The recently-released Pokémon Go has quickly emerged as a cultural phenomenon, with legions of players using their phones to “catch” Pokémon that emerge all around them, visible (thankfully) only to players. While catching Pokémon by phone is far less cumbersome than collecting boxes upon boxes of Pokémon cards, as some of us did in the early aughts, it does come with its own set of pitfalls. Specifically, users have learned that Niantic, the… More
Category Archives: Retail Industry & Customer Information Spotlight
In Case You Missed It: Ruling in FTC v. Amazon Suggests a Way Forward for Companies Responding to Actions Brought by the FTC after a Data Breach. The FTC’s recent actions in the realm of data security have been predicated on its claim of statutory authority to seek injunctive relief for the failure to maintain reasonable and appropriate data security practices. A U.S. District Court ruling last week casts some doubt on that authority. Although the court concluded against Amazon on the facts at issue (involving in app purchases not data security), it also cast doubt on the FTC’s… More
In Case You Missed It
The FTC settled with mobile advertising company InMobi for $950,000 in civil penalties, along with the implementation of a privacy program, based on the FTC’s charges that InMobi impermissibly tracked the locations of both adult and child consumers for the purpose of geo-targeted advertising. The latter, of course, also implicated allegations of violations of the Children’s Online Privacy Protection Act (COPPA) rule. The FTC alleged in particular that, when installing an application to which InMobi’s advertising was attached, even if a user declined to share location information with the application, InMobi’s software would… More
In Case You Missed It: Illinois strengthened its data privacy and security law, with the amendments going into effect in January 2017. The amendments include expanding the definition of “personal information” to include a username or email address of an Illinois resident in conjunction with a password or security question answer that would permit access to an online account. The definition is also expanded to include medical and health insurance information. However, if a company already complies with the data security elements of HIPAA and HITECH, then it will be deemed to comply with the Illinois law. Illinois’ amendments… More
The FBI recently released an article discussing the spate of ransomware attacks on a variety of different entities, including hospitals. In the article, the FBI warned that ransomware attacks and the cybercriminals carrying them out are growing increasingly sophisticated. The FBI opposes paying a ransom when hit by a ransomware attack, saying that doing do incentivizes more ransomware attacks, can inadvertently fund other illegal activity, and does not always result in the restoration of access. The FBI recommends that entities focus on prevention efforts like employee training, patching operating systems and software, and restricting access to files, directories, and/or… More
The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office of Civil Rights of the Department of Health and Human Services.
The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.525,” issued earlier this year. That guidance is essential reading for companies operating in the medical records space, as it sets forth OCR’s views on such topics… More
In Case You Missed It: US and EU officials signed on to the so-called “Privacy Umbrella” deal last week. The agreement is designed to protect the personal data of EU citizens when it is transferred to the US for law enforcement purposes — a sort of criminal counterpart to the sturdier-sounding Privacy Shield we discussed here last Thursday. And, like the Shield, the Umbrella has drawn its share of critics, who claim that it “effectively undoes” much of EU’s data protection.
News of Note: Zuckerberg Hacked. Demonstrating that no one is immune from a cybersecurity attack, Facebook founder… More
The GDRP sets out uniform new rules in the field of data protection across the EU, rules that will standardize the law in the 28 EU Member States and have an impact on both European and non-European companies. For example:
data controllers (companies collecting and using personal information) will have a wide range of new obligations, including: data breach notification; implementation of the right to be forgotten; appointment of a data protection officer; privacy impact assessment before processing data; and implementation… More
After the invalidation of the Safe Harbor by the European Court of Justice (“ECJ”) last October in the Schrems case, negotiations between the European Commission and US authorities led to a new agreement called the EU-US Privacy Shield. However, the EU’s 1995 Data Protection Directive provides that the Article 29 Working Party (“WP29”) has to issue an opinion on this kind of agreements and it did so on April 13. It concluded that the proposed version of the Privacy Shield does not offer a protection essentially equivalent to that offered under EU law. WP29 noted… More
Very interesting thought piece from the FTC’s Chief Technologist. Do mandatory password resets actually make us less secure? Not necessarily, but they could, if we do not train users to be aware of the subconscious pitfalls.
The new framework dedicated to the EU / US flow of personal data is in fact a combination of several documents issued by the US and the EU.
On the US side, we have a letter sent by the U.S. Secretary of Commerce Penny Pritzker on 23 February 2016 to EU Commissioner Věra Jourová including the “package of EU-US Privacy Shield materials” (of 128 pages) which is… More
The COPPA Rule requires website and online service operators to give notice to parents and obtain verifiable parental consent before collecting children’s “personal information” online. 16 CFR §§ 312.4, 312.5. The definition of “personal information” encompasses some obvious pieces of data – name and address, for example – and some less-obvious ones, such as screen names, geolocation data, and “persistent identifiers.” A “persistent identifier” is a piece of information “that can be used to recognize a… More
EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield
What follows below is the EU’s press release regarding the agreement on a replacement for the EU-US Safe Harbor. We are working to get details and will schedule a webinar on the new framework shortly.
