Waiters at High-End Steakhouses Arrested for Stealing Customer Credit-Card Numbers

by Brian P. Bialas

At most restaurants, when the time comes to pay the check, you hand over your credit card and a waiter you’ve known for only about an hour walks away with it. You trust that the waiter will only charge your meal and won’t make off with your card number. But if you have ever been to a Legal Sea Foods restaurant, you will have noticed that the waiter brings a handheld electronic device to your table to swipe your credit card when you are ready to pay the bill. The credit card never leaves the customer’s sight.

The recent experiences of customers at certain high-end steakhouses show why all restaurants should consider adopting the table-side charge method. Seven waiters at Smith & Wollensky’s, the Capital Grille, and other high-end restaurants were arrested, along with many other co-conspirators, for copying the credit card numbers of restaurant customers with handheld, high-tech “skimmers” and then using those numbers to buy luxury goods that they resold. The waiters targeted credit cards with high or no spending limits so that big purchases would not be flagged.

The Payment Card Industry Data Security Standard (PCI-DSS) quick reference guide for merchants does not provide any clear guidelines for card handling. Nevertheless, this incident should serve as a wake-up call for all restaurants to adopt table-side systems to reduce the potential for misuse of customer credit cards. It also serves as a reminder to anyone dealing with sensitive information to continually review handling procedures and processes and to look for ways that transmissions can be made more secure.

Facebook Settles FTC Charges that It Deceived Consumers, Agrees to 20 Year Consent Order

In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle "charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public," according to the FTC's press release.

In its complaint, the FTC alleged, among other things, that Facebook “users could not restrict access to their profile information to specific groups, such as ‘Only Friends’ or ‘Friends of Friends’ through their Profile Privacy Settings,” despite Facebook's representations that users could impose such restrictions on their accounts.

In the extensive consent order Facebook entered with the FTC, Facebook agreed (among other things) to “obtain initial and biennial assessments and reports . . . from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession,” which assessments and reports will:

  • set forth the specific privacy controls that [Facebook] has implemented and maintained during the reporting period;
  • explain how such privacy controls are appropriate to [Facebook's] size and complexity, the nature and scope of [Facebook's] activities, and the sensitivity of the covered information;
  • explain how the privacy controls that have been implemented meet or exceed the protections required by Part IV of this order; and
  • certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting period.

This consent order will last for an astoundingly long time: 20 years. (Query whether this agreement's terms and length will become the standard for future FTC privacy settlements.)

Facebook founder Mark Zuckerberg also released a blog post on the settlement, and in it he announced a split in the company's privacy officer role:  Erin Egan will become Facebook's Chief Privacy Officer, Policy, and Michael Richter, currently Facebook's Chief Privacy Counsel, will become Facebook's Chief Privacy Officer, Products.

New England-Israel Data Storage & Security Summit - November 14, 2011

Ensuring strong and efficient data storage and secure systems is the foundation of any successful business in today's global business environment; the continued migration to cloud computing only amplifies this need. New England and Israel are global leaders in innovation and entrepreneurship and major players in the global software/IT industry, with the innovations of their companies earning international recognition and prestige.

The New England-Israel Data Storage & Security Summit is a one-day program featuring 10 of Israel's highly promising data storage and security companies, including Axxana, CloudLock, Kaminario, Scalebase and Tufin, that are looking to expand collaborations with local partners.

Upcoming Seminar: "He Posted What? Dealing with Social Media in the Modern Workplace"

Please join Foley Hoag’s Labor and Employment attorneys on November 15 from 8:30 a.m. to 10:00 a.m. for a discussion of new challenges that employers face with social media. Topics to be reviewed include:

  • Employer monitoring of employee activities on social media sites such as Facebook, Twitter and LinkedIn;
  • Whether employers can discipline employees for their posts, including new developments at the National Labor Relations Board;
  • Whether employers should have a social media policy; and
  • The impact of social media on non-compete and non-solicitation agreements.

Click here for registration information.

Upcoming Webinar: "Data Breaches & Compliance: Understanding The Law and How You Can Prepare"

Please join me and my friends at Co3 Systems for a free webinar, "Data Breaches & Compliance: Understanding The Law and How You Can Prepare," to be held on Thursday, October 20, 2011, 1:00 p.m. - 2:00 p.m. EDT. To add this webinar and the call-in information to your Outlook calendar, click here. I will be presenting with Ted Julian of Co3; Ted brings a wealth of experience from working at Arbor Networks, Application Security, Inc. and @stake (which was acquired by Symantec), and he helped spearhead security practices with Forrester, IDC and Yankee Group.

Advanced Cyber Security Center Launched

As noted in MassHighTech, the Advanced Cyber Security Center was officially launched on September 20.  The program was opened by Massachusetts Governor Deval Patrick and featured a presentation from Attorney General Martha Coakley.  As described by MassHighTech:

Touted as a first of its kind collaborative effort that brings together stakeholders in cyber security from the government, industry and academia, the ACSC is also hosted at the five universities that make up the Massachusetts Green High Performance Computing Center – MIT, Harvard University, Boston University, Northeastern University and the University of Massachusetts.

The driving force behind the ACSC is Mass Insight Global Partnerships, and that organization’s president and founder William Guenther opened the event and acted as master of ceremonies during the day. But it was Gov. Deval Patrick who started the day off on a practical note, talking about jobs.

