
Fall 2007  

CASRO GPA

Political Affairs is a periodic publication of CASRO Government & Public Affairs (GPA)

Larry Ponemon, Director
(Ponemon Institute)

Duane L. Berlin, Esq.,
CASRO General Counsel
(Lev & Berlin, P.C.)

Diane K. Bowers,
CASRO President

GPA Committee:

Eileen Campbell
(Millward Brown, Inc.)

Richard Day
(Richard Day Research)

Ed Matricardi
(DCI Group)

Peter Milla
(Survey Sampling International, L.L.C.)

Bob Moore
(Moore Information)

Stuart Pardau
(J.D. Power & Associates)

John P. Rupp, Esq.
(Covington & Burling)

Paul A. Talmey
(Talmey-Drake Research & Strategy)

Chet Zalesky
(CMI)

Council of American Survey Research Organizations

170 North Country Road, Suite 4, Port Jefferson, New York 11777 USA, 631.928.6954
1828 L St., NW, 4th Floor
Washington, D.C. 20036

Questions/Comments: gpa@casro.org
Political Affairs©
Copyright 2007. All rights reserved.

“View from the Hill”

Data Security Legislation Remains Stalled by Jurisdictional Fight

Data security legislation remains stalled by a jurisdictional fight between House and Senate committees even as a recent report from the U.S. House Committee on Government Reform disclosed that 19 federal departments and agencies have reported hundreds of instances of lost personally identifiable information (PII) since January 2003. 

While many of these breaches involved a relatively small number of people, several breaches involved millions of people, such as the breach at the Veterans’ Affairs Department, which compromised the PII of 26.5 million veterans.

The type of information lost and potentially compromised included personal information such as names, home addresses, photographs, dates of birth, social security numbers, fingerprints, medical information, tax information, earnings records, user passwords, law enforcement information requests, and personal information on law enforcement employees.

Nevertheless, legislative progress is impeded by squabbles between the House and Senate Commerce Committee (which has primary jurisdiction over the Federal Trade Commission), Judiciary Committee (which has jurisdiction over the criminal penalties in the legislation) and the Banking Committee (which has jurisdiction over the credit freeze component of the legislation).

While we are not aware of a data breach involving a research organization, the amount of PII that researchers collect, store and transmit makes the probability of such an unintended disclosure quite high. Until Congress acts, such events will continue to be governed by disparate and often contradictory statutes and regulations promulgated by almost 40 states. Accordingly, CASRO will continue to push for comprehensive, federally preemptive data breach legislation.

Senators Push for Registry of Drug Makers’ Gifts to Doctors

Several Senators, including Chuck Grassley (R-IA), Claire McCaskill (D-MO) and Herb Kohl (D-WI) are pushing legislation to require drug makers to disclose the payments they make to doctors for services like consulting, lectures and attendance at seminars.

Minnesota, Vermont and Maine already have similar registries and other states are considering them.


According to a New York Times editorial on July 2, 2007:

 “The drug companies ply doctors with a wide range of gifts, everything from free lunches for busy doctors and their staffs while sales representatives extol the virtues of their latest drugs to subsidized trips to vacation spots for conferences billed as educational events. The companies also pay large sums to doctors for consulting or for conducting research. These payments, which can mount into the hundreds of thousands of dollars over a period of years, look suspiciously like inducements to promote or prescribe the companies’ drugs.”

The drug industry opposes such registries, saying they would discourage doctors from receiving needed education.  Further, drug makers fear that the registries would be a burden for the companies and might be misinterpreted.

Senate Committee Votes to Extend Do Not Call Registry

On August 2nd, the Senate Commerce, Science and Transportation Committee voted unanimously to reauthorize Do Not Call legislation.  Since the passage of the Do Not Call registry in 2003, more than 146 million phone numbers have been registered.  Nevertheless, 62% of Americans still think they are receiving unsolicited telemarketing calls and the FTC’s authority to fund the program through telemarketer fees expires at the end of this year.

The “Do Not Call Extension Act” (S.781) will permanently reauthorize the FTC’s ability to collect fees from telemarketers to cover the operational costs of the program. Under the new legislation, telemarketers would pay $54 for each area code, with the first five area codes free and total fees capped at $14,850. They are required to search the registry every month and drop from their call lists the phone numbers of consumers who have registered. All proceeds of the fees generated will be applied to the continued operation, maintenance, and enforcement of the Do Not Call registry.

To date, the FTC has brought enforcement action against 52 individuals and 73 corporate defendants. Violating the Do Not Call regulations subjects telemarketers to civil penalties of up to $11,000 per violation. On April 10, 2007, FTC Chairman Deborah Majoras testified at a Senate Commerce Committee Hearing that the FTC has obtained settlements with orders requiring payment of approximately $9 million in civil penalties and more than $8.2 million in consumer redress.

According to Lydia Parnes, Director of the FTC’s Bureau of Consumer Protection, unscrupulous telemarketers are still targeting the elderly in particular.  In the coming months, the FTC will consider increased protections for senior citizens.

