CRITICAL INFORMATION INFRASTRUCTURE PROTECTION: A NEW WORKING GROUP WITHIN
THE INFORMATION SECURITY COMMITTEE
-Emily Frye, Chair
The Critical Information Infrastructure Protection Working Group
(CIIPWG) was formed in May 2000 to serve
as a channel for communication between members of the legal community
and the burgeoning critical-infrastructure movement. The CIIPWG
is a subgroup of the Information Security Committee, which wrote
the Digital Signature Guidelines (1996) and is currently
drafting a guideline for accrediting public key infrastructures.
Information channels are just as much a part of our national infrastructure
as bridges and dams. The United States has a long history of organizing
protection for, and responding to emergencies regarding, these physical
infrastructures. Federal agencies such as the Department of Transportation
and the Federal Emergency Management Agency have shouldered much
of the burden for perpetuating and maintaining these critical infrastructures.
The Information Infrastructure, however, is a different animal.
Tools for building, maintaining, and protecting
physical infrastructures don't work very well in the digital world
- in fact, tools for building, maintaining, and protecting physical
infrastructures often rely upon the Information Infrastructure.
Furthermore, a failure of the Information Infrastructure can result
in much greater harm than the collapse of a single bridge, or even
than the effects of a regional disaster (such as an earthquake).
The Information Infrastructure reaches
into almost every business and home, into national defense systems,
and into international economic stability. Yet protecting the Information
Infrastructure itself has only begun to receive attention.
Since Bill Clinton issued Presidential
Decision Directive 63 in 1998, efforts to form an organized, consistent
approach to critical information infrastructures have been initiated
in both the public and private sectors. The President's Commission
on Critical Infrastructure Protection has become, over time, the
Critical Infrastructure Assurance Office, or CIAO. CIAO works closely
with its private-sector counterpart, the Partnership for Critical
Infrastructure Security (PCIS). Together, CIAO and the PCIS are
building knowledge-sharing and response techniques that can effectively
identify and limit harm to Information Infrastructures before these
structures are significantly damaged. The CIIPWG provides an opportunity
for lawyers - particularly those with a deep knowledge of the interaction
of legal and scientific issues - to consider the issues faced by
CIAO and the PCIS, to provide feedback to these organizations, and
to contribute to future development within the Critical Infrastructure
community.
The CIIPWG issued its first letter communication to CIAO and the
PCIS in October 2000. The CIIPWG intends to continue supporting
national and international initiatives to protect the information
infrastructure as these efforts take shape.
If you are interested in joining the Critical Information
Infrastructure Protection Working Group, contact Emily Frye
(303-545-9000, x.111 or Emily.frye@iwitness.com) or Dwight Olson
(dolson@dsiescrow.com).
Year 2001 May Be the Year for Privacy in Washington
-Charles Mudd
Note: This article does not include the notes that appeared in
the print article.
Although the debate over the privacy of consumer personal information
has been ongoing for some years now, only in the last year has Washington
significantly responded to its constituency. The Federal Trade Commission
(FTC) reversed its long-standing position that commercial web sites
could sufficiently regulate themselves to protect consumer privacy.
Congress created a bipartisan privacy caucus and introduced a slew
of legislation. The Department of Health and Human Services (HHS)
will soon reveal proposed privacy regulations to comply with the
Health Insurance Portability and Accountability Act of 1996 (HIPAA).
These policy shifts and regulatory initiatives will make privacy
one of the most significant issues over the next several years.
More immediately, any entity that collects, stores, or uses personal
information must ensure that its privacy policy and practice complies
with the changes that are undoubtedly forthcoming.
Federal Trade Commission
Since 1995, the FTC has addressed privacy issues through workshops,
reports, and studies. In each instance, the FTC concluded that industry
self-regulation would be sufficient to protect consumer privacy
and ensure compliance with widely accepted principles on fair information
practices. Indeed, the FTC encouraged self-regulation by facilitating
dialogue between industry representatives and privacy advocates.
Despite these efforts, the privacy practices of commercial web sites
gained only slight improvement.
In 1998 and 1999, the FTC reported to Congress that despite certain
obstacles, it believed self-regulation would be adequate and recommended
that Congress refrain from enacting any legislation on the issue.