“The center represents an incredible employment opportunity for Massachusetts,” Gov. Patrick said. “I want you to see the opportunity.”

Foley Hoag is counsel to the ACSC and Foley Hoag partner Michele Whitham serves on its Strategic Advisory Board.  Conference materials and related security resources are available on the Foley Hoag website.

More Consumer Data Security and Privacy Legislation Introduced

The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT), who introduced legislation, S. 1535, on September 8. This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies. In particular, Senator Blumenthal's bill, "The Personal Data Protection and Breach Accountability Act," would require businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures, including risk assessment, regular testing of system controls, and paying for two years of credit monitoring for any customer whose data is breached. If adopted, this bill would permit the Justice Department to levy fines of $5,000 per violation per day, up to a total of $20 million per violation. The bill also includes federal data breach notification requirements.

Given the large number of such bills pending, the Senator's junior status, and the fact that his bill has no co-sponsors, it is unlikely that this particular bill will be adopted. At present, at least 15 bills pending in Congress contain the phrase "data security":

  1. Data Security Act of 2011 (Introduced in Senate - IS)[S.1434.IS]
  2. e-KNOW Act (Introduced in Senate - IS)[S.1029.IS]
  3. BEST PRACTICES Act (Introduced in House - IH)[H.R.611.IH]
  4. To facilitate implementation of title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, promote regulatory coordination, and avoid market disruption. (Reported in House - RH)[H.R.1573.RH]
  5. Personal Data Privacy and Security Act of 2011 (Introduced in Senate - IS)[S.1151.IS]
  6. To facilitate implementation of title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, promote regulatory coordination, and avoid market disruption. (Introduced in House - IH)[H.R.1573.IH]
  7. Data Security and Breach Notification Act of 2011 (Introduced in Senate - IS)[S.1207.IS]
  8. SAFE Data Act (Introduced in House - IH)[H.R.2577.IH]
  9. U.S. Postal Service Improvements Act of 2011 (Introduced in Senate - IS)[S.353.IS]
  10. METRICS Act (Introduced in Senate - IS)[S.1464.IS]
  11. Data Accountability and Trust Act (DATA) of 2011 (Introduced in House - IH)[H.R.1841.IH]
  12. Reform the Postal Service for the 21st Century Act (Introduced in House - IH)[H.R.1262.IH]
  13. Data Accountability and Trust Act (Introduced in House - IH)[H.R.1707.IH]
  14. Protecting the Privacy of Social Security Numbers Act (Introduced in Senate - IS)[S.1199.IS]
  15. Postal Reform Act of 2011 (Introduced in House - IH)[H.R.2309.IH]

Given how many similar bills are pending, it seems likely that something like Sen. Blumenthal's bill will be adopted before this session of Congress is over.


"What Every In-House Counsel Needs to Know About Data Security and Privacy"

I just completed a webinar for the Association of Corporate Counsel, with Ed Palmieri of Facebook, discussing "What Every In-House Counsel Needs to Know About Data Security and Privacy."  The program slides can be found at this link.

What Can My Company Do To Fight Cybercrime Collaboratively?

Wondering what your company might be able to do at the local level to help fight cybercrime? There are a growing number of public-private collaborations that are trying to get ahead of the bad guys.

One is the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel). The ACSC is a collaborative, cross-sector research facility working to address critical and sophisticated cyber security challenges. Based at the MITRE Corporation campus in Bedford, Massachusetts, the Center takes advantage of university, industrial and research resources to develop next-generation solutions and strategies for protecting the nation's public and private IT infrastructure.

Another collaborative group is InfraGard, a Federal Bureau of Investigation program that began in its Cleveland Field Office in 1996. It was a local effort to gain support from the information technology industry and academia for the FBI’s investigative efforts in the cyber arena. InfraGard is an information sharing and analysis effort composed of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States. InfraGard Chapters are geographically linked with FBI Field Office territories, and each chapter has an FBI Special Agent Coordinator assigned to it.

"Pressure Point: Online Privacy -- Privacy is Potentially a Costly Workplace Issue"

In the April 22, 2011 Boston Business Journal article entitled "Pressure Point: Online Privacy -- Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers:

  • “Most of the time, data breaches don’t come down to a failure of technology or inadequate technology. It comes down to someone doing something stupid,” said Colin Zick, a partner in the Boston office of Foley Hoag. “In the Mass General case, an employee took some records on the Red Line and lost them.”
  • “When companies are bombarded with phishing emails, it’s akin to the notion of fighting off terrorism,” Zick says. “You only have to miss once to have a privacy breach. Education is important because the creativity of human beings often outpaces technology defenses.”

A subscription is required to access the entire article.

Information Security In the Age of WikiLeaks

InformationWeek has published an interesting Analytics Brief on "Information Security in the Age of WikiLeaks."  (Subscription required.)  The brief discusses the following subjects:

  • Could a Major Security Breach Be on the Horizon?
  • The Smartphone Dilemma
  • What Elements Are Currently Covered in Your Organization’s Security Awareness Program?
  • Security Budgets Fare Well
  • Implementing Risk Management Disciplines
  • Do You Really Know Who Your Friends Are?
  • Denial of Service Attacks: Who’s Next?

In the interest of full disclosure, I am quoted extensively on the prospects for new legislation in the privacy/security space.

