Lessons Learned from Facebook's Terms of Service

By Gabriel M. Helmer and Aaron Wright

When Facebook changed its official terms of service earlier this month, what ensued was an explosive public outcry over who owns what users post to social networking sites. Tens of thousands of Facebook's 175+ million users suddenly clicked that often-overlooked link at the bottom of the webpage and pored over the arcane and legalistic language comprising Facebook's terms of service. For many, this was no doubt the first time they had ever read the policy. Below, we recap the recent controversy and discuss the three lessons Facebook and the rest of us should have learned from this series of events.

Recap: Facebook Revises Terms of Service, Ignites Massive Public Firestorm

On February 4, 2009, Facebook announced on its official blog that it had updated its terms of service and provided its customers with a link to those new terms of service. The revisions went little remarked upon until February 15th, when The Consumerist, Consumer Reports' official blog, posted a story entitled “Facebook's New Terms Of Service: ‘We Can Do Anything We Want With Your Content. Forever.’” The post focused on a revised clause that provided Facebook with irrevocable rights to use its users’ likenesses and content:

You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof.

The most severe change from the original terms was that the revised clause excised a sentence that terminated Facebook's license to user content:

You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.

After the Consumerist broke the news, the post received over 300,000 hits in a single day (according to the New York Times), and after the post ignited a firestorm of criticism, blog posts and articles, one Facebook user created the user group “People Against the New Terms of Service (TOS)”. Two days later, the Consumerist reported that more than 750 articles had been written on the subject and the People Against the New Terms of Service group had 64,000 members. As of this posting, the group is over 141,000 members and growing. This may make Facebook's recent revision the most controversial event that has ever occurred in the history of website usage policies.

Facebook responded to the criticism within days. First, on February 16, 2009, Facebook attempted to explain that they did not believe the new terms of service did what critics said they did. Then, Facebook withdrew the revised terms of service two days later, on February 18, 2009, and created a user group to open up discussion on a Facebook Bill of Rights and Responsibilities. Facebook appears to be attempting to harness this controversy to power continued user debate and involvement in the site.

Below we discuss three key lessons to learn from the controversy over Facebook’s terms of service.

Identity Theft Tops FTC's Chart of Top Consumer Complaints (Again)

On Thursday, February 26, 2009, the FTC released its list of top consumer complaints, and for the ninth year in a row, identity theft was the number one issue for consumers. See here for the FTC's release. Out of 1,223,370 complaints made to law enforcement organizations, identity theft accounted for 313,982 complaints, around 26% of all consumer complaints in 2008. This represents a 20% increase in identity theft complaints since 2007.

If the FTC's report is any indication of things to come, it could suggest that the FTC will be moving forward with aggressive plans to enforce federal identity theft regulations on May 1, 2009, as promised. After Massachusetts revised its identity theft regulations to delay implementation until January 1, 2010 (which we reported here), many businesses have been hoping to see some relief from the looming federal deadline. Given the sharp uptick in identity theft incidents (which we reported in detail here), indications that the Obama administration wants to aggressively pursue information security (which we reported here), and the fact that the federal regulations are less onerous than those adopted in Massachusetts, the FTC may be less inclined to postpone enforcement beyond May 1st.

Text of American Recovery and Reinvestment Act, security and privacy provisions

For those who want to see the source document, we have provided this link to the text of the American Recovery and Reinvestment Act of 2009. The health security and privacy provisions start at Section 13000, around page 112.

Adding to the Patchwork: HITECH Act Sets New "Floor" for Data Breach Notification of Certain Patient Information

On Tuesday, February 17, 2009, President Obama signed into law the widely-debated federal economic stimulus package, officially titled the American Recovery and Reinvestment Act of 2009, and with it enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Much of the media attention on the HITECH Act has focused on the policies promoting health information technology, a topic that President Obama touted throughout his campaign. However, the HITECH Act also contains myriad regulations that expand the security and privacy provisions of the Health Information Portability and Accountability Act of 1996 ("HIPAA"), and generally extends some of those regulations to non-HIPAA-covered vendors of personal health records and their business partners.

If you are hoping that federal lawmakers have used the HITECH Act to finally set a national standard for patient medical information, however, you will be disappointed.

