The Secure Times

The number of Google searches on Google must have dramatically increased in the past few weeks as a result of Google’s announcement that its Street View cars had collected “payload data.”  Google’s aptly-named Street View cars take photographs to create a street map with eye-level photographs.  While driving the streets of numerous countries, the cars were collecting information about the name and location of wireless networks to improve applications that provide location information, such as GPS functionality on smartphones. 

This new information revealed that Google had collected, not just the name and location of wireless networks, but also information sent over unsecured wireless networks, which is called payload data.  Google has said that the collection of payload data was unintentional and the result of software code mistakenly included in the Street View cars program.  Google also noted that, because the cars are on the move and the software that the cars use rapidly changes channels, the chance that Google captured data containing anything fragments of data is unlikely. 

Continue reading "Fallout for Google from the Street View Data Collection" »

The Supreme Court recently addressed the challenges created by workplace privacy for public employees in the electronic era.  The Court’s decision in City of Ontario v. Quon sidestepped the critical question of whether a government employee has a reasonable expectation of privacy in text messages transmitted on an employer-issued pager, leaving the proper test for a Fourth Amendment violation in this context unsettled.  But every member of the Court easily agreed that even assuming that a public employee has a reasonable expectation of privacy in such text messages, the City’s search in this instance did not violate the Fourth Amendment.

Continue reading "Supreme Court Addresses Privacy of Personal Text Messages on Pager Supplied by Employer" »

Continue reading "Amendments to Alberta’s Information Protection Law Take Effect" »

With Elena Kagan’s confirmation hearings scheduled to begin in late June, her recent response as Solicitor General to a Third Circuit decision could provide some insight into her position on privacy matters.  Two weeks before President Obama announced her nomination to the Supreme Court, Solicitor General Kagan filed a petition for certiorari with asking the Supreme Court to overturn a Third Circuit decision that gave a corporation “personal privacy” rights under the Freedom Of Information Act.  See Petition For a Writ of Certiorari, No. 09-1279 (U.S. April 22, 2010), AT&T Inc. v. Fed. Commc’ns Comm’n, 582 F.3d. 490 (3^rd Cir. 2009).

Continue reading "Elena Kagan On Corporate "Personal Privacy" Under the Freedom of Information Act" »

The FTC announced today that it is delaying enforcement of its FACTA Red Flags Rule yet again, this time through December 31, 2010. This is the fifth time the FTC has delayed enforcement of its beleaguered red flag rule, which it originally had planned to enforce beginning November 1, 2008. This latest delay, just like the previous one, comes at the request of members of Congress who plan to amend the FACTA red flag provisions to narrow the scope of the entities that are covered. On May 25, 2010, members of Congress introduced S. 3416, which would exclude health care, accounting and law practices with fewer than 20 employees as well as certain other small businesses. 

Continue reading "FTC Red Flags Rule Enforcement Delayed Again (and New Legal Challenge)" »

On May 4, Representatives Rick Boucher (D-Va.) and Cliff Stearns (R-Fl.) of the House Subcommittee on Communications, Technology, and the Internet published a discussion draft of long-anticipated privacy legislation that would restrict companies’ online collection and use of personal information and online activity, including use for the purpose of targeted online advertising.  Here are some observations about the draft bill, in its current form:

• The bill would require any company that collects “covered information” from or about individuals to obtain opt-in consent to a statutorily mandated privacy policy containing at least fifteen enumerated disclosures.  Consent would be deemed adequate if the user expressly opted in to the information collection after being presented with the required disclosures, or in most circumstances if the user “does not decline consent at the time such statement is presented."  This would seem to imply that web sites would need to ensure that privacy policies appear on users’ screens at some point, to either expressly opt in or to fail to “decline consent” when the statement is presented to the user.  At the same time, however, the bill permits privacy policies to be “accessible through a direct link from the Internet homepage of the web site.”  It is unclear, then, whether the bill would consider the existence of such a link to be sufficient to infer that a user “does not decline consent” when merely accessing a web site, which would otherwise obviate the need to obtain opt-in consent.
  
