The Effectiveness of Privacy Protection in Economic Systems

General Opening

Good Morning. Thank you, Mr. Rasi.

And, let me also thank Professor Rodotá and the Italian Garanté for the invitation to participate in this important privacy dialogue.

In particular, I want to commend the conference's review of privacy protection in the context of:

• consumer expectations,
• costs and benefits to businesses and governments, and
• effects on economies and the global marketplace.

Disclaimer/FTC

I am one of five Commissioners at the Federal Trade Commission. So as I begin, let me explain that my remarks today are my own. They do not necessarily represent the views of the Federal Trade Commission or of any other individual Commissioner.

Road Map of My Remarks

My remarks today will principally focus on our experience at the Federal Trade Commission in helping to shape privacy protection in the marketplace through the use of:

• our enforcement authority against unfair or deceptive acts or practices in or affecting commerce; and
• our education and outreach to consumers and businesses.

At the FTC, our experience supports the notion that effective privacy protection is best ensured by focusing enforcement action against the misuse of information and the harmful consequences of such misuse.

Let me suggest a premise for consideration:

Effective privacy practices are good for business; the free flow of information is good for consumers.

Or said another way by a Member of the U.S. Congress:

"The ideas that privacy can actually be good for business and that information sharing can actually be good for consumers are the "two dirty little secrets" of the privacy issue." [Representative Diana DeGette (D-Colorado)]

Information Economy

What are consumers' privacy expectations in an Information Economy?

• There is no question that consumers are deeply concerned about the privacy of their personal information.
• And, there is no question that a lot of information is being collected and exchanged offline and online in a networked environment where we are all increasingly interconnected.
• While consumers want the conveniences, services and product choices that are made possible through new mediums and information technologies, there are questions about how consumer information is being used and who is using it.

These are questions of importance to Americans, and we know that they are concerns for individuals, businesses, and governments around the world. For this reason, consumer privacy and consumer information security are two of the Federal Trade Commission's highest priorities.

FTC's Framework For Analyzing Privacy Issues

Let me begin by describing to you the framework we use to analyze privacy issues.

• The availability of information confers many benefits in our information-driven economy.
• The miracle of instant credit helps to drive the American economy --- and at automobile dealerships, it allows Americans to drive away in new car
• Consumers can shop online 24 hours a day/7 days a week.
• These are benefits that consumers want and enjoy.
• At the same time, consumers are clearly concerned about their privacy.
• We believe that what consumers are most concerned about is that their information, once collected, may be misused in ways that harm them or disrupt their daily lives.
• These kinds of negative consequences drive consumer concerns about privacy.
• At the FTC, we think the most important part of any privacy agenda is stopping or minimizing the kinds of practices that can cause those negative consequences. Consumers want protection from:
  • physical consequences -- Consumers want to restrict availability of personal information, particularly for safety reasons [potential harm to children, stalking];
  • economic consequences -- Consumers fear harmful economic consequences ranging from improper denial of credit, even a job, or, in extreme circumstances, identity theft; and
  • unwanted intrusions -- Consumers have had enough of what I call "nuisance" intrusions to their privacy from activities like unsolicited spam and unwanted telemarketing calls.
• Existing laws in the U.S., which target the need for privacy in different information sectors (financial, children, medical, etc.) areas through an industry sectoral approach, allow us to address harmful consequences and enforce privacy promises.
• Our broad enforcement authority under Section 5 of the Federal Trade Commission Act

--- to deter "unfair or deceptive acts or practices in or affecting commerce" ---

assists us in bringing cases that enforce privacy promises made to consumers. This includes the promises made by U.S. companies that self-certify compliance with privacy principles under the U.S.-EU Safe Harbor framework.

• So, we focus on the consequences of information use, good or bad.
• When there are bad consequences from information uses, we look for ways to correct the problems that may result.

We believe that this framework of analyzing privacy issues is highly effective in the United States for:

• • influencing the expectations and behavior of consumers and businesses in the marketplace, and
  • representing a pragmatic and efficient use of government resources by directing our enforcement efforts at the misuse of personal information that can actually cause harm to consumers.

The FTC Privacy Agenda

In October 2001, FTC Chairman Timothy Muris announced an ambitious privacy agenda that focused on vigorous enforcement of U.S. laws and privacy promises to consumers.

We have doubled the number of staff dedicated to privacy enforcement and have brought major cases and educational efforts forward.

During the past year,

• More than 30 cases were brought or settled, involving privacy and security, children=s online privacy protection, pretexting, the Fair Credit Reporting Act, abusive telemarketing practices, and spam.
• There are ongoing efforts to stop identity theft through collecting and analyzing consumer complaints, criminal referrals, education and training;
• We have conducted public workshops on financial privacy notices and security;
• There has been activity in rulemakings on telemarketing (pending Telemarketing Sales Rule) and security of financial information;(1) and
• We have conducted more than 15 consumer and business education initiatives.

