What Is Personally Identifiable Information


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

In today’s generation, where technology exists in every aspect of everyday life, online shopping has become part of daily life and has grown in popularity, mainly because people look for the most convenient and easiest way to bargain or shop without the hassle of going to a mall. One of the most attractive factors of online shopping, particularly during the holiday season, is that it removes the need to wait in line from store to store just to buy a particular item. To determine who the customers of eBay are, this paper first defines online shopping, or online retailing. Online shopping is a form of electronic commerce in which customers must have access to a computer (for example, to sign up first with an online auction site such as eBay) and a method of payment (such as PayPal, MasterCard, or another kind of credit card, depending on the requirements of the online auction site), and which allows consumers to buy goods or services directly from the seller offering a particular product or service, without an intermediary service. When an online shop or virtual store sells to consumers, the process is called business-to-consumer (B2C) online shopping; there is also business-to-business (B2B) online shopping, in which a business buys from another business. eBay and Amazon.com are the largest online retailing corporations, and both are based in the United States. Customers are attracted to online shopping not just because of the assurance or security of obtaining products or services with a high level of convenience, but also because of its larger selection, its competitive pricing, which is one of the reasons they consider most, and its greater access to information.
Customer needs and expectations are obviously not the same for all customers who buy online. Age, gender, experience, and culture are all important factors to consider in identifying your real market. Demographic differences are detected in shopper involvement in online auctions. In the United States, rural shoppers buy from online auctions more often than urban buyers, but spend less on each purchase. Female buyers purchase from online auctions more frequently, but spend less on each purchase than male buyers. This paper is relevant to the current research, as consumers who visit online auction sites may constitute a virtual community linked by shared interest. A consumer’s motive for shopping can be observed as being either utilitarian or hedonic. Utilitarian value is the value resulting from receiving the goods one requires. When a shopper adopts a utilitarian reason for shopping, shopping may be viewed as a task, and the shopper is only content when they have acquired all the goods on their shopping list. By comparison, hedonic value is about gaining excitement and fun from shopping. When consumers adopt a hedonic motive for shopping, they are spending because they enjoy it. Before you can do business online, you need to understand a little bit about the people that you'll be marketing to. The online world is a unique marketing environment because of the way users group themselves together. This is called segmentation, or segmenting the market. If you've ever purchased a mailing list to use in a direct mail program, you might already know something about segmentation. When you order a list you can request names of people from a specific zip code, people with a specific income, people who work in certain occupations, or people who subscribe to a certain magazine or trade journal. All of these criteria can be used to create a single list of people that have similar interests and lifestyles.
When you're marketing products or services, it's always more effective when you focus your marketing efforts on the most qualified group of people you can so the response will be high. One of the great things about the online world is that users tend to group themselves into highly defined groups all by themselves.

You can't go online and request a list of people to send an offer to, but if you know where to look, you might be able to find a place where those people hang out and then get a marketing message in front of them. One of the things that any online business owner needs to do before starting an online business is determine how well his products and services fit the interests and lifestyles of the typical online user. Keep in mind that people do the exact same things online they like to do off-line. If you like NBA Basketball, you would probably visit one of the NBA or general sports sites on the Internet or one of the online services. So targeting your message to a group of qualified prospects is easier in the online world than in any other advertising medium. So that you will better understand the nature of the online user, here's some information to consider. This information was gathered from information provided by online research studies. Since the online world changes rapidly, you may want to get a current look at online demographics by checking one of the sites listed at the bottom of this document.

Age:

The average age of all web users is 36 years old. European users are a bit younger at 30 years old. Unlike past years, when the average age of women users was younger than that of their male counterparts, there is no longer an age discrepancy.

Gender:

The online world is still a predominately male environment. About 61% of the users are male. However more and more women are coming online to balance this out. Just a couple of years ago the percentage of women users was only about 15%. Women now account for nearly 39% of the users in the US. The percentage of women users in the US is nearly double that of Europe. Everywhere you look, the number of women users is on the rise.

Education:

A whopping 86% of online users have attended college, with half having earned a degree. People online are smart and sophisticated.

Income:

One thing is for sure, online users have money. You might think this has something to do with the fact that you need a computer to access the online world and not everyone has one or knows how to use one. The average household income for online users is about $53,000.

We're seeing a decline in the income levels as more and more people come online. Just over a year ago, the average household income was almost $60,000. As you would expect, the younger the user, the lower the income. This is due to the high number of students who use high speed Internet. The average income of the higher age groups is actually much higher than the total average. If you are selling something online, it’s nice to know that the people you’re selling to have some money to spend. Wouldn’t you agree?

Location:

The US has the best phone system in the world and more computers per capita than any country in the world. So it's only fitting that 84% of all Internet users are in the US. About 7% are from Europe, and 8% from Canada and Mexico. Most people consider the Internet an international medium, but in reality it is still primarily a US medium. The Internet reaches every continent. The growth of Internet use is faster outside of the US than inside, but the sheer number of new users is significantly higher in the US. Fast growing areas include Asia, Africa, the Middle East, and South and Central America.

Marital Status:

The online world is pretty split between married (40%) and unmarried (41%). The rest are either divorced or living with someone. As you would expect, the younger crowd (under 25) is about 75% single, while the older crowd (50+) are 75% married. Those in the middle (26-50) are about evenly split between married and single.

Careers:

About 23% of web users work in education to top the list of career choices. The next highest ranking occupation is Computer and Technical workers at 21%. A few years ago the ranking for these two occupations was just the opposite. Considering the penetration of the Internet into all levels of education, this is not too surprising. Now we know what all those teachers are doing during recess, right? Next in line are professionals and management occupations at 21% and 12% respectively. Overall, women are more likely to be involved in education careers, while men are more likely to be in computer careers.

