[109100] in Cypherpunks


dcsb story in bna

daemon@ATHENA.MIT.EDU (Robert Hettinga)
Wed Mar 10 11:56:56 1999

Date: Wed, 10 Mar 1999 11:26:40 -0500
To: dcsb@ai.mit.edu, cypherpunks@cyberpass.net, cryptography@c2.net
From: Robert Hettinga <rah@shipwright.com>
Reply-To: Robert Hettinga <rah@shipwright.com>


--- begin forwarded text


From: mkessler@bna.com
Date: Wed, 10 Mar 1999 10:51:22 -0500
To: <rah@shipwright.com>
Subject: dcsb story in bna

Here is a copy of the story which appeared in BNA's Electronic Commerce
Report as you requested.

Thanks,  Martha Kessler

Volume 4 Number 8
Wednesday, February 24, 1999

News

Privacy

Privacy Expert: EU Directive Won't Halt Trade, If Privacy
Compliance Programs Are in Place


BOSTON--Entities engaged in doing business with firms and individuals in
the European Union should develop a compliance program to ensure they are
conforming with an EU directive on the privacy of data, a security
specialist said Feb. 2.

Speaking before the Digital Commerce Society of Boston, Roland Meuller,
director of network security technologies and Service for Austin,
Texas-based Secunet Inc., said the law should not prevent U.S. firms from
engaging in business with EU companies. But, he told participants, it is
important to examine the types of data being used and the protections in
place to guard that information.

Meuller was previously a technical manager for Daimler-Benz.

The EU's Privacy Data Protection Directive, which took effect Oct. 25,
gives European data privacy officials authority to prohibit the release of
personal data to non-EU countries unless those countries have in place
"adequate" measures to protect personal information. EU and U.S. officials
are currently negotiating the impact of the new law on trade relations and
hope to reach an agreement at the next EU-U.S. summit that would avert a
potential trade dispute.

Meuller noted that the law applies to both governmental and private sector
operations. For example, he explained that a merger between a U.S. and a
German auto firm that involves the transfer of employment files would be
covered by the privacy terms of the directive. He also noted that such
information as the booking records on flights to EU countries would be
covered.

Meuller said the directive offers a number of implications for companies
seeking to do business with EU entities. For example, he said, under the
terms of the directive, when a company buys a set of data, the firm must
ensure that the individual about whom the data has been collected is
informed. It is therefore important for the purchasing company, he said, to
obtain a written guarantee from the seller that the individuals will be
notified of the purchase.

Privacy Compliance Programs Needed

Given the numerous ways in which the privacy directive impacts the
collection and processing of data, Meuller recommended that companies
install a program designed to ensure compliance with the law.

The first step in developing a compliance program is to perform a data
protection audit, he suggested. Under this audit the firm would analyze the
type of data being transferred from the EU, identify the collection
process, identify the data processing procedures and identify the people
who are involved at each stage of processing. This should be followed with
a review of data quality, which determines the purpose for which the data is
used, the accuracy, amount and source of the data, and matters of time
related to the use of the data.

The review should also examine the collection process to determine how the
data is gathered and what obligations and rights rule this process. An
examination of these procedures may call for a revision of the collection
process or redesign of collection forms. For example, Meuller said, one
large credit card company was forced to redesign its enrollment forms to
incorporate legal clauses related to the privacy of data requested on the
form.

Companies that use a non-automated process in their data collection
procedures need to consider other issues as well, he said. The more people
that see the data, the more important it is to ensure that workers are
trustworthy and that language regarding confidentiality be included in the
employment contract.

Meuller stressed that people involved in the data collection and processing
aspects must be made aware of the sensitivity of data. For example, if a
computer is sent out for repairs, it is necessary that workers be aware of
the need to ensure the confidentiality of any data held on the hard drive.
Processes must also be in place to ensure protection of data provided to
clients.

In addition to protecting data during use, companies must also ensure the
data is restricted both physically and logically. This should include
securing access to storage facilities, protecting the data during transfer
and ensuring a certain level of safety in the deletion and destruction of
data, he said. The law says such protection must be state of the art, but
it is obvious they don't expect you to build another "Fort Knox," Meuller
explained.


By Martha Kessler

Copyright © 1999 by The Bureau of National Affairs, Inc., Washington D.C.

--- end forwarded text


-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

