October 2002 -- Volume 6 -- Number 9 -- newsletter@truste.org
 

 
SEPTEMBER TOP 5 PRIVACY STORIES
 

1. U.S. Tech Protests EU Privacy Laws (ZD Net - September 30, 2002)
2. The Slow and Steady Path to Online Security (The Washington Post - September 26, 2002)
3. Spam Glut Spawns a New Industry (ZD Net - September 26, 2002)
4. America and Cybersecurity (The Washington Post - September 19, 2002)
5. U.S. Privacy Officer: Listen Up (CNET - September 5, 2002)

From the Desk of the Executive Director:
Marketers and Privacy Officers: It's time to get together.

Letters to the Editor:
Monthly letters from our readers.

Privacy Best Practices:
Ever wonder what "a day in the life" of a privacy product manager is like? We asked Microsoft's Diane McDade to keep a running journal.

Industry Insider:
Attending the IAPO Privacy and Security Academy in Chicago? Read what's in store during this year's academy.

The Politics of Privacy:
California Gov. Gray Davis took action on privacy legislation this month. Emily Hackett gives us the Internet Alliance's analysis of what this means for consumers and companies.

TRUSTe Member TIPS:
Monthly tips for TRUSTe members on how to manage privacy.

Bits & Pieces:
Current TRUSTe happenings and how to take advantage of them.

Stay Current:
Upcoming privacy and security related events.

 


Where are the Marketers?
By Fran Maier

Late last month I attended the Privacy 2002 Conference in Cleveland. Esther Dyson, who delivered the keynote speech, asked the audience "How many of you are marketers?" Guess what? Very few hands were raised.

Marketers must be involved in the privacy discussion - they are both most bound by privacy protections and, at the same time, in the best position to communicate their organizations' commitment to privacy.

It's time to convince marketers to support privacy. As we develop policy, we need to convince marketers that choice, notice, seal programs and the like are important to their consumers and their brand strength. Marketers aren't stupid, nor are they the enemy. We need to listen to their objectives -- and objections -- and find the many ways that privacy policies support rather than hinder marketing. If we successfully convince the marketers, they will more likely support the required investments and changes because they will see it as consistent with their business objectives of delivering and communicating brand value.

We can also convince marketers to communicate privacy. Survey after survey shows that consumers really care about privacy. Increasingly, we are seeing evidence of a strong return on investment on privacy efforts. Companies will benefit by communicating their commitment to privacy. This doesn't belong only on a small link at the bottom of the home page. It rightfully belongs alongside any expression of brand value.

Who's Doing it Well? Companies like Earthlink that weave privacy messages into their marketing campaigns. This is an important part of their brand equity. They are not only communicating privacy but offering important and differentiating benefits to their consumers.

Who's Not Doing it Well? The financial industry. The failed implementation of GLB is proof positive that marketing execs should be at the core of the privacy conversation. GLB was a missed marketing opportunity by financial institutions. After millions of dollars spent, they won over zero consumer confidence.

So Privacy Officers and Marketers, get together:

1. Develop and abide by good policy. Listen to each other and learn.

2. Work together to communicate your organization's privacy commitment. Let the marketer write the privacy statement! Make privacy part of your brand values.

3. Send marketers to privacy conferences and privacy officers to marketing conferences. Read each other's newsletters and magazines.

 
 


Dear TRUSTe Newsletter:

Thank you for publishing Peter Mackay's excellent piece on "navigating the privacy maze" (TRUSTe Advocate, September 2000).

Mr. Mackay makes a point that bears repeating: Establish the role of the Chief Privacy Officer. This is a critical position, and one that is oft overlooked by well-meaning companies. What a grave error!

Primarily, the CPO is responsible for overseeing how a company uses personal information. Additional assignments often include:

  • developing policies for the privacy and security of personal data;
  • developing training strategies;
  • interfacing with legal and IT teams.

Creating and maintaining such a role not only facilitates compliance with emerging law, it also makes good business sense. A proactive approach to data protection can help companies mitigate the rapidly increasing costs of identity theft and fraud, end-user identity management, dropped electronic shopping carts and, in extreme cases, class action lawsuits.

Thanks to Mr. Mackay for pointing this out, and to TRUSTe for delivering the message.

John Dallas
Senior Associate, Privastaff


Do you have an opinion on anything you've read in the TRUSTe Newsletter? Send comments to us at newsletter@truste.org.

 
 


A Day in the Life of a Privacy Product Manager: Privacy at MSN
By Diane McDade, Microsoft Corp.

While the privacy debate evolves, privacy managers are turning the Fair Information Principles into actions within their companies every day. At MSN, this is a complex, fast-paced job because of multiple product development cycles, emerging privacy issues, new technologies, ongoing policy development, and compliance challenges - but the always-new nature of the work is what makes it so rewarding.