Politics:

Most users consider themselves to be political moderates (30%), with 21% being conservative or very conservative, and 35% being liberal or very liberal. Women are more likely to be liberal and men more likely to be conservative. Democrats lead Republicans online at 25% to 21% respectively. Another 16% said they lean towards the Democrats, while 10% lean toward the Republicans.

Privacy Issues:

As a whole, online users don't like to say much about themselves and resent those that share personal demographic information with others for personal gain. What this really means is that Internet users don't like to have their names and email addresses sold to others for the sole purpose of sending an ad or offer. On the other hand, most realize the need for demographic information for designing an online business and marketing a site to advertisers. About half said they would give personal information in return for some value, like a reminder service, or to get access to private specialized information.

Access:

Over half (55%) of online users get their access at home. The 50+ crowd is more likely to be paying for their access and getting it at home, while the younger crowd is more likely to get free access at work or at school. This explains why the busiest days online are Monday-Thursday and why the weekends are about 20-30% slower traffic days than any other days. Many users only access the online world from work or school and both are out on the weekends.

Frequency:

About 72% of women who use the web do so every day, while 87% of men are daily users. These numbers are on the rise, which is good news for online business. About 45% use the web 1-4 times per day, while 41% use it more frequently and 15% use it less.

Purpose:

This category illustrates that the online world is an entertainment medium as much as anything. The most common use of the web is to surf (79%), followed by entertainment (65%) and work (51%). I would even consider most surfing as entertainment, so that is really the number one use right now. Shopping is on the increase, going from 11% a year ago to 14% now. Older users do more work online, while younger users are playing online.

Complaints:

The biggest frustration of web users is speed. Online users don't like to wait for things to download and even though modem speeds are increasing, the number of users complaining about speed keeps increasing. We're just never satisfied. Another big complaint is not being able to find information that they know is out there. Other problems cited are not being able to find a site after visiting it once and paying too much for access. Basically we're all impatient and cheap.

Connections:

The standard for connection speed continues to rise as new modems keep coming on the market and prices keep falling. The most common connection speed is now 33.6 followed by 28.8 Kbs. This is the exact opposite of a year ago. About 40% of users have a connection faster than 28.8. This would be those who are using fast dedicated connections at work or at school. This type of high speed connection might include such things as T1's, DS3's, 56 Kbs lines, Frame Relay and ISDN. Another interesting statistic is that about 60% of users also have an account with one of the online services, but only about 8% use it to access the web.

Technological forces:

The growth of broadband internet connections around the globe has undoubtedly boosted online shopping, simply by dramatically speeding up the process of accessing websites and buying goods. Broadband is at least ten times as fast as dial-up. Having access to broadband means that consumers are more likely to use the internet to purchase everyday items such as groceries. Traditionally, individuals and businesses have ordered goods or services online via computers, but the increase in data connection speeds on mobile phones with the introduction of 3G and 4G (3rd and 4th generation) technology has opened up another avenue for e-tailers. Certainly, e-tailers are now targeting the mobile phone. E-commerce is also making increasing inroads into areas where it was thought difficult to sell goods online. Historically, for example, it was thought difficult to sell clothes online because shoppers could not try on the goods. However, sites such as Asos, which targets 16 to 34-year-olds with outfits and accessories styled on those worn by celebrities, have shown that it is possible to successfully sell clothes online.

Electronic commerce, or e-commerce, involves the sale of goods and services via electronic means—principally over the internet, although sales via television (terrestrial, cable, and satellite) are also included. E-commerce can be further divided into the following sectors: business-to-business (B2B), business-to-government (B2G), consumer-to-consumer (C2C), government-to-business (G2B), government-to-citizen (G2C), and business-to-consumer (B2C). Retailers that rely primarily on e-commerce to sell goods or services are often referred to as e-tailers. Retailing over the internet generally takes one of two forms: Cybermalls—the most famous cybermall is eBay, which offers access to products from a variety of independent retailers. Individual websites—most major retailers now have their own websites, which complement their traditional "bricks-and-mortar" outlets. Some retailers operate solely over the internet.

In terms of television sales, programs on dedicated shopping channels generally feature a presenter who demonstrates products on air. Viewers can buy these products by telephoning an order line with their credit card details, or, in the case of interactive television services, by using their remote control. Recent years have seen the development of a variety of selling techniques, including on-air auctions.

E-commerce is most closely associated with the internet, and has developed in tandem with the growth of the medium. Indeed, e-commerce initially became possible with the opening up of the internet to commercial users in the early 1990s. However, it wasn’t until the latter half of the decade that companies really began to exploit the internet’s commercial potential.

A number of the start-up companies from that era, such as Amazon and eBay, have exploited the power of the internet to emerge as retailing behemoths in their own right. However, e-commerce has largely been developed by established large retailers, which regard it as simply another sales channel. The gigantic grocery retailers that have expanded away from food and into a wide variety of other areas, such as clothing and electronic goods, have been particularly quick to appreciate its potential. The medium has also created opportunities for very small businesses. It is now possible to buy over the internet a wide range of specialized products that are not available in shopping malls. Thus, the internet has provided a lifeline for many small producers, and has allowed entrepreneurs to enter the retailing sector without the need to invest heavily in physical retail outlets.

