What Facebook's IPO Means for Users

I was interviewed for this PC World piece on the potential impact of Facebook's recently announced IPO on data privacy.  My take:  being a public company brings with it more transparency and more regulation, which will force Facebook to be more cautious and ultimately more open about its privacy policies.  This seems obvious to me, but there are those who suggest that being public will add a profit motive that will push Facebook in the other direction. 

Retailer's Request for Zip Code Violated Law, But Generated No Harm

In Tyler v. Michaels Stores, decided earlier this month by the United States District Court for the District of Massachusetts, a retailer's use of a consumer's ZIP code to find her address and send her mailings was held to be a statutory violation, but one that did not give rise to a claim for damages.

Melissa Tyler brought suit against Michaels Stores for violation of Massachusetts General Laws, chapter 93, section 105(a) on behalf of herself and a putative class, claiming that Michaels illegally requested customers' ZIP codes when processing their credit card transactions in violation of section 105(a).  She alleged that the violation of section 105(a) amounted to a per se violation of the Massachusetts Consumer Protection law, chapter 93A, section 9, caused unjust enrichment, and entitled Tyler to declaratory relief pursuant.

Judge Young found that "a ZIP code can indeed be personal identification information under Section 105(a)" but that no harm resulted (that Ms. Tyler's receipt of advertisements for the store was not sufficient to constitute harm):

In the area of identity fraud, a judge in this district has similarly held that where there were no instances of actual data loss or misappropriation, the failure to comply with minimum statutory security standards did not cause cognizable injury because the added risk of identity fraud did not actually cause harm to the plaintiff. Katz v. Pershing, LLC, Civil Action No. 10–12227-RGS, 2011 WL 3678720, at *4 (D. Mass. Aug. 23, 2011) (Stearns, J)....[R]eceiving unwanted commercial advertising through the mail is simply not an injury cognizable under chapter 93A, since Section 105(a) was enacted to prevent fraud.

More on Google's Privacy Policy

Here is an excerpt from my interview yesterday with Jon Mitchell of ReadWriteWeb:

"From a legal perspective, I'm not seeing anything that's much different in what's being proposed to take effect on March 1 and what's in place right now," Zick says. "In particular, the language about sharing across services has been in [Google's policies] for a long time."

Zick points out that all the past versions of Google's privacy policies are on the website, and the last two versions offer line-by-line comparisons to the previous version. Zick expects that Google will do the same with the new policy once it's officially issued.

"What we have is not a reaction to a change in legal language," Zick says, "but it's a change in perception. ... People are just reflexively reacting to the idea that Google is big."

The entire article can be viewed here, and our earlier post here.

Google Changes Its Privacy Policies

As many of you have probably seen already, Google is changing its privacy policies, effective March 1, 2012.  These changes will be effective across all of Google's platforms, and users will not be able to opt out.  A user's only choice to avoid these changes will be to leave Google's search engine, Gmail, Calendar, Search, and YouTube; there is no "opt out" or selective acceptance/rejection of these new policies.  In this regard, Google noted that it remains committed to data liberation, "so if you want to take your information elsewhere you can."

These changes are likely to draw FTC scrutiny, especially in light of the recent decision by Google to incorporate data from its social network, Google+, into search results, which has already resulted in an FTC antitrust investigation.

"Performing Due Diligence Before Signing a Cloud SLA"

My overview of some of the major issues involved in signing a cloud computing agreement can be found in searchcloudcomputing, "Performing Due Diligence Before Signing a Cloud SLA."

* * *

No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall -- in the cloud. However, there is growing consensus about what companies should ask cloud vendors to maintain a secure IT environment and avoid potential legal risks associated with the cloud. 

General areas of concern surrounding the cloud are similar to those of traditional IT:

  • Data security during transmission and storage;
  • Data privacy and confidentiality;
  • Rights of access in general as well as access for local governments and e-discovery;
  • Data ownership;
  • Suspension and termination of service;
  • Forming and negotiating service-level agreements (SLAs) with cloud providers.

Waiters at High-End Steakhouses Arrested for Stealing Customer Credit-Card Numbers

by Brian P. Bialas

At most restaurants, when the time comes to pay the check, you hand over your credit card and a waiter you’ve known for only about an hour takes off with your credit card. You trust that the waiter will only charge your meal and won’t make off with your card number.  But if you ever have been to a Legal Sea Foods restaurant, you will notice that the waiter brings a handheld electronic device to your table to swipe your credit card when you are ready to pay the bill. The credit card never leaves the customer’s sight.

The recent experiences of customers at certain high-end steakhouses show why all restaurants should consider adopting the table-side charge method.  Seven waiters at Smith & Wollensky’s, the Capital Grille, and other high-end restaurants were arrested along with many other co-conspirators, for copying the credit card numbers of restaurant customers with handheld, high-tech “skimmers” and then using those numbers to buy luxury goods that they resold. The waiters targeted credit cards with high or no spending limits so that big purchases would not be flagged. 

The Payment Card Industry Data Security Standard (PCI-DSS) quick reference guide for merchants does not provide any clear guidelines for card handling.  Nevertheless, this incident should serve as a wakeup call for all restaurants to adopt table-side systems to reduce the potential for misuse of customer credit cards.  It also serves as a reminder to anyone dealing with sensitive information to continually review handling procedures and processes and look for ways transmissions can be made more secure.

Facebook Settles FTC Charges that It Deceived Consumers, Agrees to 20 Year Consent Order

In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle "charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public," according to the FTC's press release.

In its complaint, the FTC alleged, among other things, that Facebook “users could not restrict access to their profile information to specific groups, such as “Only Friends” or “Friends of Friends” through their Profile Privacy Settings,” despite Facebook's representations that users could impose such restrictions on their accounts.

In the extensive consent order Facebook entered with the FTC, Facebook agreed (among other things) to “obtain initial and biennial assessments and reports . . . from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession,” which assessments and reports will:

  • set forth the specific privacy controls that [Facebook] has implemented and maintained during the reporting period;
  • explain how such privacy controls are appropriate to [Facebook's] size and complexity, the nature and scope of [Facebook's] activities, and the sensitivity of the covered information;
  • explain how the privacy controls that have been implemented meet or exceed the protections required by Part IV of this order; and
  • certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.

This consent order will last for an astoundingly long time:  20 years.  (Query whether this agreement's terms and length will become the standard for future FTC privacy settlements.) 

Facebook founder Mark Zuckerberg also released a blog post on the settlement, and in it he announced a split in the company's privacy officer role:  Erin Egan will become Facebook's Chief Privacy Officer, Policy, and Michael Richter, currently Facebook's Chief Privacy Counsel, will become Facebook's Chief Privacy Officer, Products.

Credit Card Replacement Costs and Identity Theft Insurance Are Compensable Damages for Data Breach

by Brian P. Bialas, Esq.

Late last week, the U.S. Court of Appeals for the First Circuit ruled that victims of a data breach could pursue compensation from the merchant whose systems were breached for their costs of credit card replacement and identity theft insurance, under theories of breach of implied contract and negligence. See Anderson v. Hannaford Brothers Co., --- F.3d ---, 2011 WL 5007175 (1st Cir. Oct. 20, 2011). 

As alleged by the plaintiffs in their class-action complaint, the Hannaford Brothers grocery store chain suffered a data breach resulting in 1800 fraudulent charges worldwide and hackers stealing up to 4.2 million credit and debit card numbers, expiration dates, and security codes of its customers. Id. at *1. Plaintiffs claimed they were victims of the breach and brought various claims against the chain, alleging they suffered losses including replacement card fees, fees for accounts overdrawn by fraudulent charges, fees for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, emotional distress, and time and effort spent reversing unauthorized charges and protecting against further fraud. Id. at *2. The lower court rejected these claims and entered judgment for Hannaford. Id. at *3.   

On appeal, the First Circuit held that plaintiffs could proceed on two of their claims: breach of implied contract and negligence. Id. at *5, *13. In particular, “a jury could reasonably find an implied contract between Hannaford and its customers that Hannaford would not use the credit card data for other people’s purchases, would not sell the data to others, and would take reasonable measures to protect the information.” Id. Further, on the question of damages, the Court ruled that Maine law allowed recovery of nonphysical damages that were reasonably foreseeable, and incurred during a reasonable effort to mitigate, so long as the efforts constituted a legal injury, such as actual money lost, rather than time or effort expended. Id. at *8-*9. The Court concluded that it was foreseeable, “on these facts, that a customer, knowing that her credit or debit card data had been compromised and that thousands of fraudulent charges had resulted from the same security breach, would replace the card to mitigate against misuse of the card data.”  Id. *11. It also was deemed foreseeable “that a customer who had experienced unauthorized charges to her account . . . would reasonably purchase insurance to protect against the consequences of data misuse.” Id. 

"SEC's Corp Fin Staff Attacks Cyber-Security Disclosure"

I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents:

Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot of cyber-incidents, and there are lots of ways how these will affect your business,” he says. When companies are contemplating the definition of cyber-incidents, they should think expansively, he adds. “Think of data breach, data loss, and denial of service on your Websites when an attack occurs. The [SEC staff] wants you to do this risk assessment so you will understand what this is about,” he said.

Most Recent Sony Breach Illustrates the Cascading Effect of Data Breaches

By Michael V. Dowd

It was revealed recently that Sony’s on-line services were the subject of another significant attack. This incident, however, did not exploit a vulnerability in Sony’s security infrastructure so much as it highlighted the cascading effect of data breaches.

Rather than try to scale any fences or jimmy any windows, this attack used account holders’ own keys to open the front door. According to a statement by Sony, the attackers tested a “massive set” of log-in credentials, consisting of pairs of user IDs and passwords, against accounts on three of its networks. Even though the “overwhelming majority” of the log-in attempts failed, they successfully breached about 93,000 user accounts. This indicates that the attackers used stolen log-in credentials, and did not resort to brute force or dictionary attacks. 

How did the attackers obtain this trove of log-in information? Sony says it is "likely" they were stolen from elsewhere and not from its own networks, based on the low success rate. This may well be true, given the numerous incidents reported of late, some of which gave rise to our post referring to 2011 as The Year of the Breach.

If that scenario holds, it highlights the secondary effects of data breaches, and the relationship among user accounts on different on-line services. It has long been known that individuals often reuse the same username and/or password across multiple on-line services. As a result, if any one of those services suffers a breach that exposes its log-in information, corresponding accounts on the other services become open to the attackers. It is very much a “weakest link” situation.

This risk was also raised in the immediate aftermath of the data breaches at Sony this past Spring. The company initially reported the loss of unencrypted account passwords, which could have had the same cascading effect on its users’ other accounts. Sony later stated that the passwords were in fact hashed. As we described at the time, “hashing” differs from “encryption,” but storing passwords in a hashed form can be an effective way to keep an attacker from seeing or using the plain-text passwords of account holders. Password hashing is a known security technique that apparently was not in place at the “weak link” among the on-line services shared by those 93,000 users.
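The post draws two technical distinctions: hashed password storage keeps a leaked table from being read back as plaintext, and a login stream that touches many different user IDs roughly once each with a low (but non-zero) success rate looks like reused credentials rather than brute force. The following is an added illustration of both points, written for this blog entry; it is not Sony's code or any real system's. The PBKDF2 work factor, the classification thresholds and the audit log lines are all constructed assumptions for the example.

```python
"""Salted password hashing plus a credential-stuffing heuristic over login logs."""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; an assumption for this example, not any vendor's setting.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users who share a
    password still get different stored digests; unlike encryption there is no key that
    turns the digest back into the plaintext, which is the point the post makes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for a login attempt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed login audit lines, "<source> <user_id> <outcome>"; not real data from any breach.
CONSTRUCTED_LOG = """\
198.51.100.7 alice FAIL
198.51.100.7 bob FAIL
198.51.100.7 carol OK
198.51.100.7 dave FAIL
198.51.100.7 erin FAIL
198.51.100.7 frank FAIL
198.51.100.7 grace FAIL
198.51.100.7 heidi OK
203.0.113.9 victor FAIL
203.0.113.9 victor FAIL
203.0.113.9 victor FAIL
203.0.113.9 victor FAIL
203.0.113.9 victor FAIL
203.0.113.9 victor OK
192.0.2.4 mallory OK
"""


def login_stats(log_text: str) -> Dict[str, Dict[str, float]]:
    """Per source address: total attempts, distinct user IDs targeted, and success rate."""
    attempts: Dict[str, int] = defaultdict(int)
    successes: Dict[str, int] = defaultdict(int)
    users: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, user, outcome = line.split()
        attempts[src] += 1
        users[src].add(user)
        if outcome == "OK":
            successes[src] += 1
    return {
        src: {
            "attempts": attempts[src],
            "distinct_users": len(users[src]),
            "success_rate": successes[src] / attempts[src],
        }
        for src in attempts
    }


def classify_source(stats: Dict[str, float], min_attempts: int = 5) -> str:
    """Heuristic labels; the thresholds are assumptions for this example.
    credential_stuffing: about one attempt per distinct user ID, mostly failing
    (leaked pairs from another service, where only reused passwords succeed).
    brute_force: many attempts against few user IDs.
    normal: too few attempts to judge, or neither pattern."""
    if stats["attempts"] < min_attempts:
        return "normal"
    attempts_per_user = stats["attempts"] / stats["distinct_users"]
    if attempts_per_user <= 1.5 and stats["success_rate"] < 0.5:
        return "credential_stuffing"
    if attempts_per_user >= 3:
        return "brute_force"
    return "normal"


def flag_sources(log_text: str) -> Dict[str, str]:
    """Label every source address seen in the log."""
    return {src: classify_source(s) for src, s in login_stats(log_text).items()}


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("stored digest (no plaintext recoverable):", digest.hex()[:16], "...")
    print("verify correct password:", verify_password("correct horse battery staple", salt, digest))
    print("verify wrong password:  ", verify_password("wrong", salt, digest))
    for src, label in flag_sources(CONSTRUCTED_LOG).items():
        print(src, label)
```

In the constructed log the first source touches eight different accounts once each and succeeds twice, which is the reused-credential pattern the post describes; the second source hammers a single account, which is the brute-force pattern the post says was not in play. A real deployment would key on more than source address (ASN, user agent, timing), but the attempts-per-user and success-rate signals are the ones that separate the two cases.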

More Consumer Data Security and Privacy Legislation Introduced

The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8.  This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies.  In particular, Senator Blumenthal's bill, "The Personal Data Protection and Breach Accountability Act," would require businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures, including risk assessment, regular testing of system controls, and paying for two years of credit monitoring for any customer whose data is breached. If adopted, this bill would permit the Justice Department to levy fines of $5,000 per violation per day, up to a total of $20 million per violation. The bill also includes federal data breach notification requirements.

Given the large number of such bills pending, the Senator's junior status, and the fact that his bill has no co-sponsors, it is unlikely that this particular bill will be adopted.  At present, at least 15 bills pending in Congress contain the phrase "data security":

  1. Data Security Act of 2011 (Introduced in Senate - IS)[S.1434.IS]
  2. e-KNOW Act (Introduced in Senate - IS)[S.1029.IS]
  3. BEST PRACTICES Act (Introduced in House - IH)[H.R.611.IH]
  4. To facilitate implementation of title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, promote regulatory coordination, and avoid market disruption. (Reported in House - RH)[H.R.1573.RH]
  5. Personal Data Privacy and Security Act of 2011 (Introduced in Senate - IS)[S.1151.IS]
  6. To facilitate implementation of title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, promote regulatory coordination, and avoid market disruption. (Introduced in House - IH)[H.R.1573.IH]
  7. Data Security and Breach Notification Act of 2011 (Introduced in Senate - IS)[S.1207.IS]
  8. SAFE Data Act (Introduced in House - IH)[H.R.2577.IH]
  9. U.S. Postal Service Improvements Act of 2011 (Introduced in Senate - IS)[S.353.IS]
  10. METRICS Act (Introduced in Senate - IS)[S.1464.IS]
  11. Data Accountability and Trust Act (DATA) of 2011 (Introduced in House - IH)[H.R.1841.IH]
  12. Reform the Postal Service for the 21st Century Act (Introduced in House - IH)[H.R.1262.IH]
  13. Data Accountability and Trust Act (Introduced in House - IH)[H.R.1707.IH]
  14. Protecting the Privacy of Social Security Numbers Act (Introduced in Senate - IS)[S.1199.IS]
  15. Postal Reform Act of 2011 (Introduced in House - IH)[H.R.2309.IH]

Given how many similar bills are pending, it seems likely that something like Sen. Blumenthal's bill will be adopted before this session of Congress is over.

"What Every In-House Counsel Needs to Know About Data Security and Privacy"

I just completed a webinar for the Association of Corporate Counsel, with Ed Palmieri of Facebook, discussing "What Every In-House Counsel Needs to Know About Data Security and Privacy."  The program slides can be found at this link.

Another Big HIPAA Settlement: The UCLA Health System Settles for $865,000

In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules.  This follows on the heels of Massachusetts General Hospital's $1 million settlement with OCR.

The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without legitimate reasons looked at the electronic protected health information of these patients. OCR's subsequent investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.  

The corrective action plan requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years.  All in all, a very expensive proposition for UCLAHS.

Hackers Hit the Headlines

Interesting article in The Economist, focusing on hackers like Anonymous and Lulz Security.

Analysis of the Supreme Court's Decision Striking Down Vermont Pharmaceutical "Data Mining" Law

As promised in our earlier entry, here is our detailed discussion of the Supreme Court's decision in Sorrell v. IMS Health, Inc., written by Colin J. Zick, Pat A. Cerundolo, and Tad Heuer.

On Thursday, June 23, the United States Supreme Court voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical detailing and “data mining” activities. Justice Kennedy’s opinion in the closely-watched case of Sorrell v. IMS Health Inc. held that the Vermont statute was an unconstitutional regulation of commercial speech. In so doing, the Court found that the sale, disclosure, and use of redacted pharmacy records containing physician prescribing information constituted “speech in aid of pharmaceutical marketing” and therefore enjoyed First Amendment protection. This case is an important victory for the pharmaceutical, medical device, biotechnology, and related sectors. The following summarizes this ruling and its potential consequences for those involved in these industries.

Supreme Court Strikes Down Vermont Data Mining Law

By Tad Heuer, Esq.

The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy's opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech.

The first paragraph of Justice Kennedy's opinion provides a brief summary of the posture of the case and of the Court's decision:

Vermont law restricts the sale, disclosure, and use of pharmacy records that reveal the prescribing practices of individual doctors. Vt. Stat. Ann., Tit. 18, §4631 (Supp. 2010). Subject to certain exceptions, the information may not be sold, disclosed by pharmacies for marketing purposes, or used for marketing by pharmaceutical manufacturers. Vermont argues that its prohibitions safeguard medical privacy and diminish the likelihood that marketing will lead to prescription decisions not in the best interests of patients or the State. It can be assumed that these interests are significant. Speech in aid of pharmaceutical marketing, however, is a form of expression protected by the Free Speech Clause of the First Amendment. As a consequence, Vermont’s statute must be subjected to heightened judicial scrutiny. The law cannot satisfy that standard.

We will be publishing a more extensive analysis shortly; watch this space for a link to it.

2011: The Year of the Breach

We are six months into 2011, and it seems destined to be “The Year of the Breach.”  In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach:

  • Epsilon: breach of customer email addresses;
  • RSA: compromise of security tokens (possibly impacting Lockheed Martin);
  • Citigroup: breach of credit card numbers;
  • Sony: multiple thefts of customer data;
  • Sega: customer data theft; and
  • ADP: breach of its benefits-administration business.

What does this mean? First, there are simply more breaches to report. Second, companies are being more open about reporting breaches, both because they are legally required to and because such disclosures are expected by consumers and regulators. Third, these breaches and the resulting publicity will bring legal and corporate reactions. 

On a legal/regulatory level, we are even more likely to see federal data security legislation and stepped-up enforcement. On the corporate side, more and more resources are going to be poured into prevention of breaches. For corporate CIOs, it’s the best of times and the worst of times: they are getting access to more resources, but are facing more and different challenges.

What Law Applies In "the Cloud"?

Attached is my presentation given at a recent CloudCamp, on the subject: What Law Applies In “the Cloud”?  (CloudCamp is an unconference where early adopters of Cloud Computing technologies exchange ideas.)

Does Briar Group's Massachusetts Settlement Create a New Legal Standard That Businesses Must Meet to Protect Personal Information?

By Brian Bialas 

A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators. 

The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my personal favorites, the Harp and Ned Devine’s) in the wake of a 2009 data breach involving credit card numbers and other personal data. The AG’s complaint alleged, among other things, that the Briar Group violated Massachusetts’s Consumer Protection Statute by failing to comply with the Payment Card Industry Data Security Standards (PCI DSS), standards created by the Payment Card Industry Security Standards Council that apply to all organizations that collect payment card data. To settle this suit, the Briar Group entered into a consent judgment pursuant to which it would pay $110,000 in civil fines.

What is interesting about this settlement is that it requires the Briar Group to “maintain PCI DSS compliance,” over and above Massachusetts’ own strict legal requirements.  Does the AG’s action against the Briar Group signify that all merchants are legally required to comply with both state regulations and PCI DSS? It’s too early to tell. 

Consumer Class Action Filed Against Sony for Data Breach

On May 5, a consumer class action was filed against Sony, relating to the data breaches in its Sony PlayStation and related services.  The complaint alleges negligence, invasion of privacy and misappropriation of confidential financial information, as well as breach of express and implied contract.  No specific damages were alleged.

Sony Breach Update: The Scope Expands, While Consumers Wait for Answers About How and Why It Happened

By Michael V. Dowd

The scope of the Sony data breach is growing, but the public focus continues to be on Sony’s actions following the breach, rather than on steps to prevent or mitigate events like these in the first place. As we noted earlier, this focus emphasizes a de facto burden-shifting, in which consumers bear the risk of using on-line or other services, and also are left to face the consequences of any resulting identity theft.

Sony last week announced that 77 million PlayStation and Qriocity accounts had been accessed by hackers in mid-April. This week, Sony discovered that an additional 24.7 million Sony Online Entertainment (SOE) accounts were compromised during the same timeframe. In the SOE breach, Sony confirmed that the compromised information included the bank account, credit card and debit card numbers of thousands of non-U.S. account holders.

It is now up to account holders to deal with the consequences. Sony’s response to the SOE breach has been to engage a third-party email distributor to send a Customer Service Notification. The notice places the onus on account holders to look out for email and other scams, to obtain credit reports, to consider contacting U.S. credit bureaus in order to place a “fraud alert” on their credit file, and to contact various federal and state agencies for information about preventing identity theft. This repeats Sony’s previous advice to its PlayStation and Qriocity users.

"Pressure Point: Online Privacy -- Privacy is Potentially a Costly Workplace Issue"

In the April 22, 2011 Boston Business Journal article, entitled "Pressure Point: Online Privacy -- Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers: 

  • “Most of the time, data breaches don’t come down to a failure of technology or inadequate technology. It comes down to someone doing something stupid,” said Colin Zick, a partner in the Boston office of Foley Hoag. “In the Mass General case, an employee took some records on the Red Line and lost them.”
  • “When companies are bombarded with phishing emails, it’s akin to the notion of fighting off terrorism,” Zick says. “You only have to miss once to have a privacy breach. Education is important because the creativity of human beings often outpaces technology defenses.”

A subscription is required to access the entire article.

White House Releases Framework for National Strategy for Trusted Identities in Cyberspace

On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in online transactions:

The goal of NSTIC is to create an “Identity Ecosystem” in which there will be interoperable, secure, and reliable credentials available to consumers who want them. Consumers who want to participate will be able to obtain a single credential--such as a unique piece of software on a smart phone, a smart card, or a token that generates a one-time digital password. Instead of having to remember dozens of passwords, the consumer can use their single credential to log into any website, with more security than passwords alone provide. Since consumers will be able to choose among a diverse market of different providers of credentials, there will be no single, centralized database of information. Consumers can use their credential to prove their identity when they're carrying out sensitive transactions, like banking, and can stay anonymous when they are not.

The White House document is mostly a vision statement, punctuated by text boxes throughout that urge the reader to “Envision it!” but with no real guidance on how to accomplish it.  The document suggests how these frameworks might be built, but does not promise to build them. Precisely how this vision statement gets turned into action and results will depend on the reception it receives from the public and private sectors, both within the U.S. and abroad. The NSTIC anticipates that the U.S. will meet its interim benchmarks in 3-5 years, and the long term benchmarks in 10 years.  As such, it is unlikely that we will see anything concrete on this front in the near future.

Data Security and Privacy for Medical Device, Pharmaceutical and Life Sciences Companies

TripAdvisor Reports Data Breach

If you are like me, you may have received an email from TripAdvisor, alerting you that "an unauthorized third party had stolen part of TripAdvisor's member email list."  The text of that email was as follows: 

To our travel community:
This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor's member email list. We've confirmed the source of the vulnerability and shut it down. We're taking this incident very seriously and are actively pursuing the matter with law enforcement.
How will this affect you? In many cases, it won't. Only a portion of all member email addresses were taken, and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident.
The reason we are going directly to you with this news is that we think it's the right thing to do. As a TripAdvisor member, I would want to know. Unfortunately, this sort of data theft is becoming more common across many industries, and we take it extremely seriously.
I'd also like to reassure you that TripAdvisor does not collect members' credit card or financial information, and we never sell or rent our member list.
We will continue to take all appropriate measures to keep your personal information secure at TripAdvisor. I sincerely apologize for this incident and appreciate your membership in our travel community.
Steve Kaufer
Co-founder and CEO

We all get these notices from time to time, but this one seems worth highlighting, for the forthright way in which it addresses the issue, without being alarmist, and answers all your questions without resorting to jargon.

Obama Administration Seeks "Consumer Privacy Bill of Rights"

In testimony on March 16, 2011 before the Senate Committee on Commerce, Science, and Transportation, the Obama Administration formally asked Congress to pass a "consumer privacy bill of rights" enforced by the FTC:

Legislation to provide a stronger statutory framework to protect consumers’ online privacy interests should contain three key elements. First, the Administration recommends that legislation set forth baseline consumer data privacy protections—that is, a “consumer privacy bill of rights.” Second, legislation should provide the FTC with the authority to enforce any baseline protections. Third, legislation should create a framework that provides incentives for the development of codes of conduct as well as continued innovation around privacy protections, which could include providing the FTC with the authority to offer a safe harbor for companies that implement codes of conduct that are consistent with the baseline protections.

This testimony was presented by a Commerce Department official, Lawrence E. Strickling, Assistant Secretary for Communications and Information, National Telecommunications and Information Administration.

As we have observed previously, Congress is very interested in such legislation.  Now that the legislative battle is fully joined, it's time to start thinking about who the potential winners and losers might be if such legislation is adopted:

  • Will the legislation hurt the big internet companies like Google and Facebook?
    • Small players might actually find compliance with new laws more difficult than these industry giants.
  • Can "do not track" legislation still be avoided through voluntary industry efforts?
    • Might voluntary efforts be enough to change the requirement to a mandatory right to "opt out" of tracking, as opposed to an outright ban?
  • Just how will any U.S. privacy regime meld with the EU's scheme?
    • Could U.S. rules actually smooth the road to U.S.-EU data sharing the way HIPAA did across the 50 states for health data exchange?

Online Advertising Company Chitika Enters FTC Consent Agreement for Deceptive "Opt-Out" Policy

By Sam Hudson

Targeted online advertising has been the focus of much discussion since the release of the FTC’s “Do Not Track” proposals late last year. User tracking for advertising purposes is also the focus of the FTC’s latest privacy enforcement action, which has resulted in a consent agreement with an online advertising company, Massachusetts-based Chitika, Inc., which creates ads for such major publishers as the Hearst Corporation and Salary.com. 

Chitika uses cookies to track Internet users, so as to display behavioral advertising to them. Chitika allowed users to opt out of receiving these cookies, but what Chitika didn’t disclose was that the opt-out only lasted for 10 days. The FTC alleged that such a short opt-out period was deceptive and a violation of the FTC Act. The FTC has reached a settlement with Chitika in which Chitika has agreed to honor any user opt-out of tracking for at least 5 years. Chitika has also agreed to display more prominent opt-out mechanisms. The consent agreement prohibits Chitika from misrepresenting the extent of its data collection about consumers or the extent to which consumers can control the collection, use or sharing of their data.

FTC Red Flags Suits Come to an End as Lawyers and Doctors Are Exempted

While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up.  The American Bar Association's suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case:  "The lawsuit filed by the Litigation Center of the AMA and the State Medical Societies, the American Osteopathic Association and the Medical Society of the District of Columbia, and joined by 26 national medical specialty societies, will now formally end."

FTC Publishes Copier Data Security Guide

As we noted back in May, digital copiers have caught the eye of government privacy enforcers.  If you have a digital copier at your business, you should review the FTC's Copier Data Security: A Guide for Businesses.  In that Guide, the FTC suggests that "your information security plans . . . should cover the digital copiers your company uses. If the data on your copiers gets into the wrong hands, it could lead to fraud and identity theft."

Some Tips for Protecting Your Data when Dealing with Vendors

By Brian Bialas

I recently attended the 10th Annual Legal and Compliance Forum on Privacy & Security of Consumer and Employee Information in Washington, DC. It featured a particularly lively panel on “Oversight of Third-Parties and Vendors: Managing and Controlling Relationships Through Effective Due Diligence and Contract Negotiation.” Below are some key points the panelists discussed; some may seem obvious, but they are nevertheless important measures to consider as part of your vendor relationships:

  • Be able to terminate the relationship without cause.

A company’s contract with a vendor should include the ability to terminate the agreement without cause and should guarantee continuing assistance from the vendor after termination.

  • Use experienced vendors.

Do not be the first (or even second) company to contract with a vendor for a particular service. There are too many bugs to work out of new services before you know they are safe and secure.

  • Obtain and talk to references provided by the vendor.

Consider hiring a consultant to facilitate conversations with companies that have used a particular vendor and are not provided as references.

  • Have the vendor explain its services in detail and down to the molecular level.

Vendors should be able to go into detail about their procedures—a company should understand what the vendor is doing with its data down to the IT level.

  • Verify vendor data security measures.

The vendor’s laptops should be encrypted, along with USB drives, memory sticks, portable hard drives, etc.

  • Insist on robust notice in the event of a breach.

The vendor should be obligated to provide immediate notice to the company of any actual or suspected breach of the company’s data.

Mozilla and Google Announce "Do Not Track" Browser Features

By Katie Perry

Earlier this week, both Mozilla and Google announced new browser features aimed at giving users greater control over how their personal data is collected online. Microsoft announced a similar initiative in December.

The introduction of browser “Do Not Track” features follows the Federal Trade Commission’s preliminary staff report, "Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers,” which supports a “universal consumer choice mechanism for online behavioral advertising.” In its report, the FTC noted that “[t]he most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumer’s browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements.”  We discussed the FTC's proposals in an entry last month.

The recent announcements by Mozilla, Google and Microsoft signal the beginning of a larger trend towards the voluntary implementation of “Do Not Track” mechanisms, as companies try to preempt the legislative and regulatory efforts likely to flow from the FTC’s proposed framework.

Will 2011 Bring Us "Do Not Track" Legislation?

Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws:

1) This is an area where bipartisan consensus is possible.

2) The industry powers will fight against “Do Not Track” and will win that fight.

3) Industry will accept some other form of regulation in exchange for defeating “Do Not Track.”

We could see passage of a federal data security and privacy statute, not unlike those that the various states have been adopting. The states have already passed models for such legislation and have shown that these increased protections can be implemented without too much opposition from the business sector. Also, adoption of a single standard for data security and privacy could actually relieve some of the regulatory burden on business: instead of having to comply with 50 different state laws, there would just be one federal law. This is the very same logic that led to the passage of HIPAA (and its standards for health information privacy) in 1996.

*   *   *

"Creepy" is the new "cool" and how to make sure it stays that way

Posted by Dave Broadwin on December 14, 2010

The other day at Mass TLC’s Mobility Summit I had a brief conversation with Mark Herrmann (an entrepreneur here in Boston) that touched on the FTC’s recent proposal for protecting consumer privacy online.  We were talking about the “do not track” proposal and the consensus in the tech industry that it just won’t fly. 

Mark’s comment: 

“It is creepy that ‘they’ can and do track you out in the net, but ‘creepy is the new cool.’”  There is just no question that some people accept the fact that they are being tracked and fed targeted online advertising.  It is not just OK by them; it’s a value add.  I don’t disagree. But, for anyone who has read “1984” (and even a lot of people who haven’t) the notion of being tracked is creepy.  There are a lot of these folks – perhaps a significant majority of the U.S. population – that feel this way.

In 2011 the FTC and Congress are going to pay attention to these concerns. It is good politics. 

Prediction #1:  Legislation in this area will be one of the few places where we will see bipartisan consensus in the next Congress. 

Why: No Congressperson wants to be opposed to consumer privacy, and they all want to have supported some legislation that passed, when running in the next election. Mark (and others) made the point that if you really end tracking, you will end Facebook.  So, whatever happens it won’t be that.  However, the political snowball is rolling down the mountain - there will be regulatory activity around consumer privacy. The only question is: What will be the nature and scope of the activity? The big boys (those with well established businesses that either make money or have ready access to capital) are going to be lobbying hard for a regulatory framework that does not dent their current business model. 

Prediction #2:  The big boys will fight anything that disrupts tracking and they are going to win this battle – no one in Congress wants to run on the platform that they put Facebook (or others) out of business. But the big boys are going to have to trade something.  The easy things for them to trade are procedural protections for the consumer. 

  • The FTC wants the industry to adopt “privacy by design” principles.  This means that companies should adopt internal processes to promote consumer privacy and security protections into their daily practices and to consider privacy issues at every stage of design and development of products and services.
  • The FTC wants the industry to make consumer data more available to consumers.  This means allowing for increased consumer access to data collected. 

Prediction #3:  The big boys will trade lots of procedural protections for the consumer to prevent substantive regulation that will directly affect their business models. 

Why:  The big boys can afford the administrative burden implicit in procedural protections.  It is just a matter of more money, more people and more oversight.  A company that is well established and profitable or that has easy access to capital can afford to write the code, hire an army of new engineers, consultants, lawyers etc. and create an entire Department of Privacy Compliance and Protection.  In fact, to the extent that having to do all that makes it harder for start-ups, it may even be helpful to the established companies. Some folks I talk to have expressed real concern about this looming regulatory push and how it might affect the entire ecosystem for digital media start-ups. There is still a chance to influence the inevitable regulation that is upcoming and I am working on assembling a group of industry leaders to do just that.  I recently sent out a letter (here’s a link) to people I thought might be concerned enough to actually do something.

Read it and let me know what you think.

Tracking Protection to be Included in Internet Explorer 9: Is This the Tipping Point?

Microsoft announced yesterday in its IE blog that it will be adding a tracking protection feature to Internet Explorer 9.  In particular, Microsoft promises that:

  1. IE9 will offer consumers a new opt-in mechanism (“Tracking Protection”) to identify and block many forms of undesired tracking.
  2. “Tracking Protection Lists” will enable consumers to control what third-party site content can track them when they’re online.

Together with the FTC's jump into the tracking fray last week, have we reached the tipping point on tracking, so that this is the beginning of the end of it?  Or might this be simply another skirmish in the battle between Microsoft and Google (since Google's primary revenue source is online ads)?

FTC Proposes Privacy Framework That Will Impact the Business Model of All Online and Mobile Advertising Companies

Our colleagues in Foley Hoag's Emerging Enterprise Center have summarized the FTC preliminary staff report, "Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers," which we posted on December 1.  We are cross-posting the analysis from their blog below.

It seems likely that the next two years will bring significant changes to this area, either through legislation or regulation.  During this period, businesses and consumers will continue to seek an equilibrium that balances business needs and consumer expectations.  If they cannot find it, one will likely be imposed on them.

*  *  *

The Federal Trade Commission (FTC) just published its preliminary Staff report setting out its proposed framework for protecting privacy in the digital economy. View the FTC’s press release here. The FTC is seeking comments on its proposed framework by January 31, 2011 and expects to issue a final report in 2011.

Every digital media business that attracts advertising revenue online and/or through mobile devices, as well as the venture capital and private equity funds that invest in them, has a stake in the outcome of this proposed framework. It can affect current business models, future financial performance and potential exit opportunities for current and potential companies that rely on collecting data from consumers.

The final report, and possible new regulations and/or federal legislation to follow, will help shape substantive law, enforcement policies and commercial best practices regarding consumer privacy practices that will need to be followed.

Notably, the FTC staff cites flaws in commercially available, privacy-related plug-ins and browser features, and supports a more uniform and comprehensive consumer choice mechanism for online behavioral advertising than currently exists. This is often called “Do Not Track,” in a nod to the currently mandated “Do Not Call” registry that restricts the activities of telemarketers. FTC staff identified and requested comment on a number of issues concerning the formulation and adoption of any such “Do Not Track” mechanism.

Other important components of the proposed framework include:

  • Scope: The proposed framework would apply to all commercial entities that collect or use consumer data that can reasonably be linked to a specific consumer, computer or other device. Here, the FTC staff recognizes the erosion of the distinction between personally-identifiable information (e.g., name, address and social security number) and supposedly anonymous information that may be collected without the knowledge of the web or mobile device user.
  • Promotion of consumer privacy: The proposed framework would require companies to promote consumer privacy and security protections into their daily practices and to consider privacy issues at every stage of design and development of products and services. Suggested steps include: 1) providing security for consumer data; 2) limiting data collection to the relevancy of a specific business practice; 3) enforcing sound retention policies; 4) providing assurances of data accuracy; and 5) implementing comprehensive data management procedures throughout the lifecycle of products and services.
  • Consumer choice: In addition to the “Do Not Track” mechanism described above, the proposed framework would require companies to provide consumers with a notice-and-choice mechanism at the point when the consumer is providing data to the company. This would not be required in the context of commonly-accepted practices, such as order fulfillment or first-party marketing, however.
  • Transparency and Access to Data: The proposed framework would require vastly-increased transparency with respect to data collection practices and allow for increased consumer access to data collected. As part of implementing this component, the Commission suggests a level of simplification and standardization for currently loosely governed website privacy policies.

Before this framework is submitted in final form to the FTC for a vote by its commissioners, which will accelerate the process further, the FTC is requesting comment by interested parties on a variety of key related issues, including:

  • Scope: Are there practical considerations that support excluding certain types of companies or businesses from the framework?
  • Substantive Privacy Protections: What substantive protections should companies provide, and how should the costs and benefits of such protections be balanced?
  • Comprehensive Data Management Procedures: How can the full range of stakeholders be given an incentive to develop and deploy privacy-enhancing technologies? 
  • Consumer Choice; “Do Not Track”:
    • How should a universal choice mechanism be designed for consumers to control online behavioral advertising?
    • What are the costs and benefits of offering a standardized uniform choice mechanism to control online behavioral advertising?
    • What is the likely impact if large numbers of consumers elect to opt out?
    • Should a universal choice mechanism include an option that allows consumers more granular control over the types of advertising they want to receive and the type of data they are willing to have collected about them?
  • Transparency of Data Practices: With respect to website privacy notices, is it feasible to standardize the format and terminology for describing data practices across industries? Should companies inform consumers of the identity of those with whom the company has shared data about the consumer, as well as the source of that data?
  • Notifying Consumers of Changes in Data-Use Practices: What is the appropriate level of transparency and consent for prospective changes to data-handling practices?

FTC Releases Report: "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers"

Earlier today, the FTC released a preliminary staff report entitled "Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers."  The report is over 100 pages long and suggests that changes need to be made regarding consumer privacy, stating:

Industry must do better. For every business, privacy should be a basic consideration – similar to keeping track of costs and revenues, or strategic planning. To further this goal, this report proposes a normative framework for how companies should protect consumers’ privacy.

We'll have our more detailed thoughts on this document posted shortly.

Website Privacy Policies - an extensive primer.....

This is a cross-posting of an interesting November 29 entry in Foley Hoag's Emerging Enterprise Center blog, by Patrick Connolly and Prithvi Tanwar:

If your start-up's website will collect user information.... and chances are it will, you need to start thinking about your website privacy policy. I have often spoken with founders who think that the website privacy policy is a "one size fits all, grab an example from a well-known e-retailer or established company website that appears to have a similar business model, snip here, paste there and you're all set" deal. My wide-eyed stare of horror in reaction to this is mostly dismissed as symptomatic of the overly cautious view of life that seemingly plagues my profession. I have discussed this with a colleague, Patrick Connolly, and he had the great idea to write a primer on the issue of Privacy Policies for websites. Now let me warn you, Patrick's primer is not short and it isn't meant to be, because it highlights the issues that we step through and the risks and possible reprisals that we consider when we draft a privacy policy for a particular start-up. So without further ado, here's Patrick's well thought out "Primer on the Website Privacy Policies"; hopefully once you're done reading you'll agree that your privacy policy is not something to be taken lightly.

Advocacy Groups File FTC Complaint Over Online Consumer Health Sites and Health-Related Marketing

In a complaint filed with the FTC on November 23, four advocacy groups asked for "Investigation, Public Disclosure, Injunction, and Other Relief" against several online health giants, including Google, Microsoft, QualityHealth, WebMD, Yahoo, AOL, HealthCentral, Healthline, and Everyday Health.

The advocacy groups behind this complaint are the Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and World Privacy Forum.  They allege (in 144 pages, complete with web page screen-shots) that:

"Digital marketing raises many distinct consumer protection and privacy issues, including an overall lack of transparency, accountability and personal control, which consumers should have over data collection and the various interactive applications used to track, target, and influence them online (including on mobile devices).  The use of these technologies by pharmaceutical, health product, and medical information providers that directly affect the public health and welfare of consumers requires immediate action."

Any business that has a web presence should read this complaint; it will show you what these (and other) advocacy groups are complaining about.  While I do not expect the FTC to jump into action based on this complaint alone, it would not surprise me to see an increase in the discussion of regulation and enforcement in this patch of cyberspace during 2011. It is only a matter of time until a consumer health web site has a significant data breach.  Traditionally, such breaches bring increased enforcement activity.

A Must Read: The Wall Street Journal's "What They Know" Series

If you haven't been reading the Wall Street Journal's "What They Know" series, you should be.  It's a great ongoing investigation of privacy issues, along with a compilation of privacy tools, like this one on how to control your online privacy.

Nearly 250,000 Opt Out of Google's Street View in Germany

According to a recent entry on Google's own European public policy blog, only a small minority of Germans have opted out of its Street View service:  "Out of a total of 8,458,084 households, we received 244,237 opt-outs, which equals 2.89% of households. Two out of three opt-ots [sic] came through our online tool."

If you are interested in learning more about Street View, or opting out, the instructions are here.

Will a Smart Card Make Students Smarter or Is It a Dumb Idea?

In what is assuredly a sign of things to come, the Boston Public Schools have announced that they are piloting a smart card for students, called the BostONE Card.  According to an article in today's Boston Globe, the purpose of this card is to "make it easier for some public school students to use city services by providing them with one card they can use to ride the [subway], withdraw books from city libraries, play sports, attend after-school programs at community centers, and access meal programs at their schools.  The so-called BostONEcard will also be used to take attendance and may eventually serve as a debit card, among other potential uses."

Since we already know that the Boston-area transit smart cards have been hacked by MIT students, is it really a good idea to put more information in one place?  Would they be better served to use cell phone technology, since most students in the upper grades already have these devices and know how to use them (and someone else has already worked out the security and technology issues)?

"Network Analysis" and Privacy: Does Anybody Care?

Interesting article in this week's Economist about social network analysis, outlining how companies are using increasingly sophisticated forms of data-mining on their customers, and how industry is spending billions to advance the process.

Federal Judge Prevents Sale of CLEAR Customers' Personal Data

On August 18, a federal judge in the Southern District of New York entered an injunction forbidding Verified Identity Pass, Inc. (VIP) to sell or transfer any of the confidential customer information it compiled while operating the CLEAR express airport check-in program.  The CLEAR program collected a range of customer biographic information (e.g., name, address, etc.) as well as biometric information, including the customer's fingerprints and iris scan.  This information was used to expedite the airport check-in process.

In June, VIP announced that it would be discontinuing the program due to its inability to “negotiate a settlement” with its creditor.  At the time, VIP assured its customers that “[t]he personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider. Any new service provider would need to maintain personally identifiable information in accordance with the Transportation Security Administration’s privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.”

Despite this assurance from VIP, many customers expressed concern over the handling of the personal data they had provided to CLEAR.  In addition, customers objected to VIP's statement that it would not issue refunds to customers, some of whom had paid in advance for years of service.

A week after VIP’s announcement of its discontinuation of the program, CLEAR customers brought a putative class action against VIP in the Southern District of New York.  As amended, plaintiffs’ claims include breach of contract, negligence, and unjust enrichment.  Plaintiffs also sought a preliminary injunction,  explaining that "VIP’s cessation of the CLEAR program and other factors indicate a significant risk that the confidential information of Plaintiffs . . . will be compromised.”  Plaintiffs expressed concern that VIP would not honor its contractual obligation not to disclose or sell its customers’ data. In the same motion, plaintiffs also sought an order requiring the preservation of evidence.

Judge Holwell agreed, and issued an order enjoining VIP from 1) selling any confidential information obtained from Clear members or applicants, 2) disclosing any such information to any other entity, and 3) maintaining or storing information in a manner that permits disclosure of the information.  Judge Holwell also ordered that VIP take all necessary steps to preserve evidence relevant to the case. As news outlets have reported, however, VIP’s lawyers may challenge the order on the grounds that the judge failed to give them an opportunity to respond to plaintiffs’ motion.

Regardless of whether this particular order remains in place, the controversy surrounding VIP’s cessation of CLEAR service underscores the security and privacy issues that arise when companies entrusted with customers’ personal information are no longer financially viable.
