Message-ID: <5227197.1075853113617.JavaMail.evans@thyme>
Date: Wed, 10 Oct 2001 17:36:17 -0700 (PDT)
From: mpascual@mdbe.com
To: pascual@enron.com, mpascual@mdbe.com
Subject: McCutchen Alert: Privacy & Security
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-From: "Pascual, Maria (Tess)" @ENRON
X-To: Pascual, Maria (Tess)
X-cc:
X-bcc:
X-Folder: \MCASH (Non-Privileged)\Cash, Michelle\General Research
X-Origin: Cash-M
X-FileName: MCASH (Non-Privileged).pst

October 10, 2001

Federal Trade Commission Announces Broad Privacy Agenda and Promises Strict Enforcement Online and Offline

In a long-awaited address to Privacy 2001, FTC Chairman Timothy Muris has announced a new, wide ranging privacy agenda and promised to increase enforcement of privacy standards both online and offline. It has been unclear for some time just how the Bush Administration would approach consumer privacy in the US, and there has been speculation in the wake of the September 11 attacks that this agenda item, once so commonly discussed, would take a back seat to public security concerns.

In his speech on October 4, 2001, Chairman Muris announced that as part of getting back to business, it was time to focus on "individual privacy in the commercial realm and on what the FTC itself can do." Assuring consumers that privacy promises will be taken seriously, Muris promised to "increase our enforcement of laws protecting consumer privacy."

Importantly, Chairman Muris announced that the FTC would not itself propose new legislation to accomplish the FTC's privacy goals (though there are dozens of bills pending in the 107th Congress addressing consumer privacy which their advocates vowed to continue to push). Instead, the clear message of his address was that the FTC would use existing laws, regulations and standards to achieve the FTC's privacy agenda.
The chairman made a point of stating that the FTC's role would no longer be limited to online concerns as has been the case since the FTC began studying online privacy in 1995. Instead, due to the convergence of online and offline information systems, the FTC would expand its activities to consumer privacy issues, wherever they may arise.

FTC Privacy Agenda

The FTC Chairman issued a 12-point "Privacy Agenda." Key points that likely are of most interest to the business community include:

1. Enforcement of Privacy Promises. FTC will step up its enforcement under Section 5 of the FTC Act, which will include inappropriate information transfers under the guise of bankruptcy or reorganizations; it will also enforce compliance with the US-EU Safe Harbor Privacy Program.

2. Encouragement of Consumer Complaints. Part and parcel of its enforcement through the FTC Act, the FTC will make the complaint process more consumer-friendly.

3. Enforcing the Gramm-Leach-Bliley Act. The FTC will "undertake enforcement efforts to ensure that financial institutions comply with the law and will implement an outreach program to increase consumer awareness of the [privacy] notices." The FTC also will increase its enforcement against pretexting, by seeking injunctions against information brokers. (Pretexting involves fraudulently obtaining personal financial information by individuals calling financial institutions under the "pretext" of being a customer.)

4. Enforcing the Fair Credit Reporting Act. The FTC will "step up its efforts" to ensure that consumers are advised of reasons for the denial of credit and that information in their credit files is accurate.

5. Amendment of Telemarketing Sales Rule. The FTC will amend the Telemarketing Sales Rule to allow consumers to make a single call to remove their names from telemarketing lists by creating a national "do-not-call list."
Rule revisions also will include limitations on the misuse of names and credit card numbers already in possession of telemarketing companies.

Other items on the FTC's new Privacy Agenda include:

* Increased efforts to eliminate fraudulent and deceptive SPAM.
* Stronger enforcement of the Children's Online Privacy Protection Act (COPPA).
* Assistance to victims of identity fraud, and stepped up prosecution of perpetrators.
* Conduct of workshops to evaluate compliance with privacy laws and self-regulation standards, and evaluation of improved means for assuring information security.

To achieve the FTC's new agenda, Chairman Muris announced an increase of 50% in its privacy enforcement staff, from 37 to 52.

No Need for More Legislation - At Least for Now

Despite promises of stepped-up enforcement of privacy standards, Chairman Muris announced that he thought it was still too early to assess the effectiveness of existing legislation and industry self-regulation on privacy concerns. He rejected, at least for now, new legislation, saying that "[a]t this time, we need more law enforcement, not more laws."

Nevertheless, Muris clearly has not been impressed with certain industry's compliance with existing law. Regarding the Gramm-Leach-Bliley Act, he said: "Acres of trees died to produce a blizzard of barely comprehensible privacy notices. . . We can do better." To address this and other compliance issues, the FTC will hold a compliance workshop in Washington, D.C., in December, where the FTC will review compliance experience before new legislation is proposed.

Further Developments

We will continue to monitor the privacy agenda announced by the FTC. Please let us know if you would like to be advised of further developments in this area.

* * * * *

McCutchen lawyers represent a wide range of clients in the privacy and information security area.
For more information on the important issues in this McCutchen Alert, please contact Michael Arruda (marruda@mdbe.com; 415-393-2588).

We have taken the liberty of adding you to our privacy mailing list because we thought you might be interested in receiving our periodic updates in this area. If you wish to be removed from our privacy mailing list, please send an email to privacy@mdbe.com asking us to do so and we will respect your request immediately.

E-MAIL NOTICE

This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information. Any review, use, disclosure or distribution by persons or entities other than the intended recipient(s) is prohibited. If you are not the intended recipient, please contact the sender by reply and destroy all copies of the original message. Thank you.

To reply to our E-mail Administrator directly, send an email to Postmaster@mdbe.com or call (415) 393-2000 and delete this email.

McCUTCHEN, DOYLE, BROWN & ENERSEN, LLP
http://www.mccutchen.com

- C.DTF