We have ambitious plans for this coming year that further emphasize consumer information security, anti-spam efforts, and a federal Do-Not-Call List option for consumers who choose not to receive certain telemarketing contacts.

Case Discussion

The FTC has placed particular emphasis on the relationship between privacy and security -- which are really two sides of the same coin. Both have enormous effects on consumer trust and confidence. Without trust and confidence the full potential of information technology will not be realized.

The most recent FTC privacy cases underscore the basic principle that privacy promises are important and must be honored. This is a test.

National Research Center for College and University Admissions and American Student List

• Last month, we announced settlements with two companies: National Research enter for College and University Admissions and American Student List. These cases involved the offline collection of sensitive personal information from high school students - such as name, date of birth, and religious and ethnic affiliation.
• The two companies market a student survey to high school teachers and guidance counselors asking them to administer the survey during class time. the offline collection of sensitive personal information from high school students - such as name, date of birth, and religious and ethnic affiliation.
• The two companies market a student survey to high school teachers and guidance counselors asking them to administer the survey during class time.
• The privacy statement on the survey claimed that students' data "is used by colleges, universities and other organizations to assist students and their families by providing them with valuable information."
• While using this information to match students to colleges might benefit students and their parents, regrettably the companies also shared the information with commercial marketers.
• Contrary to their claim, substantial funding to finance the survey came from commercial entities, including American Student List, one of the defendants.
• As a result of our action, the companies are prohibited from misrepresenting their privacy policy. If they sell the information for any non-education-related marketing purpose, they must disclose that fact as well as the types of entities to whom they will sell the information. And, previously-collected information may be used only for education-related purposes.

In addition to looking at privacy promises both on and off-line (whatever the medium), we are also focusing great attention on information and network security.

The Eli Lilly Case focuses on a firm's responsibility for the security of information

• First, a brief review of what happened in our Eli Lilly case:

The privacy promise: Ely Lilly promised to keep consumers' information confidential and secure

The privacy problem: Consumers using prescription drugs for depression subscribed to a reminder email service offered at Lilly's website.

• When Eli Lilly terminated the service, the email notifying subscribers revealed the subscribers' email addresses - over 600 in all.
• The reason for the privacy problem was Lilly's inadequate security
• Our complaint alleged that Eli Lilly's failure to take appropriate steps to ensure the security of consumers' information - in light of the sensitivity of the information - violated the FTC Act
• In Eli Lilly, there was an inadvertent breach that led to the disclosure of sensitive personal information.

Consequences can also be "potential" harm, rather than actual or realized harm. In other words, we do not have to wait for a breach to take action.

The Microsoft Case focuses on keeping promises and potential harm

• The Microsoft Passport System is an online authentication service. Microsoft has 200 million e-mail accounts. Its Passport Wallet has 2 million accounts.
• Microsoft promised that it maintained a high level of security by taking sufficient measures reasonable and appropriate under the circumstances.
• To our knowledge, there was no security breach which compromised consumer information.
• However, we still alleged Microsoft failed to or could not deliver on its privacy and security promises.
• In particular, we alleged that Microsoft did not maintain a high level of security because it failed to have systems in place to prevent or detect unauthorized access; to monitor for potential vulnerabilities; and to record and retain system information sufficient to perform security audits and investigations.
• The Remedy: Microsoft must implement an information security program and submit to bi-annual audits by an independent third-party for many the next 20 years.
• Besides failing to deliver on its security promises, the Microsoft complaint alleged other privacy violations:

• Collection of sign-in history was not disclosed
• Microsoft erroneously promised parents that they could control information collected about their children for Kids Passport service.

• The FTC's Order requires Microsoft to institute an information security program that takes into account the sensitivity of the information collected and an ongoing assessment of reasonably foreseeable risks and threats. It also requires Microsoft to comply with its privacy promises.

Other Privacy and Security Concerns

Deceptive Spam

Within the past month, the Federal Trade Commission and 12 federal, state, and local law enforcement and consumer protection agencies announced a four-part initiative launched to fight deceptive spam.

• The centerpiece of the initiative is a group of more than 30 law enforcement actions, including three FTC complaints and four settlements with Spammers caught in an FTC sting. In addition, 10 law enforcement agencies signed letters to approximately 100 Spammers warning them that their Spam appeared to be illegal and that action against them could be taken if they continued their fraudulent scams.
• Ten agencies participated in the FTC's "Spam Harvest," an initiative designed to test which actions consumers take online that put them most at risk for receiving spam.
• The initiative also developed consumer education material, including a publication, "E-mail Address Harvesting: How Spammers Reap What You Sow" (/bcp/menu-internet.htm). This material uses the lessons learned from the Spam Harvest to provide tips to consumers who want to minimize their risk of receiving spam.