The HITECH Act, like HIPAA, preempts any contrary state laws, but leaves intact any state laws and regulations that impose stricter requirements on the handling of patient information. As a practical matter, this means that if you are covered by HIPAA and the HITECH Act you must meet new minimum standards while continuing to monitor and comply with the ever-increasing patchwork of laws governing patient information in every state in which you operate.

What follows is a more detailed discussion of the provisions of the HITECH Act and how it attempts to provide additional security for patients' health information.

ALERT: Massachusetts Gives Businesses Until January 1, 2010 to Adopt Information Security Programs To Comply With Recent Identity Theft Regulations

On Thursday, February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a public statement indicating that it is extending the May 1, 2009 deadline to comply with recent Massachusetts identity theft regulations until January 1, 2010. 

The Massachusetts identity theft regulations affect entities that own, license, store or maintain personal information, including social security numbers, state identification numbers and financial account information, about any Massachusetts residents. Under amended regulations filed Thursday, individuals and businesses covered by the regulations must evaluate existing security measures and implement written information security programs on or before January 1, 2010. 

In the OCABR press release, Daniel C. Crane, undersecretary of the OCABR, indicated that the new deadline acknowledges that many businesses are having trouble complying with the new regulations in the wake of recent economic pressures. “We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.” 

The new deadline makes clear that the OCABR is willing to give businesses additional time to improve information security measures, but also that regulators want all affected businesses to meet the new security standards by 2010. For most affected businesses, the new deadline does not mean they should delay their compliance efforts. Many businesses will need the additional time to analyze existing security threats and implement the necessary administrative, physical and electronic security measures. 

Links:

  • The OCABR homepage
  • The OCABR's February 12, 2009 announcement
  • The amended Massachusetts Identity Theft Regulations (17 C.M.R. 17.00-17.05) are available here (.pdf) or from the OCABR's website here (.pdf)

A bad week for the government - data breaches at federal organizations on the rise

It has been a bad week for the federal government's own information security track record.

The first story comes from the FAA, where hackers broke into the agency’s computer systems and stole personal information on some 45,000 individuals. The second story comes from Los Alamos National Laboratory, which confirmed the theft of 67 computers, 13 in the past year alone. In both instances the American people appear to have dodged a bullet. The electronic intrusion into the FAA appears to have been limited to a raid of personal information and did not interfere with air traffic control systems. Also, the physical thefts at Los Alamos apparently did not result in the disclosure of any classified data (e.g., information on the U.S. nuclear stockpile), though what information was taken is still unknown. In both cases governmental entities that we hope would be heavily secured against both electronic and physical thefts appear to have suffered embarrassing breaches. The moral (one hopes) is that while there may be no such thing as perfect security, all of us - including our friends in the government - may need to be working a bit harder and should have a plan in place ahead of time for managing any incidents that eventually arise.

Links:

Federal Aviation Administration website

Los Alamos National Laboratory website

Trends in Data Breach Incidents, Part 2: Avoiding Accidental Exposure

According to the Identity Theft Resource Center’s (ITRC) recently released report (.pdf) on data breaches in 2008, one of the top five causes of data breaches is what the ITRC labels “accidental exposure.” [For our earlier coverage on the ITRC’s report see this link.] The ITRC reports that accidental exposure accounted for 95 of the 656 data breaches in 2008.

ITRC considers “accidental exposure” to be those breaches caused by “inadvertent internet/web posting.” For example, consider the accidental exposure the ITRC labels as “ITRC20080709-02”. In this highly publicized case, an employee at Wagner Resource Group installed the peer-to-peer file sharing software, LimeWire, on a computer that contained personal information relating to the company’s clients. Presumably, the employee installed the software because he wanted to download an MP3, a movie or some piece of software (in violation of copyright law). However, by failing to properly configure the software, the employee inadvertently opened up company files on the computer to any LimeWire user on the Internet. This turned out to be especially disastrous from a public relations standpoint: the data exposed included a number of powerful Washington D.C. area attorneys as well as Supreme Court Justice Stephen Breyer. The story was published on the front page of the Washington Post and received attention from other national papers, such as the L.A. Times. While the breach exposed data involving only a relatively modest number of people, 2,000 individuals, the fact that the lapse involved some high profile victims created substantial bad press. Referring to the file-sharing software, Wagner Resource Group founder Phylyp Wagner stated "I didn't even know what peer-to-peer was. I do now."