Data Security and Privacy for Medical Device, Pharmaceutical and Life Sciences Companies

FTC Publishes Copier Data Security Guide

As we noted back in May, digital copiers have caught the eye of government privacy enforcers. If you have a digital copier at your business, you should review the FTC's Copier Data Security: A Guide for Businesses. In that Guide, the FTC suggests that "your information security plans . . . should cover the digital copiers your company uses. If the data on your copiers gets into the wrong hands, it could lead to fraud and identity theft."

DHS Updates Its "Handbook for Safeguarding Sensitive PII"

The Department of Homeland Security has released its latest update to its internal guide to handling personally identifiable information.  The "Handbook for Safeguarding Sensitive PII at DHS" has been around since 2008; even if you do not have direct dealings with DHS, it provides a useful point of comparison for your own policies and procedures. 

Some Tips for Protecting Your Data when Dealing with Vendors

By Brian Bialas

I recently attended the 10th Annual Legal and Compliance Forum on Privacy & Security of Consumer and Employee Information in Washington, DC. It featured a particularly lively panel on “Oversight of Third-Parties and Vendors: Managing and Controlling Relationships Through Effective Due Diligence and Contract Negotiation.” Below are some key points the panelists discussed; some may seem obvious, but they are nevertheless important measures to consider as part of your vendor relationships:

  • Be able to terminate the relationship without cause.

A company’s contract with a vendor should include the ability to terminate the agreement without cause and should guarantee continuing assistance from the vendor after termination.

  • Use experienced vendors.

Do not be the first (or even second) company to contract with a vendor for a particular service. There are too many bugs to work out of new services before you know they are safe and secure.

  • Obtain and talk to references provided by the vendor.

Consider hiring a consultant to facilitate conversations with companies that have used a particular vendor and are not provided as references.

  • Have the vendor explain its services in detail and down to the molecular level.

Vendors should be able to go into detail about their procedures—a company should understand what the vendor is doing with its data down to the IT level.

  • Verify vendor data security measures.

The vendor’s laptops should be encrypted, along with USB drives, memory sticks, portable hard drives, etc.

  • Insist on robust notice in the event of a breach.

The vendor should be obligated to provide immediate notice to the company of any actual or suspected breach of the company’s data.

If You Got a New Smartphone Over The Holidays, Here Are Some Security Issues to Think About

If you got a new smartphone over the holidays, you've probably figured out how to use it by now. The next thing to worry about is security. The good news is that wireless providers are working to fortify their phones against attacks, as explained in this Wall Street Journal article.

There are some personal actions you should consider as well:

  1. Set a password and make it a strong one.
  2. Keep current on your updates.
  3. Think of your phone like your computer when it comes to security. 
  4. Make sure you know how to remotely lock and wipe your phone if it is lost or stolen.


If You Haven't Changed Your Password Since Our Last Blog Entry About Passwords, It's Time You Did

In January, we provided some helpful hints about passwords, in our entry:  Is Your Password Still "123456"? If So, It's Time for a Change.

It's been nearly a year, so it's time to change your password again.  In case you need some help, we liked the guidance provided by the public radio program, Marketplace, in a recent broadcast.  Ironically, these recommendations come from an expert whose company's password databases had just been hacked.  

If you want to test the strength of your password, the expert recommended sites like LastPass or 1Password.

Website Privacy Policies: an extensive primer

This is a cross-posting of an interesting November 29 entry in Foley Hoag's Emerging Enterprise Center blog, by Patrick Connolly and Prithvi Tanwar:

If your start-up's website will collect user information.... and chances are it will, you need to start thinking about your website privacy policy. I have often spoken with founders who think that the website privacy policy is a "one size fits all, grab an example from a well-known e-retailer or established company web-site that appears to have a similar business model, snip here, paste there and you're all set" deal. My wide-eyed stare of horror in reaction to this is mostly dismissed as symptomatic of the overly cautious view of life that seemingly plagues my profession. I have discussed this with a colleague, Patrick Connolly, and he had the great idea to write a primer on the issue of Privacy Policies for websites. Now let me warn you, Patrick's primer is not short and it isn't meant to be, because it highlights the issues that we step through and the risks and possible reprisals that we consider when we draft a privacy policy for a particular start-up. So without further ado, here's Patrick's well thought out "Primer on the Website Privacy Policies"; hopefully once you're done reading you'll agree that your privacy policy is not something to be taken lightly.

Is the Rejection of Security Advice by Users Really Rational? A Response to Cormac Herley

In the April 11, 2010, Boston Globe, there is an extended discussion of an article by Cormac Herley of Microsoft entitled, "So Long, And No Thanks for the Externalities:  The Rational Rejection of Security Advice by Users."  In his paper, Mr. Herley argues thoughtfully that compliance with even simple security measures, like changing your passwords, is so time-consuming that it is not worth the effort for most users.

This is an interesting argument and article (although it is a mite technical), as it poses an argument worthy of real consideration. There is no dispute that security measures decrease productivity to some extent. The questions that need to be asked are how much security actually impairs productivity, and whether the cost in lost productivity is less than the cost of an actual security breach.

