FedEx employees. Thus, an
employee could view the Social Security number, salary,
and tax information for another employee.
In February 2006, discarded bank and credit card
account information for 240,000 subscribers of The Boston
Globe was accidentally recycled into paper used to print
routing slips. More than 9,000 individual routing slots
used to label bundles of its sister newspaper, the Worcester
Telegram & Gazette, were distributed with the personal
information displayed.
Given these examples, most of which, to some degree,

14

JIL0606_Final.indd 14

6/15/06 4:12:20 PM

June

2006

could happen to any company, developing an appropriate


mitigation plan is both a practical and legal necessity.
As a result of these incidents, more than 20 states passed
legislation in 2005 (following Californias early law on this
topic) requiring various notice obligations in the event of
a security breach. With no sign of security breaches slowing down and the pressure to respond quickly in the event
of a breach, it is imperative that companies have a plan in
place in advance of a breach to address how the company
will respond to a security breach.
This plan needs to have two critical components. First, you need a mitigation plan. This mitigation plan is very important because this plan kicks in when the rubber meets the road: You have had a breach, and need to fix it immediately in the eyes of your customers, regulators, and management. This should address four main questions: (1) How do I stop or control the breach? (2) How do I determine what happened and what information was subject to the potential for improper use or disclosure? (3) How do I repair any injury from the breach (including recovering lost data for internal purposes)? (4) What do I need to do to make sure this doesn't happen again? Companies in all industries need to recognize that the biggest litigation risk today involving privacy and security relates to credible threats of identity theft and costs related to identity theft prevention. An effective mitigation plan often will reduce or eliminate these realistic threats.
Second, as part of the repair point, companies need to have a quick and effective approach to the question of whether and through what means to notify individuals of a security breach. This involves several questions. Do I have to notify anyone? If so, who must I notify and through what means? If I don't have to notify, should I notify anyway? Is there anyone else I need to notify (clients, regulators, etc.)? Because the state laws are complicated and not fully consistent, it is important to have an understanding of the legal requirements in developing a policy, and it may be too late to do this once a breach happens. In addition, keep in mind that the congressional debate about breach notification is ongoing, with passage of a federal standard (that may or may not preempt state law) likely in 2006. The current federal proposals take a somewhat different approach than do many of the state laws, so even companies that have the state laws under control will need to re-evaluate their approach once the federal law is passed.
This plan also needs a reporting component that includes evaluating whether reporting (to regulators or customers) is required, and whether reporting should be undertaken independent of any specific legal requirements. (This reporting component is a key feature of the ongoing legislative debate.) This analysis should include consideration of what to say about a breach and when to say it. Again, because of the tensions and pressures created when a security breach takes place, these reporting decisions typically are made under intense business pressure and (perhaps) public scrutiny. Reporting is neither required nor appropriate with every security breach (and Congress and the FTC both are concerned about the risk of over-notification, with the concern that consumers will become numbed by constant security breach notifications), but it should be considered by senior management when there is any realistic likelihood of customer impact.
Security breaches remain in the news, with each successive breach both reinforcing the risks and increasing awareness of security problems. No company, large or small, can afford to ignore this sea change in the protection of personal information. The FTC guidelines stemming from BJ's Wholesale should be a minimum starting point for every company, with a critical need to identify the risks in a particular company's environment and an effective means of reducing these risks to reasonable levels.
DO I HAVE AN APPROPRIATE PRIVACY POLICY?
One of the first privacy debates that Congress entered, in the mid-1990s as the Internet age began, was to examine whether Web sites were required to have appropriate privacy policies. No consensus emerged, so there has been no broad national law requiring Web site privacy policies as a general matter. Nonetheless, it is now the corporate norm for such policies to exist and to describe in a reasonably meaningful way the appropriate protections applicable to information submitted via a Web site. Any corporation that collects information on its Web site should review (1) whether there is a privacy policy for the site, (2) whether the company is in an industry or market where there are specific required components for such a Web site policy, and perhaps most important, (3) whether the policy accurately states the privacy practices of the company. The FTC has made clear in public statements and enforcement actions that companies will be held responsible for inaccurate privacy policies, even if there was no requirement for such a policy in the first place. So, while these policies may be only a commercial necessity in certain settings, ensuring the accuracy and completeness of these policies is essential.