Through our Trustworthy Computing initiative, Microsoft is working to foster a safer, more private and reliable computing experience. As Privacy Product Manager for MSN, my role is to help MSN become the most trustworthy Internet service worldwide by incorporating privacy best practices into products, policies, and compliance efforts every day.

Early morning meeting: new product review
Early review of new products/services is always time well-spent, paying off with more privacy-centric features and fewer lapses, lessening the chance for costly, time-consuming changes or feature cuts down the road.

Midmorning meeting: policy development roundtable
Online privacy statements are never finished. While that may mean greater job security for privacy managers, the fluid regulatory environment and rapid pace of technology mean that privacy officers need to be flexible and keep the lines of communication open to ensure policies are up-to-date.

Lunchtime meeting: privacy statement review with TRUSTe
Staying in constant contact with leading privacy groups like TRUSTe helps us to continuously improve our thinking and results in better policies and products.

Afternoon meeting: compliance audit results
The challenge with compliance is to identify potential conflicts before they happen and put effective prevention measures in place. At Microsoft, we utilize various techniques to assure compliance including employee training, discussion groups, audits, and a new measurement index to help teams improve upon their current practices.

End of day: catch up on email!
While the rules of the game keep changing, privacy managers are helping define the next era of "trustworthy computing." There is no better job than this!

 
 


IAPO Privacy & Data Security Academy, October 16-18, 2002
By Agnes Bundy Scanlan
President, IAPO
Chief Compliance Officer and Managing Director of Privacy, FleetBoston Financial

As privacy professionals, it is our responsibility to create and execute privacy programs that maintain industry standards and fulfill all government requirements. The challenges we face are monumental. Our roles and responsibilities have grown dramatically as the government and private sector recognize and increasingly require a need for privacy protection.

The Academy will address the daily operational challenges we face. Sessions at the Academy will address privacy law, corporate privacy infrastructure, enforcement, the role of the privacy officer and security issues. Federal and state regulations, HIPAA requirements, and international implications will be covered along with analysis of recent privacy settlements, actions and lawsuits.

If you have not already registered for this conference, I urge you to do so. The Academy is a great opportunity to learn from industry experts and network with colleagues. On behalf of IAPO, I invite you to prepare yourself, your company & your clients for the future of privacy. To register, please contact the IAPO National Office at 800-266-6501 or go to www.PrivacyAssociation.org.

 
 


California Enacts Privacy Legislation
By Emily Hackett, Executive Director, Internet Alliance, and
Kaye Caldwell, California Policy Director, Internet Alliance

The following is an analysis of legislative movement in the State of California.

Security Breach Notification Law
On September 25th, California's Governor Davis signed legislation requiring data subjects to be notified of breaches of security affecting their personal information. The Act applies both to state agencies and to any person or business that conducts business in California, with respect to computerized personal data about California residents.

Data Covered:
The Act applies to computerized data consisting of an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  1. Social security number.
  2. Driver's license number or California Identification Card number.
  3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

The Act does NOT apply to publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Requirements:

Upon a security breach or notification of breach (as required of any entity maintaining the data for the data owner), the business must disclose the breach to residents of California whose information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made expediently and without unreasonable delay, consistent with the legitimate needs of law enforcement or with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Delay Allowed for Law Enforcement Purposes:
The notification can be delayed until a law enforcement agency determines that it will not compromise a resulting investigation. Notification may be further delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

Specific Notice Requirements:
The Act spells out exactly how notice is to be accomplished. Notice must be either written or electronic, but may be electronic only if provided consistent with the provisions of the federal E-SIGN Act. "Substitute notice" may be provided if the cost of providing notice exceeds $250,000, if more than 500,000 persons must be notified, or if sufficient contact information is not held by the business required to notify. "Substitute notice" must include ALL of:

  1. E-mail notice when the person or business has an e-mail address for the subject persons.
  2. Conspicuous posting of the notice on the Web site page of the person or business, if the person or business maintains one.
  3. Notification to major statewide media.

Exception to Specific Notice Requirements:
If a person or business maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, then that person or business is deemed to be in compliance with the notification requirements if the person or business notifies subject persons in accordance with those policies.

Service Provider Obligations:
Any person or business that maintains computerized data that includes personal information that the person or business does not own is required to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Effective Date:
The Act becomes effective on July 1, 2003. The Act preempts any local regulation of matters that are covered by the Act.

Unanswered Questions:
While the security breach notification legislation was significantly improved during the course of its progress through the legislature, some questions remain. Among those are whether there is enough flexibility for companies that are victims of a breach to determine whether the breach is actually one that the data subjects should be concerned about, and also what criteria a company should use to determine which of its data subjects are residents of California. Although the law contains an exception to the requirement to provide notice of breach for "good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency, provided that the personal information is not used or subject to further unauthorized disclosure," that exception may not be flexible enough to allow a company to refrain from providing notice even if they know that the breach will not result in the misuse of the data. Thus many false alarms could result.