As Mr. Herley suggests, the answers to these questions are difficult because of "externalities" -- economic costs that are visited on some people by the actions of others. His solution is not simply to reject security measures, but to analyze them and determine what works and what does not, so that it is easier to tell which measures are worth users' time and which do not pay off. In Mr. Herley's words, "security advice that has compelling cost-benefit trade-offs has a real chance of user adoption." This trade-off analysis is a worthy exercise for any individual and for any organization.

Massachusetts Regulators Finalizing Information Security Regulations, Keep March 1, 2010 Deadline

According to BNA reporter Martha Kessler, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has filed its final information security regulations and will be making them public this week. BNA has released what it claims to be the final regulations (.pdf) [also available from BNA here (html)]. The final rules appear to have been tweaked only slightly from the draft regulations issued on August 17, 2009. In a redline comparison (.pdf) against the last draft, two primary revisions emerge:

  1. Entities affected by the regulations have been expanded to include businesses and individuals that merely store personal information; and
  2. A clarification was made to the provision requiring affected businesses to negotiate written contracts with service providers that handle personal information. The tweaks make clear that the grandfather provision that permits companies to rely on service provider contracts already in place will expire on March 1, 2012.

The March 1, 2010 deadline remains unchanged. 

While the final regulations have not yet been posted to the OCABR website, many are eagerly waiting to see whether the OCABR also provides additional guidance on how to comply, as Undersecretary Anthony promised at the public hearing on these regulations in September.

UPDATE: On Wednesday, November 4th, the OCABR released the final Massachusetts information security regulations (.pdf) to the public, as predicted. In its new release, the OCABR also announced the publication of its report on consumer data breaches between 2007 and 2009 (.pdf). The report indicates that since the Massachusetts data breach notification law (M.G.L. ch. 93H) went into effect in 2007, over 1 million Massachusetts residents have been affected by a noticed breach. Among the many practices mentioned in the report, the OCABR has warned against: (1) "poor employee handling;" (2) documents sent to the wrong recipient; and (3) not taking steps to prevent access by terminated employees.

Facebook Changes User Privacy Controls

Last month, Facebook announced plans to simplify its users' ability to control privacy settings. Facebook will standardize privacy settings, remove overlapping settings, and put all settings on the same page. In an effort to give users more control over how their information is shared, Facebook will allow users to decide, on a post-by-post basis, with whom to share their content. Users will have the option of sharing their posts with: 1) only specific friends, 2) all friends, 3) friends and people in the user’s network, 4) friends of friends, or 5) everyone. According to media reports, the "everyone" option will soon expand to include anyone on the internet – a move widely seen as an attempt to compete with Twitter. Facebook will launch a Transition Tool that will prompt users to set their level of sharing, and will carry over previous privacy settings.  

The announcement carefully explained that the changes would not affect the information Facebook provides to its advertisers – a topic related to the controversy earlier this year surrounding proposed revisions to the Facebook terms of service.  Instead, Facebook will continue to provide advertisers with only that information that users have authorized.

With the changes, Facebook will provide users with more options for controlling access to their content. As one might predict given the current climate favoring increased user control over privacy, Facebook's proposed changes have largely been well received. Only time will tell whether most users will exercise this control to share their data or whether they will favor keeping their information private.

Bozeman, Montana Suspends Controversial Requirement That Job Applicants Provide Usernames and Passwords to Facebook Accounts

When, in June, the City of Bozeman, Montana sought to change its job application to require municipal job seekers to disclose usernames and passwords for popular social networking sites, it immediately drew widespread criticism.  Specifically, Bozeman asked applicants to "Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc."  In the aftermath of media exposure, Bozeman has decided to "suspend its practice of reviewing candidate’s password protected internet information until the City conducts a more comprehensive evaluation of the practice."

On June 19, 2009, city manager Chris Kukulski officially apologized (.pdf) for the intrusive application, stating “[t]he extent of our request for a candidate’s password, user name, or other internet information appears to have exceeded that which is acceptable to our community.”

This controversy is another indication that social networking sites and other digital media are coming under greater scrutiny as employers conduct background checks. For example, the application for high-level political positions in the Obama transition phase required applicants to include copies of e-mails that might embarrass the President, copies of all blog posts, a link to one’s Facebook page, and a list of “all aliases or ‘handles’ . . . used to communicate on the Internet.”

The Bozeman application would have required applicants to violate Facebook’s Terms of Use, which state that “You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.” In addition, Bozeman’s request apparently was limited to obtaining usernames and passwords and did not seek authorization to access applicants’ sites. Consequently, any access by city officials might have run afoul of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C), which prohibits intentionally accessing a “protected computer” without authorization.

EFF launches Terms of Service Tracker

On June 4, 2009, the Electronic Frontier Foundation (EFF) launched TOSBack – a site that tracks changes in the terms of service for major websites such as Facebook, Google, Apple, and eBay. If you're wondering why anyone would be interested in such a thing, you may want to revisit the controversy that accompanied the revisions to the Facebook terms of service.

At TOSBack, users can click on one of over two dozen organizations to identify changes to the organization’s terms of service and/or privacy policies. TOSBack allows users to compare new and older versions of those policies, with a side-by-side view that shows additions and deletions to the policies. Users can also subscribe to an RSS feed that will alert them to new changes in the policies. TOSBack will undoubtedly help consumers identify changes that have been made to the policies of websites they visit. Nevertheless, because TOSBack exhaustively documents all changes to the policies it tracks, some users may find themselves spending considerable time sifting through immaterial changes.

