On November 17, 2009, Kelley Drye & Warren hosted a seminar and webcast, “Privacy Law Paradigm Shift: Policymakers Respond to Rapidly Evolving Technologies,” addressing new developments in privacy and information security law, regulation, and enforcement. Kelley Drye Partner Tom Cohen and Of Counsel Jodie Bernstein opened the seminar with an overview of privacy law and a history of the Federal Trade Commission’s enforcement priorities. Nine experts from the government and private sector spoke during three different panel sessions: The New Privacy Paradigm, Developments in Data Security, and Privacy and New Technologies. This advisory provides an overview of the key take-aways from each panel.
A webcast recording is also available to view online.
The New Privacy Paradigm—moderated by Kelley Drye Partner Dana Rosenfeld
- Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission
- Lee Peeler, President, National Advertising Review Council
- Ari Schwartz, Vice President and Chief Operating Officer, Center for Democracy and Technology
Panelists focused on the future of consumer privacy regulation and enforcement and the practices organizations should follow to protect consumers’ privacy in light of changing technology and marketplace conditions.
- Maneesha Mithal, from the Federal Trade Commission (FTC), discussed how the FTC’s upcoming series of privacy roundtable discussions will impact the Commission’s examination of its privacy regulation framework. According to Ms. Mithal, the roundtable discussions are designed to address drawbacks in the current privacy regulatory framework; determine challenges the FTC will face moving forward, such as how the FTC can create clear privacy rules while maintaining flexibility to adapt to changing technology and marketing techniques; and identify what goals the FTC should adopt for privacy regulation and enforcement.
- Other topics included the Center for Democracy and Technology’s (CDT) view of the FTC’s roundtable discussions, including an overview of comments submitted by CDT regarding the event. Ari Schwartz, from CDT, urged the FTC to bring more enforcement actions using the unfairness standard to prevent misuse of consumers’ personal information and advocated the adoption of fair information practices, such as those used by the Department of Homeland Security.
- From the industry self-regulation perspective, Lee Peeler, with the National Advertising Review Council, discussed the benefits of privacy self-regulation as a fast and flexible approach to create new privacy standards. Mr. Peeler also presented a model to regulate behavioral advertising and mechanisms that could monitor the industry for organizations that violate self-regulatory rules.
Developments in Data Security—moderated by Kelley Drye Associate Alysa Hutnik
- Marc Groman, House Energy & Commerce Committee Staff
- Stephen L. Surdu, Vice President of Professional Services, MANDIANT
- Naomi Lefkovitz, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission
The second panel addressed privacy and data security legal developments including current legislation, recent criminal data breach activity, and agency enforcement actions and new regulations.
- Legislative developments include Congressional data breach bills introduced in the House and Senate. Marc Groman, a staff member for the House Committee on Energy and Commerce, discussed the Committee’s efforts to enact federal data breach legislation and the requirements of this pending legislation, including an FTC mandate to promulgate data breach rules, coverage of both paper and electronic records, federal preemption standards, and civil penalty provisions available for both FTC and state enforcement actions.
- Stephen Surdu, from MANDIANT, an information security company, discussed new types of data security attacks that can leave organizations vulnerable to information breaches. Mr. Surdu warned that many new system attacks are more sophisticated, making them harder to recognize as security intrusions, such as new phishing scams that accurately spoof company logos, e-mail formats, and other information.
- FTC attorney for the Division of Privacy and Identity Protection, Naomi Lefkovitz, spoke about legislative and regulatory developments regarding identity theft, including the scope of the FTC’s Red Flags Rule. Ms. Lefkovitz provided information regarding the FTC’s approach to risk-based identity theft prevention plans and the rule’s effect on covered entities that use third-party vendors to collect, use, or protect personal information.
Privacy and New Technologies—moderated by Kelley Drye Partner John Heitmann
- Mary Ellen Callahan, Chief Privacy Officer, Department of Homeland Security
- Edward Palmieri, Deputy Chief Privacy Officer, Sprint Nextel
- C.M. Tokë Vandervoort, Senior Counsel—Technology & Privacy, XO Communications
Panelists involved in the final session of the day discussed how different organizations, from government to the private sector, handle privacy issues associated with new technologies.
- C.M. Tokë Vandervoort from XO Communications discussed benefits, drawbacks, and privacy issues associated with cloud computing. Cloud computing is beneficial to consumers and businesses because it minimizes costs of data storage, allows individuals and businesses to access new applications at a low cost, and can provide users with expert application support. However, privacy and information security problems can arise if consumer data is not properly protected or cloud computing organizations do not adequately communicate privacy and data security standards to consumers. Ms. Vandervoort provided possible remedies for privacy and security issues and explored what privacy and security issues could arise for cloud computing in the future.
- Edward Palmieri from Sprint Nextel addressed privacy issues related to emerging cell phone and location-based technology. These technologies offer valuable and convenient services for users; however, businesses should be careful to tailor privacy notices and notice/consent regimes to adequately warn consumers about different types of information used and collected by each program. Mr. Palmieri also stressed that consumer privacy education, simple and meaningful privacy disclosures, and comprehensive data security measures are necessary to protect consumers’ information and ensure consumer satisfaction with use of personal information by carriers.