1 the privacy act of 2003 cpsc 457/557 : sensitive information in a wired world wesley c. maness

1

The Privacy Act of The Privacy Act of 20032003

CPSC 457/557 : Sensitive Information in a Wired World

Wesley C. Maness

2

The Privacy Act of 2003The Privacy Act of 2003

State:

•Introduced on 3/31/2003 into Senate by Senator Feinstein (D-California)

• Printed into public record, online thomas.loc.gov (Library of Congress)

•Referred to Senate committee: Read twice and referred to the Committee on the Judiciary

Reasons why a need? Particular current (critical) events? - Surprisingly that it didn’t gain any popularity after JetBlue

3

The Privacy Act of 2003The Privacy Act of 2003The Privacy Act 2003 (TPA) (Feinstein) claims:

•Gives consumers more control over how their personal information is used regardless of channels used.

•Would provide protection for a person’s most sensitive data

•Personal financial data

•Health data

•Driver’s license information

•Social Security numbers

•Gives individual ultimate control over whether or not his or her information is shared. (Opt-out, Opt-in)

Underlying belief/assumption

4

The Privacy Act of 2003The Privacy Act of 2003Structure:

•Title 1 – Commercial Sale and Marketing of Personally Identifiable Information

•Title II – Social Security Number Misuse Prevention

•Title III – Limitations on Sale and Sharing of Nonpublic Personal Financial Information

•Title IV – Limitations on the Provision of Protected Health Information

•Title V – Driver’s License Privacy (Title II)

•Title VI – Enforcement by State Attorneys General, Federal Injunctive Authority.

5

The Privacy Act of 2003: Title I: Commercial The Privacy Act of 2003: Title I: Commercial Sale and Marketing of Personally Identifiable Sale and Marketing of Personally Identifiable

InformationInformation

Definitions:

Commercial entity – The term “commercial entity” means any person offering products or services involving commerce among the several States or with 1 or more foreign nations, in any territory of the United States or in the District of Columbia, or between any such territories. Does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45); any financial institution that is subject to title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.); or any group health plan, health insurance issuer, or other entity that is subject to the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 201 note).

Like most US legislation; sector-specific, segregates commercial business from financial institutions from health care providers.

6



Definitions:

•Individual – The term “individual” means a person whose personally identifying information has been, is, or will be collected by a commercial entity.

•Medium – The term “medium” means any channel or system of communication including oral, written, and online communication.

•Nonaffiliated third party – The term “nonaffiliated third party” means any entity that is not related by common ownership or affiliated by corporate control with, the commercial entity, but does not include a joint employee of such institution.

Medium applies to any communication post initial exchange of individual with commercial entity. Attempts to define and set a standard of communication based on individuals agreement.

7



Definitions:

Personally identifiable information – The term “personally identifiable information” means individually identifiable information about the individual that is collected including–

(A) a first, middle, or last name, whether given at birth or adoption, assumed, or legally changed;

(B) a home or other physical address, including the street name, zip code, and name of a city or town;

(C) an e-mail address; (Spammers and email harvesting)

(D) a telephone number;

(E) a photograph or other form of visual identification;

8



Definitions:

(Continued) Personally identifiable information – The term “personally identifiable information” means individually identifiable information about the individual that is collected including–

(F) a birth date, birth certificate number, or place of birth for that person;

(G) information concerning the individual that is combined with any other identifier in this paragraph.

Does not include biometric information; retinal scans, fingerprints, DNA, etc.

9



IndividualCommercial Entity

Personally Identifiable Information (PII)

(Medium)

Affiliate

PII

Nonaffiliated third party

PII

Commercial entity and affiliates by definition (TPA) jointly owned, or controlled

10



Sec 101: COLLECTION AND DISTRIBUTION OF PERSONALLY IDENTIFIABLE INFORMATION

• In general. -- It is unlawful for a commercial entity to collect personally identifiable information and disclose such information to any nonaffiliated third party for marketing purposes or sell such information to any nonaffiliated third party, unless the commercial entity provides–

• (A) notice to the individual to whom the information relates … and

• (B) an opportunity for such individual to restrict the disclosure or sale of such information.