FTC and Other Agencies Issue Frequently Asked Questions (With Answers) on Red Flags Rules

On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to "assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking" on identity theft.  The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to assist covered entities in designing compliance programs): the Federal Trade Commission (FTC), the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).  Some of the highlights from the FAQ are:

  • The agencies clarified that "all banks, savings associations and credit unions are covered by the Red Flags Rules and Guidelines as 'financial institutions,' whether or not they hold a transaction account belonging to a consumer," including "those whose powers are limited to trust activities;"
  • Brokers, dealers, investment advisors or investment or insurance companies (including those that are subsidiaries of a bank or savings association) are covered by the Rules and Guidelines if they are a "financial institution" or "creditor" under the Fair Credit Reporting Act;
  • IRAs will generally be considered "covered accounts" and thus subject to the Rules and Guidelines;
  • The term "covered account" includes accounts established in the United States by non-U.S. residents;
  • Check forgery or use of a stolen credit card constitutes "identity theft" because it involves a fraud using the identifying information of another person without authority;
  • The Rules and Guidelines do not require a financial institution or creditor to educate consumers regarding the risk of identity theft, although such programs "may be helpful as part of an overall effort to address the problem of identity theft;"
  • Financial institutions may, but are not required to, use automated systems to detect red flags, but may have to supplement such systems with non-automated procedures;
  • The Rules and Guidelines require financial institutions or creditors to oversee all service provider arrangements that relate to the opening or accessing of a covered account, not just those with providers that offer fraud detection services.

While it is certainly laudable for the agencies to put together a list of answers to various FAQs in order to facilitate the transition to when the Rules and Guidelines go into effect, I found many of the answers to be fairly unhelpful. For starters, most of the questions and answers deal with the Rules and Guidelines only as they relate to financial institutions, even though they will apply to numerous other types of institutions. Moreover, much of the guidance given was extremely vague. For example, many of the answers to questions regarding covered accounts could be summarized as "it depends on whether the institution determines that there is a foreseeable risk of identity theft." It would have been helpful for the agencies to provide some examples or other more concrete information. Hopefully the agencies will expand on the FAQ in the near future to address concerns of entities beyond financial institutions and perhaps provide more concrete guidance.

FTC Releases "Template" Identity Theft Prevention Program for Red Flags Rules Compliance

On Wednesday, May 13, 2009, the FTC released a "template" identity theft prevention program (.pdf) to guide businesses subject to a "low risk" of identity theft through the process of complying with federal Red Flags Rules.  The FTC template was first announced on May 1, 2009 when the agency postponed enforcement of the general purpose Red Flags Rules until August 1, 2009 (see our posting here or our more detailed client alert here).

The FTC template is divided into two parts.  The first section outlines how businesses should evaluate whether they are at low risk for identity theft.  Under the FTC's guidance, low risk businesses include:

  • Businesses, such as doctor or lawyer practices, that are personally familiar with their customers and therefore are unlikely to be fooled by impostors.
  • Businesses that provide services at customers' homes.
  • Businesses that have never received a complaint or discovered an incident of identity theft.
  • Industries in which identity theft is uncommon.

While the template does not discuss this point, those businesses that do not fall into the category of "low risk" presumably are required to undertake a more in-depth review of the risks and implement a substantially more detailed identity theft prevention program.

The second section of the template is essentially an identity theft prevention program checklist that requires the business to fill in the procedural and administrative blanks.  Anyone using the FTC template should recognize that the template is a guide for performing the assessments required by the federal regulations - it does not excuse low risk businesses from compliance.  For instance, the template requires that a business identify any red flags it is aware of in addition to a mandatory red flag: receiving a notice from a customer or law enforcement.  While the template provides helpful structure to the process of compliance, low risk businesses appear to be subject to the same requirements.  In particular, the template program requires a business to identify applicable red flags, identify procedures it will take to detect these warning signs, identify a coordinator, develop a training program, identify key service providers who will need to be appropriately vetted and keep the program up to date.  The template does help us understand what level of compliance the FTC will be looking for at many smaller businesses.


Last Minute Reprieve: FTC Postpones Deadline for Red Flags Compliance Until August 1, 2009 - Will Release "Template" For Compliant Identity Theft Prevention Program

On Thursday, April 30, 2009, the day before federal Red Flags Rules were set to go into effect for a wide range of businesses, the FTC published a notice on its website indicating that it is postponing the deadline (yet again) until August 1, 2009.  Importantly, this delay appears to be imposed so that the FTC can provide businesses, many of which are confused about how to comply, with a "template" identity theft prevention program.  "For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law."  The FTC indicates that it will make the template available through its website.

In delaying enforcement, the FTC continues to maintain that the Red Flags Rules apply broadly to any business that bills its customers (i.e., "all entities that regularly permit deferred payments for goods or services").  In particular, the FTC specifically mentions that the statutory term "creditor" encompasses "businesses that provide services and bill later, including many lawyers, doctors, and other professionals."  The notice concedes that considerable confusion has surrounded the preliminary question of who is covered under the new rules.  The FTC directs businesses looking for more information to the FTC's new microsite on the Red Flags Rules.

FTC Launches New Website and "How-To" Guide for Companies Wondering How to Comply with Red Flags Rules

As the May 1, 2009 deadline for compliance with federal Red Flags Rules nears, the FTC's staff has mentioned informally that helpful guidance would be forthcoming.   As of today, the FTC has launched its new Red Flags Rule website and with it, a Red Flags Rule "How-To" guide (.pdf). 

