Privacy Advisor

Privacy News

October 1, 2006

White House ID Theft Task Force Issues Interim Recommendations

President Bush's Identity Theft Task Force has released its interim recommendations. Composed of 17 federal agencies and departments, the nation's first-ever Identity Theft Task Force was created as a result of the President's May 10 Executive Order.

"The President created the Identity Theft Task Force to oversee the implementation of real and practical solutions at the federal level to defeat this ongoing intrusion into the lives of law-abiding Americans," said Attorney General Alberto Gonzales.

The final plan will be released in November.

The Task Force's Seven Interim Recommendations

   1. Directing the Office of Management and Budget to issue guidance to federal agencies on how to handle data breaches.
   2. Strengthening data security in the government.
   3. Accelerating and broadening the review of where Social Security numbers are used by agencies.
   4. Establishing a new "routine use" by which agencies would be allowed to share information otherwise restricted by the Privacy Act to facilitate responding to a data breach.
   5. Holding workshops for academics and businesses to develop better methods to authenticate identities.
   6. Amending criminal statutes to allow identity theft victims to seek restitution from defendants for time spent undoing damage from the offense.
   7. Developing a universal police report to make it easier to report identity theft and enter it into existing systems.


Nine Founding Partners Join ANSI and BBB to Form Identity Theft Prevention and Identity Management Standards Panel

The American National Standards Institute (ANSI) and the Better Business Bureau (BBB) recently announced a cross-sector team partnership to prevent and respond to identity theft and fraud through a single resource of standards and guidelines. The nine founding, high-profile partners are: AT&T, Citi, ChoicePoint, Dell Inc., Intersections Inc., Microsoft, Staples Inc., TransUnion and Visa U.S.A.

As reported in the group's news release, this "initiative leverages ANSI's unique expertise as coordinator of the U.S. standards and conformity assessment system with BBB's extensive experience in advancing trust in the marketplace." The panel has set an aggressive timetable of 12-18 months to produce a comprehensive, cross-sector set of requirements and best practices to help any organization protect the confidential personal data of employees and customers.

The panel also seeks the involvement of standards development organizations, trade and professional associations, government agencies, consumer groups, organized labor, academia and other interested groups.

More information is available at www.ansi.org/idsp.

Australian, New Zealand Privacy Chiefs Collaborate on Privacy

The Australian and New Zealand Privacy Commissioners have signed an agreement to allow for cooperation between their offices on privacy-related issues, including cross-border complaints and joint investigations. This agreement fosters cooperative agreements as set forth in the APEC Privacy Framework, OECD Guidelines Governing the Protection and Transborder Flows of Personal Data, and the Asia Pacific Privacy Authorities Forum.

"The agreement will cement the already close ties between our Offices and tackling emerging privacy challenges and will enhance the management of cross-border cases," said Karen Curtis, Australian Privacy Commissioner.

Marie Shroff, New Zealand Privacy Commissioner, added, "The agreement will provide our Offices with a broader framework and base of resources, affording Australians and New Zealanders an ongoing high level of privacy protection."


Study Finds Canadian Privacy Laws Are Working

Canada NewsWire cites the new 2006 Nymity Trends in Transparency Report as a testament to corporate Canada's compliance with privacy law requirements to protect personal information.

The report identifies key improvements, including more comprehensive privacy policies that average six pages in length and contain specific privacy practices to aid readability and consumer decision-making. Most organizations have dedicated Canadian privacy policies that address all corporate operations and third-party transfers.

Jennifer Stoddart, Privacy Commissioner of Canada, said, "I hope that this report will help raise awareness among organizations about the importance of having sound privacy policies and practices in place to protect their customers' personal information."


Gregory Garcia Appointed First DHS Cybersecurity Czar

Homeland Security Secretary Michael Chertoff has appointed Gregory Garcia to serve as the agency's first Assistant Secretary for Cybersecurity and Telecommunications.

Garcia joins the Department of Homeland Security from the Information Technology Association of America, where he was Vice President for Information Security Policy and Programs. In that role, Garcia led the public debate on cybersecurity policy and national cyber readiness. He has worked closely with the department over the past few years in his role on the IT Sector Coordinating Council. He also worked with industry to found the National Cyber Security Partnership.

