Category Archives: Retail Industry & Customer Information Spotlight

Does Wyndham Confirm the FTC’s Role as Federal Privacy Enforcer?

Data breach law in the United States might have just become a lot less patchy, but a little more uncertain.  On April 7, 2014, the District Court of New Jersey decided FTC v. Wyndham Worldwide Corp., et al., No. 13-1887-ES.  This case arises out of a FTC action, brought under the deception and unfairness prongs of […]

FTC Provides Guidance on Heartbleed

I usually do not re-post directly from the FTC, but given the timeliness of the subject, the wide impact of the problem and the technical nature of the issue, I thought it was warranted to re-post the FTC’s guidance on Heartbleed.  Talk to your IT folks about this sooner rather than later: By Nicole Vincent Fleming […]

Health Insurer Hit With A Record HIPAA Penalty: What Does It Mean?

Triple-S Salud Inc., a Puerto Rican health insurer, has been hit with a $6.8 million penalty from the Office of Civil Rights of the Department of Health and Human Services for a massive data breach.  Triple-S (known as ASES in Spanish) has posted a notice on its website regarding the breach.  The penalty, which also […]

Parents’ NY Lawsuit Seeking to Block Cloud-Based Storage of Student Data Is Dismissed

In a previous post, I wrote about privacy concerns surrounding data storage nonprofit inBloom and its partnership with the New York State Education Department (“NYSED”).  On February 5, 2014, New York State Supreme Court Justice Thomas A. Breslin dismissed the lawsuit filed by parents seeking to block NYSED from sharing and storing student data with […]

Target Data Breach Escalates, Class Actions Begin

As previously discussed here, Target suffered a massive data breach that compromised the credit and debit cards of many of its customers.  Now that the dust has started to settle, the extent of the breach is becoming clearer.  In December, Target announced that 40 million credit and debit card numbers were stolen in this hack.  Further investigation […]

Privacy Concerns “Cloud” Storage of Student Data

Privacy concerns have threatened the plans of the New York State Department of Education to use third party contractor, inBloom, to store and integrate student data in a cloud-based system.  On January 10, the Department announced that it would delay release of additional student data to inBloom.  The delay, which the Department said is normal […]

Are You a “Target”? Business Implications of the Target Breach

Now that the initial media blitz about the massive Target breach has passed, it is time to look ahead at the implications: Legislation:  In the past, we have seen major breaches drive legislative change.  But now that most states have data security statutes, it seems unlikely that much will happen at the state level.  And […]

The Lasting (?) Impact of the Changes in the Ad Policies of Google and Facebook

Remember in late October, when Google and Facebook issued new policies enabling them to use adults’ and minors’ data for advertising purposes?  Initial reports suggested there could be a big hue and cry among consumers.  At the time, I was quoted by Law360 saying: “They’re absolutely testing the boundaries from not only a legal standpoint, but also from […]

Revised COPPA Rules Go Into Effect July 1, 2013

In order to “keep up with technology,” the FTC revised the Children’s Online Privacy Protection Rule (COPPA) in 2012.  As a result of those revisions, some companies that may not have been covered by COPPA may now be covered, and the effective date of those changes is today, given the July 1st effective date of the […]

FTC Issues Revised Business Guide on ‘Red Flags’ Identity Theft Rule

The Federal Trade Commission has issued revised guidance designed to help businesses comply with the requirements of the Red Flags Rule, which protects consumers by requiring businesses to watch for and respond to warning signs or “red flags” of identity theft.  The guidance outlines which businesses – financial institutions and some creditors – are covered […]

Recent Massachusetts Supreme Judicial Court Case Starts a Wave of Lawsuits Against Retailers for Collecting Customer ZIP Codes

            In a recent decision, the Massachusetts Supreme Judicial Court (SJC) determined that customer ZIP Codes are “personal identification information” that retailers are prohibited from collecting during credit card transactions.  With this decision, the Massachusetts high court may have set off a wave of new class-action lawsuits against retailers that collected customer ZIP Codes.  Especially […]

Videogame Maker Sued Over Optional Two-Factor Authentication Service

Blizzard—maker of the video games Diablo III and World of Warcraft—was sued last week in California over its two-factor authentication service. The complaint seeks class action status. The concept of two-factor authentication should be familiar to anyone that has used RSA SecurID. When logging into an online service, users enter both a password and a single-use authentication code. Blizzard […]