E-commerce has proven so successful because it offers significant advantages to both consumers and retailers. Consumers can compare a vast array of retailers in a few minutes—something that it would be impossible to do physically. Online retailers often sell products and services at a significant discount to those offered by traditional outlets, and buying online is convenient: consumers can make their purchases from the comfort of their own homes, and have them delivered to their doors. Furthermore, online shopping appeals to the environmentally conscious. In March 2009, researchers at Heriot-Watt University in the United Kingdom revealed that online shopping is 24 times "greener" than taking the car to the shops, and seven times "greener" than taking the bus. The researchers compared the carbon footprint of a typical delivery from a local depot with average carbon footprints for shopping trips by car and bus, and found that home deliveries involved much lower levels of carbon emissions.

For businesses, the advantages of e-commerce lie mainly in the low cost of setting up and maintaining a business. Firms do not need to invest heavily in a physical presence, or in sales staff. However, they do have to organize payment systems, distribution, and returns.

Modern electronic commerce typically uses the World Wide Web at least at one point in the transaction's life-cycle, although it may encompass a wider range of technologies such as e-mail, mobile devices, social media, and telephones as well.

Electronic mail, sometimes called email, is a computer based method of sending messages from one computer user to another. These messages usually consist of individual pieces of text which you can send to another computer user even if the other user is not logged in (i.e. using the computer) at the time you send your message. The message can then be read at a later time. This procedure is analogous to sending and receiving a letter.  Originally, email messages were restricted to simple text, but now many systems can handle more complicated formats, such as graphics and word processed documents. When mail is received on a computer system, it is usually stored in an electronic mailbox for the recipient to read later. Electronic mailboxes are usually special files on a computer which can be accessed using various commands. Each user normally has their individual mailbox.

A mobile device (also known as a handheld device, handheld computer or simply handheld) is a small, hand-held computing device, typically having a display screen with touch input and/or a miniature keyboard and weighing less than 2 pounds (0.91 kg). Apple, HTC, LG, Research in Motion (RIM) and Motorola are just a few examples of the many manufacturers that produce these types of devices. A handheld computing device has an operating system (OS), and can run various types of application software, known as apps. Most handheld devices can also be equipped with Wi-Fi, Bluetooth and GPS capabilities that can allow connections to the Internet and other Bluetooth capable devices such as an automobile or a microphone headset. A camera or media player feature for video or music files can also be typically found on these devices along with a stable battery power source such as a lithium battery. Early pocket-sized ones were joined in the late 2000s by larger but otherwise similar tablet computers. As in a personal digital assistant (PDA), the input and output are often combined into a touch-screen interface. Smartphones and PDAs are popular amongst those who wish to use some of the powers of a conventional computer in environments where carrying one would not be practical. Enterprise digital assistants can further extend the available functionality for the business user by offering integrated data capture devices like barcode, RFID and smart card readers.

Social media refers to the means of interactions among people in which they create, share, and exchange information and ideas in virtual communities and networks. One definition of social media is "a group of Internet-based applications that build on the ideological and technological foundations of Web 2.0, and that allow the creation and exchange of user-generated content."

A telephone is an instrument that converts voice and other sound signals into a form that can be transmitted to remote locations and that receives and reconverts waves into sound signals. To telephone is (1) to speak with (a person) by telephone; (2) to initiate or make a telephone connection with, or place a call to; (3) to transmit (a message, for example) by telephone; and to engage in communication by telephone.

Economic forces:

ROLE OF ECONOMIC INFLATION TO ONLINE SELLING

ROLE OF THE DOLLAR EXCHANGE RATE

Political, Legal, and governmental forces:

The Federal Trade Commission (FTC) is the primary federal agency regulating e-commerce activities, including use of commercial emails, online advertising and consumer privacy. FTC's E-Commerce Guide provides an overview of e-commerce rules and regulations.

The following topics provide further information on how to comply with laws and regulations related to e-commerce.

Protecting Your Customers' Privacy

Most businesses collect and retain sensitive personal information from their customers and employees such as names, addresses, social security numbers, credit card numbers and other account numbers. Protecting personal information not only makes good business sense, it can also help you avoid legal problems. Depending on the type of data you are collecting, and who you are collecting it from, you may be subject to federal and state privacy laws. This guide explains which privacy laws apply to your business and how to comply with them.

Overview of Privacy Laws

Privacy laws, whether federal, state, or local, affect most US companies. In addition, foreign privacy laws that impose restrictions on the transfer of personal data outside of their borders require US companies that do business with foreign entities to agree to other requirements and restrictions. US and foreign privacy laws may provide for stiff penalties in case of infringement. Government investigations and private litigation may result in the assessment of fines, damages or prison terms. Given this complex legal, regulatory, and judicial landscape, companies should not take privacy issues lightly or use a cookie-cutter approach.

What is Personally Identifiable Information?

Companies collect home addresses, unlisted phone numbers, names of spouses, house partners, children or dependents, employment history, salary, race or national origin, hobbies, personal interests or travels of their personnel, clients, and other third parties. This information, often designated as "personally identifiable information" ("PII"), is commonly stored in paper files or in electronic databases, on electronic address books, personal digital assistants, laptops, or servers accessible through LAN, WAN, intranets, extranets, or the Internet. PII may be crucial for many aspects of a company's operation: human resources (e.g., payroll, or company directory), interaction with clients and distributors, marketing, sales, or business development.