  
• In a few specific circumstances, the bill would permit the use of web site user information for the purposes of marketing, advertising, or selling only with express opt-in consent.  This includes (1) when the web site wishes to disclose the information to unaffiliated third parties, such as advertisement networks, unless certain requirements are met (see the next bullet); (2) when the web site collects or discloses any “sensitive information,” which is defined as medical records or history, race, ethnicity, religious beliefs, sexual orientation, financial records or other information associated with a financial account, or geolocation information; or (3) when the web site collects or discloses “all or substantially all of an individual’s online activity.”
  
  
• Nevertheless, the bill would provide an exception permitting a web site to share user information with unaffiliated third parties for the purposes of marketing, advertising, or selling without express opt-in consent if it:  (1) provides users with a “readily accessible” opt-out mechanism; (2) deletes or renders anonymous any “covered information” within 18 months after it is first collected; (3) allows users to review and modify, or completely opt out of having, any profiles maintained about their preferences by web sites or their advertisement network partners for marketing purposes (these so-called “preference profiles” must be accessible through a hyperlinked “symbol or seal” on the web site and on or near any advertisement served based on the profile); and (4) prohibits advertisement networks from further disclosing any such information they receive.  This would seem to almost directly endorse the use of the online behavioral privacy icon put forth by groups supporting industry self-regulation of behavioral advertising.
  
  
• The term “covered information” would include a number of individual data elements – such as name, e-mail address, and Social Security number – that might otherwise be considered personally identifiable information under other statutory or regulatory regimes (at least in combination with other data elements).  In addition to the novel development of regulating the collection of these data elements individually, the bill includes in its definition of covered information:
  
  "Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user."
  
  Adopting this definition would be significant because no American privacy law has ever considered an anonymous identifier or IP address to be legally protected information (though IP addresses are considered to be personally identifiable in the EU and FTC Chairman Jon Leibowitz commented just a couple weeks ago that he believes that IP addresses should be considered personal information).  Additionally, this definition means that the bill would apply to any web site that maintains and uses information about users keyed to a unique identifier, which means that it applies to just about every web site that collects user registration information.
  
  

Continue reading "Reps. Boucher and Stearns Release Long-Awaited Advertising Privacy Bill" »

On Friday, May 7, 2010, the Office for Civil Rights (“OCR”) issued guidance related to the HIPAA Security Rule’s risk analysis requirement.  Under HITECH, OCR is responsible for issuing annual guidance on provisions of the HIPAA Security Rule.  This guidance is the first in a series of documents aimed at helping covered entities and business associates implement effective and appropriate administrative, physical, and technical security safeguards. 

This guidance document is generally consistent with the materials provided by the Centers for Medicare and Medicaid Services (“CMS”) prior to the introduction of HITECH.  For example, like the recently released OCR guidance, CMS historically directed covered entities to refer to the National Institute of Standards and Technology’s Special Publication 800-66 Rev.1, An Introductory Resource Guide for Implementing the HIPAA Security Rule (October 2008) (“NIST 800-66”).  NIST 800-66 frequently directs readers to consult NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002), which is also quoted extensively in the recently released OCR guidance.  Moreover, the OCR guidance is quite similar to the HIPAA Security Series, Paper 6: Basics of Risk Analysis and Risk Management which was most recently revised by CMS in March 2007. 

OCR encourages the public to offer feedback on the risk analysis guidance. Comments can be submitted to OCR at OCRPrivacy@hhs.gov

Mark Paulding of the Privacy and Information Management practice in Hogan Lovells' Washington, D.C. office prepared this entry.

FCC CONSIDERS NEW "CYBER SECURITY" CERTIFICATION PROGRAM

FOR COMMUNICATIONS SERVICE PROVIDERS 

            On April 21, 2010, the Federal Communications Commission ("FCC") issued a Notice of Inquiry  that kicks off  a proceeding seeking comment on a "cyber security" certification program designed to encourage communication service providers (i.e., those entities providing communications services by radio, wire, cable, satellite, or lightguide for a fee to one or more unaffiliated entities) to implement a full range of cyber security best practices.  The FCC is reviewing this potential program, which was recommended under the Commission's National Broadband Plan, in an effort to counter cyber attacks and protect the communications infrastructure in the U.S.  Among other things, the FCC cites a 2008 Data Breach Investigation Report that found that 87% of cyber breaches could have been avoided if reasonable security controls had been in place.