Customers Recover Losses in Bank Security Breaches

A recent story in the Wall Street Journal discusses how small businesses can push back against banks which do not provide sufficient security for their bank accounts. The article focused on the recent First Circuit decision, Patco Construction Co. v. People’s United Bank, involving a bank account that had been drained by multiple fraudulent transactions. […]

On or off? Setting Defaults for Privacy Online

Interesting post by my colleague Vivek Krishnamurthy, on our Corporate Social Responsibility blog, about how software companies should set the default privacy settings on their products.  How should software companies set the default privacy settings on their products? Microsoft’s announcement earlier this month that the next version of its Internet Explorer web browser will ship with its […]

Survey Reveals Generation Gap in Employee Attitudes Toward Confidential Information

A recent Harris Interactive survey of 2,625 adult Americans reveals some interesting attitudes towards employer confidential information, including significant variations depending on an employee’s age: – 68% of 18-34 year olds responded that it is acceptable to remove confidential information from their place of employment. This contrasts with just half (50%) of those 55 years […]

FTC Counters Constitutional Challenge to Fair Credit Reporting Act

The Federal Trade Commission has joined the Department of Justice and the Consumer Financial Protection Bureau in filing a memorandum in support of the constitutionality of the Fair Credit Reporting Act. This issue arose in Shamara King v. General Information Services, Inc., a "consumer class action based upon Defendant’s willful violation of the Fair Credit Reporting […]

Governments Hire Hackers to Work for Them

Interesting article in Forbes, "The Zero-Day Salesmen," about "government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the ­explicit ­intention of invading or disrupting the computers and phones of crime suspects and intelligence targets."

Massachusetts Reports on Data Breaches for 2007-2011

The Massachusetts Office of Consumer Affairs and Business Regulation has issued its first annual report on data breaches. Since Massachusetts has one of the more strict state laws on data security and breach reporting, this report bears close attention for trends across the nation. Some of the highlights in this summary, which covers 2007-2011: Through […]

Good Advice that Bears Repeating: Toughen Up Your Passwords!

In an article that repeats a common theme in this space, this week’s Economist talks about how researchers are trying to help ordinary people toughen up their passwords.  But despite the efforts of these researchers, the article’s conclusion is a gloomy one: The upshot is that there is probably no right answer. All security is […]

New Case Highlights Split of Authority Interpreting the Computer Fraud and Abuse Act

Employers increasingly are suing former employees who have left to join or form competing companies using the civil remedies available under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. They use the CFAA to prevent their former employees from using sensitive information obtained from the former employer’s computer system. The scope of the CFAA, […]

Breaking Down the White House Privacy Framework–a Video Blog

Here is a video discussion I had with LexBlog on the new White House Data Privacy report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” In this conversation, we discussed the report’s four primary elements: a Consumer Privacy Bill of Rights, a multistakeholder […]

Court Sides with Facebook, Finds Social Networking “Experience” Website Violated CAN-SPAM and Other Data Security Statutes

In a case brought by Facebook, a U.S. district court recently concluded that a website that offered to integrate multiple social networking accounts into a single social networking “experience” violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), the Computer Fraud and Abuse Act (“CFAA”), and California Penal Code § 502. […]

Predictive Analytics Informed Consent and Privacy: The Case of Target

We are sharing this blog post by our colleague Vivek Krishnamurthy regarding an article in last weekend’s New York Times Magazine that discusses the powerful statistical techniques that some companies are using to analyze sales and other data in order to gain insights into their customers’ behaviors and needs. The article raises a number of interesting consent […]

White House Releases Long-Anticipated Privacy Report

The White House has finally released its long-anticipated report on consumer privacy.The 60-page White House report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” is the start of what promises to be a fascinating legislative and regulatory process.  It is curious that the […]

State Attorneys General Write to Google

In a letter sent earlier today, 37 state attorneys generals (or their equivalents) wrote to Larry Page, Google’s CEO, "to express our strong concerns with the new privacy policy that Google announced it will be adopting for all of its consumer products." According to the letter: Google’s new privacy policy is troubling for a number of reasons. […]

The Right To Be Deleted

If you haven’t Googled yourself in a while, this might be a good time. My own self-search reveals, among other things, a page at mylife.com.  I didn’t put it there, and I’d rather it not be there. However, right now, there isn’t a right to have your personal or professional information be deleted from social media, review sites, […]

Google Disables Its iPhone Tracking

Interesting article in the Wall Street Journal about Google’s iPhone tracking. Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.’s Web browser on their iPhones and computers—tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked. The companies used […]