The website is a good collection of the FTC's materials on this issue and it includes official press releases and statements directed to various industries (including the FTC's letter to the healthcare industry (.pdf), the FTC's guide for telecom companies (.pdf) and the FTC's guide for utility companies (.pdf)). 

The FTC's advice in the How-To Guide may be somewhat general (e.g., "Just getting something down on paper won't reduce the risk of identity theft."), but it does simplify compliance into four steps:

  1. Identify Red Flags.
  2. Develop procedures for detecting Red Flags.
  3. Develop responses for Red Flags once you have detected them.
  4. Re-evaluate your Identity Theft Prevention Program as circumstances change.

For more specific information on threats and security measures, the FTC's webpage on information security is a useful resource drawn from the FTC's experience with companies that have had lapses in information security.  In particular, the FTC's Protecting Personal Information: A Guide for Business (.pdf) lays out five key principles for developing reasonable security procedures:

  1. Take Stock. Know what personal information you have in your records.
  2. Scale Down. Keep only what you need for your business.
  3. Lock It. Protect the information that you keep.
  4. Pitch It. Properly dispose of what you no longer need.
  5. Plan Ahead. Create a plan to respond to security incidents.


OPSEC, Data Security and A-Rod

The saga of Yankee superstar Alex Rodriguez (“A-Rod”) and the revelation of his past steroid use already exemplifies the far-reaching implications of information security practices. But the story is far from over. While the media firestorm over A-Rod appears to be dying down, the fate of the identities of 103 other Major League Baseball players who tested positive for steroid use in 2003 remains undecided. And the outcome of a motion now before the United States Court of Appeals for the Ninth Circuit may affect not only those 103 baseball players, but numerous athletes from other sports whose drug test results were seized by government investigators in 2004. Yet the entire story might never have existed had good OPSEC practices been in place. 

OPSEC – an acronym for Operations Security – is one of the cornerstones of counterintelligence strategy. The Department of Defense definition of OPSEC (.pdf) is “a process of identifying critical information and analyzing friendly actions . . . and other activities to (1) identify actions that can be observed by adversary intelligence systems, (2) determine indicators that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical intelligence in time to be useful to adversaries, and (3) selecting and executing measures that eliminate or reduce… the vulnerabilities of friendly actions to adversary exploitation.” But OPSEC does not just apply to military organizations. It should be a foundational principle for all security architecture. 


The FTC Strikes Back: (Essentially) Everyone Should Be Complying With Red Flags Rules, Especially The Healthcare Industry

In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with federal “Red Flag Rules” -- the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you -- then they probably do.  In this post, we will recap the FTC's recent guidance on who should be complying with the Rules.


Has the Consumer Privacy Legislative Forum Decided to Abandon Efforts to Draft Federal Privacy Legislation?

In early February, I noted that a group called the Consumer Privacy Legislative Forum (“CPLF”), which includes companies such as eBay, Microsoft, Google and Hewlett Packard, had released a statement calling for comprehensive harmonized federal privacy legislation and would be outlining recommendations for such legislation this month. Apparently, the CPLF’s focus has shifted. According to a BNA Privacy & Security Law Report, 8 PVLR 331, the CPLF “has decided to abandon efforts to develop a set of principles for omnibus U.S. privacy legislation” and is instead “now focused on crafting an industry-wide self-regulatory framework that can be tested over time with a broad range of organizations.” The group has also changed its name to the Business Forum for Consumer Privacy, although it “is still working out legal issues involved with officially becoming a new organization.”


Lessons Learned from Facebook's Terms of Service

By Gabriel M. Helmer and Aaron Wright

When Facebook changed its official terms of service earlier this month, what ensued was an explosive public outcry over who owns what users post to social networking sites. Tens of thousands of Facebook's 175+ million users suddenly clicked that often-overlooked link at the bottom of the webpage and pored over the arcane and legalistic language comprising Facebook's terms of service. For many, this was no doubt the first time they had ever read the policy. Below, we recap the recent controversy and discuss the three lessons Facebook and the rest of us should have learned from this series of events.

Recap: Facebook Revises Terms of Service, Ignites Massive Public Firestorm

On February 4, 2009, Facebook announced on its official blog that it had updated its terms of service and provided its customers with a link to those new terms of service. The revisions went little remarked upon until February 15th, when The Consumerist, Consumer Reports' official blog, posted a story entitled “Facebook's New Terms Of Service: ‘We Can Do Anything We Want With Your Content. Forever.’” The post focused on a revised clause that provided Facebook with irrevocable rights to use its users’ likenesses and content:

You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof.

The most severe change from the original terms was that the revised clause excised a sentence that terminated Facebook's license to user content:

You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.

After the Consumerist broke the news, the post received over 300,000 hits in a single day (according to the New York Times), and after the post ignited a firestorm of criticism, blog posts and articles, one Facebook user created the user group “People Against the New Terms of Service (TOS)”.  Two days later, the Consumerist reported that more than 750 articles had been written on the subject and the People Against the New Terms of Service group had 64,000 members.  As of this posting, the group has over 141,000 members and is growing.  This may make Facebook's recent revision the most controversial event that has ever occurred in the history of website usage policies.