            The proposed voluntary certification program would involve security assessments of service providers' networks, to be conducted by the FCC or private sector auditors.  The audit would entail a review of whether the networks comply with "stringent cyber security practices" to be developed by a public-private partnership.   Those providers who successfully complete the audit would receive a special certification and then be able to market their networks as complying with these FCC network security requirements.

            The inquiry is being led by the FCC's Public Safety and Homeland Security Bureau.  The FCC's Notice of Inquiry seeks comment on a variety of topics, including:

·        the costs/benefits of the program

·        whether the program will really lead to an increase in security and improved cyber security practices

·        whether the certification program should be open to all communication providers, or only certain types

·        the composition and operating procedures of a certification authority

·        whether the security criteria should be definitive or established on a case-by-case basis.

·        assessment standards

·        form and duration of the security certification, and the renewal process

·        FCC enforcement process, if any, for the program

·        education process regarding cyber security  for consumers, businesses, and government agencies 

The big question being debated at this morning’s session on financial reform legislation and the proposed Consumer Financial Protection Agency/Bureau: how will the legislation impact the FTC’s authority, both in terms of rulemaking and imposition of civil penalties?

In December 2009, the House passed the “Wall Street Reform and Consumer Protection Act of 2009” (HR 4173). An important provision in the bill would strip the FTC of its powers to regulate consumer financial protection -- while also expanding the agency’s powers in two key ways. First, by giving the FTC “APA” rulemaking authority for areas that fall within the FTC’s jurisdiction and second, by giving the agency greater latitude to assess civil penalties for unfair and deceptive practices.

These amendments will surely impact FTC enforcement of online advertising, marketing, privacy, and data security. For instance, violations under the FTC’s expanded authority could trigger civil penalties even in the absence of an FTC order. Civil penalties would be assessed in antitrust cases brought by the FTC that include a consumer protection claim.

In addition, the HR 4173 language that expands the FTC’s authority would impose liability on companies that “substantially assist” in an unlawful act, even if the company does not have direct knowledge or responsibility for the violation. This provision will probably raise some serious concerns for companies currently enjoying a safe harbor under the Communications Decency Act.

Today, FTC rulemaking jurisdiction comes in two flavors – “APA” rulemaking under certain laws as prescribed by Congress e.g. the Children’s Online Privacy Protection Act, as well as general rulemaking authority under the 1975 Magnusson-Moss Act. Under the latter, the FTC can only regulate “prevalent” unfair and deceptive acts, and must justify that regulation with “substantial evidence.” The key difference between these two types of rulemaking occurs during judicial review; a court can overturn an FTC regulation under Magnusson-Moss if the rule lacks a substantial evidentiary record to support it. In contrast, FTC regulations enacted under the APA rulemaking scheme, such as those implementing COPPA, can only be overturned if the agency was "arbitrary or capricious" in enacting the rule – a much higher standard. As former FTC Chairman Muris explained in his presentation at the panel, Magnusson-Moss gives the FTC authority to act only when a problem occurs often enough to justify a rule, or when a problem has a common cause in a sufficient number of cases.

Current FTC Chairman Jon Leibowitz, supported by President Obama and the Administration, has strongly advocated for an expansion in the FTC’s authority, stating that it is “critical” for the FTC to carry out its mission of protecting consumers. In particular, Leibowitz has argued that the procedural requirements of Magnusson-Moss – such as the requirement that a practice be prevalent before the agency can act - makes FTC rulemaking more burdensome than at most other federal agencies. Although the relevant amendments expanding the FTC’s power are missing from the Senate version of the legislation, it is widely expected that these differences will be worked out in conference. Financial reform legislation appears to be on a fast track - earlier today, a Senate panel approved the bill, and both Republicans and Democrats have indicated that passage is likely.