This point was driven home in a recent enforcement action brought by the New York Attorney General's Office. The Attorney General brought suit against Gratis Internet, alleging that the company sold personal information obtained from millions of consumers under a promise of confidentiality in its privacy policy. According to the suit, from 2000 through 2004 Gratis made numerous explicit promises to the users of its Web sites about protecting personal information. Among the promises that the company made were:
• "We will never give out, sell or lend your name or information to anyone."
• "We will never lend, sell or give out for any reason your email address or personal information."
• "We at [Gratis Web site] respect your privacy and do not sell, rent or loan any personally identifiable information regarding our customers to any third party."
• "Please note that we do not provide your E-mail address to our business partners."
The New York suit seeks penalties and injunctive relief against Gratis and its principals under New York's consumer fraud statutes.
In addition to enforcement actions, private lawsuits also have brought allegations that companies have breached their privacy promises. For example, in the JetBlue saga, a nationwide class of airline passengers sued JetBlue, based on the company's alleged transfer of data to a third-party government contractor. This complaint was dismissed, with the court rejecting the plaintiffs' assertion that JetBlue had violated the Electronic Communications Privacy Act.
Interestingly, the JetBlue court rejected the argument that the plaintiffs could assert actual damages under various causes of action. In connection with a breach-of-contract claim stemming from the company's privacy policy, the court stated that "the sparseness of the damages allegations is a direct result of plaintiffs' inability to plead or prove any actual contract damages. As plaintiffs' counsel concedes, the only damage that can be read into the present complaint is a loss of privacy." Moreover, the court found that the passengers had no reason to expect that they would be compensated for the value of their personal information. In addition, "there is absolutely no support for the proposition that the personal information of an individual JetBlue passenger had any value for which that passenger could have expected to be compensated." Last, in connection with a trespass-to-chattel claim, the court again rejected any assertion of actual damages, stating that "[t]he only type of harm plaintiffs allege anywhere in the Amended Complaint is harm to their privacy interests, and even if their privacy interests were indeed infringed by the data transfer, such a harm does not amount to a diminishment of the quality or value of a materially valuable interest in their personal information." This case leads to the idea that a privacy policy is, at best, a limited form of contract and typically will not be one that leads to damages from a violation.
So, while the risks of a privacy policy do exist, companies should be examining whether they need a reasonable policy (most companies do) and what that policy should say before confirming carefully that the company is doing what it says it is doing.
DO I KNOW THE PRIVACY POLICIES OF MY BUSINESS PARTNERS?
In addition to developing and following a company's own privacy policies, it now is important for companies to understand the policies of their business partners. For several years, one of the primary privacy and security challenges facing companies has involved how to police the activities of vendors. Many of the most significant privacy rules, including HIPAA and Gramm-Leach-Bliley, require companies covered by these rules to pass along privacy and security requirements to their vendors. The challenge has come from two sources: determining how to implement an effective contracting strategy for what could be thousands of vendors and, even more challenging, determining what is appropriate monitoring and oversight of vendors. This oversight function is becoming more crucial as companies routinely face liability and related risks derived from activities of their vendors.
Now, again courtesy of New York Attorney General Eliot Spitzer, comes an entirely new spin on this challenge. In a settlement announced on March 13, 2006, with Datran Media, an email marketing firm, Spitzer imposed liability (through a negotiated settlement) on Datran when it received personal information from another company (Gratis Internet, among others) and then engaged in activities that violated the privacy policies of the second vendor, allegedly because Datran knew that its actions violated the privacy policies of that data source. What is astonishing about this case, however, is that Datran only had data in the first place because the list seller had violated both its contract with Datran and its own privacy policies when it gave the data to Datran. So, here, Spitzer is holding Datran liable for the list seller's violation of its own policies.
How did this Alice-in-Wonderland result come about?
According to the Attorney General's press release, Datran was alleged to have improperly used information it had obtained from several companies that compile and sell information on consumers. In most previous kinds of cases, this would mean that Datran had agreed to perform a particular service for a client, and had then taken the information to use it, in violation of a contractual agreement, for another purpose.
But not so fast. Again, according to the press release, "The largest [list supplier], Gratis Internet, had assured consumers on several websites it owned and operated that it would never lend, sell or give out for any reason the information provided by users. Despite Gratis' promise, it sold the information." The press release described the Gratis/Datran transaction as follows: "The seven million files that Gratis sold to Datran [are] believed to be the largest deliberate breach of a privacy policy discovered by U.S. law enforcement to date. The Attorney General's investigation revealed that Datran knew of Gratis' promise to consumers when it purchased the consumer lists. But after obtaining these lists, Datran sent millions of unsolicited emails to the listed consumers." So, the settlement apparently finds that Datran is responsible because it had bought data from a company that Datran knew was violating its own privacy policy when it sold the data to Datran.