Compliance Requirements

The United States and many foreign countries have legal structures that affect the collection, use, transfer, or disclosure of PII. The United States uses a sectoral approach that relies on a mix of legislation, regulations, and self-regulation. These laws, regulations, industry best practices and other binding structures, which have been enacted at the federal, state and even local levels, pertain to a wide variety of matters (e.g. financial information, video rentals, electronic communications, or healthcare information). As a result, it is certain that one or more privacy laws or regulations, local, state, or federal, affect and govern some portion of a company's activities. Outside of the United States, numerous countries have privacy or data protection laws, as well. These laws often restrict transborder transfers of personal information to countries that do not provide comparable privacy rights and protection, such as the United States. Thus, US companies intending to send or receive personally identifiable information about individuals protected by those foreign laws must ensure compliance. The local laws that control their foreign subsidiaries or distributors regulate the use and access of data that the subsidiary or distributor wants to share with the US company. As the recipient or processor of foreign PII protected by foreign law, the US company must be aware of the restrictions placed on the foreign source PII, and be prepared to assist and cooperate with its foreign counterpart to ensure cross-border transfer within the limits permitted by the applicable foreign law.

Selected United States Privacy Laws

In the United States, many federal or state laws address privacy issues. Recently, additional laws or local ordinances were passed at the county level to remedy the state legislature's failure to enact privacy protection laws. The examples below are only a very limited sample of the privacy laws that populate the American legal landscape.

Financial Information

The privacy and confidentiality of financial information is highly regulated. The recent Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §§ 6801-6827, increased the nature and scope of protection to address, in particular, the dissemination of financial information in connection with marketing activities. The GLBA establishes a number of privacy-related provisions that apply to all "financial institutions." The law reaches most entities that engage in an activity that could be deemed financial in nature, such as companies in the banking, securities, and insurance industries. Numerous entities that perform services other than banking are considered financial institutions, such as travel agencies or tax preparation businesses. The privacy provisions also apply to third parties that receive nonpublic personal information from financial institutions. The privacy provisions in GLBA protect all information whether in electronic or paper form. Companies subject to GLBA must provide a consumer with periodic notices explaining the institution's privacy policies and practices and give consumers a reasonable opportunity to "opt out" of disclosures to third parties. Financial institutions are restricted from sharing consumer personal information outside the scope described in the privacy notice. Companies that own or use databases of PII must have in place security procedures to ensure the protection of the PII and limit the dissemination of the PII. While the privacy provisions in GLBA cover only a few pages, each federal agency that regulates the different "financial institutions" (e.g. FDIC, SEC) and the FTC have published more detailed regulations that expand on the GLBA provisions.


In addition, the GLBA allows states to enact or use laws that provide additional privacy protection to financial information. Since the enactment of GLBA, numerous states have enacted privacy laws that strengthen the protection set forth in the GLBA.

Medical Information

The HIPAA Privacy Rule, 45 CFR Subtitle A Subchapter C Parts 160 & 164, established in application of the mandate in the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. §§ 1320 et seq., addresses the protection of health care information. The HIPAA Privacy Rule protects all information pertaining to the past, present or future provision of health services and the payment of such services, whether the information is in electronic or paper form. The HIPAA Privacy Rule applies to specific "covered entities," which are health plans, healthcare providers, and healthcare clearinghouses. In addition, any person or entity that provides services to the covered entities and handles or has access to patients' protected information is also subject to the HIPAA Privacy Rule as a "business associate." The HIPAA Privacy Rule came into effect as of April 21, 2003 for most covered entities. Small plans have one additional year to comply.


The HIPAA Privacy Rule imposes restrictions on the use and disclosure of patient information and outlines patients' rights, namely, the right to have access to their records, the ability to amend those records, the right to receive an accounting of disclosures, the right to limit the use and disclosure of the records, and the right to receive responses to their requests pertaining to their rights.


As a result, companies that qualify as a "covered entity" must ensure the security and integrity of these records, provide notices to patients of their rights, respond to patient inquiries and requests for access or modification of their records, and appoint a Chief Privacy Officer who will be responsible for the proper management of the protected health information. Companies that provide services to the covered entities as "business associates" must also have policies and procedures to assist the covered entity in responding to patients' inquiries, and must, as well, ensure the security and integrity of the PII to which they have access as part of their services to the covered entities.


HIPAA contains stiff penalties for violations, including fines and prison time. However, the law does not provide a private cause of action for patients who wish to sue under the act. Instead, complaints for violation of the HIPAA Privacy Rule must be brought to the Department of Health and Human Services, which will investigate the complaints and pursue the infringing "covered entity" as appropriate.

Information Regarding Children

The Children's Online Privacy Protection Act (COPPA), 15 U.S.C. sections 6501, et seq., governs information that online businesses collect about children under the age of thirteen. COPPA defines how businesses may collect such information, and the extent to which they can use that information. COPPA applies not just to websites specifically directed toward children; it also regulates the activities of websites with a general audience if companies have actual knowledge that they collect information from individuals under thirteen.


COPPA requires each site to provide a clear and conspicuous notice of its privacy practices on its website. In addition, before it may collect, use, or disclose children's personal information, a company subject to COPPA must obtain verifiable parental consent. COPPA also defines how and to what extent, once the children's PII has been collected, the company may use such information.

Employment

Many laws govern those aspects of the employer-employee relationship that are confidential and require the handling of personal information. For example, the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., contains rules pertaining to background checks of prospective employees. Privacy law is also implicated when employers need access to employee offices, computers, etc., or when employers electronically monitor their employees' Internet usage and email. The Electronic Communications Privacy Act (ECPA), 15 U.S.C. § 1681 et seq., governs the interception of electronic and wire communications and limits access to certain networks and communications. There are also laws about permissible interview inquiries and state laws about inquiry into arrest records for prospective employees. Use of personnel records is governed by both federal and state rules. These privacy protection laws continue to apply even after the employment relationship is terminated.