Would this apply to JetBlue? Did JetBlue *break any Federal or State laws? Impact on spammers?

Citibank has 2761 affiliates and counting …

11




EXCEPTION.--A commercial entity may collect personally identifiable information and use such information to market to potential customers such entity's product.

12




NOTICE.– (wrapped up in ‘Privacy Statements’)

• IN GENERAL.--A notice shall contain

•(A) The identity of the commercial entity collecting the personally identifiable information.

•(B) The types of personally identifiable information that are being collected on the individual.

•(C) How the commercial entity may use such information.

Banknorth Group, Inc. GLB say what is collected, and what is disclosed

13




NOTICE.–

• IN GENERAL.--A notice shall contain

•(D) A description of the categories of potential recipients of such personally identifiable information.

• (E) Whether the individual is required to provide personally identifiable information in order to do business with the commercial entity.

•(F) How an individual may decline to have such personally identifiable information used or sold…

14

Some techniques of how information is gathered online:

1.) Automatically gathered information:

• name of the domain and host used to access the Internet• IP address of computer you are using• browser software• OS type• date and time of access to website• address of website from which you linked directly to *this site

Not really interesting right now, by definition not PII

15


2.) Information from Cookies:

• username• password• sites visited• shopping cart contents• billing and shipping address information• *customized pages, address book• any type of information that would be needed so you don’t have to reenter it each time you visit• anything else…

Gathering other cookie information (i.e. websites reading other website cookies) i.e. affiliate and other-cookie-reading

TPA’s Policy infrastructure and possible changes

- i.e. how to ask for individual’s permission

16


3.) Actively submitted information: purchasing some ground coffee beans

• name, email address• billing address, shipping address• phone number• credit card information

4.) Clear GIFs (Web Beacons, Web Bugs) - used in combination with cookies.

• monitor user behavior, sites visited, how often, time, etc.• browser type• message response (if message is opened)• message format (if email supports HTML)• other cookie values

17




NOTICE.–

• TIME OF NOTICE.-- Notice shall be conveyed prior to the sale or use of the personally identifiable information as described in previous slides in such a manner as to allow the individual a reasonable period of time to consider the notice and limit such sale or use.

18




NOTICE.–

• MEDIUM OF NOTICE.--The medium for providing notice must be–

• (A) the same medium in which the personally identifiable information is or will be collected, or a medium approved by the individual; or

• (B) in the case of oral communication, notice may be conveyed orally or in writing.

• FORM OF NOTICE.--The notice shall be clear and conspicuous.

19




OPT-OUT.–

OPPORTUNITY TO OPT-OUT OF SALE OR MARKETING.--The opportunity provided to limit the sale of personally identifiable information to nonaffiliated third parties or the disclosure of such information for marketing purposes, shall be easy to use, accessible and available in the medium the information is collected, or in a medium approved by the individual.

Places responsibility/burden on the individualWill this work? (5% financial response) Gives legal recourse to those who do exercise this right.

20




OPT-OUT.–

DURATION OF LIMITATION.--An individual's limitation on the sale or marketing of personally identifiable information shall be considered permanent, unless otherwise specified by the individual.

21




OPT-OUT.–

REVOCATION OF CONSENT.--After an individual grants consent to the use of that individual's personally identifiable information, the individual may revoke the consent at any time, except to the extent that the commercial entity has taken action in reliance thereon. The commercial entity shall provide the individual an opportunity to revoke consent that is easy to use, accessible, and available in the medium the information was or is collected.

22




Issue with REVOCATION OF CONSENT

However this will not allow an individual any control of their information once it has been sold or disclosed to a nonaffiliated third party by the commercial entity that the individual originally entered into the commercial relationship with.

Once its out, its out.

23



Individual Commercial Entity

PII

(Medium)

Affiliate

PII


PII


PII

PII

Affiliate

PIIPII

PII

PII

The Privacy Act of 2003

Web-rings, sleuth-rings other vehicles for trafficking PII

24



Sec 102: ENFORCEMENT.