What Facebook’s IPO Means for Users

I was interviewed for this PC World piece on the potential impact of Facebook’s recently announced IPO on data privacy.  My take:  being a public company brings with it more transparency and more regulation, which will force Facebook to be more cautious and ultimately more open about its privacy policies.  This seems obvious to me, but […]

Retailer’s Request for Zip Code Violated Law, But Generated No Harm

A decision in Tyler v. Michaels Stores earlier this month from the United States District Court for the District of Massachusetts, the use of a consumer’s Zip Code to find her address and send her mailings was held to be a statutory violation, but did not give rise to a claim for damages. Melissa Tyler brought […]

More on Google’s Privacy Policy

Here is an excerpt from my interview yesterday with Jon Mitchell of ReadWriteWeb: "From a legal perspective, I’m not seeing anything that’s much different in what’s being proposed to take effect on March 1 and what’s in place right now," Zick says. "In particular, the language about sharing across services has been in [Google's policies] […]

Google Changes Its Privacy Policies

As many of you have probably seen already, Google is changing its privacy policies, effective March 1, 2012.  These changes will be effective across all of Google’s platforms, and users will not be able to opt out.  A user’s only choice to avoid these changes will be to leave Google’s search engine, Gmail, Calendar, Search, […]

“Performing Due Diligence Before Signing a Cloud SLA”

My overview of some of the major issues involved in signing a cloud computing agreement can be found in searchcloudcomputing, "Performing Due Diligence Before Signing a Cloud SLA."                                                                      *  *  * No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall — in […]

Facebook Settles FTC Charges that It Deceived Consumers, Agrees to 20 Year Consent Order

In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle ”charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” according to the FTC’s press release. In its complaint, the FTC […]

“SEC’s Corp Fin Staff Attacks Cyber-Security Disclosure”

I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents: Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot […]

Most Recent Sony Breach Illustrates the Cascading Effect of Data Breaches

It was revealed recently that Sony’s on-line services were the subject of another significant attack. This incident, however, did not exploit a vulnerability in Sony’s security infrastructure so much as it highlighted the cascading effect of data breaches. Rather than try to scale any fences or jimmy any windows, this attack used account holders’ own keys […]

More Consumer Data Security and Privacy Legislation Introduced

The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8.  This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies.  In particular, Senator Blumenthal’s bill, ”The Personal Data Protection and Breach Accountability Act,” would required businesses […]

Another Big HIPAA Settlement: The UCLA Health System Settles for $865,000

In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with […]

Supreme Court Strikes Down Vermont Data Mining Law

The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy’s opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech. The first paragraph of Justice Kennedy’s opinion provides a […]

2011: The Year of the Breach

We are six months into 2011, and it seems destined to be “The Year of the Breach.”  In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach: Epsilon: breach of customer email addresses; RSA: compromise of security tokens (possibly impacting […]

What Law Applies In “the Cloud”?

Attached is my presentation given at a recent CloudCamp, on the subject:   What Law Applies In “the Cloud”?  (CloudCamp is an unconference where early adopters of Cloud Computing technologies exchange ideas.)

Consumer Class Action Filed Against Sony for Data Breach

On May 5, a consumer class action was filed against Sony, relating to the data breaches in its Sony PlayStation and related services.  The complaint alleges negligence, invasion of privacy and misappropriation of confidential financial information, as well as breach of express and implied contract.  No specific damages were alleged.

“Pressure Point: Online Privacy — Privacy is Potentially a Costly Workplace Issue”

In the April 22, 2011 Boston Business Journal article, entitled, "Pressure Point: Online Privacy – Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers:  “Most of the time, data breaches don’t come down to a failure of technology or inadequate technology. […]

White House Releases Framework for National Strategy for Trusted Identities in Cyberspace

On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in […]

TripAdvisor Reports Data Breach

If you are like me, you may have received an email from TripAdvisor, alerting you that "an unauthorized third party had stolen part of TripAdvisor’s member email list."  The text of that email was as follows:  To our travel community: This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor’s member […]

Obama Administration Seeks “Consumer Privacy Bill of Rights”

In March 16, 2011 testimony before the Senate Committee on Commerce, Science, and Transportation, the Obama Administration formally asked Congress to pass a "consumer privacy bill of rights" enforced by the FTC: Legislation to provide a stronger statutory framework to protect consumers’ online privacy interests should contain three key elements. First, the Administration recommends that legislation […]