Garcia also helped to draft and enact the Cyber Security Research and Development Act of 2002 during his tenure with the U.S. House of Representatives Committee on Science. He also has worked to strengthen encryption control regulations during his tenure with the Americans for Computer Privacy. Garcia also was involved with international trade and IT policy at the American Electronics Association.

"I am gratified that Greg will join the department as the first Assistant Secretary of Cyber Security and Telecommunications, and I look forward to his many contributions that will advance the important progress that has already been made in this area," Chertoff said in a statement.


Zoe Strickland Joins Wal-Mart as the Company's First CPO

Formerly with the U.S. Postal Service as its first CPO, Zoe Strickland, CIPP/G, recently joined Wal-Mart Headquarters as the retail giant's first Vice President, Chief Privacy Officer. In this new role, Strickland holds domestic and global responsibility for developing a privacy program and integrating all privacy policies and procedures for Wal-Mart and Sam's Club.

Strickland joined the USPS in 2001. She was responsible for privacy program development, and previously practiced privacy and records law. An active participant in the privacy community, Strickland also serves on the Board of Directors of the IAPP.


Bank of America, JP Morgan Chase, Washington Mutual Receive Recognition as Highest-Rated Consumer ID Theft Protectors


Javelin Strategy & Research released the results of its Banking Identity Safety Scorecard in San Francisco at the Identity Theft and Fraud Symposium sponsored by American Banker. Twenty-four of the country's top financial institutions, which collectively hold more than 60 percent of the nationwide banking market, were rated on their ability to prevent, detect and resolve consumer ID theft in partnership with customers.

The highest overall ranking recognition went to Bank of America, closely followed by JP Morgan Chase and Washington Mutual. Marshall & Ilsley Bank received top honors for prevention, representing the most weighted category in the evaluation. A category award for detection also was awarded to JP Morgan, with Washington Mutual receiving the resolution award. An honorable mention award for overall strength across all the categories went to KeyBank, while Citibank was acknowledged for its email policies to avoid phishing.

"This is the third year of our study, and financial institutions have improved significantly in giving consumers the tools they need to detect fraud on their own," said James Van Dyke, President of Javelin Strategy & Research. "Prevention is the next area in which financial institutions should focus their efforts. Overall, the industry must accomplish more in this area. We found that financial institutions focus more on resolving problems after they occur rather than stopping them up front."

With regard to regulatory compliance, the report extends a clear warning.

"With the end-of-the-year deadline looming for FFIEC (Federal Financial Institutions Examination Council) remote authentication compliance, we found that only one institution has fully implemented a solution," Van Dyke said. "Financial institutions, as a whole, have not yet taken the necessary steps to conform to the new guidelines. The next few months will be a critical time period as financial institutions need to focus their attention and research efforts on prevention methods to conform to this federal mandate."


Maxamine, TRUSTe Announce Strategic Alliance

Maxamine and TRUSTe have partnered to provide unprecedented levels of privacy assurance with solutions optimized for today's increasingly sophisticated, dynamic and rapidly growing Web environments. The result of this alliance will effectively automate much of the privacy compliance monitoring of the more than 2,400 TRUSTe-certified Web sites, according to the news release announcing the effort.

The two companies will initially use PrivacyMAX, the privacy compliance suite from Maxamine's high-performance site analytics solution, to automate TRUSTe's Web site privacy compliance audits. This alliance also strengthens the collaboration to benefit customers with solutions that help them with self-governance, self-assessment and standards compliance to improve overall Web site implementation quality.

"Ensuring the integrity of sealholders' privacy practices on an ongoing basis is vital to TRUSTe's mission of building trust between consumers and organizations online," said John Tomaszewski, vice president of Legal, Policy and Compliance for TRUSTe.


Dana Rosenfeld Named Privacy Ombudsman for Tower Records Bankruptcy Case

Dana Rosenfeld, former assistant director of the FTC's Bureau of Consumer Protection and now counsel with Bryan Cave LLP, will serve as the consumer privacy ombudsman for the Tower Records Chapter 11 case.

Rosenfeld, the second person to hold the ombudsman role in bankruptcy court, will be required to provide a report analyzing Tower's privacy policy as it pertains to the transfer of customers' personal information to a third party. Rosenfeld's report also will recommend whether Tower's customer information may or may not be transferred to a new purchaser.