In May 2000, the FTC released its third report addressing online
privacy. This report marks a significant change in FTC policy. The
FTC now believes that industry self-regulation cannot alone protect
the privacy of consumers online. Consequently, the FTC recommended
that Congress enact federal legislation to ensure consumer privacy
online.
The specific points of the recommended legislation follow the principles
on fair information practices. Specifically, the FTC recommends
a regulatory scheme in which consumers receive notice, choice, access,
and security with respect to their personal information online.
Any commercial web site would be required to develop a privacy policy
addressing all four of these principles. Although a significant
number of web sites contain privacy policies, the policies often
fail to address all four of the principles and, in many instances,
address only one of the principles. Should Congress enact the recommended
legislation, e-companies and entities with commercial web sites
must become extremely familiar with these principles and the manner
in which they can be effectuated.
Notice is probably the most important principle. Through notice,
a web site informs consumers about the details of its privacy and
information practices. Without notice, consumer choice and access
become limited or meaningless altogether. Consequently, any privacy
policy must begin with a "clear and conspicuous notice" of the entity's
information practices. This information would include an identification
of the specific information collected. In addition, consumers would
be informed about the manner in which the entity collects the information.
The policy also would include a disclosure about how the entity
uses the information collected. The entity must also indicate whether
it discloses the information to other entities (through shared resources
or commercial sales). The privacy policy also must articulate the
manner in which the entity provides choice, access, and security
to consumers. Again, this information should be provided in clear
and unambiguous language. Moreover, the policy should be accessible
from major entry points and at the points of collection.
Choice also must be provided to consumers. This principle enables
consumers to decide how the entity may use the information collected.
First, the disclosure of the privacy policy enables the consumer
to determine whether to proceed any further within the entity's
web site. Second, the policy would enable a consumer to determine
how the information is used internally (beyond the initial transaction
by which the information is obtained) and externally (disclosure
to other entities). Many privacy advocacy groups argue that in providing
consumers with this choice, entities should adopt an opt-in approach.
This approach precludes any entity from collecting any information
from the consumer unless explicit permission has been granted to
the entity by the consumer. However, the industry tends to employ
the more dominant opt-out approach. This approach allows the entity
to collect, use, and store consumer information unless and until
the consumer explicitly informs the entity to stop. In either case,
the entity must provide consumers with a relatively simple means
by which to choose the manner in which their information is used.
Access allows a consumer to review any information an entity has
collected about that individual. In doing so, the entity must provide
a means by which the consumer can reasonably correct inaccuracies
and/or delete information.
Finally, an entity must provide consumers with reasonable assurances
that it takes reasonable measures to protect the security of their
information. A violation of this principle may not only expose an
entity to civil penalties pursuant to an enforcement provision of
the legislation, but it also may expose the entity to civil liability
through actions pursued by the consumers hurt by a breach in security.
Recently, a group of individuals formed a working group within the
American Bar Association to address issues surrounding online security
and potential causes of action. The extent to which entities will
face liability for breaches of security has yet to be seen. However,
it is quite clear that reasonable efforts to protect the privacy
of any consumer personal information would be prudent with or without
the FTC's recommended legislation.
Congress
Although certain members of Congress have considered privacy to
be a significant issue and have introduced privacy legislation over
the past several years, the 106th Congress has this year addressed
privacy on several fronts in a somewhat bipartisan fashion.
In February 2000, Senators Richard Shelby (R-AL)
and Richard Bryan (D-NV) and Representatives Ed Markey
(D-MA) and Joe Barton (R-VA) announced the formation of the
Congressional Privacy Caucus. The Caucus subscribes to the principles
of notice, choice, and access. In addition, it adheres to the position
that states may enact broader protection than federal statutes.
Since its formation, the Caucus has held hearings on Internet privacy
and heard testimony from a number of witnesses. However, the impact
of the Caucus remains to be seen.
In addition, a significant number of bills have been introduced
which address a variety of privacy issues. These legislative proposals
include the creation of a Privacy Commissioner, the protection of
genetic privacy, increased penalties for computer crimes, the establishment
of a Privacy Protection Study Commission, the establishment of a
private right of action for privacy violations, and much more. Whether
these initiatives will be referred out of committee remains to be
seen. Nonetheless, Congress has increased the momentum for privacy
legislation. Therefore, some of the more significant bills in Congress
may make their way to the President before the Second Session of
the 106th Congress concludes.