The European Commission and the United States have agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield.
Today, the College of Commissioners approved the political agreement reached and has mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement. This new framework will protect the fundamental rights of Europeans where their… More
On December 18, 2015, President Obama signed the Cybersecurity Act of 2015 (The “Act”), legislation designed to combat online threats to the federal government, state and local governments, and private entities. Within the Act are four titles, the most significant of which is Title I, the Cybersecurity Information Sharing Act (“CISA”) (which begins at p. 694).
CISA addresses the manner in which the federal government and non-federal entities may share information about cyber threats and the defensive measures they may take to combat those threats.
CISA: An Optional Opportunity
CISA does not require non-federal entities (private entities and state,… More
Amendment to the Annual Privacy Notice Delivery Obligations of Financial Institutions under the Gramm-Leach-Bliley Act contained in the FAST Act
On December 4, 2015, President Obama signed the Fixing America’s Surface Transportation Act (the ‘‘FAST Act’’) into law. Although the FAST Act’s main focus is on improving the country’s surface transportation infrastructure, the law also contains a provision that modified the annual privacy notice requirement under the Gramm-Leach-Bliley Act (“GLBA”).
Previously under the GLBA privacy regulations, financial institutions (which includes registered investment advisers, investment companies, broker-dealers and private funds) had to circulate to their customers an annual… More
As the Wall Street Journal noted yesterday, banks are being deluged with phishing attacks. These attacks are especially fierce around the holiday season, when more personnel are absent and normal procedures are ignored or bypassed. The FBI and other law enforcement agencies are focused on these attacks, but it only takes one employee to “believe” a phishing email for the trouble to start.
This is the time of year when we think of giving to others, but those gifts… More
Today, Wyndham and the FTC settled the enforcement action brought by the FTC that had led to a significant decision by the Third Circuit in August of this year. (Wyndham’s statement on the settlement can be found here; the FTC’s statement can be found here; my earlier analysis of the Third Circuit’s decision can be found here.) While the details of the settlement are interesting in their own right – Wyndham will not be paying anything by way… More
The scaffolding of the FTC’s powers in the realm of cybersecurity continues to be built. On Monday, the FTC’s Chief Administrative Law Judge D. Michael Chappell issued an initial decision in the FTC’s closely watched enforcement action against LabMD. The case involves a 2008 incident in which a data security company (Tiversa Holding Co.) discovered a LabMD document containing personal information of 9,300 patients was available on a P2P file sharing network. … More
Cybersecurity and Risk Management: “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers”
A timely new resource for business executives, technology professionals, and lawyers alike is the newly-published Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers from the New York Stock Exchange and Palo Alto Networks. At 355 pages, the guide provides information from dozens of contributors from around the country and from various backgrounds. The guide explores 46 separate topics, focusing on such issues as prevention, developing action plans, legal and regulatory challenges, the internet of things, and building readiness… More
The FTC’s Broad Authority and FTC v. Wyndham: Thinking about the Future of Data Privacy Regulations
What makes data privacy law interesting for academics, challenging for lawyers, and frustrating for businesses is its shape-shifting structure in the face of rapidly changing technology. The recent change in the invalidation of US-EU “safe harbor” system is a useful reminder of the differences between the way the European Union and the U.S. handle questions of data privacy: whereas, generally speaking, in the EU data privacy standards are relatively uniform, in the U.S. there are as many different sets of regulations as there… More
This month’s edition of the Advanced Cyber Security Center’s newletter includes my discussion of lessons to be learned from the Wyndham decision:
Historically, security was an issue reserved in a back room for the IT department, if there were even a budget and ample resources. To the public, cybersecurity meant identity theft and proceeded with business as usual with the comfort of an anti-virus protection that may have come with their computer.
On the other hand, large enterprises, especially those that… More
By Martha Coakley and Jon Hurst
This entry originally ran as an op-ed in the September 25, 2015 edition of The Boston Globe.
Hardly a week goes by without a news report of a new cyberattack. As any consumer affected by fraud knows, the harm is real. The impact on businesses, government, and other targets is also real, and includes monetary harm and reputational damage that can devastate those so reliant on the trust of their customers.