Foreign Data Protection Laws

US companies that do business internationally, have subsidiaries or distributors abroad, or sell on foreign markets must be aware of the requirements in the foreign privacy laws that are in place in those countries whose courts may have jurisdiction over the US company or its local subsidiaries or contractors. Many foreign laws restrict transfers of personal information outside of their borders to countries. As a result, US corporations with operations in other countries or receiving data from foreign companies may need to conform to these laws to some extent, so that they can receive PII from their subsidiaries, distributors, and other contractors established abroad.

 

For example, European Union member states rely on comprehensive legislation that requires the creation of government data protection agencies, registration of databases with those agencies, and, in some instances, prior approval before personal data processing may begin. Privacy laws in all E.U. member states prohibit the transfer of PII outside the E.U. to countries that do not offer an adequate level of privacy protection. Since the E.U. commission has declared that the United States does not offer adequate privacy protection, transfer of PII from a subsidiary, distributor, or other co-contractor is restricted. Special precautions must be taken, and permissions obtained. Many countries outside the E.U. have enacted privacy laws that are very similar to the model and structure used in the European Union.

Self-Regulation Programs

Most companies have adopted privacy policies, tailored to their own business purposes and ethics, which they frequently post on their website. Many companies, in addition, register with seal programs such as BBB Online, http://www.bbbonline.com, or TRUSTe, http://www.truste.com. To obtain a seal under these programs, companies must agree to follow specific privacy guidelines.

Self-Certification under Safe Harbor

Because the US currently has no privacy legislation of general applicability, the E.U. deems the US as a whole to lack adequate protection, thereby constraining companies that transfer data from the E.U. To help US companies (or their subsidiaries or contractors) comply with the laws of the E.U. Member States and to facilitate international business transactions, the US Department of Commerce (DoC) has implemented a Safe Harbor privacy program. A US company that adheres to the Safe Harbor Principles may complete the DoC's self-certification program, and receive a presumption from all 15 E.U. Member States that such company will provide the required adequate privacy protection to personally identifiable data from the E.U. However, the foreign company that would be transferring information to the US company still needs to comply with its own Data Protection Law. In addition, since the United States does not have a similar agreement with other foreign countries with privacy laws that restrict trans-border data transfers, and preclude transfers to countries that are deemed not to offer sufficient protection, there is currently no alternative to companies that do business abroad in the remainder of the world. Participation in the E.U. Safe Harbor program has no effect on compliance with the requirements of privacy laws outside the E.U. area.

Noncompliance Risks

Too many companies act on the wrong impression that privacy awareness equates to posting a privacy policy on their website. Privacy protection concepts, however, apply to much more than the collection of data from a website. Privacy policies are complex and must reflect actual company practices. Promising more than what one is prepared to give could be costly. Thus, cutting and pasting a privacy policy from another company is foolish and could create much harm.

 

Most privacy laws contain civil and/or criminal penalties. Some include a private right of action. For example, violation of the HIPAA Privacy Rule may result in civil or criminal penalties for failure to comply with the requirements and for wrongful disclosure of confidential information. Civil and criminal penalties may be assessed for violations of a patient's privacy rights. The civil penalties are up to $100 for each violation, with a cap of $25,000 for all violations of an identical requirement or within a calendar year. There may be lower penalties if the covered entity can prove that it did not know of any violation; or had reasonable cause, and did not willfully neglect to comply with the requirements; or if the failure is corrected within 30 days. Criminal penalties may be assessed if the covered entity knowingly obtained and disclosed protected information. Fines may be up to $50,000, and may be combined with a prison term of up to one year. If information was obtained under false pretenses, there may be fines up to $100,000 and/or prison up to 5 years. If protected information was obtained with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm, then higher fines and prison terms may be assessed against the violators: up to $250,000 and prison up to 10 years.

 

In addition to the penalties provided for by the applicable statute, there may be additional damages assessed for deceptive or unfair practices under Section 5 of the FTC Act and the state law equivalent. In recent years, there has been increased attention to the protection of PII, domestically and abroad. Privacy-related complaints have been filed. Numerous government actions (e.g. FTC, State agencies) and private actions (individual or class action) against well-known companies targeting violations of privacy have taken place. Foreign Data Protection Agencies have investigated subsidiaries of US companies. In addition to the embarrassment of being the target of investigations, complaints or lawsuits reported in the press, these actions generally have resulted in the assessment of damages and penalties, the obligation to pay plaintiff's attorneys' fees, and the requirement to implement strict privacy and security procedures. In other instances, government action has prohibited a contemplated transaction.

 

For example, the FTC recently investigated Microsoft's Passport Single Sign-in (Passport), Passport Express Purchase (Passport Wallet) and Kids Passport. Under the September 2002 consent decree, Microsoft has agreed to implement and maintain a comprehensive information security program, have its security program certified as meeting or exceeding the standards in the consent order every 2 years, and pay a civil penalty of $10,000 for each future violation of the order.

 

Double-Click has also been the target of several investigations and class action suits, which ended in costly damages. To end a 30-month privacy investigation by the FTC and ten states, Double-Click agreed to pay $1.8 million in plaintiff's cost in a class action suit, pay $450,000 in fines, and adhere to specific practices and policies, which included the following requirements: display 300 million consumer privacy banner ads that invite consumers to learn more about how to protect their online privacy; provide an easy-to-read explanation of its ad-serving services; provide opt-in before it can combine PII and clickstream data; ensure that Internet users' online data will not be used in a manner inconsistent with the privacy policy under which it was collected; develop internal policies to ensure protection and routine purging of data collected online; and limit the life of new ad-serving cookies to five years. In addition, Double-Click must submit to two annual reviews for the next 2 years, by an independent accounting firm, to verify compliance with the settlement.