Facebook responded to the criticism within days.  First, on February 16, 2009, Facebook attempted to explain that it did not believe the new terms of service did what critics said they did.  Then, Facebook withdrew the revised terms of service two days later, on February 18, 2009, and created a user group to open up discussion on a Facebook Bill of Rights and Responsibilities. Facebook appears to be attempting to harness this controversy to power continued user debate and involvement in the site.

Below we discuss three key lessons to learn from the controversy over Facebook’s terms of service.


Economy Delivers A Perfect Storm In Information Security: Data Crimes Rising As Economy Stumbles

According to a recently released report from McAfee, the downturn in the economy is creating a “perfect information security risk storm.” The report, entitled “Unsecured Economies: Protecting Vital Information,” can be found here [Note: McAfee requires registration to download the report]. McAfee bases its findings on a worldwide survey of 1,000 IT decision makers.

The McAfee Report makes four key findings:

  1. Increasingly, important digital information is being moved between companies and across continents and is being lost.
  2. The global economic crisis is increasing pressure on companies to cut spending across the board, including spending on data security, which creates more opportunities for outside cybercriminals. Moreover, increasing layoffs are increasing incentives for insiders to steal confidential information.
  3. Elements in certain countries are emerging as the main threats to data security.  According to the report, “[g]eopolitical perceptions are influencing data policy reality, as China, Pakistan, and Russia were identified as trouble zones for various legal, cultural and economic reasons.”
  4. Cybercriminals have evolved beyond basic hacking and stealing of data.  They are becoming more organized and sophisticated.

In many ways, the global economic crisis could not have come at a worse time for companies attempting to keep their data secure. As layoffs fueled by the troubled economy increase, the number of employees with the motive, means and opportunity to steal valuable data or to sabotage their employer with a damaging data breach is clearly on the rise. According to the McAfee Report, 68% of those surveyed cited “insider threats” as the top threat to essential information. “Data thefts by insiders tend to have greater financial impact given the higher level of data access.”

Coinciding with the increased threat from insiders is a growing and increasingly sophisticated threat from outside groups of cybercriminals. For example, the McAfee report notes that “malware writers now have R&D departments and test departments” and that malware programs are “regularly updated by its developers as to which vulnerabilities to exploit.” According to one source, the number of malicious programs on the internet tripled in September 2008. 

And while the expansion of information crime has led to increased government regulation, it is clear that the complex demands of various state and federal regulatory schemes are increasing the burden on companies already struggling in the weakening global economy. According to the National Conference of State Legislatures, 44 states have enacted legislation requiring notification of security breaches. This leaves companies with the unenviable task of determining what state laws apply and how to make sure they are complying with scores of overlapping, potentially inconsistent state rules. This quagmire has led to calls for Congress to set a single federal standard for information security. A group called the Consumer Privacy Legislative Forum, which includes companies such as eBay, Microsoft and Hewlett Packard, released a statement calling for “comprehensive harmonized federal privacy legislation” and will be outlining recommendations for such legislation next month. The FTC also has recommended in its recent report on Social Security numbers that Congress set federal standards for information security. 

Between the increasing threats to information assets and the confusing morass of new regulations governing information security, businesses are stuck between a rock and a hard place while the funds and personnel needed to address the threats and comply with increased regulation are dwindling. Given recent reports that “[o]rganizations that experienced a data breach in 2008 paid an average of $6.6 million last year to rebuild their brand image and retain customers,” the only way through this perfect storm may be to push ahead with efforts to evaluate the increasing security threats and adopt reasonable measures to combat these threats, as regulators appear to be demanding.

Massachusetts Businesses Ask For More Time To Comply With State Identity Theft Regulations

A number of high-profile Massachusetts businesses and industry groups have sent Massachusetts governor Deval Patrick a letter requesting that the governor reissue existing identity theft regulations and give battered businesses two additional years to develop information security programs. This comes as a prelude to the public hearing scheduled today before the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) regarding the upcoming May 1, 2009 deadline for businesses to comply with recent Massachusetts identity theft regulations (201 C.M.R. 17.00 et seq.).  The companies and organizations signing the letter included the Massachusetts Business Roundtable, the Massachusetts Package Store Association, the Massachusetts Hospital Association, Google, Comcast, CitiGroup, AOL, Microsoft, The Gap, Verizon and Wal-Mart.

Mass High Tech's story on this event can be found here.

Testimony of the Greater Boston Chamber of Commerce at the January 16, 2009 hearing can be found here.

The Privacy & Security Law Report reports that, at the hearing, representatives of employers, small businesses, financial institutions and universities asked the OCABR to extend the deadline for compliance beyond May 1st. According to these representatives, it will be “virtually impossible” for most of the covered entities to reach compliance by May 1, 2009. In addition, they urged the OCABR to review the new regulations again and make changes.  Whether the OCABR will be swayed by the views of those attending the hearing remains to be seen. Given the economic climate and the costs associated with upgrading systems to meet the new regulations, it is a safe bet that most covered entities would breathe a sigh of relief if the OCABR decides to extend the compliance deadline.

2.13.2009 UPDATE: As we report in our alert, OCABR has responded to this request by filing amended regulations that postpone the compliance deadline by eight months, to January 1, 2010. 