• IN GENERAL.--In accordance with the provisions of this section, the Federal Trade Commission shall have the authority to enforce any violation of section 101 of this Act.

• TRANSFER OF ENFORCEMENT AUTHORITY.--The Federal Trade Commission shall allow for the transfer of enforcement authority from the Federal Trade Commission to a Federal agency regarding section 101 of this Act.

25



Sec 102: ENFORCEMENT.

• CIVIL PENALTIES.--In addition to any other penalty applicable to a violation of section 101, a penalty of up to $25,000 may be issued for each violation.

Too high? Think of JetBlue. Assume only 1% of consumers opted out in the Time of Notice timeframe.

1% * 2,000,000 * 25,000 = 500 Million in fines.

26

The Privacy Act of 2003: Title II: The Privacy Act of 2003: Title II: Social Social

Security Misuse PreventionSecurity Misuse Prevention

Title II provides each individual that has been assigned a social security number some degree of protection from the display, sale, and purchase of that number in any circumstance that might facilitate unlawful conduct.

27



Sec 202: PROHIBITION OF THE DISPLAY, SALE, OR PURCHASE OF SOCIAL SECURITY NUMBERS

LIMITATION ON DISPLAY.—No person may display any individual's social security number to the general public without the affirmatively expressed consent of the individual.

LIMITATION ON SALE OR PURCHASE.—No person may sell or purchase any individual's social security number without the affirmatively expressed consent of the individual.

There are exceptions on display, sale, or purchase. More on this later.

28




PREREQUISITES FOR CONSENT.—The person displaying or seeking to display, selling or attempting to sell, or purchasing or attempting to purchase, an individual's social security number shall–

• (1) inform the individual of the general purpose for which the number will be used, the types of persons to whom the number may be available, and the scope of transactions permitted by the consent; and

• (2) obtain the affirmatively expressed consent (electronically or in writing) of the individual.

29



Currently too easy and in many cases legal…

In July of 2003 Jamie Court said in an interview on National Public Radio “I bought the Social Security numbers of John Ashcroft, CIA Director George Tenet and Karl Rove for $26 each on the Internet. Their home addresses and telephone numbers cost a little more. For $295, another Internet service says it will sell me bank account balances.”

SecretInfo, KnowX, University websites, search engines, etc

30




EXCEPTIONS. Display, sell or purchase Social Security Numbers

•required, authorized, or excepted under any Federal law; •for a public health purpose•for a national security purpose; •for a law enforcement purpose; fraud, child abuse, etc. •the prevention of fraud •the facilitation of credit checks•the facilitation of background checks of employees, prospective employees, or volunteers;

31



Sec 203: APPLICATION OF PROHIBITION OF THE DISPLAY, SALE, OR PURCHASE OF SOCIAL SECURITY NUMBERS TO PUBLIC RECORDS.

“No government entity shall include social security numbers in public records posted onto the Internet or provided in an electronic medium by, or on behalf of a government entity after the date of enactment of this section, except as limited by the Attorney General.”

Example:

State of Maine (City of Portland (Cumberland Co.)) lists the Registered Voters along with names, address, phone numbers, and social security numbers. (Scrub the social security number)

32



Sec 203: APPLICATION OF PROHIBITION OF THE DISPLAY, SALE, OR PURCHASE OF SOCIAL SECURITY NUMBERS TO PUBLIC RECORDS.

EXCEPTION FOR GOVERNMENT ENTITIES ALREADY PLACING PUBLIC RECORDS ON THE INTERNET OR IN ELECTRONIC FORM

Attorney General may include in the regulations a set of procedures for implementing the regulations and shall consider the following:

The cost and availability of technology available to a governmental entity to redact social security numbers from public records first provided in electronic form after the effective date of this section.

The cost or burden to the general public to comply…

33



Sec 205: TREATMENT OF SOCIAL SECURITY NUMBERS ON GOVERNMENT DOCUMENTS.

PROHIBITION OF USE OF SOCIAL SECURITY ACCOUNT NUMBERS ON CHECKS ISSUED FOR PAYMENT BY GOVERNMENTAL AGENCIES.–

Amends the Social Security Act (42 U.S.C. 405(c)(2)(C) by adding at the end the following:

No Federal, State, or local agency may display the social security account number of any individual, or any derivative of such number, on any check issued for any payment by the Federal, State, or local agency.