 

In some cases, a suit or investigation may occur because of an inadvertent error. For example, Eli Lilly was sued for privacy violation both at the federal and state levels after an error by one of its employees caused the individual email addresses of Prozac patients to be published in an email sent to the entire listserv. The email, which was meant to be sent in a confidential manner, instead prominently displayed the email addresses of more than 600 addressees in the "recipient" box. After a lengthy investigation, the company settled with the FTC in January 2002, and agreed to take steps to ensure the security of data, follow a specific four-stage information security program, and submit to an annual review "by qualified persons" of its information security program. Although the FTC settlement did not provide for any fine, the July 2002 settlement with eight states for the same event included a $160,000 payment to these states and required the company to strengthen its internal standards relating to privacy protection, training, and monitoring.

 

Even if there is no specific privacy law applicable, once a company has published its privacy policy, it is bound by the public statements made. Publishing a privacy policy exposes the company to prosecution if it fails to perform according to the representations made in the public privacy policy. For example, Toysmart and Microsoft were subject to investigations by the FTC and state attorneys general because of their alleged failure to perform according to the representations made in the privacy policies published on their websites. Similarly, a company that self-certifies with the DoC about its privacy protection policies and procedures in connection with the E.U. Privacy Safe Harbor Program must carry out these practices in the United States. Making inaccurate statements about its actual data collection practices, or making promises that it does not or cannot keep, would otherwise expose the company to prosecution from the FTC or a state attorney general based on misrepresentation or deceptive practices under Section 5 of the FTC Act or state equivalent unfair and deceptive practices acts.

 

Problems could occur, as well, when a company tries to transfer certain databases in connection with the sale of the company's assets in a manner inconsistent with its published privacy policy. For example, one of the early cases in this area related to the bankruptcy of the Toysmart company: In re Toysmart.com, LLC, No. 00-13995-CJK (U.S. Bankr. Ct. Mass.), filed in May 2000, and FTC v. Toysmart.com, LLC, No. 00-11341-RGS (U.S.D.C., D.Mass), filed July 10, 2000. Toysmart's online privacy policy stated that the company would "never share" its information with a third party. Toysmart ultimately sought bankruptcy protection and offered to sell its database of customer information. The FTC objected, and in a first settlement, Toysmart agreed that any buyer would have to be in the same business as Toysmart and agree to follow all of the requirements of Toysmart's privacy policy. Ultimately, after many months of additional transactions with the FTC and the bankruptcy court, a shareholder of the company purchased the customer list and agreed to destroy it promptly thereafter. Altogether, something that could have been a "simple" sale of assets delayed the database owner by more than one year.

Identity Theft - Business Owner's Responsibilities

What Are Identity Theft and Identity Fraud?

The short answer is that identity theft is a crime. Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain. These Web pages are intended to explain why you need to take precautions to protect yourself from identity theft. Unlike your fingerprints, which are unique to you and cannot be given to someone else for their use, your personal data -- especially your Social Security number, your bank account or credit card number, your telephone calling card number, and other valuable identifying data -- can be used, if they fall into the wrong hands, to personally profit at your expense. In the United States and Canada, for example, many people have reported that unauthorized persons have taken funds out of their bank or financial accounts, or, in the worst cases, taken over their identities altogether, running up vast debts and committing crimes while using the victims' names. In many cases, a victim's losses may include not only out-of-pocket financial losses, but substantial additional financial costs associated with trying to restore his reputation in the community and correcting erroneous information for which the criminal is responsible.

In one notorious case of identity theft, the criminal, a convicted felon, not only incurred more than $100,000 of credit card debt, obtained a federal home loan, and bought homes, motorcycles, and handguns in the victim's name, but called his victim to taunt him -- saying that he could continue to pose as the victim for as long as he wanted because identity theft was not a federal crime at that time -- before filing for bankruptcy, also in the victim's name. While the victim and his wife spent more than four years and more than $15,000 of their own money to restore their credit and reputation, the criminal served a brief sentence for making a false statement to procure a firearm, but made no restitution to his victim for any of the harm he had caused. This case, and others like it, prompted Congress in 1998 to create a new federal offense of identity theft.

What are the Most Common Ways To Commit Identity Theft or Fraud?

Many people do not realize how easily criminals can obtain our personal data without having to break into our homes. In public places, for example, criminals may engage in "shoulder surfing" -- watching you from a nearby location as you punch in your telephone calling card number or credit card number -- or listen in on your conversation if you give your credit-card number over the telephone to a hotel or rental car company.

Even the area near your home or office may not be secure. Some criminals engage in "dumpster diving" -- going through your garbage cans or a communal dumpster or trash bin -- to obtain copies of your checks, credit card or bank statements, or other records that typically bear your name, address, and even your telephone number. These types of records make it easier for criminals to get control over accounts in your name and assume your identity.

If you receive applications for "preapproved" credit cards in the mail, but discard them without tearing up the enclosed materials, criminals may retrieve them and try to activate the cards for their use without your knowledge. (Some credit card companies, when sending credit cards, have adopted security measures that allow a card recipient to activate the card only from his or her home telephone number, but this is not yet a universal practice.) Also, if your mail is delivered to a place where others have ready access to it, criminals may simply intercept and redirect your mail to another location.

In recent years, the Internet has become an appealing place for criminals to obtain identifying data, such as passwords or even banking information. In their haste to explore the exciting features of the Internet, many people respond to "spam" -- unsolicited E-mail that promises them some benefit but requests identifying data -- without realizing that in many cases, the requester has no intention of keeping his promise. In some cases, criminals reportedly have used computer technology to obtain large amounts of personal data.

