
“Good Driver Safety Practice” in Fleet Risk Management versus Privacy Regulations and Driver Expectations


Presentation Transcript


1. “Good Driver Safety Practice” in Fleet Risk Management versus Privacy Regulations and Driver Expectations

2. Driver Safety Trends
• The Fleet Risk Management Industry in the developed countries has for some time employed Driver Safety Programs that acquire driving data on each driver and train each driver based on their personal driving history and prior accidents. These Programs have lowered driving accidents and driving fatalities and have benefited both businesses and their driving employees by avoiding projected accident trends.
• “Good Driver Safety Practice” now increasingly utilizes additional driver personal data to assess each driver’s historical driving trends; to preemptively assess the current driving skills of that individual driver; and then, before that driver goes on the road or has an accident, to preemptively train that individual driver to avoid the accidents to which they had been assessed to be prone. These preemptive assessments seek to further lower driving accidents and fatalities by orders of magnitude and ultimately to eliminate them entirely.
• These tools for improving driver safety are demonstrably effective and are evolving as the industry adopts best practices throughout the world, driving down road fatalities and reducing the risks and costs of both employers and employees.
• But governmental privacy regulations increasingly seek to regulate the use of such personal data, and for Driver Safety Programs to expand the use of personal data without recognizing this regulatory impact risks such Programs losing access to the data.

3. Workshop Theme
This Workshop seeks to model how Driver Safety Programs can obtain the best of both worlds by: First, continuing to acquire additional and more personal driving data to power preemptive assessment “Good Driver Safety Practices”; Second, upgrading the Processing of their Driver Safety Programs; and Third, obtaining express employee consent for using such personal data in both the Corporate Fleet and the Grey Fleet, so as to continue to fully comply with evolving privacy protection regulations and employee expectations. This Workshop will urge that these “Good Driver Safety Practices” be adopted broadly, both to capture the cost savings that arise in implementation and to eliminate the loss to Gross National Product that inevitably takes place when driver safety is not promoted.

4. STANLEY UNDERWOOD NORTH, III, Partner
• Mr. North is a Partner in the Firm’s Corporate Group and has been Chair of the International Trade and Investment Committee of the New Jersey State Bar Association for several years. He focuses his practice on international trade and investment, securities law, contracts, licensing, mergers, acquisitions and business combinations, and other issues encompassing the full range of commercial transactions. He represents foreign and domestic companies, public and private, in their ongoing operations as well as in complex domestic and international business transactions in the biotechnology, medical devices, fleet risk management, high-technology, health care and environmental remediation industries, among others. Mr. North advises foreign companies in successfully establishing their presence in North America in accordance with applicable corporate, immigration, intellectual property, privacy and other regulatory requirements.

5. STANLEY UNDERWOOD NORTH, III, Partner
• Of particular relevance, Mr. North has represented Interactive Driving Systems from inception as this preemptive driver risk assessment and fleet risk management company expanded from England to the United States over the last 10 years. It now assesses over 1 million drivers in 30 countries on behalf of over 500 employers in the food, power, pharmaceutical, telecoms, trucking, retail and other industries, and most recently launched its Virtual Risk Manager® products in India in March 2009.

6. Definition of Terms – “Corporate Fleet” and “Grey Fleet”
• The scope of “Good Driver Safety Practices” utilized in fleet risk management programs now extends beyond the “Corporate Fleet” into the “Grey Fleet”.
• The “Corporate Fleet” consists of an employee in an employer’s vehicle, used both during working hours and outside of business hours, whether on the employer’s business or not. Typically it extends to the spouse’s and driving-age children’s use of the vehicle.
• The “Grey Fleet” consists of an employee in his own vehicle, using that vehicle on employer business; it does not extend to personal use not related to the employer.

7. What is Personal Data; How Does it Affect Driver Safety Assessment
• Broadly speaking, personal data is any information about an identified or identifiable person: his or her picture, a national ID number, age, salary and net worth, medical condition, prior criminal convictions, religious affiliation and driving skills are just a few examples.
• An employer’s Driver Safety Program obtains selected personal data of the employees being given company cars and uses it to assess their driver safety training needs. In current Good Driver Safety Practice, such personal data is used to preemptively project the accidents anticipated to come from that individual driver, leading to intensive personalized training to avoid such future accidents.
• For Driver Safety purposes, the scope of personal data useful for assessment continues to evolve; it now includes the driver’s age, prior “Driving Under the Influence” (“DUI”) convictions, use of real-time global positioning systems to record location, and use of “black boxes” to determine vehicle speed and reckless driving.
• Although employees may consider this evolving data to be very personal and private, it is highly predictive of future driving results, and remedial action taken in reliance upon assessing such personal data demonstrably saves lives and lowers costs.

8. Sources of Privacy Regulation
• Adopting “Good Driver Safety Practices” must be managed so as to avoid conflict with local country privacy regulations and local driver privacy expectations. The primary sources of such privacy regulations include:
• The European Data Privacy Directive;
• The US Driver Privacy Act, other “sector” privacy statutes, and privacy regulation at the federal, state and local level in other sectors;
• Developed nations that follow either the EU or US models or their own paths; and
• Emerging nations where privacy protection laws are sparse but which are attentive to the developing trends of their trade partners.

9. EU Privacy Directive
• Europe’s broad protection of the confidentiality of personal data can be viewed as a reaction against a history of intrusive governments maintaining “secret files” on their citizens.
• The EU Privacy Directive was adopted in 1995 with broad, all-encompassing “omnibus” effect. Today it arguably has the most momentum in protecting individual privacy and the broadest reach in regulating the “Processing” of personal data about identifiable persons. Conceptually, it protects a person’s personal data as if that data were an intellectual property right such as a trademark or patent.
• A key aspect of the Directive’s impact on the fleet risk management industry is that the Directive specifically prohibits sending personal data to any country outside the EU that does not have a “level of protection” considered “adequate” by the Directive’s standards.
• The Directive is binding on all 27 EU countries, each of which is required to adopt it as its own local law (“transpose” it) and to empower its own Data Protection Agency (“DPA”). While purportedly consistent in broad policy, each country’s privacy regime can vary widely in implementation.

10. Lore of DPA Implementation of the EU Privacy Directive
EU Member States have added their own unique flavor of “transposing”, including extra rights.
• These can include registering the data controller/processor prior to “Processing” data [Denmark, UK, France];
• Requiring either an internal data protection officer to be appointed or each “Processing” to be registered with the DPA [Germany];
• Special notification to the DPA of the collection of genetic and biometric information, or of “Processing” to analyze and profile persons [Italy]; and
• Prohibition of anonymous “whistleblower” hotlines [Spain].

11. Driver Safety Processing of Personal Data in the EU
To “Process” Personal Data is essential to Driver Safety, and in the EU to “Process” consists of at least 8 distinct elements:
• Collecting personal data;
• Recording personal data;
• Organizing personal data;
• Storing personal data;
• Retrieving personal data;
• Using personal data;
• Disclosing personal data by transmission; and
• Dissemination of personal data.
Thus, the mere act of holding EU personal data is itself a regulated activity.

12. EU Directive Requirements
• The EU Data Directive requires EU governments and corporations to “Process” personal data in accordance with “Data Quality Principles”, and only when it is either:
• “Necessary”; or
• When the person owning the personal data provides “Consent”.

13. Driver Safety Programs Must Meet EU Data Quality Principles
• The EU Data Quality Principles of Processing:
• Fairness [i.e. the data is fairly and lawfully processed];
• For a Specified Purpose;
• In a “Restrictive Manner” that is adequate and relevant;
• Accurate when collected and kept up to date;
• “Securely Maintained” against unauthorized disclosure or access;
• Automated Processing of the data cannot be the sole determinant of personal outcomes; and
• Destroy the data as soon as it is obsolete for its Specified Purpose.

14. Is it “Necessary” to Process Personal Data in the EU, or just “Convenient”?
It is “Necessary” to Process Personal Data when it accomplishes one of five objectives:
• Performs a contract to which the person is a party;
• Complies with a law;
• Protects the person’s vital interests;
• Advances the public interest or facilitates the exercise of official authority; or
• Furthers an entity’s legitimate interests without infringing the person’s fundamental rights and freedoms.
POINT OF CONCERN: Driver Safety Programs could perhaps be viewed as merely a convenience to the employer, and their use of employee privacy data as not strictly “Necessary”. Obtain consents to avoid this uncertainty.

15. EU Privacy Effective Consent Guidance
Consent is expressly provided for in the Directive (although not well defined) and can be easily documented as having been obtained; to be effective, such “Consent” should certainly include:
• Disclosure, prior to consent, of the type of personal data to be collected and the purposes for which the data is to be Processed;
• Confirmation, prior to consent, that the person has continuing Access to the personal data and can review and correct incorrect data;
• Consent is to be Expressly Given by the person and not by mere implication;
• Consent is to be Freely Given, with the understanding that the person may alternatively deny giving such consent. In the EU, consent given as a condition of employment may be considered not freely given.
• In the Fleet Risk Management industry, the employee driver must clearly understand that by not consenting to participate in the employer’s Driver Safety program, the employee will remain an employee but will neither receive an employer vehicle in the “Corporate Fleet” nor be reimbursed for the use of the driver’s own vehicle in the “Grey Fleet”.
• I would urge that obtaining the employee’s affirmative written consent as a condition of having an employer vehicle is the bridge of “something more” that can bring such historic driver data into driver safety assessment models and seek to protect the employer and the public from accident-prone drivers by targeted intervention training.

16. Compliant EU Driver Safety Programs
“Good Driver Safety Practice” in Fleet Risk Management is to seek ever-improving Driver Safety. Employers of EU drivers can comply with the EU Directive by ensuring that their Driver Safety Program has the following elements:
• First, Confirm that their Driver Safety Program complies with the EU Data Quality Principles [more later about “Maintain Security”];
• Second, Disclose to their drivers what personal data they collect in their Driver Safety Programs; how their Program Processes such data to establish training and safety programs; and how the driver’s data can be accessed and corrected by the driver;
• Third, Obtain an Effective Consent from the driver to be a part of the Driver Safety Program; and
• Fourth, in managing the Driver Safety Program, Retain qualified third-party vendors and experts that comply with the EU Directive and, if outside the EU, have an “adequate” “level of protection” of data.

17. Current Best Practices to “Maintain Security” of EU Privacy Data
• Secure Employer Facilities [when not manned, the building should be locked; entry to the personal data room only by authorized persons, with swipe card and password recording who entered and when];
• The Driver Safety Program should have user authentication protocols and should monitor for unauthorized access;
• Personal data that travels across public networks is to be encrypted; firewalls, virus protection and system security should be constantly updated to best practice, robust enough to tolerate denial of service, and filtered to foil “phishing”;
• Use only desktop computers and avoid making paper copies; prohibit the use of mobile laptops, which inevitably are lost and compromised;
• Perform a risk assessment as to identity theft; avoid keeping extraneous personal data [credit card data, national ID numbers and residential address are not needed to assess driver safety]; have a data breach notification procedure; and have record retention/disposal policies;
• Only use dedicated servers (not shared) that are located in your region [EU personal data stored on a US server is a violation without a more “adequate level of protection”];
• Pulverize computer hard drives before discarding them;
• Independent Security Audit of the operations of both the Employer and third-party vendors [impose upon vendors by contract that they must meet the same standards above];
• Train staff periodically, with disciplinary rules for violating employees; and
• Periodically review the Driver Safety Program and adopt “Good Driver Safety Practices” as they evolve.

18. Lore of Effective Consents - 1
• Consents should be an express “Opt In” (not written as “opt out” or arising by implication);
• Expressly state that employee personal data can be used to investigate crime, including that of the employee;
• Consider having the employee annually update such consent, as questions of enforceability can arise if it was only signed years ago, before being married or having children.
• Withdrawal of consent by the employee should terminate access to the company car and is not to be retroactive [i.e. continued use of anonymized employee personal data for historical data and research is permitted, as is limited use to demonstrate the employer’s conduct of care].

19. Lore of Effective Consents - 2
• Enforceable consents typically disclose to the employee the data being collected; describe the intended use of the data; provide mechanisms for data correction; and, if the data is intended to be transmitted out of the country, describe the means and assurances as to how such data will be held out of the country.
• Consents signed upon recruitment should typically remain in force for so long as the employee is employed.
• If the employee’s spouse can use the Company vehicle, consider expanding the employee’s obligation to include providing the driving history of spouses and children, such that the employer could potentially deny use of the Company vehicle if such persons constitute unreasonably risky drivers. “Good Driver Safety Practice” may now be to deny driving privileges in Company vehicles to children under age 25.
• As individual driver data is often anonymized and then incorporated into historical and projected trends, Consents should expressly provide that the subsequent withdrawal of consent by the employee is prospective only; that historical anonymized data can continue to be used; and that the employee’s individual data remains available to demonstrate the employer’s care in training its drivers and seeking to maximize road safety.

20. Preemptive Assessment of Personal Driving Data Saves Lives, Lowers Costs
• Obtaining from the employee such a written, fully descriptive consent in my view permits the employer to access on an ongoing basis pertinent personal driving history data and, in conjunction with ongoing driver assessments, effectively permits the employer to employ a fleet risk management program that can preemptively assess future driving risks and, through training BEFORE an accident, demonstrably lowers the occurrence of accidents; lessens employee downtime; lowers costs; and, most importantly, saves lives. Vehicle fleet employers have announced that by adopting such fleet risk management programs, they have saved the lives of their employees and others and lowered their ongoing fleet management costs by as much as 50%.

21. “Adequate Level of Protection” of EU Personal Data
Compliant EU Driver Safety Programs that comply with the EU regime will generally comply with the privacy requirements of other countries, but employers can only share such data with non-EU countries if that non-EU country has a “level of protection” considered “adequate” by the Directive’s standards. The EU does not consider the US, with its 50-state “patchwork” of privacy regulation, to provide an “adequate level of protection” [Argentina, Canada, Guernsey, Isle of Man, Switzerland, Iceland, Norway and Liechtenstein are considered “adequate”, thus forming an “EU Data Zone”]. Employers seeking to operate Driver Safety Programs sharing EU and US data must rely upon either the EU Model Data Use Contracts; the EU/US TransAtlantic Safe Harbor; or binding corporate rules.

22. EU Model Data Use Contracts
• The EU Commission has adopted three standard forms of Data Use Contracts, the terms of which provide “an adequate level of protection” through “sufficient safeguards” of personal data transmitted to any country outside the “EU data club”;
• Parent companies located outside the EU are advised to enter into such Data Use Contracts with their EU subsidiaries so as to be able to comply with the EU Directive; the same advice holds for parent companies inside the EU with non-EU subsidiaries [some DPAs, such as the French CNIL, require these to be filed and approved before becoming effective];
• An employer’s non-EU third-party consultants and experts with access to that employer’s EU privacy data should either enter into such Data Use Contracts; certify that they meet the EU/US Safe Harbor regime; or adopt binding corporate rules.

23. EU/US TransAtlantic Safe Harbor
As significant “Good Driver Safety Practices” have been designed in North America, and the most proactive users are often US multinational employers with EU employees, the restrictions upon data and assessment flows between the US and the EU were recognized as soon as the EU Directive became effective in 1998.
• The US Department of Commerce and the EU Commission on July 26, 2000 entered into the “Safe Harbor” compromise [Commission Decision 2000/520/EC];
• It applies only to personal data about EU persons coming to the US; it is unique to the US and not available to other non-EU countries [technically, a safe harbor company can deny EU data rights to US persons, although such a denial is not viewed as a “best practice”];
• Under the “Safe Harbor”, the Federal Trade Commission (“FTC”) has asserted that if US companies hold out to the market a privacy policy that by its terms complies with the EU Directive but the US company fails to adhere to that privacy policy, then the FTC will prosecute that US company for unfair or deceptive practices affecting commerce.

24. Adopting the EU/US “Safe Harbor”
If a US employer or vendor is considering joining the EU/US “Safe Harbor”, take the following steps:
• Read the Safe Harbor Overview, including the Benefits of Joining the Safe Harbor documents, the Safe Harbor Workbook and the Helpful Hints Before Certification, all found at www.export.gov/safeharbor;
• Bring the employer/vendor’s privacy policies and practices into compliance with the Safe Harbor’s Requirements, which mirror the EU Data Quality Principles; verify that the employer/vendor has done so; and then
• “Self Certify” the adoption of the Safe Harbor by submitting the EU/US Safe Harbor Certification Form to the FTC.
The list of Safe Harbor companies is found at http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list. As of February 8, 2009 there were 1,714 companies that had joined the Safe Harbor, although several had subsequently withdrawn. An organization may withdraw from the list at any time by notifying the Department of Commerce. Withdrawal from the list terminates the organization’s representation of adherence to the safe harbor, but this does not relieve the organization of its safe harbor obligations with respect to personal information received during the time the organization was on the safe harbor list.

25. Safe Harbor “Self Certification”
A US employer or vendor “self certifies” to the Safe Harbor by:
• First, putting in place fully compliant systems to “Process” and “Securely Maintain” privacy data;
• Second, publicly committing to comply with the EU Directive’s Data Quality Principles and rules;
• Third, publicly disclosing its privacy policy; and
• Fourth, accepting the jurisdiction of the FTC to prohibit unfair or deceptive practices affecting commerce.

26. Binding Corporate Rules (“BCRs”)
• A Corporate Code of Conduct that legally binds each entity of a conglomerate to a specific data handling system that meets the EU Privacy Directive;
• The data handling system links the parent entity, its subsidiaries, its joint ventures and its third-party partners, both within and outside the EU;
• The BCR is described in a Standard Application which is filed with its “most appropriate” DPA; after review and provisional approval it is then sent to every other affected local DPA, and the BCR becomes effective when all DPAs approve.
• Although General Electric has had its BCR approved, BCRs should be viewed as still largely untested in the field.
Having seen how the transition from the EU Directive to the US privacy data regime works, let us review some of the US statutory privacy data requirements themselves.

27. United States Sectorial Approach to Privacy
The US approach to privacy first recognizes an express Constitutional right of free speech to discuss, print or place online anything about ourselves or others, subject to post-disclosure judicial causes of action for damages arising from slander, falsehood and invasion of privacy without consent.
• Subject to freedom of speech, privacy regulation in the US then takes place at the three levels of the federal, state and local governments, each with its own scope of authority and subject to preemption [i.e. a federal law can be made binding on the states, and state law can be binding on local governments]. Each governing body regulates those privacy aspects that it believes important, thus creating a “patch work” of privacy regulation where such regulatory schemes differ.
• As a result, US privacy regulation takes an almost laissez-faire “sectorial” approach, where the federal and state governments regulate in detail the sectors where they agree a person’s personal information needs protection [i.e. a person’s driving record of accidents and convictions; a person’s medical information; an individual’s credit report; and third-party electronic surveillance] but leave most areas of personal data largely unregulated.

28. Federal Regulation of Credit Reporting Agencies
As America grew beyond its small towns, creditors could no longer expect to know their borrowers personally and increasingly relied upon third-party credit reports that compiled a person’s detailed financial history, bankruptcies, judgments, liens and mortgage foreclosures. Credit Reporting Agencies were criticized for inaccurate reporting and for being slow to correct errors.
• Accordingly, the Fair Credit Reporting Act of 1970 was enacted to permit persons to access their credit files; it limits how the files can be disclosed and permits the individual to correct data and to sue for damages for violations of the Act.

29. US Federal Regulation of Privacy
The Federal Government recognized that it was itself obtaining and storing personal data about its citizens and increasingly using computers to process such data in undisclosed ways for undisclosed purposes.
• The Privacy Act of 1974 was enacted to regulate the data gathering function of the Federal Government and to permit individuals to access and correct their personal information.
• The Act provides a broad exception for disclosing data for any “routine use” that is “compatible” with the purpose for which the federal agency collected the information.
• The Act does not apply to State and local governments or to private industry, and they continued to use the national social security number as a “standard universal identifier”.

30. Federal Preemption of Sale of Individual Driving Histories by the State
Prior to 1994, the States made it a practice to sell to third-party marketers the motor vehicle records of individuals, which contained their personal data.
• The US Federal Government preempted such actions by enacting the Driver’s Privacy Protection Act of 1994, requiring the prior consent of the driver before disclosing such data. Today, an employer’s Driver Safety Program typically obtains the consent of its employee driver upon initial recruitment to permit the employer to access the driver’s motor vehicle record online (“to run the MVR”) each year for so long as the employee is employed.
• In contrast, in the EU driver violations are typed onto the driver’s license itself and are available only by the employer physically viewing the original license on a periodic basis.

31. Federal Preemption to Protect Privacy of Medical Records
• The Health Insurance Portability and Accountability Act of 1996 is the first federal statute to directly address health privacy; it required the US Department of Health and Human Services (“HHS”) to draft regulations to protect the privacy of medical records;
• These regulations require obtaining a patient’s consent prior to using and disclosing health information and in conjunction with consenting to participation in clinical trials; they provide a good, comprehensive model for administering and maintaining an individual’s consent.

32. Federal Preemption of Financial “Nonpublic Personal Information”
• US financial institutions obtain significant “nonpublic personal information” about their customers, and as they expanded into other services [mortgages, title services, credit cards] they would share this data with their affiliates and sell it to third-party marketers;
• In 1999, the Federal Government passed the Gramm-Leach-Bliley Act (“GLB Act”), which required financial institutions to inform customers that the institution’s privacy policy permitted sharing with affiliates [without the customer having a right to stop such sharing];
• Sharing such information with third parties was subjected to the customer’s right to “opt-out” and deny such third-party sharing.
• The result was a mass mailing of privacy policies giving customers a number to call or a form to mail in to “opt-out” from sharing data with third parties.
• States still regulate financial institutions holding state residents’ “nonpublic personal information”, but can do so only in a way that does not conflict with the GLB Act.

33. Federal Limited Regulation of Credit Card Fraud and Identity Theft
• In the 30 years since the enactment of the Fair Credit Reporting Act, it became recognized that the expanding use of credit cards by consumers was leading to increasing credit card fraud and identity theft. Thieves would steal a consumer’s credit card and purchase goods or services, running up charges on the credit card. Although the consumer’s liability would be limited to $50, the unpaid bills would be reported by credit reporting agencies, adversely affecting the consumer’s credit score and access to credit;
• As states began to individually address this problem, the Federal Government preemptively enacted the Fair and Accurate Credit Transactions Act of 2003, amending the Fair Credit Reporting Act to require credit reporting agencies to provide consumers with a free credit report each year; to disclose the consumer’s credit score; and to permit victims of fraud to alert just one credit reporting agency, which then must notify the others.

34. Today the US Has No Country-Wide Policy as to Identity Theft or Privacy
• The President’s Identity Theft Task Force was established in May 2006.
• The Task Force issued 31 recommendations in April 2007 [report is at http://www.idtheft.gov/reports/IDTReport2008.pdf].
• The Federal Trade Commission issued its report in December 2008 [report is at http://ftc.gov/os/2008/12/P075414ssnreport.pdf].
• Pending such a national system, the FTC may consider failure to implement reasonable authentication procedures as actionable.

35. Without US National Privacy Standards, “Patch Work” State Privacy Laws Sow Confusion
• The Federal government is unlikely to become involved in privacy, as it is very busy on other things [the economy, the economy, the economy];
• In the absence of a preemptive federal privacy policy, “patch work” State Privacy Laws continue to evolve and are areas of concern to employers with a nation-wide business.
• State regimes are likely to control the privacy agenda for the near future and are getting more aggressive, so as to begin to impact fleet risk management companies at a national level.

36. US State Privacy Laws
• Over 43 US States, the District of Columbia, Puerto Rico and New York City have personal data security laws that purport to be imposed on “foreign” businesses.
• Simply having the personal data of a citizen of a State subjects an employer to that State’s jurisdiction.
• Thus, a physical presence by a business in a particular State is often not required for that business to be subject to that State’s personal data security laws.

37. Selected State Personal Data Security Laws - “Maintain Security” Fragment - 1
• Connecticut State Law effective October 1, 2008 provides:
• “Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal”.
• “Any person who collects Social Security numbers (“SSN”) in the course of business shall create a privacy protection policy which shall be published or publicly displayed”.
• Penalties include fines of $500 per violation, not to exceed $500,000.
NOTE: Here is an instance where a fragmented portion of the EU “Maintain Security” obligations is imposed, and keeping SSNs, which are not needed for “Good Driving Safety Practices”, exposes employers to the additional requirement of publishing their privacy policies.

  38. Selected State Personal Data Security Laws: “Maintain Security” Fragment 2
  • Massachusetts now requires a business that holds “Personal Information” of a state resident to maintain a 12-point Program of “minimum standards to safeguard personal information in both paper and electronic records”.
  • Personal Information is defined as a state resident’s initial/name in combination with an SSN, Driver’s License or State ID number, or a financial account or credit/debit card number.
  • The law applies even if the business is not located in the State.

  39. Relevant Good Practices in Privacy Are Not Just in Fleet Risk Management
  • Note that relevant good practices in data privacy can also arise outside of the Fleet Risk Management industry.
  • Here in the US, the Fleet Risk Management industry should consider the Financial Industry regulations, the HIPAA statute governing personal medical data, and the actively considered E-Health Data Initiatives.

  40. Security of Driver Safety Programs
  • As important as privacy is, regulatory agencies and drivers alike must realize that there is no such thing as perfect security, even when an employer has taken every reasonable precaution.
  • Accordingly, the Fleet Risk Management Industry needs to design its Driver Safety Programs both to use the smallest data “footprint” possible and to be more robust, so as to permit employers to avoid unnecessary risk in using sensitive personal information to improve Driver Safety.

  41. Breach of Privacy Data Exposes Employee Drivers to Risk of ID Theft
  • In a US context, more than 44 states require businesses to disclose when sensitive information may have been accessed by an unauthorized party.
  • In the US, 656 such incidents were reported in 2008, up from 446 incidents in 2007.
  • One of the 2007 incidents involved TJX, owner of the TJ Maxx and Marshalls retail discount chains, where hackers stole 45.7 million credit/debit card and driver license numbers; TJX agreed to pay $65 million to cover fraud losses and the costs of drivers replacing their licenses, and paid a large fine to the FTC for stating in its privacy policy that it used state-of-the-art security measures when it clearly did not.
  • In January 2009, cyber criminals compromised the computer network of Heartland Payment Systems, the credit card processor for over 250,000 US businesses, and gained access to customer information from the 100 million card transactions Heartland handles each month.
  • “Good Driver Safety Practices” seek to avoid recording any personal data that has no safety assessment benefit and could lead to identity theft or fraudulent transactions against the employee.

  42. Good Driver Safety Practice Includes a Security Notification Plan
  • Driver Safety Programs should have a pre-existing Notification Plan to disclose if employee sensitive information may have been accessed by an unauthorized party.
  • The Notification Plan should provide for a dedicated Incident Response Team to assess the type of data breached, who the affected employees are and how the data was accessed, and to institute corrective measures to avoid recurrence.
  • In parallel, the Team should assess the applicable regulatory notification requirements and implement the notification to affected parties.
  • Such notification includes sending a letter or e-mail to affected employees [but not an “Eli Lilly e-mail”]; communication with regulatory authorities; possible press releases; and follow-up as to further developments.
  • Resources should be made available to affected employees [free credit reports, credit monitoring, etc.], and there should be a post-incident assessment as to possible improvements to the Notification procedures themselves. Even if no incidents occur, undertake periodic review and make plan updates as local laws change and “Good Driver Safety Practices” evolve.

  43. “Good Driver Safety Practices” as to Personal Data
  • Consider eliminating the retention of the national identification number of drivers: it can be damaging to the driver if compromised and is not predictive of driving ability.
  • In lieu of the home address, retain merely the zip code of residence and other pertinent accident predictors [e.g. driveway has blind access; driver’s route to common destinations has poor route infrastructure].
  • Do track seat belt use, cell phone use and convictions for “driving under the influence” (“DUI”), which, although each is increasingly personal, can be highly predictive of future behavior unless there is intervention through training.
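The data-minimization practice of slides 40 and 43 (smallest data footprint; drop the national identification number, keep only the zip code of the home address, keep the predictive behaviour fields) can be enforced as an allow-list transform on the driver record before it is stored. The following is an added example written for this page, not code from the presentation or from any fleet risk management product; the raw field names, the allow-list and the sample record are assumptions constructed to mirror the slide’s recommendations.

```python
"""Data-minimization step for a driver safety record (added example).

Assumptions: the raw record field names, the allow-list of safety-relevant
fields and the sample record below are constructed for illustration and
are not from the presentation or any real fleet system.
"""
import re

# Fields the slide treats as predictive of driving risk (names are assumed).
SAFETY_RELEVANT_FIELDS = frozenset({
    "driver_id",                 # employer-issued pseudonymous id, not the national id
    "seat_belt_use_rate",        # fraction of trips with seat belt fastened
    "handheld_phone_events",     # count of hand-held phone use while driving
    "dui_convictions",           # count of DUI convictions
    "driveway_blind_access",     # accident predictor kept alongside the zip code
    "poor_route_infrastructure", # accident predictor kept alongside the zip code
})

# Fields the slide says are damaging if compromised and not predictive of
# driving ability; they are never copied into the stored record.
FORBIDDEN_FIELDS = frozenset({"national_id", "ssn", "home_address", "credit_card"})

US_SSN_PATTERN = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
US_ZIP_PATTERN = re.compile(r"^(\d{5})(?:-\d{4})?$")


class MinimizationError(ValueError):
    """Raised when a record cannot be reduced to the safety-relevant subset."""


def zip_from_address(address: str) -> str:
    """Return only the 5-digit ZIP from a US postal address; the street is discarded."""
    tokens = address.replace(",", " ").split()
    for tok in reversed(tokens):            # ZIP is normally the last token
        m = US_ZIP_PATTERN.match(tok)
        if m:
            return m.group(1)               # ZIP+4 suffix is dropped as well
    raise MinimizationError("no ZIP code found in address")


def minimize_driver_record(raw: dict) -> dict:
    """Return a new record holding only safety-relevant fields.

    - forbidden fields are dropped, never copied; the home address is reduced
      to its ZIP code under the key "residence_zip"
    - unknown fields are dropped too (allow-list, not deny-list)
    - any surviving string value shaped like a US SSN is rejected, so a
      mislabelled field cannot carry the national identifier through
    """
    out = {}
    for key, value in raw.items():
        if key in FORBIDDEN_FIELDS:
            if key == "home_address" and isinstance(value, str):
                out["residence_zip"] = zip_from_address(value)
            continue
        if key in SAFETY_RELEVANT_FIELDS:
            out[key] = value
    for key, value in out.items():
        if isinstance(value, str) and US_SSN_PATTERN.match(value):
            raise MinimizationError(f"field {key!r} looks like a national id")
    return out


# Constructed sample record; every value is made up for the example.
RAW_RECORD = {
    "driver_id": "EMP-00417",
    "national_id": "123-45-6789",
    "home_address": "12 Orchard Lane, Trenton, NJ 08608",
    "seat_belt_use_rate": 0.83,
    "handheld_phone_events": 2,
    "dui_convictions": 0,
    "driveway_blind_access": True,
    "shoe_size": 10,              # irrelevant field: removed by the allow-list
}

if __name__ == "__main__":
    print(minimize_driver_record(RAW_RECORD))
```

The allow-list is the important design choice: a deny-list of known sensitive fields silently lets a new upstream field through, whereas an allow-list makes every retained field a deliberate decision that can be justified as an accident predictor to the driver and to a regulator.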

  44. In a Perfect Fleet Risk Management World
  • In a perfect fleet risk management world, knowing the employee’s historical driving record and driving assessment results, the employer can train the employee not only to ensure the employee driver understands Company policy as to his or her use of the employer’s vehicle, but also on general driver safety topics and on compensating for specific individual driving safety weaknesses.
  • Thus, the employer would train employees that employer policy prohibits using a cell phone while driving; that employees in a region must be aware of unique regional driving risks [deer crossings in New Jersey; cows and elephants in the streets of India]; and that a driver’s individual shortcomings can be overcome [e.g. a history of accidents while backing up a vehicle calls for specialized training; accelerating across an intersection as soon as the traffic light turns “green” raises the probability of hitting vehicles running the intersection’s red light and may require training the driver to wait one more second].

  45. In the Real World Privacy Statutes Can Put the Employer at Risk
  • But the fleet risk management world is not perfect.
  • In the EU, privacy attorneys would advise that, without anything more, such relevant driver history information, although highly predictive of a pending accident, is personal to the individual and should not be accessed by non-governmental third parties such as the employer.
  • Thus, if an employee or his or her spouse or children are demonstrably at risk as a driver due to their driving history, but the employer is not permitted to learn of this relevant driver history, then when such a driver repeats their past history leading to an accident, it can be the employer who is held liable to injured third parties for exposing this unreasonably risky driver to the public.

  46. Driver Safety Privacy Issues to Consider
  • User Authentication: In a web-based system, how does one ensure that the person taking a driver safety assessment test is in fact the employee in question?
  • Is Black Box/GPS tracking necessary? In a “hands free” manner, it can track stolen vehicles; track vehicle use and mileage, leading to oil life assessment and savings; identify unsafe turns and high speeds that waste fuel and indicate a need for retraining; and identify airbag deployment and provide a precise accident location, speeding assistance to accident victims.
  • DUI Drivers: Can an employer require its employee to disclose DUI incidents and require use of a breath analyzer prior to starting a company car?
  • Cell Phones: Can an employer require its employee not to use cell phones while driving a company car during non-work hours?
  • Decal Laws: Should the State require novice drivers to affix identification labels to their vehicles?

  47. “Good Driver Safety Practices” Are Urgently Needed
  The recent dramatic drop in driving fatalities in the State of New Jersey has occurred by adopting “Good Driver Safety Practices” such as requiring repeat drunk drivers to install breath analyzers in their vehicles. But driving fatalities are not dropping in the developing world.
  • In 2004, China, with 3% of the world’s vehicles, accounted for 21% of the world’s traffic fatalities [2004 WHO Report].
  • In 2007, India suffered 130,000 traffic fatalities, 60% more than China, which by then had put 4 times as many cars on its roads. It is predicted that the fatality rates will increase as the country continues its modernization [New Delhi is currently adding 1,000 cars a day].
  • Annual driving fatalities in the developing nations are estimated to subtract 1.5% from their annual GNP, just as the current recession cuts into their growth rate.
  • Without adopting Good Driver Safety Practices now, developing nations are projected to suffer dramatically higher driving fatalities, further miring their citizens in forgone prosperity for decades still to come.

  48. Just Imagine Big and Small Steps
  Order of Magnitude Changes in Good Practices: In 2008 on US roads, about 5,000 young adults were killed and about 450,000 young adults were injured, due in large part to driver distraction, low risk awareness and the inadequate learner driving standards of young adults.
  • To focus on this disproportionate loss of the US’s most promising resources, web-based interactive driver safety programs are in the process of being made available, with appropriate privacy protections and at no cost to young adults with their parents’ consent, to seek to reduce these losses by an order of magnitude [over 5,000 lives saved and 400,000 accidents avoided]. Just imagine what effect such programs could have on the world if such privacy-protected programs were widely adopted with similar effect.
  Incremental Changes in Good Practices: In the US, the NHTSA estimates that over 270 lives are saved for every 1% increase in seat belt use.
  • Compared to 2007, there was an incremental 1% increase in seat belt use, from 82% to 83%, so on that basis alone over 270 lives were saved.
  • Just imagine: if in India alone a similar 1% increase could be accomplished, this would be expected to save over 1,000 lives, and a 10% increase could save 10,000 lives.

  49. Good Driver Safety Practices Are Not Just for the Developing World
  • Adoption of driver safety best practices by one company in Italy generated in a year a 92% reduction in road accidents (69 collisions per million miles driven reduced to under 7 collisions per million miles driven).
  • In the EU, a utility employer upgraded its fleet risk management program and over a five-year period reduced its annual fleet management costs by 50%.
  • A US multinational that incurred “bent metal” costs in the EU of over $45M projects that it can reduce these costs by half in 2009 by adopting “Good Driver Safety Practices”.

  50. We Can Do It
  • Good Driver Safety Practices in Fleet Risk Management will increasingly be employed to “Process” highly personal driver data to preemptively assess each driver’s historical and current driving trends, and then, before that driver goes on the road at the risk of an accident, preemptively train that individual driver to avoid accidents to which they otherwise had been assessed to be prone.
  • These Driver Safety Programs benefit both employers and their driving employees by lowering projected accident trends by orders of magnitude, and these Programs seek to eliminate accidents in their entirety.
  • Governmental privacy regulations regulating the use of such personal data can be complied with by Driver Safety Programs when the Program benefits to be achieved are explained to their driver employees.
  • Such informed drivers can provide their Effective Consent to the Program, and privacy regulators, employers and driver employees will share the same expectations and benefits to be gained.