Retailers recognize that… More
Delaware Attorney General Matt Denn is serious about online privacy, and aims to make Delaware “the safest state in America for kids to use the internet.” This August, Delaware Governor Jack Markell signed into law four online privacy bills drafted by the Attorney General, the most substantial of which is the Delaware Online Privacy and Protection Act.
Over one year ago, our colleague Chris Hart argued that the District of New Jersey court’s decision in FTC v. Wyndham Worldwide Corp. et. al., No. 13-1887-ES, “point[ed] to the possibility that the FTC has potentially broad power, and a far reach, to bring actions for data breaches as a general matter.” That possibility became substantially more concrete this week, when the Third Circuit affirmed Judge Esther Salas’ refusal to dismiss the Federal Trade Commission’s lawsuit against Wyndham that… More
The FTC’s COPPA (the Children’s Online Privacy Protection Act) Rule requires website operators to obtain “verifiable parental consent” prior to collecting, using, or disclosing personal information from children. Though the COPPA Rule enumerates several methods for obtaining consent, the FTC, sensitive to how fluid technological developments in this space can be, also allows pre-approval of new methods not listed in the Rule. 16 CFR 312.12(a). (As I previously blogged, the Rule also allows for… More
Seventh Circuit Allows Data Breach Class Action to Proceed Against Neiman Marcus, Despite Lack of Current Harm to Credit Card Holders
Data breaches are often followed by class action suits in which the affected individuals seek damages. Corporations defending against such suits have used a 2013 Supreme Court case, Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), to fight off such claims. In Clapper, the Supreme Court held that, in order for a plaintiff who alleges future harm to have the necessary Article III standing to sue in federal court, the plaintiff must meet a stringent bar for the suit to proceed:… More
Last week, the Cybersecurity Unit of the Department of Justice (DOJ) issued a list of “best practices” for companies concerning preparing for and responding to cyber-attacks. The report details the lessons federal prosecutors have learned while handling cyber investigations, as well as feedback from private sector companies. Some of the key pieces of advice are:
Identify Your “Crown Jewels”: Before creating a cyber-incident response plan, companies should first identify which data, services, and infrastructure warrants the most protection. Loss of some data or services might only result in a minor disruption, which loss of others could be devastating. A… More
We welcome this guest blog by Gene Fry, Compliance Officer, Scrypt, Inc.
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. This means that any covered entity (CE) or business associate (BA) that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. The HIPAA Privacy Rule addresses the storage, accessing and sharing of PHI, whereas the HIPAA Security Rule outlines the security standards which protect health data created, received, maintained or transmitted electronically; known as electronic protected health… More
Smart grids – electrical grids that allow two-way communication between utilities and consumers – represent an exciting frontier in the Internet of Things, with ramifications for energy efficiency, weather resiliency and climate change, among others. As the Department of Energy writes, “[t]he Smart Grid represents an unprecedented opportunity to move the energy industry into a new era of reliability, availability, and efficiency that will contribute to our economic and environmental health.”
But like many aspects of the Internet of Things, smart grids also present privacy concerns. Few people fret about the privacy of their monthly electric bill, but smart meters… More
Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part III: Five Key Lessons for Business
Concluding our three-part analysis of the White House’s first Summit on Cybersecurity and Consumer Protection, we turn to some practical advice coming out of the Summit’s afternoon session, including an address by Maria Contreras-Sweet, the administrator of the Small Business Administration (“SBA”), and a panel discussion among financial sector leaders moderated by Deputy Treasury Secretary Sarah Bloom Raskin.
Here are five takeaways for companies large and small:
Companies are only as secure as their most vulnerable employee. In the course of the panel discussion, Mike George, CEO of QVC, elaborated on how training and constant vigilance were at the… More
Medical Billing Provider and its Former CEO Settle FTC Charges That They Misled Consumers About Collection of Personal Health Data
In an age when many of us briskly scroll through website terms and conditions and check, “I agree” without thinking, how should businesses design their websites to obtain proper authorization to access users’ sensitive information? The announcement of the settlement of a pair of recent FTC complaints against PaymentsMD, a medical billing services provider and its former CEO, and the resulting settlement, provide some important guidance, at least with regard to health information practices. In that settlement, the Atlanta-based health billing company and its former CEO settled charges that they misled thousands of consumers who signed up for… More
With every swipe of a credit card this holiday season, consumers put their faith in the companies that process and store their information. Yet, it is no secret that data breaches are on the rise, hitting companies large and small. Massive data breaches recently struck Target and Home Depot, to just name a few, and these two breaches alone affected hundreds of millions of consumers and cost the companies hundreds of millions of dollars. Sony Pictures… More
I’ve looked at clouds from both sides now From up and down, and still somehow It’s cloud illusions I recall I really don’t know clouds at all
Until recently, many cloud users felt like Joni Mitchell in her classic song, “Both Sides Now.” No matter how you looked at clouds, you never really understood them, how they worked, or what happened inside them. Cloud storage and data processing were often (and with some justification) viewed as something of a digital Wild West, with few rules or standards for data protection, not much transparency… More
Our client, CloudLock, recently hosted an interesting webinar, “Moving to the Public Cloud: Whirlpool Case Study.” The webinar features John Bingham, CISO at Whirlpool Corporation, who shared Whirlpool’s story of moving into the public cloud and how their security team found the support for the company’s core business goals.