Why did this lead to a case against Datran? According to Spitzer, "With this case, we hope to set a new standard for Internet marketers and consumer research companies. Personal information secured through a promise of confidentiality must always remain confidential." Spitzer further said that he hoped the case would help establish "basic controls on data compiled and sold by professional consumer research companies and list builders." Moreover, "[c]ompanies must adhere to known privacy policies and promises. Failing to do so constitutes a clear consumer fraud," said Spitzer.
So, it's not really clear what happened. Did Datran do something that violated the terms of the data agreement with Gratis? Did Gratis violate its own policy and its vendor agreement when it sold the data to Datran? How does taking action against Datran send a message to its data sources that violated their own privacy policies? How does the settlement with Datran make sure that the companies that have privacy policies, the Gratises of the world, follow their policies?
Not only was the theory aggressive and unprecedented, but the settlement was substantial. The settlement agreement between Datran and the Attorney General is termed an "Assurance of Discontinuance." The key terms were:
• Datran has agreed to pay $1.1 million as penalties, disgorgement and costs.
• Datran must destroy the personal information it obtained from Gratis and the other list sellers at issue.
• Datran must "[a]void acquisition of any personal consumer information without first independently confirming that such acquisition is permissible under relevant seller privacy policies."
• Datran must appoint a chief privacy officer to oversee privacy compliance efforts.
What conclusions can we draw about this case? It may certainly be appropriate to surmise that this case is merely a blip on the screen, the result of particularly egregious facts and the efforts of a very powerful enforcement agency that few people have the desire to challenge. It may essentially be a one-time event. But what if it's not?
If one were trying to discern the precedent from the settlement, this case means that vendors must do more than worry about their own privacy policies and negotiating appropriate contractual oversight for their relationships with their customers. The settlement appears to impose a new due diligence obligation on the vendor to understand and review the privacy policy of its principals and sub-vendors to make sure that the data supplier isn't doing something wrong in providing data.
How far will this go? Does the vendor/purchaser have to review underlying consents? Does the vendor/purchaser have to engage in an audit of the list supplier's privacy practices? How does this new vendor-to-vendor due diligence obligation affect the already growing client-to-vendor oversight obligations?
Obviously, it is too soon to know the full implications of this case, including whether there are any real implications beyond this specific set of facts and companies. It is clear, however, that the Datran settlement adds a new and difficult dimension to vendor contracting, making it even more time consuming and burdensome to retain vendors for any activity that involves personal information. Is that really a result that protects people's privacy?
DO I HAVE AN EFFECTIVE VENDOR STRATEGY?
In addition to the issues raised by the Datran case, companies need to be concerned about the increasing challenge of overall vendor selection, monitoring, and oversight. While many of the sector-specific laws apply directly only to entities in that industry, most of these laws also impose contractual obligations on any entity that does business with these regulated companies. So, if your company does business with health care companies or those in the financial services industries, while you may not be regulated directly, you will need to adopt a wide range of privacy and security practices in order to provide services to regulated companies. It is imperative for companies to evaluate their customer base, determine whether there are health care or financial services customers, and then develop an appropriate strategy both for contracting with these entities and in implementing reasonable and appropriate privacy and security practices pursuant to these contract requirements. Because of the volume of contracts with these entities and the challenges with analyzing technical distinctions between the regulations affecting different industries, simply negotiating reasonable contracts, even when most of the requirements are set by law, can require substantial expertise.
On the flip side of this question, it is increasingly
important for companies to be aware of the vendors
that they use to perform services that involve personal
information and to have an effective vendor-management strategy to contract appropriately and monitor and
oversee vendor activity. While it may not be feasible to
actively monitor all vendors, it is critical for companies
to develop a strategy that focuses attention on high-risk
vendors, either those located off-shore (where political
sensitivities are particularly acute) or that deal with a high
volume of personal information, a particularly sensitive
set of information, or otherwise engage in some high risk
activity. While it is not crucial to treat all vendors equally,
it is important to have an overall strategy for dealing with
the reality that vendors often are a weak link in the privacy-protection chain.