FTC Issues Guidance to Businesses on How To Handle Social Security Numbers

Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers - SSNs and ID Theft. The new report articulates a series of FTC recommendations with respect to the handling of Social Security numbers (SSNs) based upon the work of the President’s Identity Theft Task Force, which was established in May 2006 and led to an extensive fact finding effort summarized in the FTC’s November 2007 staff summary report (which can be found here [.pdf]). For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, when the FTC will begin enforcing federal identity theft regulations. 

The FTC Report first makes two key recommendations that should be considered when developing an identity theft prevention program:


ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations

In September, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued broad identity theft regulations that require virtually every business that retains information on Massachusetts residents to develop comprehensive policies and procedures to address the risk of identity theft by January 1, 2009. 

On Friday, November 14, 2008, OCABR announced that it will give businesses until May 1, 2009 to comply with the new regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same date, May 1, 2009. 

In conjunction with the recently enacted Massachusetts identity theft statute, Mass. Gen. Laws ch. 93H, the Massachusetts identity theft regulations published as 201 CMR 17.00 set specific standards for businesses that own, license, store or maintain personal information about any Massachusetts residents. There are several key provisions in the new regulations:

  • Businesses subject to the regulations include any company, whether or not based in Massachusetts, that owns, licenses, stores or maintains “personal information” about Massachusetts residents.
  • “Personal information” is defined to include a resident’s name in combination with a Social Security number, driver’s license number, credit card or bank account information.
  • Affected businesses are required to develop, implement, maintain and monitor a comprehensive information security program that identifies and mitigates the risks of potential identity theft.
  • Businesses are required to set limits on when employees may access, keep and transport records containing personal information outside of company offices and impose disciplinary measures on employees that violate the information security policies.
  • The regulations also specifically require that computer systems containing personal information be protected by encryption, secure user logins, firewall systems, virus and malware protection and reasonably up-to-date system software.

The Massachusetts Attorney General is authorized to enforce these regulations, but at this stage, as with any new regulatory framework, the form and level of government enforcement is unclear. However, the new regulations direct the Attorney General to take into account the size and nature of the business, as well as the resources available to it, when assessing compliance.

2.13.2009 UPDATE: As we report in our client alert, the OCABR has filed amended regulations to extend the deadline for compliance with Massachusetts identity theft regulation to January 1, 2010.

ALERT: FTC Gives Businesses Until May 1, 2009 to Adopt Identity Theft Prevention Plans that Comply With Recent FTC "Red Flags" Regulations

On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance.  This delay does not apply to users of consumer reports handling notices of address discrepancies, for which the November 1, 2008 deadline still stands. Likewise, enforcement against banks, credit unions and other financial institutions by the U.S. Treasury, Federal Reserve, Federal Deposit Insurance Corporation and other agencies is not affected by the FTC’s action.

The “Red Flag” rules had their genesis in 2003, when Congress enacted the Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681 (“FACTA”). FACTA required the FTC and a group of other regulatory agencies and committees to adopt regulations to help consumers avoid the growing epidemic of identity theft. Under the final “Red Flags” regulations that came into effect on January 1, 2008, U.S. companies that maintain customer accounts used to make periodic payments, transfers or transactions were initially given until November 1, 2008 to develop formal policies to detect the warning signs or “Red Flags” of potential identity theft and set up procedures to prevent and mitigate the harm caused by identity theft. The FTC’s latest announcement provides businesses with an additional seven months, until May 1, 2009, to assess whether they are covered by the “Red Flags” regulations and put in place a compliant Identity Theft Prevention Plan.

While the language of the regulations covers “financial institutions” and “creditors” maintaining “covered accounts,” the FTC has made clear that the “Red Flag” regulations are intended to cover a broad range of businesses, many of which may not consider themselves traditional “financial institutions”. In particular, the FTC maintains that the new regulations apply to: (1) businesses that maintain any type of account that permits multiple payments or transactions or any other account that presents a reasonably foreseeable risk of identity theft, (2) credit card issuers, and (3) companies that use or receive consumer credit reports. 

The FTC estimates that the new regulations apply to over 11 million businesses in the U.S., including lenders, mortgage brokers, and brokerage firms, but also automobile dealers, utilities and telecommunications companies, collection agencies and other businesses that participate in credit decisions about their customers. Any business that provides customers with any type of account that permits the customer to make repeated payments or enter into regular financial transactions needs to assess whether it is subject to the new “Red Flags” regulations.

If your business is covered by the new “Red Flag” regulations, you will need to develop an Identity Theft Prevention Plan containing procedures to:

  1. Identify any indicators of a possible risk or existence of identity theft in your business — what federal regulators are calling “Red Flags” — such as discrepancies in customer information and suspicious account activity.
  2. Respond appropriately to any Red Flags in order to prevent identity theft from occurring, including by monitoring suspicious activity, contacting customers and notifying law enforcement.
  3. Continually assess the identity theft risks to customers and update the company’s Identity Theft Prevention Plan as necessary.

In addition, the new Red Flag regulations require an affected business to obtain approval from its board of directors for the Identity Theft Prevention Plan, train staff to administer the program and exercise oversight over any service providers retained to manage customer accounts and information. 

At present, it is still unclear what form the FTC’s enforcement of the “Red Flags” regulations will take. The regulations do provide for enforcement actions, regulatory penalties and fines, but do not provide individuals with a right to sue for failure to comply with the new rules.