With enough identifying information about an individual, a criminal can take over that individual's identity to conduct a wide range of crimes: for example, false applications for loans and credit cards, fraudulent withdrawals from bank accounts, fraudulent use of telephone calling cards, or obtaining other goods or privileges which the criminal might be denied if he were to use his real name. If the criminal takes steps to ensure that bills for the falsely obtained credit cards, or bank statements showing the unauthorized withdrawals, are sent to an address other than the victim's, the victim may not become aware of what is happening until the criminal has already inflicted substantial damage on the victim's assets, credit, and reputation.

What's the Department of Justice Doing About Identity Theft and Fraud?

The Department of Justice prosecutes cases of identity theft and fraud under a variety of federal statutes. In the fall of 1998, for example, Congress passed the Identity Theft and Assumption Deterrence Act. This legislation created a new offense of identity theft, which prohibits "knowingly transfer[ring] or us[ing], without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law." 18 U.S.C. § 1028(a)(7). This offense, in most circumstances, carries a maximum term of 15 years' imprisonment, a fine, and criminal forfeiture of any personal property used or intended to be used to commit the offense.

Schemes to commit identity theft or fraud may also involve violations of other statutes such as identification fraud (18 U.S.C. § 1028), credit card fraud (18 U.S.C. § 1029), computer fraud (18 U.S.C. § 1030), mail fraud (18 U.S.C. § 1341), wire fraud (18 U.S.C. § 1343), or financial institution fraud (18 U.S.C. § 1344). Each of these federal offenses is a felony that carries substantial penalties -- in some cases, as high as 30 years' imprisonment, fines, and criminal forfeiture.

Federal prosecutors work with federal investigative agencies such as the Federal Bureau of Investigation, the United States Secret Service, and the United States Postal Inspection Service to prosecute identity theft and fraud cases.

What Can I Do About Identity Theft and Fraud?

To victims of identity theft and fraud, the task of correcting incorrect information about their financial or personal status, and trying to restore their good names and reputations, may seem as daunting as trying to solve a puzzle in which some of the pieces are missing and other pieces no longer fit as they once did. Unfortunately, the damage that criminals do in stealing another person's identity and using it to commit fraud often takes far longer to undo than it took the criminal to commit the crimes.

Where Can I Find Out More About Identity Theft and Fraud?

A number of government and private organizations have information about various aspects of identity theft and fraud: how it can occur, what you can do about it, and how to guard your privacy. To help you learn more about the problem and its solutions, we've attached a list of Web sites that you might find interesting and informative on identity theft and related topics.

Note: All Web sites to which these pages cross-link are included as a service for the reader. Cross-links to non-governmental sites do not constitute an endorsement or approval of their content, or of the organizations responsible for that content, by the Department of Justice.

Using Consumer Credit Reports

In 1949 Diner’s Club launched the first charge-card company. Fifty-five years later, Americans spend more using credit cards than they spend with cash, according to a study by Dove Consulting. With more than $2 trillion worth of credit card transactions each year, the creditworthiness of card users is an increasingly important issue to creditors and consumers alike. While most people realize that their personal creditworthiness is tracked on something called a credit report, few know much about it or their scoring. The score, known as a FICO score, was developed by Fair Isaac & Co. to evaluate the likelihood that consumers will pay their bills. FICO scores range from a low of 300 points (highest risk) to a high of 850 points (lowest risk) and are used as the deciding factor on more than 75% of credit applications, according to Equifax, one of the three major credit bureaus in the United States. In 2003, nearly 50% of Americans had a FICO score between 700 and 800. (See the article The Importance Of Your Credit Rating.)

In determining the FICO score, mathematical models are used to analyze the data on an applicant’s credit report, taking into consideration five factors: previous credit performance, current level of indebtedness, time credit has been in use, types of credit available and pursuit of new credit.

What's on The Report and Why Should I Care? 

An in-depth look at a credit report provided by Equifax provides a good overview of the type of information that can be obtained from any of the major credit reporting bureaus. The Equifax report is divided into seven sections.

The first section contains personal data, such as current and previous addresses, social security number and employment history. This is crucial data to identity thieves, so be sure to protect it by making sure this information is correct and accurate, and if you discard it, shred thoroughly.

The second section of the Equifax report provides a summary of the applicant’s credit history. It includes the number of accounts (both open and closed) held by the applicant, the type of accounts (mortgage, installment, revolving, or others), the number of credit inquiries over the last 12 months, the number of accounts that are past due as well as those in good standing. Intuitively, it may seem like the more accounts you have open, the higher your credit score will be, but when it comes to credit, more is not necessarily better.

When financial institutions review your credit report prior to approving a loan, they often assume that you will use all of the available credit on your credit cards and factor-in the monthly payments that would be required to service that debt. If you have a dozen credit cards, all with zero balances, you might have no problem making a $2,000 mortgage payment each month, but the bank might look at the situation differently. If the bank factors in your ability to make monthly payments on a dozen credit cards in addition to a $2,000 mortgage, your creditworthiness may be diminished. 

The third section provides detailed account information. It includes the name, account type, account number, date opened, balance and status of every account on the applicant’s record. A breakdown of each account provides payment history, date of last activity and contact information for the credit issuer. The section also includes a summary of past-due accounts and accounts with a negative credit history. If you disagree with any of this information, you have the right to challenge it. Under federal law, the credit reporting agency then has 30 days to respond to your challenge. If your challenge is successful, the offending information will be removed from your report. 