This examination also needs to include an assessment
of whether off-shore vendors are being used, including
how companies can determine whether information is
being sent off-shore. While virtually all privacy laws allow
outsourcing, either within a country or internationally, it
should be clear to most companies that any outsourcing
of business operations that involves the use or disclosure
of personal information creates significant risks (including political and public relations risks related to sending
information and jobs off-shore). These risks are driven
home by widespread publicity about security breaches
from companies that largely serve as vendors, and from
enforcement fines leveled at principals because of the
actions of their agents.
So, it is critical to develop a strategy for managing
vendors. This involves (1) identifying who your vendors
are; (2) understanding what they do, how they do it, and
who they do it with; and (3) developing a reasonable
and appropriate program for management and oversight
of these vendor relationships, focusing on privacy and
security in addition to whatever substantive oversight is
performed of the vendor function. The emerging legal
standard is to require additional oversight and monitoring
of vendors, both at the front end, through due diligence
in vendor selection, and on the back end, through audits,
assessments and oversight. This is an enormous challenge
for many companies, but it is also one that, if not taken
seriously, can create enormous legal and reputational risks
for any company.
These vendor issues also work both ways with most companies. Not only do you hire vendors, but most companies also serve as vendors. So, most companies will be on the receiving end of these privacy and security contracts as well.
Accordingly, it is important for companies to develop a strategy for acting as a vendor. This strategy should include (1) model (or desired) contract provisions; (2) a client-facing privacy and security policy designed to give potential business partners confidence in your privacy and security practices; and (3) an approach to tough issues, mainly areas where clients may ask for more than you are willing to give (e.g., detailed audit rights, specific security practices, prohibitions on off-shore vendors, etc.). Where are you willing to bend your behavior, and where will you draw a line with your customers?
AM I FOLLOWING THE MARKETING RULES?
Many of the most significant privacy rules are focused
on marketing: defining appropriate limits for marketing
and explaining where marketing efforts cannot go. For
better or worse, the rules have evolved in such a way
that the mode of communication of marketing messages
defines the appropriate rules. So, companies need to be
aware of the various rules affecting marketing and must
have an appropriate strategy to comply with all of them.
For example, one of the most popular privacy laws of the past few years has been the telemarketing rules issued by the FTC and the Federal Communications Commission (FCC). These rules have generated enormous publicity, and individuals have flocked to the Do-Not-Call lists. While many privacy laws remain largely unenforced, the Do-Not-Call list stands out as an area where enforcement has been consistent and aggressive. The FTC's recent $5.3 million settlement with DirecTV dwarfs all previous privacy settlements. The FTC and FCC have been investigating telemarketing complaints aggressively, encompassing a wide range of companies.
Due to the enormous popularity of this program and the active enforcement, companies need to review their telemarketing activities to determine whether there are any marketing calls that fall within the reach of these rules and, if so, to ensure that there is an effective telemarketing compliance program in place to meet the detailed FTC and FCC requirements. In addition, companies need to evaluate how they are policing the Do-Not-Call mandates for calls conducted by their agents, including marketing representatives who sell a company's products.
As a rough corollary to the telemarketing rule, the FTC also has implemented a Do-Not-Spam rule, affectionately called CAN-SPAM, focusing on electronic marketing messages. The primary rules concerning email marketing are still in flux, mainly in terms of defining the broad scope of what are commercial messages and how companies can implement effective opt-out programs for email marketing. Enforcement has been limited (mainly because the rules have not been in effect for too long), but clearly is growing. Companies need to review their email marketing programs and develop an appropriate compliance program that recognizes the broad sweep of the CAN-SPAM rules. (There are other rules that are still developing involving faxes, with the possibility of a more general law on marketing in the future that might apply across the board.)
Companies also need to be aware of special rules related to the gathering of information from children. As the Internet blossomed, one of the first areas of concern was how information of all kinds became more accessible to children and how the Internet could be a threat to children. Accordingly, one of the first privacy laws on which Congress could agree was the COPPA law, which creates privacy obligations for any company that collects information from children over the Internet. The COPPA law creates parental consent requirements that impose significant burdens on companies before they can collect information from children under the age of 13. Therefore, companies need to determine if they collect information from children on a Web site, particularly if the site has any component directed at children or the company otherwise has reason to know that it is collecting information from young children. If so, all information collection activities must meet COPPA's detailed requirements. Like the telemarketing rule, this is an area where active enforcement has begun.