The CFPA would be a new independent federal agency – the composition of which would vary depending on whether you are looking at the House Bill (5 members and a Director for two years) or Senate Bill (5 members). Its enactment would strip the FTC and other federal banking agencies of their federal consumer protection powers under a number of laws, including the Electronic Funds Transfer Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, the Home Mortgage Disclosure Act, the Real Estate Settlement Procedures Act, the Secure and Fair Enforcement for Mortgage Licensing Act, the Truth in Lending Act and the Truth in Savings Act. In short, any product or service that results from or is related to engaging in a financial activity and that is to be used by a consumer “primarily for personal, family or household purposes” will come under the new agency’s purview.

At today’s session, we saw differing viewpoints from both Tim Muris, former FTC Chairman, and Julie Brill, incoming FTC Commissioner, on this current push to expand the FTC’s authority under financial reform legislation.

Former Chairman Muris views the FTC’s current role as important, and he sees FTC rulemaking as relevant in certain areas – e.g. the do-not-call rules. He is concerned about the current proposals to expand the FTC’s authority because the agency often lacks industry-specific knowledge and expertise (I see this most recently in the area of privacy, as the FTC is currently gleaning this knowledge through its Exploring Privacy roundtable series). Muris also thinks the agency’s rulemaking authority under Magnusson-Moss is more than sufficient as it imposes an obligation on the agency to be clear about its proposed theories while focusing its evidence on key questions. He cites the agency’s recent business opportunity rulemaking as an example of an instance where the FTC initially proposed a broad rule that would have disproportionately impacted both fraudulent and legitimate business. The FTC eventually narrowed its proposed business opportunity rule after the public comment process.

On civil penalties, Muris thinks these are important only when a company violates an FTC order or rule. He sees blanket civil penalty authority as a mistake that may have unintended consequences – such as a penalty on a firm’s stock price. He’s also concerned that the standard of review laid out in the financial reform legislation will return the FTC’s definition of unfairness to its pre 1994 definition i.e. the Sperry-Hutchinson or "cigarette rule" which defines an unfair practice as one that is injurious to consumers, violate established public policy or is it unethical or unscrupulous. As many know, Congress amended the FTC Act in 1994 to specify that an unfair act or practice is one that causes or is likely to cause substantial injury to consumers that is not reasonably avoidable and is not outweighed by countervailing benefits to consumers or competition.

Providing a counterpoint to Muris’ remarks, FTC Commissioner Julie Brill, speaking “on behalf of herself,” is generally in favor of expanding the FTC’s authority. She sees the FTC as both a law enforcement and regulatory agency. She views civil penalties as just “one of the arrows” in the FTC’s quiver – not to be used in every instance, but as appropriate. As a law enforcer, she does not see the FTC’s request to have civil penalty authority as unusual – since most state AGs already have this type of authority. To view such penalties as “automatic” is particularly misleading to her, since the FTC would only be able to obtain such penalties after judicial review in court. Brill also sees the FTC as a regulatory agency and notes that APA rulemaking is enjoyed by most other federal agencies. In addition, she points out that APA rulemaking under the proposed amendments would also be subject to review by a judge in court. Brill also views civil penalties as helpful in quantifying equitable remedies to compensate consumers for their injury - e.g. disgorgement or restitution for data breach violations.

Taking a broader view of the situation, Brill sees an expansion of the FTC's authority as a way to make the agency's enforcement efforts more effective – which benefits both consumers and competition in the long run. She also feels that consumers want an agency that has the right enforcement tools – not an “emasculated” FTC - and finds it surprising that the issue is even being debated, given the events of the financial meltdown and the current economic recession.

On the subject of FTC regulation, Brill is strongly in favor of an update, noting that rulemaking under Magnusson-Moss can often take up to 8 – 10 years. She recalls comments she made on the hearing aid rule as an Assistant AG in Vermont in 1992 – rules that have yet to be issued, nearly 20 years later. Her statements suggest that expanded rulemaking authority might give companies in dynamic industries – such as technology - FTC regulation that actually keeps pace with innovation.