Because accidental exposures are caused by human error, a prime problem with this type of breach is that they generally make the company look much worse than a breach caused by a hacker or an ill-intentioned insider. A consumer can understand a company being outsmarted by a thief, or even being compromised by a disgruntled ex-employee, but there is often much less forgiveness for companies that appear to have disclosed their information through sheer carelessness. (See the link for the Breach Blog’s candid response to the news that personal data may have been exposed by an employee of Vonage placing it online in a Google Notebook.)

Protecting against accidental exposure usually does not require expensive solutions. An appropriate computer usage policy prohibits the installation of unauthorized software, like LimeWire and other peer-to-peer file sharing programs that have come under intense fire from the recording and motion picture companies in the last decade. Educating staff, whether through training programs or the occasional reminder, about what to do and what not to do may often be the least expensive solution to accidental exposure. In addition, system administrators need to make sure they are taking appropriate steps to block or monitor peer-to-peer network traffic originating from inside the company network. 

Economy Delivers A Perfect Storm In Information Security: Data Crimes Rising As Economy Stumbles

According to a recently-released report from McAfee, the downturn in the economy is creating a “perfect information security risk storm.” The report, entitled “Unsecured Economies: Protecting Vital Information,” can be found here [Note: McAfee requires registration to download the report]. McAfee bases its findings on a worldwide survey of 1,000 IT decision makers.

The McAfee Report makes four key findings:

  1. Increasingly, important digital information is being moved between companies and across continents and is being lost.
  2. The global economic crisis is increasing pressure on companies to cut spending across the board, including spending on data security, which creates more opportunities for outside cybercriminal threats. Moreover, increasing layoffs are increasing incentives for insiders to steal confidential information.
  3. Elements in certain countries are emerging as the main threats to data security. According to the report, “[g]eopolitical perceptions are influencing data policy reality, as China, Pakistan, and Russia were identified as trouble zones for various legal, cultural and economic reasons.”
  4. Cybercriminals have evolved beyond basic hacking and stealing of data. They are becoming more organized and sophisticated.

In many ways, the global economic crisis could not have come at a worse time for companies attempting to keep their data secure. As layoffs fueled by the troubled economy increase, the number of employees with the motive, means and opportunity to steal valuable data or to sabotage their employer with a damaging data breach is clearly on the rise. According to the McAfee Report, 68% of those surveyed cited “insider threats” as the top threat to essential information. “Data thefts by insiders tend to have greater financial impact given the higher level of data access.”

Coinciding with the increased threat from insiders is a growing and increasingly sophisticated threat from outside groups of cybercriminals. For example, the McAfee report notes that “malware writers now have R&D departments and test departments” and that malware programs are “regularly updated by its developers as to which vulnerabilities to exploit.” According to one source, the number of malicious programs on the internet tripled in September 2008. 

And while the expansion of information crime has led to increased government regulation, it is clear that the complex demands of various state and federal regulatory schemes are increasing the burden on companies already struggling in the weakening global economy. According to the National Conference of State Legislatures, 44 states have enacted legislation requiring notification of security breaches. This leaves companies with the unenviable task of determining what state laws apply and how to make sure they are complying with scores of overlapping, potentially inconsistent state rules. This quagmire has led to calls for Congress to set a single federal standard for information security. A group called the Consumer Privacy Legislative Forum, which includes companies such as eBay, Microsoft and Hewlett Packard, released a statement calling for “comprehensive harmonized federal privacy legislation” and will be outlining recommendations for such legislation next month. The FTC also has recommended in its recent report on Social Security numbers that Congress set federal standards for information security. 

Between the increasing threats to information assets and the confusing morass of new regulations governing information security, businesses are stuck between a rock and a hard place, while the funds and personnel needed to address the threats and comply with increased regulation are dwindling. Given recent reports that “[o]rganizations that experienced a data breach in 2008 paid an average of $6.6 million last year to rebuild their brand image and retain customers,” the only way through this perfect storm may be to push ahead with efforts to evaluate the increasing security threats and adopt reasonable measures to combat these threats, as regulators appear to be demanding.
