Brad Smith, Senior Vice President and General Counsel
WASHINGTON, D.C., Nov. 3, 2005 – In a speech today before the Congressional Internet Caucus, Microsoft Senior Vice President and General Counsel Brad Smith detailed Microsoft’s support for a “comprehensive” legislative approach to data privacy at the federal level. In his remarks, Smith said that “the time has come” for a legislative approach that would provide meaningful protections for individuals, focus on preventing actual harm, and set clear guidelines for businesses while still allowing commerce to flourish.
Because data privacy remains a focal point for any public discussion around information technologies and computer security, and because Microsoft’s call for a federal-level response is a new element in Microsoft’s broad range of activities around security and privacy, PressPass met with both Smith and Microsoft Chief Privacy Strategist Peter Cullen to learn why privacy laws are important and what it means for consumers and companies.
PressPass: Why is Microsoft publicly advocating the concept of a uniform national privacy standard today?
Cullen: The landscape has changed quite a bit over the last several years. Today, there is more personal information being collected for numerous, often very legitimate reasons. For example, some basic information can personalize a Web site or improve an online shopping experience. But, today there is also a greater risk of personal information being abused through social engineering scams like phishing, spam e-mails and identity theft. If we want the Internet to continue to be an exciting resource to communicate, play, shop or do business, we have to put some basic standards in place to ensure personal information is kept secure, that people’s privacy is protected and that they are protected from harm.
Smith: In the U.S. last year, over 10 million people were the victims of identity theft, and thousands of privacy-related bills were introduced in state legislatures and Congress to address the issue. These staggering statistics and the following key factors led us to advocate for one comprehensive legislative approach at the federal level to help protect consumers and businesses. First, as Peter notes, there’s a growing concern among consumers about privacy and identity theft; many surveys have shown that this is seen as a big impediment to people feeling comfortable about using the Internet for commerce. Secondly, an increasingly complex patchwork of federal and state laws around data and financial privacy makes it hard to have any consistency, and is confusing and contradictory for businesses and consumers. This also makes it hard for business to know what standard will be required in what area of the country. Activity that is legal in one jurisdiction may be illegal in another. This makes it challenging for a business to meet regulatory compliance requirements. The third major factor is that consumers, industry and governments all agree on the increasing need for comprehensive measures to improve not just security, but also consumers’ understanding and control over their personal information.
PressPass: Are there basic elements that Microsoft endorses with regard to this federal privacy legislation approach?
Smith: Absolutely. There are four elements that we believe federal privacy legislation should include, which are key to protecting consumer privacy, and to supporting businesses’ privacy policies and compliance efforts. First, there should be a uniform baseline standard that applies across all organizations and industries. This includes online and offline transactions, federal pre-emption over local laws, and international harmonization with global standards. Secondly, any legislation must increase the transparency regarding collection, use and disclosure of personal information. Thirdly, individuals must have meaningful control over the use and disclosure of personal information. Lastly, we believe there should be minimum security requirements around the storage and transit of personal information.
PressPass: How does Microsoft believe the technology industry should increase transparency around the collection and use of personal information?
Peter Cullen, Chief Privacy Strategist
Cullen: People should be able to have a clear understanding of how their personal information may be collected and used. There are a number of ways in which this can be done. Two that I think are the most important are increasing the level of notice provided to individuals, and permitting them to access and correct data that is held by an organization. In the matter of notice, we have worked very hard to develop notification approaches that make it easier for consumers to understand how their information is being used, with as little or as much information as you like. For example, much like food labels, MSN’s new “short-layered” privacy notices provide a clear summary of a company’s essential online practices and empower people to make educated choices regarding sharing information online. For more detail, you can click through and read the full, longer version. The second critical way to increase transparency is giving individuals access to their personal information stored online and offline, the ability to correct any inaccuracies, and the right to change their preferences for how their information is used.
Smith: Peter brings up an important point about notification. It is important for organizations to provide individuals with notice before they collect and use personal information; but it is often not enough. If an organization wishes to use or disclose personal information in a way that is materially different from that described in the notice at the time the information was collected, there should be additional notice and consent requirements. Organizations should also be required to follow standard notification requirements if a breach of certain sensitive data occurs. Building breach notification requirements that are appropriate to the scope, scale and severity of that breach into a federal legislative approach will set a clear standard for companies and will ensure that consumers are provided with essential information in cases where there is a significant risk of harm.
PressPass: What are the respective roles of the public and private sector around privacy issues?
Smith: Federal legislation – which would pre-empt the patchwork of local and state laws in place now – would be the foundation that would improve the transparency and predictability of consumers’ experiences. Much of the privacy regulation today in the U.S. occurs at the state level, where many of the 50 states have enacted privacy laws that govern specific industries, issues or practices. More than 20 states have passed separate financial privacy laws just since 2004, for example. Often, state laws conflict, so that a set of business practices that is legal in one state may be prohibited in the next. Comprehensive federal legislation would then provide the private sector with a uniform standard on which they can more easily build and manage effective policies and compliance efforts that map to the needs of their specific businesses and customer requirements.
PressPass: Given the patchwork nature of regulations within the U.S. and different standards around the globe, is a single standard or baseline for privacy protection an achievable goal?
Smith: Yes. We believe a core component of this legislative approach is the first step towards harmonization between the U.S. and international approaches. Commerce is, after all, increasingly global, and we feel it’s important to treat all our customers around the world with the same level of privacy protection.
PressPass: With the global reach of the Internet, how does this effort at the U.S. federal level map to Microsoft’s privacy work in other regions of the world?
Cullen: As a global company with customers located around the world, Microsoft made the decision early on to set privacy standards at a very high bar. We have a single policy and set of standards which result in a worldwide approach to privacy compliance that meets or exceeds privacy requirements from all parts of the globe. We believe a more standard, common, federal approach in the United States tracks to the way other regions of the world have approached affording privacy protection to users. We also believe this approach can provide consumers with better overall protection while at the same time facilitating global flows of information, which also allow business to create more value for customers.
PressPass: How does Microsoft perceive the balance between people’s needs for both security and privacy? Is there a natural point of equilibrium?
Cullen: In many cases, customers see security and privacy as intertwined and interrelated. For example, a security event can lead to a misuse of personal information or a privacy incident; or a lack of focus on security can be an indication of a lack of control as to how personal information is both protected and used. We believe that dealing effectively with security can go a long way toward protecting personal information. This is one reason that we invest so heavily through our Trustworthy Computing initiative to build security and privacy into the DNA of the company and our products and services.
PressPass: Microsoft, its partners and various public agencies have put a lot of effort in the past two years into increasing awareness of the potential dangers of computer attacks. How will Microsoft and other interested parties work to encourage consumers to feel comfortable with sharing personal information in a responsible way?
As a technology company, we believe there are technological ways we can help make things safer, and we have been helping protect consumer data and helping customers protect themselves with the latest technologies. But we realize that technology alone can’t fully solve the problem. We believe that this approach will require the efforts of many – other companies, other industry leaders, the government and even consumers themselves – to make the Internet a safer place. Microsoft has been working in conjunction with many of these entities to promote online safety efforts. Having this legislation in place will increase awareness and access to personal information and will be a springboard to even broader consumer awareness-building.
Smith: We absolutely believe that a uniform legislative approach, based on the core principles we’ve outlined, will not only give consumers more control and more access to their personal information, but will also increase their confidence in providing that information to legitimate businesses and other organizations. It will provide a solid foundation going forward both for consumers and businesses around e-commerce.