September 2004 -- Volume 8 -- Number 9 -- newsletter@truste.org
 

 

 
TOP 5 STORIES OF THE MONTH
  1. Proper Privacy Policies Can Boost Online Shopping: Study (WebIndia123.com - August 31)
  2. California Legislature OKs Offshore Privacy Bill (San Jose Mercury News - August 25)
  3. U.S. Wants All Air Traveler Files for Security Test (The New York Times - September 22)
  4. New Spyware Uses Virus Tricks to Make Removal Difficult (ABC News - August 18)
  5. Proposition 69 Could Threaten Privacy of DNA (San Francisco Chronicle - August 22)



Knowledge You Need
According to Jeff Williams of Microsoft, corporate privacy and security teams share many common goals.
»Learn More

Privacy Best Practices
Watchfire is working to develop solutions to protect Web applications, not just the data they transmit.
»Learn More

TRUSTe News
TRUSTe files new comment on CAN-SPAM, and welcomes a new VP of policy and legal.
»Learn More

Privacy Resource
Concerned about ensuring the internal security of your company's data? Consult ISO 17799, the international information security standard.
»Learn More

Stay Current!
Privacy events around the world and on the Web.
»Learn More

TRUSTe Tech Tip
Update your privacy statement with these new URLs for TRUSTe's Watchdog Dispute Resolution program and "Click to Verify" seal.
»Learn More

Welcome New Members
The newest Web sites to display the TRUSTe seal.
»Learn More

 
 


Data Privacy and Security: Two Facets of the Same Problem
By Jeff Williams

There is often a disconnect between professionals who focus on security and those who focus on privacy. The two groups are frequently isolated from one another within their organization -- security is handled by IT, for example, while privacy is handled by audit, legal, or another governance group. At worst, this separation breeds mistrust. More often, it fosters misunderstanding between the two groups about just how much their goals overlap.

The long and the short of it is that you cannot have data privacy without data security. The premise is simple, but it isn't always obvious.

In my own work at Microsoft, I like to think of security as the "how" and privacy as the "why." They are different facets of the same problem: ensuring that data are protected. It doesn't matter if the data in question are customers' personally identifiable information, sensitive health data, source code, or other intellectual property. We want to ensure that only people with a legitimate business need have access to the data, and then only under the auspices of the appropriate laws and corporate policies.

Bringing a company's privacy and security teams together would show both sides how much they have in common. Both teams must consider the same legislative requirements: CA SB 1386, HIPAA, and the Gramm-Leach-Bliley Act, for example. The best practices documented in ISO 17799 and in Federal Information Processing Standard 199 are also of interest to both. The principle of defense in depth -- never relying on a single layer of protection to mitigate any particular risk -- applies in both arenas. And both teams succeed through the same means: applying technology, implementing standard operating procedures, and educating users.

We want to protect our data not only when they are at rest on a computer's hard drive but also as they are processed in any application, when they are transmitted internally across our networks, and when they cross the perimeter between our network and a partner's network or the Internet itself. Each of these points is a place where we can implement protections for any type of data. By layering defenses at all of them, we protect data far better than if we focus solely on data at rest.

My advice to any organization whose security and privacy teams are not harmonized would be to schedule some time to ensure that both teams' action plans are in sync, that they understand the risks you wish to avoid, that your training and awareness initiatives are intertwined, and that you focus on both the how and the why together.

Jeff Williams is services privacy officer at Microsoft.

 
 
 


Ensuring Security for Web Applications, Not Just the Data They Transmit
by Mike Weider

Web application security has become a growing concern that many organizations are not properly addressing. Web applications drive most major Web site functions, including forms that collect personal information (credit card and bank account numbers, medical history, email addresses), classified information, and user-satisfaction feedback.

Attackers typically exploit vulnerabilities in the architecture, design, configuration, or code of Web applications for three ends:

  • Theft of information (including identity theft)
  • Denial of service (shutting down Web sites)
  • Defacement (public embarrassment)

Watchfire, provider of WebXM, the leading enterprise software platform for managing online business, recently acquired Sanctum, the pioneer in Web application security testing and firewall software. Sanctum's Web application security testing solution, AppScan, and its application firewall, AppShield, let enterprise users secure business applications throughout the development lifecycle -- from development and testing through auditing and deployment -- to prevent attacks on current and emerging Web applications.

By combining Web application security with Watchfire's privacy solution, organizations can institute a comprehensive online risk management program. Watchfire's privacy solution helps ensure proper information is collected, while Web application security helps ensure that collected information is kept safe and secure. Reducing security defects before Web applications are deployed in a live production environment means that enterprise users are able to deploy applications quickly, reduce deployment costs, improve resource allocation, assure compliance, and minimize risk.

Web application security is a critical component of an overall online business management strategy. This combined solution will help organizations meet security and privacy standards and achieve regulatory compliance with internal corporate policies and external regulations, thereby minimizing the risks of doing business online.

Mike Weider is founder and chief technology officer of Watchfire.

 
   
 
 
TRUSTe Submits New Comment on CAN-SPAM

In the most recent round of rulemaking for the CAN-SPAM Act, the U.S. Federal Trade Commission requested comment on how the act assesses the primary purpose of an email sent from an organization or company to an individual. The FTC defined three categories: "transactional" emails, "partially commercial" emails, and "commercial" (marketing-oriented) emails. The commission proposed subjecting emails in question to two tests. The first test is the net impression standard -- looking at the overall content and identifying what the average consumer would consider commercial. The second proposed test evaluates the text in the subject line.

On September 13, 2004, TRUSTe supplied comments to the FTC on the rulemaking. TRUSTe argued that the subject line of an email message should not be used as the sole criterion for determining whether the email is commercial, but only as part of an overall impression test that also weighs the content of the message body. TRUSTe felt that using the subject line as the defining criterion for commercial messages was too broad from an enforcement perspective and exposed senders of commercial email -- businesses from small to large -- to great liability.

If you are interested in reading the full text of TRUSTe's comment, visit the legal and regulatory activities page on the TRUSTe Web site. TRUSTe is monitoring future rulemakings on CAN-SPAM to ensure that our experience in this area can assist legitimate commercial emailers. We welcome your input and feedback.

TRUSTe Hires New Policy VP

TRUSTe is pleased to announce that Cathy Bump has joined our team as vice president of policy and legal.

An attorney specializing in privacy and data security issues, Ms. Bump has particular expertise in financial privacy -- including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the more recent FACT (Fair and Accurate Credit Transactions) Act. She has also dealt extensively with privacy topics related to direct marketing.

Prior to joining TRUSTe, Ms. Bump served as in-house privacy counsel for Intuit, a TRUSTe sponsor. Her public policy experience includes serving as a U.S. House of Representatives staff assistant as well as, more recently, working with the Federal Trade Commission on various compliance issues and participating in various federal rulemaking processes. She received her law degree at Hastings College of the Law in San Francisco. Contact Ms. Bump at cbump@truste.org.

 
 
 


ISO17799 Defines Data Security Guidelines

The International Organization for Standardization (ISO), the body responsible for such global standards as paper and credit card sizes, also publishes internationally accepted management standards. ISO17799 is a code of practice for information security management: it offers guidance on how to put together internal security procedures within an organization. To learn more about the standard, order a copy, and locate additional resources for interpreting and implementing it, visit the official ISO17799 Web site. In addition, a number of private companies such as Vintara offer support and training on how to apply ISO17799 within your organization.

 
 
 


Upcoming KnowledgeNet Luncheons

The Fall 2004 KnowledgeNet lineup will feature expert speakers in each city. Watch your inbox for an email invitation to join us for these free networking luncheons, open to TRUSTe and IAPP members:

Bay Area
Time: Oct. 6, 11:30 a.m.
Location: Ernst & Young, 1001 Page Mill Road, Building 1, Suite 200, Palo Alto, CA 94304
Speaker: Tess Koleczek, Chief Privacy Officer, E-LOAN
Topic: "Privacy & Outsourcing: Disclosure Is Key to Success"

New York
Time: Oct. 12, 11:30 a.m.
Location: Ernst & Young, 5 Times Square, 23rd Floor, New York, NY 10036
Speaker: Peter Kosmala, Director of Certification, IAPP
Topic: "Certified Information Privacy Professional (CIPP): Defining the Profession"

Minneapolis
Time: Oct. 12, 11:30 a.m.
Location: Ernst & Young, 220 South Sixth Street, Suite 1400, Minneapolis, MN 55402
Speakers: Sagi Leizerov, Ernst & Young, and Michelle Hines, TRUSTe
Topic: "Emerging Best Practices in Privacy"

Philadelphia
Time: Oct. 13, 11:30 a.m.
Location: Marathon Grill, 2001 Market St., Philadelphia, PA 19103
Speaker: Gerald Lewis, senior counsel & chief privacy officer, Comcast Cable Communications
Topic: "State Law Privacy Update"

Additional luncheons are being held in Chicago (Nov. 10) and Atlanta (Nov. 18). Watch this space for details. For more information on these or other KnowledgeNet Luncheons, contact Krystal Putman, marketing associate, at kputman@truste.org or (415) 520-3421, or visit the recently relaunched TRUSTe Web site.


IAPP Privacy & Data Security Academy
Location: Marriott, New Orleans
Dates: October 27-29, 2004

The International Association of Privacy Professionals' Privacy & Data Security Academy & Expo will provide attendees with answers to daily operational challenges with input from frontline experts. Through plenary sessions from internationally recognized privacy leaders and a wide array of industry tracks, you will gain the background and knowledge you need on healthcare privacy, financial privacy, data security, technology, marketing privacy, and spam issues. For a detailed brochure, registration information, and conference updates, visit the IAPP Web site or contact the IAPP conference office at (800) 266-6501.


INBOX East 2004
Location: Atlanta
Dates: Nov. 17-19, 2004

INBOX East covers the latest in spam, phishing, real-time collaboration, data storage, compliance, marketing, and the business and strategy of messaging systems. The conference will focus on security issues such as spammers' tactics, combating phishing attacks, instant messaging threats, digital signatures, and reputation systems. Hear from industry insiders from TRUSTe, MX Logic, MailFrontier, CipherTrust, Yahoo!, IBM Lotus Division, Microsoft, and more. Features:

  • 30 conference sessions
  • 4 keynotes and plenaries
  • 5 symposia
  • Numerous in-depth workshops
  • Exhibit hall

Sign up today and use the TRUSTe member discount code BOXTSTE to save $100 on registration fees!

 
 
 
Tech Tip: Verify that your Web site is using the most updated links to your validation page and to TRUSTe's Watchdog Dispute Resolution program complaint form.

TRUSTe has made improvements to its internal databases. As a result, the complaint Web form URL for our Watchdog Dispute Resolution program has changed, along with the URL for TRUSTe's "Click to Verify" seal.

We have temporarily redirected the previous Watchdog URLs so that outdated links still resolve to the new Watchdog complaint Web form, but we are now asking licensees to update their privacy statements. Please replace the current Watchdog URL in your privacy statement with the following URL: http://www.truste.org/consumers/watchdog_complaint.php.

In addition, the TRUSTe "Click to Verify" seal (clicksealbox.gif) on your privacy statement should no longer link to https://www.truste.org/validate/12345; that format is no longer valid. Please link the seal to http://www.truste.org/ivalidate.php?url=www.truste.com instead. Note that the new URL begins "http://www." rather than "https://www.", and that you must replace "www.truste.com" in the url parameter with your organization's actual Web site address.

By updating these URLs sooner rather than later, you will ensure that your validation page will load quickly and that consumers are only one click away from TRUSTe's Watchdog form when they visit your privacy statement. Please note that these updates will be required prior to completion of your renewal certification.

If you have any questions regarding updating the URLs on your Web site, please contact your account manager directly. He or she will be able to assist you with the update process.

-- Carlos Gil Jr., compliance analyst
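As an added check to go with the tip above (this script is not part of TRUSTe's tech tip or its tools), the following Python audits a privacy-statement HTML file for the retired seal-link form and the new Watchdog complaint URL, and rewrites any old seal link to the new ivalidate.php form with your own host in the url parameter. The sample HTML, the host www.example.com and the function names are constructed for illustration; only the two target URLs and the retired validate/12345 pattern come from the tip.

```python
import re

# Target URLs exactly as given in the tech tip.
NEW_WATCHDOG_URL = "http://www.truste.org/consumers/watchdog_complaint.php"
NEW_VALIDATE_PREFIX = "http://www.truste.org/ivalidate.php?url="

# Retired seal-link form: https://www.truste.org/validate/<numeric id>
OLD_VALIDATE_RE = re.compile(r"https?://www\.truste\.org/validate/\d+", re.IGNORECASE)

# An anchor whose content is the "Click to Verify" seal image (clicksealbox.gif).
SEAL_ANCHOR_RE = re.compile(
    r'<a\s+[^>]*href="(?P<href>[^"]*)"[^>]*>\s*<img[^>]*clicksealbox\.gif[^>]*>\s*</a>',
    re.IGNORECASE | re.DOTALL,
)


def expected_validate_url(site_host):
    """Build the seal link for a site: scheme and trailing slash are dropped,
    because the tip's example passes a bare host (url=www.truste.com)."""
    host = re.sub(r"^https?://", "", site_host.strip(), flags=re.IGNORECASE).rstrip("/")
    return NEW_VALIDATE_PREFIX + host


def audit_privacy_statement(html, site_host):
    """Return a list of (problem, detail) tuples; an empty list means the
    statement already carries both updated URLs."""
    findings = []
    expected = expected_validate_url(site_host)
    for m in SEAL_ANCHOR_RE.finditer(html):
        href = m.group("href")
        if OLD_VALIDATE_RE.fullmatch(href):
            findings.append(("outdated seal link", href))
        elif href != expected:
            findings.append(("seal does not link to the validation page", href))
    if NEW_WATCHDOG_URL not in html:
        findings.append(("missing Watchdog complaint link", NEW_WATCHDOG_URL))
    return findings


def rewrite_seal_links(html, site_host):
    """Replace every retired validate/<id> link with the new ivalidate.php URL.
    The Watchdog link is not rewritten here because the old form is not
    known to this script; the audit only reports whether the new one exists."""
    return OLD_VALIDATE_RE.sub(expected_validate_url(site_host), html)


# Constructed sample: a privacy statement still using the retired seal link
# and lacking the new Watchdog complaint link.
SAMPLE_HTML = """<h2>Privacy Statement</h2>
<p>If you have a dispute about our privacy practices, contact us.</p>
<a href="https://www.truste.org/validate/12345"><img src="clicksealbox.gif" alt="TRUSTe"></a>
"""

if __name__ == "__main__":
    for problem, detail in audit_privacy_statement(SAMPLE_HTML, "www.example.com"):
        print(f"{problem}: {detail}")
    print(rewrite_seal_links(SAMPLE_HTML, "www.example.com"))
```

Run the audit against each page that carries the seal, not only the privacy statement, since the tip's renewal-certification requirement applies to every place the old links appear.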

 
 
 


TRUSTe would like to congratulate the following new members on successfully completing our certification process:

Allstateforms.com, Bidswin, Card Avenue, CrediClear, Citrix Systems, CWMin, Discounted Properties, Excedent Technologies, Foncentral.com, Fujitsu Computer Systems, Goldstar Events, Gratis Internet, Houston Association of Realtors, Jpay, Limabeli, Mail.com Corporation, MarketTools, Mortgage Equities Group, MyWeather, Obsidian Technologies, One Wired World, and Paramax Productions.

 
 
 


Got Feedback?

We would like to hear what you think of the TRUSTe Advocate. Send an email with your comments and suggestions to newsletter@truste.org.

TRUSTe is an independent, nonprofit organization that administers the Internet's first and largest privacy seal program.

685 Market Street, Suite 560
San Francisco, CA 94105
(415) 618-3400
Email: privacyseals@truste.org
Web: www.truste.org

The views and opinions expressed in this newsletter are those of the contributing authors. TRUSTe presents these views as a service to our members, and does not necessarily share or endorse these views.