In a July 31 hearing before the Committee, Richard Johnson, a member of the AARP’s Board of Directors, testified that Congress and the FTC must do more to protect seniors.  In particular, Mr. Johnson urged Congress and the FTC to:

  1. Fully fund the Do Not Call registry;
  2. Prohibit all unsolicited, pre-recorded marketing telephone calls;
  3. Strengthen call abandonment rules; and,
  4. Narrow the definition of “established business relationship.”

However, Jerry Cerasale, Senior Vice President of Government Affairs for the Direct Marketing Association (DMA) testified that the ability to contact consumers is a right that should be preserved.

Consideration of the bill by the full Senate is expected to occur after the Congress convenes from its August recess.

CASRO successfully requested the FTC to confirm that survey research was not covered by the original Do Not Call regulations, a protection for our industry that the DNC renewal legislation will preserve.

Study Finds Google Desktop Search Engine Source of Security Concerns

More than half of the IT security practitioners responding to a recent Ponemon Institute survey reported that they would not use the Google Desktop Search Engine because of various security concerns.

The national web-based survey by Ponemon was prompted by published reports questioning the security of the program, including a report by security researcher Robert Hansen of a man-in-the-middle attack against Google Desktop, which places an attacker between Google and someone launching a desktop search query. From this position, the attacker is able to manipulate the search results and possibly take control of the desktop or install other programs on it. According to Hansen, this drives home the point “that deep integration between the desktop and the Web is not a good idea.”

Two-thirds of respondents to the Ponemon survey agreed with Hansen that such integration creates a security problem for Google Desktop.
Additionally, a security research firm identified a cross-site scripting vulnerability that would allow an attacker to place malicious code on a Google Desktop user's computer and possibly to take full control of the computer. Google says that it fixed this particular flaw.

Despite this reassurance from Google, 71% of survey respondents believe that Google Desktop is still vulnerable to new cross-site scripting attacks.
Google Desktop includes a feature called “search across computers” that allows users to search their files and view web pages across multiple computers. To enable this feature, users transmit copies of their documents, spreadsheets, emails, photographs, and more to Google servers where Google stores the indexed files for up to 30 days.

Nearly three-quarters of survey respondents considered this transfer of data outside the enterprise to be an unacceptable security risk for enterprise users. And 83% said users with confidential or legally protected data such as legal, medical or educational records should avoid using Google Desktop with this “search across computers” functionality.

Considering these issues, half of respondents said they would not use Google Desktop.

This survey was prepared by The Ponemon Institute in June 2007. In total, 23,512 people who reside in the United States received an invitation to participate. This resulted in 1,268 individuals responding (5.4% response rate).

If you have a legislative issue you'd like to discuss with Larry, contact him at: larry@ponemon.org.

CASRO Code Revision Keeps Privacy Protection On Pace
With Internet Research Technology
Free Webinar Scheduled for September 5th to Discuss Changes

In May, the membership of CASRO overwhelmingly approved a revision to the Internet Research section of the organization’s Code of Standards and Ethics for Survey Research.

The revision of the Code addresses the practice of online surveys, specifically the e-mail solicitation of survey respondents, use of “active agent” technology to capture behavioral data, and proper communication/disclosure with members of online survey panels.

All members are invited to participate in a free one-hour webinar to discuss the revisions with the members of the CASRO Online Research Task Force on Wednesday, September 5, 2007 at 1 p.m. Eastern Standard Time. To register, visit: https://www.gotomeeting.com/register/888140132

Code Change Highlights:

Email Solicitation

  • Research Organizations (ROs) are required to verify that individuals contacted for research by email have a reasonable expectation that they will receive email contact for research.

  • ROs are prohibited from using any subterfuge to obtain email addresses of potential respondents, such as collecting the data from public domains, or doing so without individuals’ awareness or under the guise of some other activity.

Active Agent Technology

Active agent technology is software or hardware that captures the behavioral data about data subjects in a background mode, typically running concurrently with other activities.

CASRO’s revised Internet Standards outline unacceptable practices that ROs should strictly forbid or prevent, including:

  • Downloading software without obtaining the subject’s informed consent or without providing full notice about the types of information collected; using keystroke loggers without consent; and installing software that turns off anti-spyware, anti-virus or anti-spam software, delivers advertising content, or modifies computer settings beyond what is necessary to conduct research.

CASRO’s revised Code also outlines practices that researchers should adopt if using Active Agent Technology, including timely disclosure of active agents, receiving permission prior to the download of such software, informing the subject of the types of data being collected, pledging never to use personal information for secondary purposes or share it with third parties, and having a method in place to receive queries from end users.

The Code also strongly discourages ROs from collecting personal information. If collection is unavoidable, data should be destroyed immediately; if maintained, it should receive the highest level of data security available and should not be accessed for any purpose.

Online Panels

  • ROs must disclose to panel members that they are part of a panel, and obtain panelist permission to collect and store information about them. Upon client request, ROs must disclose panel composition information, recruitment practices, member activity, and incentive plans.
  • A privacy policy relating to use of data collected from or relating to the panel member must be in place and posted online.
  • ROs should take steps to limit the number of survey invitations sent to targeted respondents by email solicitations.

To view the complete Code verbatim, visit: http://www.casro.org/codeofstandards.cfm