34




PROHIBITION OF USE OF SOCIAL SECURITY ACCOUNT NUMBERS ON CHECKS ISSUED FOR PAYMENT BY GOVERNMENTAL AGENCIES.–

Most surveys (online) have floated around the 50% value for how someone gains access to an individuals social security number by “theft of mail” e.g. steal mail on particular days of the month when federal checks are delivered.

•1st - Disability Checks•3rd - Social Security Checks•15th - Other Disability Checks

35




PROHIBITION OF APPEARANCE OF SOCIAL SECURITY ACCOUNT NUMBERS ON DRIVER'S LICENSES OR MOTOR VEHICLE REGISTRATION.

An agency of a State may not display the social security account numbers issued by the Commissioner of Social Security, or any derivative of such numbers, on the face of any driver's license or motor vehicle registration or any other document issued by such State (or political subdivision thereof) to an individual for purposes of identification of such individual.

Dakota, S. Dakota, Guam currently display SSN, unless explicitly express at time of application or renewal not to do so.

36



Case Study of ‘Commonwealth of Virginia Department of Motor Vehicles’

Prior to July 1, 2003 that your social security number was used as your “customer number” and was displayed as “Customer No.” on your driver’s license.

The branches that are a part of Virginia’s Department of Motor Vehicles are; Inspection, Emission, Property Tax, License and Registration, County Decal Registration, and Insurance.

Each one of these branches above uses the “customer number” as a way to uniquely identify you. Each branch, or division, regularly mails out information with respect to you and your registered vehicles while using your “customer number” printed on and through the contents of the mail sent to you.

37



38



Case Study of ‘Commonwealth of Virginia Department of Motor Vehicles’

While there isn’t any data that correlates the rise in identity thefts in Virginia with Virginia’s Department of Motor Vehicles using social security numbers on ID cards and drivers licenses. It is safe to assume that all of this extra mail containing social security numbers will eventually end up in the trash giving anyone and everyone the numbers necessary to commit any form of [identity] theft.

State Attorney Generals Office reported ~3500 Identity Thefts. FTC’s report “Federal Trade Commission Identify Theft Survey Report” says 25% reported crimes to authority, so real number could be 4X.

39



Sec 206: LIMITS ON PERSONAL DISCLOSURE OF A SOCIAL SECURITY NUMBER FOR CONSUMER TRANSACTIONS.

IN GENERAL.--A commercial entity may not require an individual to provide the individual's social security number when purchasing a commercial good or service or deny an individual the good or service for refusing to provide that number

Exceptions…….

40



Sec 206: LIMITS ON PERSONAL DISCLOSURE OF A SOCIAL SECURITY NUMBER FOR CONSUMER TRANSACTIONS.

Exceptions:

• obtaining a consumer report for any purpose permitted under the Fair Credit Reporting Act;

• a background check of the individual;

• law enforcement; or a Federal, State, or local law requirement;

• or to prevent fraud.

41

The Privacy Act of 2003: The Privacy Act of 2003: Title III: Limitations Title III: Limitations on Sale and Sharing of on Sale and Sharing of Nonpublic Personal Nonpublic Personal

Financial InformationFinancial Information Sec 302: RULES APPLICABLE TO SALE OF NONPUBLIC PERSONAL INFORMATION.

Amends Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)

OPT IN FOR DISCLOSURES TO NONAFFILIATED THIRD PARTIES

•AFFIRMATIVE CONSENT REQUIRED- A financial institution may not sell or otherwise disclose nonpublic personal information to any nonaffiliated third party, unless the consumer to whom the information pertains—

•has affirmatively consented to the sale or disclosure of such information; and

•has not withdrawn the consent.