So, companies need to pay close attention to the specific requirements of the Do-Not-Call list. At the top of this compliance strategy must be an aggressive approach to training, for both employees and agents. The strategy must also include effective oversight, not only of employees but also of telemarketing agents. It is clear, from both the public enforcement efforts and the other ongoing and concluded investigations, that compliance by vendors is a major threat under the Do-Not-Call rules and that the FTC and the FCC (which regulates some industries, such as insurers, that are outside of traditional FTC jurisdiction) will investigate aggressively how a principal controlled and monitored the activities of its telemarketing vendor.
While the Do-Not-Call list is at the top of the enforcement list, we also can expect significant enforcement activities related to other kinds of marketing, particularly email and fax. For better or worse, the rules for each marketing vehicle are somewhat different, and companies must understand what each rule permits (and prohibits) and must be able to develop an integrated marketing approach that encompasses all of these requirements.


DO I HAVE AN INTERNATIONAL DATA STRATEGY?
Despite the panoply of confusing and often overlapping privacy laws facing US corporations, it is fair to say that the privacy laws in many other countries, particularly the European Union countries, impose far more burdensome obligations on the protection of personal information. Therefore, US companies must know whether they receive any information, regardless of where it starts or where the individuals reside, from EU countries and otherwise around the globe. This includes use of any vendors or subsidiaries in the EU countries or elsewhere outside the United States. If a company receives ANY personal information from the EU (or Canada, where a similar set of burdensome rules exists, or other countries), it will need to implement a compliance plan to ensure that these difficult rules are followed.
A related question is how to comply with the particular set of international requirements and whether to
develop a single global approach or a country-specific plan
of compliance. For data flowing from Europe, there are a
variety of compliance choices, ranging from a Department
of Commerce safe harbor program to contract clauses to
compliance with EU laws directly. Evaluating which of
these options makes sense for a particular company is a
substantial challenge. Once the EU issues are dealt with,
companies also face the difficulty of evaluating all international data flows and developing reasonable practices that
are appropriately compliant with the full range of national
laws, but also allow sufficient business flexibility in situations where the law allows these variations.
While US privacy and security laws continue to
expand, managing the international privacy process has
become a nearly impossible challenge. Often using the
EU model as a basis for going forward, countries across
the globe are experimenting with new privacy regimes.
The consistent EU framework is being prodded, pushed,
and pulled by aggressive data commissioners, such that
the standard is very difficult to define. In many situations, there may be no practical means of meeting all the
appropriate requirements. Moreover, while enforcement
remains relatively low, more companies are grasping the
difficulties of maintaining global privacy compliance and
are trying to pass as many obligations as possible onto their
business partners and customers.
In order to deal with these complex issues, the first challenge for companies is to understand their international data flows. What comes into your company from Europe? What about other areas of the globe? What do you send out of the country? What vendors are you hiring? What vendors are they using to send data out of the country? Even if you have answered these questions before, it typically will be time to reassess (at least every other year if not every year), as business operations change, new customers arrive, and vendors change and restructure their operations.
Once this data flow is understood, companies then can begin to assess their options for international compliance. The range of choices is impressive (safe harbor, model contracts, binding corporate practices, etc.), but finding the choice that works for your company is quite difficult.
HOW AM I HANDLING MY MISTAKES AND THE MISTAKES OF OTHERS?
In implementing privacy and security laws, most
companies are finding areas of mistakes, either inadvertent errors or situations where companies have developed
a policy that leads to complaints or mistakes, or just
something that the company missed in developing a
compliance program. While limited, the enforcement history for privacy laws makes clear that, in many situations,
there is an informal one-free-pass rule for certain kinds of
privacy errors, particularly those where no clear harm can
be found. In the HIPAA regime, for example, the HHS
Department of Civil Rights has been focused on correcting mistakes and developing action plans to prevent future
errors, rather than punishing mistakes.
Accordingly, for both enforcement action and risk
management, it is important for companies to be aware of
areas where there have been mistakes and/or complaints
and to ensure that there is an approach in place to modify
behavior to respond to these situations. The most likely
avenue for aggressive enforcement action is to know of a
problem and not take action to correct it.
In addition to fixing your own mistakes, however, companies need to have an aggressive external focus: to learn as much as possible about what is affecting other companies, so that their mistakes don't become yours. This may be as simple as reading the newspaper and the trade press (it certainly has been interesting how many stories have been reported in the past year about low-tech security breaches involving lost packages and mis-directed materials). Did someone have problems because they disposed of computer equipment without completely erasing data? Was a particular vendor involved in a security breach? Were Social Security numbers disclosed when their use was not necessary? Companies must be aware of these problems and must be able to modify their programs to incorporate these risks where relevant. Accordingly, part of any company's ongoing compliance strategy should be to evaluate the external privacy marketplace so that the lessons learned by others can be part of your effective privacy and security program.