Of even more concern is how a company is to determine which of its data subjects must be notified. The law requires "residents of California" to be notified. Consider, for example, a large online retailer. The retailer is likely to have a large database of current and previous customers. Given the large number of people in the U.S. who move every year (17% by U.S. Postal Service statistics), many of those data subjects may be California residents at the time of the breach, even though the company records may indicate otherwise. After all, who notifies every business they have ever bought from in the event of an address change? This raises the question of what the obligation of the company is with respect to those data subjects. Is the company obligated to track former customers to ensure that it always has current addresses in the event of a security breach? It should be noted that there is no provision in the bill for delaying the notice in order to obtain current addresses. The author of the legislation was asked to remedy this flaw by specifying that residence is determined by the address in the company's records; however, that request was declined.

The full text of the bill is available at: http://www.leginfo.ca.gov/pub/bill/sen/sb_1351-1400/sb_1386_bill_20020830_enrolled.pdf


Failed or Vetoed Bills
There were two other significant privacy bills that will not be going into effect: Senator Speier's controversial financial privacy bill and Assemblymember Simitian's bill regulating the posting of Internet privacy policies. Both bills will likely be back next year in some form. Local governments, reportedly encouraged by Senator Speier, have been enacting financial privacy ordinances, which are being challenged in the courts by affected banks. Assemblymember Simitian's bill would have required the posting of a privacy policy with specified contents by every commercial website that collects information (including IP addresses) about individuals located in California.

The full text of the vetoed Simitian bill is available at: http://www.leginfo.ca.gov/pub/bill/asm/ab_2251-2300/ab_2297_bill_20020830_enrolled.pdf

 
 


TRUSTe Member TIPs
By TRUSTe Staff

Changes to your business practices can often impact your privacy policy. TRUSTe is here to help.

If your company is considering a change to its business practices that may impact the privacy policy, you should contact your TRUSTe Account Manager. TRUSTe's staff has years of experience in working with companies through changes, as well as a comprehensive understanding of the concerns raised by the Federal Trade Commission or State Attorneys General.

We encourage all of our members to contact us early in the process so the valuable perspective we provide can be used in the business decision-making process.

 
 


TRUSTe Announces 2003 Price Schedule - Members Encouraged to Renew Certification and Receive Rate Protection for up to Two Years.

Effective January 1, 2003, TRUSTe will be raising its license fees. TRUSTe is currently accepting renewals under the normal price schedule. Members can also take advantage of a new 2 year certification package and rate protect themselves through 2004. Complete renewal applications must be received by December 31, 2002.

For renewing members, please contact George Mamashiani by phone at 415-618-3403 or by email at gmamashiani@truste.org. For new members, please contact Michelle Lucas by phone at 415-618-3402 or by email at mlucas@truste.org.

 


International Association of Privacy Officers Privacy
& Data Security Academy & Expo

Date: October 16 - 18, 2002

Location: Marriott Downtown, Chicago, IL

Overview: See article above

TRUSTe Members receive a special rate. For more information on the Academy, visit www.privacyassociation.org or call 800-266-6501!


TRUSTe and Watchfire to Host Online Seminar on Privacy - Oct. 24

Date: October 24, 2002

Time: 2pm - 3pm EDT

Location: Online.

Overview:
Today's consumers are more privacy aware than ever. Is your company's Web site protected against issues that may arise through unauthorized sharing of personal information with third parties, and through collection of personal information via web page forms, cookies, and web beacons?

Current privacy legislation including HIPAA, COPPA, Safe Harbor, and the Gramm-Leach-Bliley Act may also affect a company's business. The size and complexity of enterprise websites makes both checking for these privacy issues a challenge and the task of managing on-going privacy compliance a burden.

TRUSTe, widely known for its leading privacy certification and seal program, and Watchfire Corporation, a provider of Website Management software and services, have partnered to increase consumer trust in ecommerce by strengthening TRUSTe's certification and compliance efforts.

Attend this free online seminar to learn:

  • Why website privacy matters
  • How privacy glitches impact your bottom line
  • How TRUSTe Seals work and their importance on your site
  • How TRUSTe will use WebXM to augment their seal program
 


Got Feedback?

We would like to hear what you think of the TRUSTe Advocate. Send an email with your comments and suggestions to editor@truste.org.


Privacy Goes International -- TRUSTe is gearing up to launch a Privacy Translation Services program to help companies globalize their privacy strategy. Stay tuned for details next month. To learn more, please contact our business development staff at 415-618-3402.


TRUSTe is currently compiling case studies of privacy in action, highlighting the best practices of our members. If you would like to participate in our case study program, please contact Dave Steer by email at dsteer@truste.org.