42

The Privacy Act of 2003: The Privacy Act of 2003: Title III: Limitations Title III: Limitations on Sale and Sharing of Nonpublic Personal on Sale and Sharing of Nonpublic Personal

Financial InformationFinancial Information Sec 303: EXCEPTIONS TO DISCLOSURE PROHIBITION

•with the consent or at the direction of the consumer•to law enforcement agencies •to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;•to persons holding a legal or beneficial interest relating to the consumer;•to persons acting in a fiduciary or representative capacity on behalf of the consumer;•to a consumer reporting agency, in accordance with the Fair Credit Reporting Act or from a consumer report reported by a consumer reporting agency, as those terms are defined in that Act; •to comply with Federal, State, or local laws•to respond to judicial process

43

The Privacy Act of 2003: The Privacy Act of 2003: Title III: Limitations Title III: Limitations on Sale and Sharing of Nonpublic Personal on Sale and Sharing of Nonpublic Personal

Financial InformationFinancial Information Sec 303: DENIAL OF SERVICE PROHIBITED-

A financial institution may not deny any consumer a financial product or a financial service as a result of the refusal by the consumer to grant consent to disclosure … however … a financial institution may offer incentives to elicit consumer consent to the use of his or her nonpublic personal information.

44

The Privacy Act of 2003: Title IV--Limitations The Privacy Act of 2003: Title IV--Limitations on the Provision of Protected Health on the Provision of Protected Health

Information Information

Sec 402: PROHIBITION AGAINST SELLING PROTECTED HEALTH INFORMATION

A noncovered entity shall not sell the protected health information of an individual or use such information for marketing purposes without an authorization [valid]. When a noncovered entity obtains or receives authorization to sell such information, such sale must be consistent with such authorization.

Definition of “NONCOVERED ENTITY”:

Any person or public or private entity that is not a covered entity, not a health plan, not a clearinghouse, not a health care provider.

E.g. a health researcher, school or university, life insurer, employer, public health authority, health oversight agency, or law enforcement official

45



Sec 402: PROHIBITION AGAINST SELLING PROTECTED HEALTH INFORMATION

In order to sell, disclose protected health information the noncovered entity must receive valid authorization from the individual.

Information being sold or disclosed must satisfy Scope and Purpose.

Scope – minimum amount of information necessary to accomplish the job

Purpose – recipient of information sold must use information solely to carry out the purpose for which the information is sold

46



Authorization shall

•contain a description of the information to be sold that identifies such information in a specific and meaningful manner; •contain the name or other specific identification of the person, or class of persons, authorized to sell the information; •contain the name or other specific identification of the person, or class of persons, to whom the information is to be sold; •include an expiration date or an expiration event relating to the selling of such information that signifies that the authorization is valid until such date or event; •include a statement that the individual has a right to revoke the authorization in writing and the exceptions to the right to revoke, and a description of the procedure involved in such revocation; •signature

47

The Privacy Act of 2003: Title V—Driver’s The Privacy Act of 2003: Title V—Driver’s License Privacy License Privacy

Amends Section 2725 of title 18, United States Code so that a state department of motor vehicles can no longer disclose or sell the most sensitive information to nonaffiliated third parties such information as

• Individual's photograph• social security number• driver identification number• medical or disability information• or any biometric identifiers on license, including a finger print

Biometric here, but not in Title I as defined by Personally Identifiable Information

- without the driver's opt-in.

48

The Privacy Act of 2003The Privacy Act of 2003Brief Summary…

•Criminalizes the misuse, purchase, sell, or disclosure of an individuals social security number without individuals permission.

•Provides a legal recourse for FTC (and in some cases State Attorneys General) on behalf of individuals for misuse, trafficking of personal identifiable information (SSN) in between commercial entities and nonaffiliated third parities.

• Attempts to preempt identity theft (and other types of theft) by prohibiting the display and usage of social security numbers and their derivatives on federal documents (checks, IDs) also, by putting the responsibility on the commercial entities

• Remove social security numbers from electronic form of public records

49

The Privacy Act of The Privacy Act of 20032003

End of slide show

1 the privacy act of 2003 cpsc 457/557 : sensitive information in a wired world wesley c. maness

Documents

privacy act

identifiable information

term commercial entity

personal information

commercial sale

sensitive information

bliley act

accountability act