The question of course, is whether such FTC regulation would also stifle innovation preemptively. Companies have started to take note of the recent push to expand the FTC’s power, and it is likely that the topic will continue to be debated fiercely in the coming weeks as financial reform legislation comes to a vote. Some have even expressed concerns that such an expansion of the FTC’s rulemaking authority could impact funding and investment in technology and Internet companies by both Wall Street and Silicon Valley VCs. For more, take a look at this transcript of the Progress & Freedom Foundation’s recent forum entitled “Supersizing the FTC.”

Last week, in what appears to be the first instance in which a  state supreme court has addressed the issue, the Supreme Court of New Jersey unanimously ruled that the attorney-client privilege applies to email communications between an employee and her personal attorney  even when she e-mails her attorney with a personal, password-protected Yahoo e-mail account accessed through a company-provided laptop.  This decision should be read carefully when conducting forensic investigations or reviews into company IT systems.

Continue reading "New Jersey Supreme Court Decides Computer Use Policy is Not Enough to Defeat Protection for Employee-Attorney E-mails Exchanged on Company Computers" »

Continue reading "Industry/Civil Liberties Coalition Calls for ECPA Reform" »

On March 11, 2010, the Eleventh Circuit issued its decision in Rehberg v. Paulk, addressing privacy expectations in email communications.  In a decision that has important implications for emerging cloud computing services, the Court held that the Fourth Amendment protection against unreasonable searches and seizures does not apply to an email once the sender has voluntarily provided it to a third party or once it has been delivered to the recipient. 

Continue reading "The Fourth Amendment in the Cloud" »

On February 25, 2010, the FTC announced two separate settlements.  One is a Stipulated Final Judgment and Order to settle a complaint, without trial, filed in the U.S. District Court, Northern District of Georgia.  This settlement is with ControlScan, a company that provides privacy and data security certification to online retailers and other Web sites.  Based on the same facts, Richard Stanton, the founder and former chief executive officer of ControlScan also agreed to settle charges pursued by the FTC at the Federal Trade Commission.  The FTC charged that ControlScan misled consumers about how often ControlScan monitored the sites and the steps it took to verify the privacy and security practices of the sites that had ControlScan certificates. The settlements bars future misrepresentations. Mr. Stanton's settlement requires him to give up $102,000 in "ill-gotten gains". The Stipulated Final Judgment and Order specifies that the complaint which it settles states a claim upon which relief may be granted against ControlScan under Sections 5(a)(1) and 13(b) of the FTC Act.  A judgment against ControlScan of $750,000 is suspended, based on ControlScan’s inability to pay, but if the court finds that ControlScan misrepresented its financial condition, the entire amount will be payable immediately, less any amounts paid by Stanton.

More information can be found at http://www.ftc.gov/opa/2010/02/controlscan.shtm.

Yesterday, February 25, 2010, the Federal Trade Commission filed notice of appeal to the DC Circuit Court of Appeals to attempt to reverse Judge Walton’s ruling late last year that the FTC cannot require practicing lawyers to comply with the Red Flags Rule.  In August 2009, the American Bar Association challenged the applicability of the Red Flags Rule to lawyers, arguing that it would impose a serious burden on law firms.  At that time, the ABA sought an injunction and declaratory judgment finding that lawyers were not covered. The FTC replied that lawyers should be covered because billing practices, such as charging clients on a monthly basis rather than upfront, made them “creditors” under the plain language of the Red Flags Rule. Judge Walton ruled from the bench in late October and issued his Order and Memorandum Opinion in December.  

Continue reading "FTC Appeals Judge Walton's Decision on Red Flags Rule" »

On February 24, 2010, the Federal Trade Commission (“FTC”) released the “Consumer Sentinel Network Data Book” (“Report”).  This Report includes a listing of the top consumer complaints reported in 2009 to the FTC. 

The top ten complaints for 2009 are:

The Federal Trade Commission (“FTC”) is preparing for the third and final roundtable discussion on privacy.  The first roundtable was held in December 2009 in Washington, DC, to explore privacy implications of developing technology and business practices that collect and use of consumer data.  This event was followed by a second roundtable in Berkley, CA in January 2010.  The discussion in Berkley focused on benefits and risks created by technology and the privacy implications of social networking, cloud computing, and mobile marketing. 