FTC Red Flags Suits Come to an End as Lawyers and Doctors Are Exempted

While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up.  The American Bar Association’s suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case:  "The lawsuit filed by the Litigation […]

FTC Publishes Copier Data Security Guide

As we noted back in May, digital copiers have caught the eye of government privacy enforcers.  If you have a digital copier at your business, you should review the FTC’s Copier Data Security: A Guide for Businesses.  In that Guide, the FTC suggests that ”your information security plans .  . . should cover the digital copiers your company […]

Some Tips for Protecting Your Data when Dealing with Vendors

I recently attended the 10th Annual Legal and Compliance Forum on Privacy & Security of Consumer and Employee Information in Washington, DC. It featured a particularly lively panel on “Oversight of Third-Parties and Vendors: Managing and Controlling Relationships Through Effective Due Diligence and Contract Negotiation.” Below are some  key points the panelists discussed; some may seem obvious, […]

Mozilla and Google Announce “Do Not Track” Browser Features

Earlier this week, both Mozilla and Google announced new browser features aimed at giving users greater control over how their personal data is collected online. Microsoft announced a similar initiative in December. The introduction of browser “Do Not Track” features follows the Federal Trade Commission’s preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change:  […]

Will 2011 Bring Us “Do Not Track” Legislation?

Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws: This is an area where bipartisan concensus is possible. The industry powers will fight against “Do Not Track” and will win that fight. Industry will […]

Tracking Protection to be Included in Internet Explorer 9: Is This the Tipping Point?

Microsoft announced yesterday in its IE blog that it will be adding a tracking protection feature to Internet Explorer 9.  In particular, Microsoft promises that: IE9 will offer consumers a new opt-in mechanism (“Tracking Protection”) to identify and block many forms of undesired tracking. “Tracking Protection Lists” will enable consumers to control what third-party site content […]

FTC Proposes Privacy Framework That Will Impact the Business Model of All Online and Mobile Advertising Companies

Our colleagues in Foley Hoag’s Emerging Enterprise Center have summarized the FTC preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers,” which we posted on December 1.  We are cross-posting the analysis from their blog below. It seems likely that the next two years will bring significant changes to this […]

FTC Releases Report: “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers”

Earlier today, the FTC released a preliminary staff report entitled, “Protecting Consumer Privacy in an Era of Rapid Change:  A Proposed Framework for Businesses and Policymakers.”  The report is over 100 pages long and suggests that changes need to be made regarding consumer privacy, stating: Industry must do better. For every business, privacy should be a basic […]

Website Privacy Policies – an extensive primer…..

This is a cross-posting of an interesting November 29 entry in Foley Hoag’s Emerging Enterprise Center blog, by Patrick Connolly and Prithvi Tanwar: If your start-up’s website will collect user information…. and chances are it will, you need to start thinking about your website privacy policy. I have often spoken with founders who think that the website […]

Advocacy Groups File FTC Complaint Over Online Consumer Health Sites and Health-Related Marketing

In a complaint filed with the FTC on November 23, four advocacy groups asked for "Investigation, Public Disclosure, Injunction, and Other Relief" against several online health giants, including Google, Microsoft, QualityHealth, WebMD, Yahoo, AOL, HealthCentral, Healthline, and Everyday Health.  The advocacy groups behind this complaint are the Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and World […]

Nearly 250,000 Opt Out of Google’s Street View in Germany

According to a recent entry on Google’s own European public policy blog, only a small minority of German’s have opted-out of its Street View service: “Out of a total of 8,458,084 households, we received 244,237 opt-outs, which equals 2.89% of households. Two out of three opt-ots [sic] came through our online tool.” If you are […]

Will a Smart Card Make Students Smarter or Is It a Dumb Idea?

In what is assuredly a sign of things to come, the Boston Public Schools have announced that they are piloting a smart card for students, called the BostONE Card.  According to an article in today’s Boston Globe, the purpose of this card is to "make it easier for some public school students to use city […]

“Network Analysis” and Privacy: Does Anybody Care?

Interesting article in this week’s Economist about social network analysis, outlining how companies are using increasing sophisticated forms of data-mining on their customers, and how industry is spending billions to advance the process.

Federal Judge Prevents Sale of CLEAR Customers’ Personal Data

On August 18, a federal judge in the Southern District of New York entered an injunction forbidding Verified Identity Pass, Inc. (VIP) to sell or transfer any of the confidential customer information it compiled while operating the CLEAR express airport check-in program.  The CLEAR program collected a range of customer biographic information (e.g., name, address, […]