The fourth section addresses inquiries into the applicant’s credit history. Inquiries are classified as "hard" or "soft". Hard inquiries are "generated when you authorized a company listed to request a copy of your credit report". The number of inquiries over a twelve-month period is tracked and taken into account when your FICO score is calculated. An excessive number of hard inquiries has a negative impact on your score. Soft inquiries are generated by your current creditors checking on your status, credit card issuers reviewing your file to see if they wish to extend an unsolicited offer and you personally checking your own credit. Potential lenders don’t see these inquiries when they review your credit report, and these inquiries do not impact your credit report.

The fifth section details any accounts that have been turned over to a credit agency. If you failed to make payments and any of your accounts were sent to collection, information about the delinquent accounts appears here. Similarly, the sixth section of the report provides information about liens, wage garnishments or other judgments that appear against you in federal, state or county court records.

The seventh section of the report provides information on how to dispute any of the information on your credit report. When it comes to delinquent accounts and other damaging information, the only way to repair your credit is to wait. Despite the claims of those late-night infomercials, once negative information appears on your credit report, there is little you can do to clear it up if the information is truthful and accurate. The Federal Trade Commission says such information remains on your report for seven years, with several exceptions. Bankruptcy remains on your report for ten years. Lawsuit-related information remains until the suit is settled. To avoid these problems, make all payments on time and don’t ignore any issues that arise with creditors. 

How Does That Information Impact Your Score?

Factors such as payment history, the length of time an individual has had credit and the individual’s employment history all play a role in determining your FICO score. So, even though you may have an excellent source of income and pay all of your bills on time and in-full, if you don’t have a mortgage, car payments or revolving debt of any kind, it is unlikely that your FICO score will be 850. 

Equifax cites late payments, or lack thereof, length of credit history and the size of account balances in relation to your credit limits as major factors that impact your FICO score. Even if you pay off the full amount owed on your credit cards each month, the size of the bill has an impact on your score, as large balances are frowned upon. 

Privacy Rules for Financial Companies

From national banks to local mortgage lenders, any business that handles personal financial information must comply with the Gramm-Leach-Bliley (GLB) Act.

Children's Online Privacy

TITLE XIII-CHILDREN'S ONLINE PRIVACY PROTECTION

SEC. 1301. SHORT TITLE.

This title may be cited as the "Children's Online Privacy Protection Act of 1998".

SEC. 1302. DEFINITIONS.

In this title:

(1) CHILD.—The term "child" means an individual under the age of 13.

(2) OPERATOR.—The term "operator"—

(A) means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce—

(i) among the several States or with 1 or more foreign nations;

(ii) in any territory of the United States or in the District of Columbia, or between any such territory and—

(I) another such territory; or

(II) any State or foreign nation; or

(iii) between the District of Columbia and any State, territory, or foreign nation; but

(B) does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

(3) COMMISSION.—The term "Commission" means the Federal Trade Commission.

(4) DISCLOSURE.—The term "disclosure" means, with respect to personal information—

(A) the release of personal information collected from a child in identifiable form by an operator for any purpose, except where such information is provided to a person other than the operator who provides support for the internal operations of the website and does not disclose or use that information for any other purpose; and

(B) making personal information collected from a child by a website or online service directed to children or with actual knowledge that such information was collected from a child, publicly available in identifiable form, by any means including by a public posting, through the Internet, or through—

(i) a home page of a website;

(ii) a pen pal service;

(iii) an electronic mail service;

(iv) a message board; or

(v) a chat room.

(5) FEDERAL AGENCY.—The term "Federal agency" means an agency, as that term is defined in section 551(1) of title 5, United States Code.

(6) INTERNET.—The term "Internet" means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.

(7) PARENT.—The term "parent" includes a legal guardian.

(8) PERSONAL INFORMATION.—The term "personal information" means individually identifiable information about an individual collected online, including—

(A) a first and last name;

(B) a home or other physical address including street name and name of a city or town;

(C) an e-mail address;

(D) a telephone number;

(E) a Social Security number;

(F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or

(G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph.

(9) VERIFIABLE PARENTAL CONSENT.—The term "verifiable parental consent" means any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator's personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.

(10) WEBSITE OR ONLINE SERVICE DIRECTED TO CHILDREN.—

(A) IN GENERAL.—The term "website or online service directed to children" means—

(i) a commercial website or online service that is targeted to children; or

(ii) that portion of a commercial website or online service that is targeted to children.

(B) LIMITATION.—A commercial website or online service, or a portion of a commercial website or online service, shall not be deemed directed to children solely for referring or linking to a commercial website or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link.

(11) PERSON.—The term "person" means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.

(12) ONLINE CONTACT INFORMATION.—The term "online contact information" means an e-mail address or another substantially similar identifier that permits direct contact with a person online.

SEC. 1303. REGULATION OF UNFAIR AND DECEPTIVE ACTS AND PRACTICES IN CONNECTION WITH THE COLLECTION AND USE OF PERSONAL INFORMATION FROM AND ABOUT CHILDREN ON THE INTERNET.

(a) ACTS PROHIBITED.—

(1) IN GENERAL.—It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).

(2) DISCLOSURE TO PARENT PROTECTED.—Notwithstanding paragraph (1), neither an operator of such a website or online service nor the operator's agent shall be held to be liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under subsection (b)(1)(B)(iii) to the parent of a child.

(b) REGULATIONS.—

(1) IN GENERAL.—Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate under section 553 of title 5, United States Code, regulations that—

(A) require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child—

(i) to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator's disclosure practices for such information; and

(ii) to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children;

(B) require the operator to provide, u