Consumer and Business Education on Privacy and Information Security

Security Workshop and Education Campaign

• Last May, we held a public workshop to address consumer information security issues. The workshop discussion highlighted one very important - and timely - point: that good information security is everyone's responsibility: government, industry, and individual consumers. In addition, failure to implement good information security practices has potentially devastating consequences at all levels of our economy.

Culture of Security

• Another point that participants emphasized was the role that the FTC should play in educating consumers and businesses in creating a "culture of security."
• The FTC's Information Security Education Campaign was launched in September. The goal of this campaign is to focus on the critical role information security plays in all sectors of our economy. The campaign comes complete with a dedicated website (www.ftc.gov/infosecurity) and it features our very own: DEWIE THE e-TURTLE. (We call this taking a hard shellapproach to security.)
• The website highlights the recently revised OECD Guidelines for the Security of Information Systems and Networks. The FTC led the U.S. delegation in the OECD Guidelines review. Our team consisted of the Departments of Commerce, State, Justice and Treasury.

We are constantly disseminating information throughout our society about how to practically implement a "culture of security".

Closing

The FTC's framework for approaching privacy issues is to focus on the adverse consequences caused by misrepresentations and misuse of consumer information and to enforce existing U.S. privacy laws to ensure that privacy promises are kept. I believe this approach helps curb market abuses and fosters respect for consumer privacy.

We vigorously encourage corporate leadership, investment and innovation to enhance information privacy and security practices.

• I firmly believe that the private sector is best equipped, motivated and capable of solving most of our concerns.
• I believe a combination of responsible self-regulation, market pressures, an informed public, government encouragement, and vigorous law enforcement is the best path to better solutions rather than burdensome and most likely ineffective government regulation.
• Although being an advocate for industry solutions for privacy and security, I never fail to remind industry leaders that,

"Either you lead and make responsible information privacy and security practices a part of your corporate culture, or I will assure you there will be an FTC in your future."

In the United States, we see the results of our public and private sector partnership efforts in terms of increased compliance with privacy policies and increased attention to privacy and information security issues on the part of corporate leadership.

I believe that in the United States, the best means of protecting consumer privacy without unduly burdening e-commerce (or commerce, in general) has been a combination of (1) consumer awareness, ( 2) leadership and self-regulation by the private sector, and (3) aggressive government enforcement of existing law.

This approach is flexible enough to respond to changes in technology and to the tremendous insights that we are gaining from the continuing dialogue among government, industry, and consumers on privacy issues.

To that end, the FTC and I personally have been actively working with industry members, consumer groups, and others to address privacy concerns.

A simple truth: Consumers expect privacy protection -- and, equally important -- firms realize that it is to their competitive advantage to respond to consumer expectations.

As public awareness of privacy issues has grown, market forces have definitely come into play. For example, last year a Progress and Freedom Foundation study indicated that the most frequently visited U.S. websites have clearly recognized that information management policies and privacy practices are necessary parts of everyday business on the Internet.

In addition, recent years' progress in the development of privacy protection tools is encouraging. Firms are making significant investments in time, ingenuity, resources, and money to best solve and minimize privacy concerns. These investments and industry leadership and commitment need to continue.

I agree with U.S. House of Representatives Energy and Commerce Committee Chairman Billy Tauzin (R-Louisiana), who said that " … [t]he real and perceived fears surrounding privacy need to be addressed." "… [B]efore we can have great debates of how to fix the current situation, we must understand the current situation and the constraints we are bound by . . . [B]efore we add new law, we must examine the old, as the heavy hand of government often takes a broad swipe when invited in."

This is the approach we have been taking at the FTC. We have increased our enforcement of existing law by using our broad authority to enforce privacy promises made to consumers. At the same time, we are constantly assessing whether there are areas of concern in need of greater enforcement authority. Yet, we have been guarded in approaching the issue of whether broad new privacy legislation is necessary.

We must all keep the dialogue going in high-quality and professional forums such as this one in Rome.

Working together, domestically and on a cross-border basis, I believe that we can effectively address the misuse of personal information and protect consumers from harm, and at the same time, encourage innovative solutions to meet consumer expectations in the marketplace.

Endnote:

1. 1 The FTC promulgated a "Safeguards Rule" to implement the security requirements set forth in the Gramm-Leach-Bliley Act. The Rule, which becomes effective in May, 2003, requires financial institutions under FTC jurisdiction to secure customer records and information. As part of its plan, each financial institution must:

1. 1. designate one or more employees to coordinate the safeguards;
   2. identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
   3. design and implement a safeguards program, and regularly monitor and test it;
   4. select appropriate service providers and contract with them to implement safeguards; and
   5. evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business arrangements or operations, or the results of testing and monitoring of safeguards.