The third roundtable will be held on March 17, 2010 in Washington, DC.  At this event, panelists will discuss the collection and use of “sensitive” information.  In preparation for this roundtable, the FTC has requested comments on the following issues:

• How can we best achieve accountability for best practices or standards for commercial handling of consumer data?  Can consumer access to and correction of their data be made cost effective?  Are there specific accountability or enforcement regimes that are particularly effective? 
• What potential benefits and concerns are raised by emerging business models built around the collection and use of consumer health information?  What, if any, legal protections do consumers expect apply to their personal health information when they conduct online searches, respond to surveys or quizzes, seek medical advice online, participate in chat groups or health networks, or otherwise?
• Should “sensitive” information be treated or handled differently than other consumer information?  How do we determine what information is “sensitive”?  What standards should apply to the collection and uses of such information?  Should information about children and teenagers be subject to different standards and, if so, what should they be? 

For those who cannot join the discussion in person, a live webcast of this conference will be available at the FTC's website. 

On February 24, 2010, the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection and Subcommittee on Communications, Technology, and the Internet will hold a joint hearing on the collection and use of location information for commercial purposes.  This joint hearing is the third on privacy held by these two subcommittees this Congress.  A joint hearing was held in June 2009 to learn about online behavioral advertising practices and to consider whether federal privacy legislation is necessary to address concerns associated with these practices.  A second hearing was held in November 2009 on the online and offline collection and commercial use of consumer information.

The scheduled witnesses for Wednesday’s hearing are:

Lorrie Cranor

Associate Professor

Computer Science and Engineering & Public Policy

Carnegie Mellon University

 

Mike Altschul

Senior Vice President and General Counsel

CTIA – The Wireless Association

 

John B. Morris, Jr.

General Counsel

Center for Democracy and Technology

 

Anne Collier

Connect Safely

 

Jerry King

Chief Operating Officer
uLocate Communications, Inc.

 

Tony Bernard
VP/GM
Useful Networks

These hearings are being held in preparation for introducing privacy legislation.  Rep. Boucher (D-VA), the Chairman of the Subcommittee on Communications, Technology, and the Internet, has stated that he intends to introduce a bill to regulate online collection and use of consumer information.  Privacy legislation is expected soon.

An industry group is launching its response to the FTC's challenge for better self-regulation of behavioral advertising.  In a variety of fora, the FTC has made it clear that it wants to see stronger and more clear disclosures regarding targeted on-line advertising.  The challenge of just how to provide useful information to consumers, who may or may not understand the technologies at issue, has proved problematic to say the least.

The Future of Privacy Forum's answer, reported today in the New York Times, is a new "Power I" symbol that will alert consumers that further information is available regarding the source of the content they are seeing.  The hopes is that this will give consumers the power to understand and shape how their information is used online. 

The open question is whether the Power I will be enough for an FTC that seems uncomfortable with notice and consent (a/k/a contractual) solutions, and seems inclined to regulate in this area of rapidly evolving technologies.  And of course it also remains to be seen whether consumers will view this "Power I" as empowering information, or as a "Power Eye" invading their privacy. 

The full story is over at The New York Times, in the article by Stephanie Clifford, "A Little ‘i’ to Teach About Online Privacy."   

Maine's Democratic state Senator Elizabeth Schneider is expected to introduce a revised bill aimed at protecting the online privacy of minors by the end of the month, Maine Public Broadcasting's A.J. Higgins reports.

The federal Children's Online Privacy Protection Act (COPPA) already protects the privacy of children under 13, but Schneider has expressed concern that COPPA does not do enough to protect all minors from marketing, particularly prescription-drug and health care product marketing on the web.