HIPAA and the HHS
Before the end of the year, the HHS will likely reveal its final
proposed regulations addressing the confidentiality and privacy
of consumer health information. In 1996, Congress and the President
enacted HIPAA. This law requires the HHS to promulgate regulations
protecting the privacy of consumer health information if Congress
failed to enact similar legislation prior to August 21, 1999.
Congress failed to enact the legislation. Consequently, the HHS
issued its proposed regulations in October of 1999. In addition
to the proposed regulations, the HHS also recommended that Congress
enact medical privacy legislation that extends beyond the scope
of HIPAA. At present, the 106th Congress has before it several items
of legislation addressing the privacy of health and medical information.
Conclusion
The next year will see a number of regulations promulgated and statutes
enacted that address the privacy of consumer personal information.
It will be imperative for entities that use consumer personal information
to be aware of these policies and their requirements to avoid civil
liability and penalties. For example, the HHS privacy regulations
would permit a penalty of up to $25,000 for each provision violated.
Moreover, as consumers become more aggressive in protecting their
privacy, they will become less tolerant of entities that either
seem disinterested or dismissive. This intolerance will more than
likely manifest itself in the utilization of the courts to obtain
restitution for real or perceived harm. Consequently, attorneys
must remain aware of the developing privacy policies to adequately
represent clients and avoid their own civil liability for malpractice.
Commerce Department "Safe Harbor" Preserves Trans-Atlantic Data Flows
-William B. Baker, Wiley, Rein & Fielding, Washington, D.C. and
Chair, Communications Law Division
[Mr. Baker gratefully acknowledges the assistance of John Reynolds
and Amy Worlton (D.C. bar admission pending) also of Wiley, Rein
& Fielding, Washington, D.C.]
Under the existing European Union ("EU") Directive on Data Protection,
the transfer of personal data from EU countries to the United States
is generally not permitted unless the receiving entity complies
with the local privacy laws of the individual EU countries. This
exposes U.S. companies who obtain such data from Europe to as many
as fifteen different sets of local laws. For two years, trans-Atlantic
data flows have continued while the EU and the U.S. negotiated a
means by which U.S. firms could comply with the generally more stringent
privacy laws in the EU.
These negotiations have been necessary because the EU Directive
instructs EU member states to prevent the transfer of personal data
to third countries where laws safeguarding privacy are not deemed
"adequate." Because the United States has lacked, at least in European
eyes, sufficient privacy protections, there has existed a danger
that data transmissions from Europe to the U.S. relating to either
employees based in Europe or European customers could be shut down.
Such a drastic measure could significantly impair the ability of
trans-national companies to transact business, as well as dampen
demand for international data communications services.
This summer, the U.S. and the EU successfully concluded an agreement
that will allow U.S. firms to receive transmissions of personal
data from the EU. As a result, since November U.S. companies have
had the option of filing a single certification concerning their privacy
policies with the U.S. Department of Commerce under the new "Safe
Harbor" program. This offers participating firms simplified compliance,
administrative convenience, and enforcement by U.S., rather than
EU, authorities.
At the same time, however, both the EU Directive on Data Protection
and the terms of the U.S. Safe Harbor place a substantial onus on
the U.S. firm to comply with the generally more restrictive European
requirements. Under the agreement, a firm that participates in the
"Safe Harbor" must comply with particular substantive obligations
(although compliance with these terms is easier than having to comply
with the specific privacy laws in each of the EU countries). Although
firms could subscribe to the Safe Harbor immediately (and some did),
an enforcement standstill currently in effect between the U.S. and
the EU will likely persist until at least early summer 2001.
While certifying one's participation in the Safe Harbor can be
completed quickly, the real challenge is implementing a privacy
policy that conforms to the Safe Harbor's requirements, termed the
Safe Harbor Principles, without impinging upon a company's business
and human resources goals. In so doing, a firm contemplating the
Safe Harbor must understand (1) how the program operates, (2) which
data transfers from Europe are affected by EU privacy law, and (3)
what a Safe Harbor-compliant privacy policy must contain. First,
the Safe Harbor opportunity allows U.S. firms to take steps to keep
trans-Atlantic data flows open. It offers the opportunity to avoid
data transfer disruptions by establishing a voluntary mechanism
that the EU considers "adequate." Furthermore, the Safe Harbor privacy
principles establish a single set of obligations on participating
firms, rather than the separate privacy laws of the fifteen EU member
states.
