Prepared Witness Testimony

The House Committee on Energy and Commerce

W.J. "Billy" Tauzin, Chairman

H.R. 4678, the Consumer Privacy Protection Act of 2002

Subcommittee on Commerce, Trade, and Consumer Protection
September 24, 2002
09:00 AM
2322 Rayburn House Office Building 

Ms. Rebecca Whitener
Director of Privacy Services
EDS Security & Privacy Services
1400 Crescent Green, Suite 110
Cary, NC, 27511

Thank you, Mr. Chairman.

It is a pleasure to be here today to discuss HR 4678, the Consumer Privacy Protection Act of 2002. 

I am Rebecca Whitener, Director of Privacy Services for EDS.  In that capacity I am responsible for the global strategy, service line offering development, and methodology for EDS client-focused Privacy services.  Prior to joining EDS, I was a co-founder and Chief Operating Officer of Fiderus, a Security and Privacy Consulting firm, and before that a Principal in charge of global privacy services at IBM. In my career, I have worked with companies around the world to develop business solutions for security and privacy. In 2000, I had the privilege of serving on the Federal Trade Commission Advisory Committee for Online Access and Security.

Privacy is one of those issues that generate a great deal of passion in any discussion.  We Americans have always viewed privacy as a core principle of our society and democratic way of life.  We hold privacy dear and defend it with great vigor when we believe it is threatened. 

But the Digital Economy, with all its promises, poses interesting dilemmas on our view of privacy.  For instance, do we consider an online bookseller sending us an e-mail about a release from our favorite author an invasion of privacy or effective marketing?  Do we feel that the selling of information to a third party so that we can be made aware of a new product is an abuse of consumer trust or an important source of information? 

Mr. Chairman, HR 4678 is the culmination of many hearings and discussions with people of different points of view.  You have proceeded carefully and are to be commended for that approach.  Your bill understands that the protection of privacy and data and the ability to share information are good for business and consumers alike.

EDS’ Chairman and CEO Dick Brown is chairman of the Digital Economy Task Force of the Business Roundtable.  That task force has made several recommendations on how we should proceed in ensuring that any legislative remedies do not impede electronic commerce. 

First, do not hinder self-regulation efforts of industry to give consumers informed choice.  By and large, industry has done a good job.  If a company decides to share information in a perceived detrimental way, the market is pretty quick to act. 

Second, ensure consistency and certainty in the marketplace through a national standard in rules.  Without strong federal preemption there will be confusion among consumers, and business will reconsider engaging in more efficient, electronic transactions.  Many states are now pursuing their own legislative remedies, and the patchwork of laws that may emerge will surely be a roadblock to the Digital Economy.

Next, have one federal agency responsible for regulating consumer privacy.  Again, it is unrealistic to expect business and consumers to coordinate with multiple entities. 

Fourth, treat e-commerce as any other form of commerce.  The Internet is becoming so ingrained in business processes that e-commerce should not be singled out for any special regulatory treatment.  Unfortunately, there are those who seek to discriminate against this way of doing business. 

Fifth, keep a level, consistent playing ground between government and business.  Do not prohibit the selling of information by the ABC book company while allowing the Department of Motor Vehicles to sell drivers’ license records. 

Finally, there should not be any new private right of action.  It is just not necessary.  The market and existing laws and regulations will do the job. 

Mr. Chairman, HR 4678 goes a long way to meeting these requirements.  And it encompasses much of what EDS has included in its Global Privacy and Data Protection Policies. 

There are, however, several specific issues I would like to highlight in certain sections of the bill. 

In Section 101, Privacy Notices to Consumers, subsection b (Forms and Content of Notice), point two could also include a physical mail address as an option for obtaining a privacy statement.  In that same subsection, point three would be strengthened if it read “If the notice is required under subsection (a)(2), a statement that there has been a material change in the organization’s privacy policy, and where in the privacy policy the change(s) have occurred.”

A comment on Section 109, Effect on Other Laws, subsection d.  This is most welcome as we see states passing inconsistent privacy laws.  The other thing we are seeing is that some counties and even cities are contemplating passing laws because they don’t think the state laws do the right job.  If cities start doing the same thing then we will never know what law prevails.  Preemption must be part of any legislation.

In the Improved Identity Theft Data section, a reflection of some of the best practices that are starting to appear in the proposed state measures may be useful, particularly as they relate to the use of social security numbers.

In Section 304, Harmonization of International Privacy Laws, Regulations and Agreements, the approach is on target. Businesses should have the freedom to operate globally under harmonized laws. Processes that leave the door open for a claim of inadequacy and that continue a bilateral agreement do little to promote e-commerce. 

We are especially pleased to see that you have addressed security concerns in your legislation.  Cyber security continues to be a growing problem and there are significant indications that more should be done to protect data and networks. 

The numbers are staggering.  In 2000, computer viruses worldwide cost $17.1 billion in damages.  EDS alone counters more than 650 attempted break-ins and three new viruses every day on servers it runs for 2500 clients.  A major virus like Code Red or ILOVEYOU costs billions to eliminate. 

The release last week of the President’s National Strategy to Secure Cyberspace is a step in the right direction.  It highlights many of the areas that must be addressed so that consumers can be confident that their transactions and information shared with government and business are secure. 

As part of our education effort on the urgency of protecting our economic infrastructure, we are submitting a high level security and privacy checklist that can be used by companies, organizations and governments.  It may seem simple and straightforward but we find a number of entities needing advice about the basic steps.

Now on to some specific comments about Section 105.

In paragraph a(2) we agree with the requirement that senior management consider and approve an information security policy.  Security awareness needs to be raised in the consciousness of senior management and this will go a long way to that end. 

Paragraph a(3)(B) makes a great deal of sense.  Most organizations have someone responsible for IT security but in many cases they aren’t designated or there are unclear lines of responsibility. 

Paragraph b(1): There are a number of sources that can be used for timely notification. We believe that flexibility as to the source of the notification and the corrective action taken, which is more clearly outlined in the Exceptions in 105(b)(2), will provide a broadened approach based on company policy.

Paragraph b(1): Corrective action implies that there is an effective process within an organization to monitor threat warnings and know when to effectively apply remediation.   This is a critical security capability.

In Paragraph c, the process for how the Commission will base a decision to hold the organization culpable in violating Section 105 is unclear. 

We agree on the importance of the role placed on self-regulatory programs as defined in Section 106.  In (E), there is a requirement for “regular compliance testing which shall take place not less frequently than every 4 years” to ensure self-reviews and self-certifications are accurate.  Companies should be given the choice of addressing this compliance testing through their own Internal Audit programs, through privacy consultants, and through public accounting firms.

We would be glad to work with your staff on these points. 

Mr. Chairman, we appreciate the opportunity to testify on HR 4678.  We want to continue working with you next year on this legislation.  If it becomes necessary to pass a consumer privacy bill then we want to make sure that it supports the growth of the Digital Economy rather than placing roadblocks in the way and limiting those who can enjoy the benefits of the new economy. 

I will be happy to answer any questions. 

Thank you.