DO I HAVE A GOOD APPROACH TO EMPLOYEE PRIVACY?
The question of employee privacy is one area where
there have been substantial legal risks and obligations
for many years. Nonetheless, as privacy laws evolve and
technology increases both the opportunity to monitor and
oversee employees as well as the risks of a failure to keep
track of employee behavior, it is imperative that companies
develop an effective approach to employee privacy issues.
These issues include varying kinds of privacy interests. For example, employers have substantial rights to monitor employees in the workplace, both physically and in use of information technology, but employers need to have a clear policy that is accurately described to employees. Companies face as much risk in today's legal culture from a failure to monitor as from overly extensive monitoring. Personnel information is subject to increasing sensitivity and deserves its own privacy approach. Moreover, some of the existing privacy rules (such as the HIPAA rules) create substantial difficulties for employers in separating their regulated activities (e.g., helping employees with health care claims) from their unregulated or less regulated activities (such as administering the Family and Medical Leave Act or processing workers' compensation claims). Employment issues also are a key factor when the EU privacy rules come into play. For any employer, it is time to evaluate what is being said to employees, and whether employee privacy protections are being appropriately dealt with, both offensively and defensively.
In addition, the federal HIPAA rules create significant privacy issues for any employer that offers health care benefits to employees. The federal HIPAA rules primarily set privacy and security standards for the health care industry. Companies in that industry have spent hundreds of millions of dollars to comply with the various HIPAA rules (with the most recent, the HIPAA Security Rule, requiring compliance on April 20, 2005). However, aside from hospitals, doctors, and health insurers, the HIPAA rules also impose certain obligations on any employer that offers health care benefits to its employees. These rules are confusing and difficult to implement. Moreover, the new alphabet soup of health insurance offerings (HRAs, HSAs, etc.) complicates an already difficult process.
Accordingly, companies must understand how their health care benefits process works, as well as the primary requirements for employers and their health plans in the protection of health care information. They must evaluate not only how personal data flows but also the security processes in place to protect this information. Companies also must assess the boundary lines of the HIPAA rules, so that they can distinguish covered health care information, through a benefits plan, from the array of other health information that an employer may maintain (and can use much more broadly), such as workers' compensation or disability claims, job applications, or Family and Medical Leave Act information. For many companies that outsource most of their health benefits program, the most substantial challenge may be to evaluate whether a vendor has appropriate privacy and security protections in place to protect health care data about your employees.
HAVE I AUDITED OR ASSESSED MY OVERALL PRIVACY COMPLIANCE ACTIVITIES?
As part of this ongoing monitoring effort, companies should evaluate how best to assess how they are doing on privacy and security compliance. For companies in regulated industries, if you have not conducted a full-scale assessment since the effective dates for HIPAA or Gramm-Leach-Bliley, the time to do so is now. Are there areas where there are persistent problems? What about complaints (even if the behavior that is the subject of the complaint is permitted)? Are there new business risks that have not been appropriately encompassed in your privacy program? Are there areas where you can reduce some of your protections (for example, did you develop an expensive accounting program for the HIPAA world only to find out that no one actually wants an accounting report)? Are there new laws that need to be incorporated into the privacy compliance program? This assessment, which can be done internally but often will be more effective if conducted or assisted by outsiders, is essential to maintain a high level of compliance and to ensure that your program keeps pace with rapid developments in the privacy and security areas.
CONCLUSION
Because of this array of broad, overlapping, and (occasionally) inconsistent privacy and security laws and rules, most companies face the substantial challenge of developing compliance strategies that balance legal requirements with practical conclusions and effective business strategies. This dilemma is becoming increasingly difficult, as new laws are added to the books. Moreover, many companies face these issues not only directly through specific rules affecting their business but also through the contracting provisions contained in most privacy laws. While many of these laws have been in place for several years, there has been limited enforcement of many of them, and private lawsuits asserting privacy violations have been much fewer than many have predicted. Accordingly, there is still time for most companies to grasp the breadth of these rules and to work efficiently to analyze how these laws apply to business operations and how compliance can be achieved within reasonable business goals.