Enforcement of Safe Harbor commitments is through U.S. rather than
EU data protection authorities. Primary responsibility for enforcing
privacy obligations lies with verification and dispute resolution
bodies in the United States that operate within the private sector.
However, where a firm fails to live up to its privacy commitments,
it becomes subject to possible prosecution by federal law enforcement
authorities. Under the Safe Harbor, a U.S. regulatory authority
must accept jurisdiction over privacy violations arising from EU
data transfers, and the EU must agree to its authority. As of this
writing, only the Federal Trade Commission (in most cases) and the
Department of Transportation (for air carriers) are part of the
Safe Harbor program.
Importantly, some industries are not eligible for the Safe Harbor
program. As of this writing, the Safe Harbor eligibility gap affects
telecommunications common carriers, land-based transportation common
carriers, banks, savings and loans, credit unions, insurance companies
generally, and some non-profit organizations. The U.S. and the EU
are continuing to negotiate a framework for the free flow of personal
financial data to firms, such as banks, not currently eligible for
the Safe Harbor. For now, those enterprises excluded from FTC or
Department of Transportation jurisdiction cannot enter the Safe
Harbor and must find other ways to comply with the requirements
of the EU Directive on Data Protection.
Second, a firm contemplating the Safe Harbor should determine what
information it receives from sources in the European Union, whether
the information received includes "personal data," and how these
data are used. In general, if a U.S. company receives information
from the EU that identifies a person or could identify a person
with a reasonable effort, then the Directive's restrictions on data
transfers apply to that information. Identifying information includes
names, addresses, telephone numbers, unique identification numbers,
and factors specific to an individual's physical, mental, economic,
cultural, or social identity if such could be used to identify that
person. The Directive reaches exports of both customer and employee
records from the EU.
The EU Data Protection Directive generally does not distinguish
among techniques used to collect, store, or transfer personal data.
Nor does the business relationship between the EU transferor and
the U.S. recipient matter. Transfers of personal data between affiliates,
parties at arm's length, a parent company and its subsidiary, and
even within a single multinational firm all fall within the Directive's
scope. Even a company's private Intranet can be subject to the Directive
if a trans-Atlantic transmission occurs. No exceptions exist for
de minimis levels of transfers or for non-profit organizations.
Third, no U.S. data recipient can publicly join the Safe Harbor
without first having in place a privacy policy that conforms to
the Safe Harbor Principles. Under the Safe Harbor, a U.S. firm must
provide individuals with notice about the prospective uses of their
information, choice over such uses (such as whether the data can
be transferred to third parties), and access to confirm data accuracy.
Individuals will have the right to seek enforcement of these privacy
protections. The Safe Harbor also obligates companies to take steps
to prevent the misuse of data and ensure its accuracy. Finally,
participating firms must verify their compliance with the Safe Harbor
Principles.
The level of privacy protection the Safe Harbor Principles require
can vary depending on the type of data transferred and the identity
of the intended data recipient. For example, although the Choice
Principle generally requires only an opt-out opportunity, an "opt-in"
is required when "sensitive data" are transferred. Sensitive data
include information about a person's health, medical history, race
or ethnic origin, political opinions, religion or philosophical
beliefs, trade union membership, or sex life. At this time, financial
information is not considered "sensitive" within the Safe Harbor
framework. Different rules apply to agents. If an intended data
recipient is an agent of a company within the Safe Harbor, the company
need not provide notice and choice regarding data transfers to its
agent. The company remains responsible, however, for its agent's
failure to protect the privacy of data subjects.
With the opening of the U.S. Safe Harbor, a means now exists by
which most trans-Atlantic data communications can continue. However,
for U.S. companies, the Safe Harbor introduces new compliance obligations,
and in some instances may require changes to internal operating
procedures. At the least, the Safe Harbor may introduce U.S. companies
to a previously unknown intersection of communications, privacy
law, and consumer protection legal regimes domestically and abroad.