The new bill in the works will replace controversial legislation previously introduced by Schneider, signed into law and scheduled to enter into force in September 2009. The first bill, which proposed severe restrictions on marketing to anyone under the age of 18, was subject to a barrage of criticism and several legal challenges. Maine attorney general Janet Mills even declared that she would not enforce the law due to constitutional free speech concerns. (My colleague, Deborah Birnbach, and I covered those developments in a November article in Goodwin Procter's Privacy & Data Security Advisory newsletter.)

As a result, Schneider has agreed to draft a more narrowly focused measure, with the specific goal of addressing medical information. It will be interesting to see how the new bill balances the protection of privacy with the free-speech concerns brought up by Mills and other critics. A public hearing on the new bill could be scheduled as early as next month, when the state legislature reconvenes.

• Cecelia Prewett as the Director of the Office of Public Affairs.  Ms. Prewett has a background in communications both in the public and private sector, working for the American Association for Justice, AARP, the State of Illinois, and on Capitol Hill as a communications director to several Members of Congress
• Jessica Rich as Deputy Director in the Bureau of Consumer Protection ("BCP").  Ms. Rich was most recently the Acting Associate Director of the Division of Privacy and Identity Protection in the BCP.  She was formerly an Assistant Director in the same division and the Division of Financial Practices, legal advisor to the Director of the BCP, and staff attorney in one of the FTC's consumer fraud divisions.
• Charles Harwood as Deputy Director in the Bureau of Consumer Protection.  Mr. Harwood previously was the Director of the FTC's Northwest Regional Office in Seattle for 20 years.  Prior to joining the FTC, Mr. Harwood served as a counsel to the U.S. Senate's Committee on Commerce, Science, and Transportation, and the U.S. Department of the Interior's Indian Arts and Crafts Board.
• Norm Armstrong, Jr. as Deputy Director in the Bureau of Competition.  Mr. Armstrong has served as Acting Deputy Direct in the Bureau of Competition, Deputy Assistant Director of the Mergers IV Division, Counsel to the Director, and Liaison to the Department of Defense.
• Joel Winston as Associate Director of the Division of Financial Practices.  Mr. Winston has previously held several positions within the FTC including Associate Director of two divisions, Assistant Director of a division, and Assistant Deputy Director of the BCP.
• Maneesha Mithal as Associate Director of the Division of Privacy and Identity Protection.  Ms. Mithal has previously served as Assistant Director of the same division and Assistant Deputy Director of the BCP.
• Mark Eichorn as Assistant Director of the Division of Privacy and Identity Protection.  Mr. Eichorn has served as an Attorney Advisor to the Chairman and in the Division of Advertising Practices.

• Subcommittee members and witnesses discussed many facets of personal information use for marketing purposes, such as how consumer data is collected, the types of data that businesses collect, consumers' ability to access his or her personal information held by marketers, and consumer education concerning privacy matters.
• Participants discussed elements that could be addressed in future legislation included increasing transparency and choice, consumer education, and providing consumers with a clear statement of their rights--such as the ability to "opt in" and/or "opt out" of having personal data collected.  Witnesses, such as Chris Hoofnagle with the University of California, Berkley - School of Law, encouraged consumer education measures, noting that most consumers are unaware of their obligation to object to data collection practices with which they do not agree, and that many consumers assume that personal information collected by companies is secure--which may not always be the case. 
• Many of the witnesses advocated privacy protection through a self-regulatory scheme, but Subcommittee members countered that self-regulation is ineffective at stopping "bad actors" and comprehensive legislation is necessary to protect consumers from unscrupulous businesses.
• Finally, almost all of the witnesses stressed that legislation should be tailored to meet the needs of different types of businesses and industries, as well as creating different standards to regulate the offline versus online collection and use of personal information. 

• Board of Governors of the Federal Reserve System;
• Commodity Futures Trading Commission;
• Federal Deposit Insurance Corporation;
• Federal Trade Commission;
• National Credit Union Administration;
• Office of the Comptroller of the Currency;
• Office of Thrift Supervision; and
• Securities and Exchange Commission

• Benefits and risks of collecting, using, and retaining consumer data;
• Consumer expectations and disclosures;
• Online behavioral advertising;
• Information brokers; and
• Exploring existing regulatory frameworks