In a first for the FCC, it announced on October 24 that it intends to fine two telecom companies $10 million for data security violations:
The FCC intends to fine TerraCom, Inc. and YourTel America, Inc. $10 million for several violations of laws protecting the privacy of phone customers’ personal information. According to an investigation by the Enforcement Bureau, TerraCom and YourTel apparently stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access. The information was gathered to demonstrate eligibility for the Lifeline program, which is… More
Yelp’s $450,000 settlement with the FTC in September should serve as an important reminder for all owners and operators of websites or mobile apps – even if your site is not for kids, you need to know and abidge by what the Children’s Online Privacy Protection Act (COPPA), and the related COPPA Rule, requires.
Yelp allows registered users to write reviews of local businesses. A user can access Yelp through desktop and mobile websites, as well as apps on both iOS and Android. Once registered, a user can upload a profile picture and post photos to go along with reviews… More
Last week, the FTC announced approval of a new Safe Harbor Program under the Children’s Online Privacy Protection Act (COPPA), called iKeepSafe. The program was created by the Internet Keep Safe Coalition, a nonprofit organization that describes its goal as the “creation of positive resources for parents, educators and policymakers who teach youths how to use new media devices and platforms in safe and healthy ways.”
The COPPA Rule affords some flexibility in compliance through use of a safe harbor provision, 16 C.F.R. § 312.10. The provision allows that operators – that is, persons who operate… More
The FTC’s July 10, 2014 complaint filed against Amazon has left app developers with concerns about how to make apps that target kids and still comply with the law. The complaint, brought under Section 5(a) of the FTC Act, alleged that Amazon failed to obtain parents’ or account holders’ informed consent to in-app charges incurred by children. While the complaint was not brought under the Children’s Online Privacy Protection Act (COPPA), the increased scrutiny on child-targeted apps should have all app developers making sure they understand what COPPA requires when it comes to getting parental consent.
Generally, COPPA… More
As previously discussed here, Target suffered a massive data breach at the end of last year that compromised the information of 70 million or more consumers. Within days of the announcement, class action lawsuits were filed against Target around the country, including in California, Massachusetts, Minnesota, Ohio, and Utah. These class actions fall into three general categories: (1) those brought by consumers whose information was compromised; (2) those brought by financial institutions such as banks and credit unions that service these consumers; and (3) derivative actions brought by Target shareholders.
In April,… More
The Revised COPPA Rule and “Personal Information” – One Example that Balances Anonymity and Interactivity
The revised Children’s Online Privacy Protection Act (“COPPA”) Rules, as discussed here previously were meant to bring regulations in line with, in the FTC’s words, the “rapid-fire pace of technological changes to the online environment” that have taken place since COPPA was passed in 2000. This week’s Boston Globe article about the new public television production, WGBH’s “Plum Landing,” provides an interesting illustration of the impact of the revised COPPA Rule.
Plum Landing is not a television show, but rather a series of videos, online games and activities spanning a variety of platforms (e.g., computers, tablets, and… More
Today’s decision by the European Court of Justice (ECJ) that individuals enjoy the right to have truthful yet unflattering information about them “forgotten” from online search results is generating a great deal of controversy in Europe and beyond. In a case brought by Spanish national Mario Costeja Gonzalez against Google demanding that the search giant remove results referring to a years-old newspaper notice of a tax auction of… More
In a 110 page report issued yesterday, the Federal Trade Commission suggested that data brokers operate without transparency and asked Congress to consider enacting legislation to make data broker practices more visible to consumers and to give consumers greater control over personal information that is collected and shared by data brokers.
The report, “Data Brokers: A Call for Transparency and Accountability” is the result of a study of nine data brokers undertaken by the FTC to shed light on the data broker industry. The report found that data brokers collect and store billions of data elements covering nearly every… More
Data breach law in the United States might have just become a lot less patchy, but a little more uncertain. On April 7, 2014, the District Court of New Jersey decided FTC v. Wyndham Worldwide Corp., et al., No. 13-1887-ES. This case arises out of a FTC action, brought under the deception and unfairness prongs of Section 5(a) of the FTCA (15 USC s. 54(a)), against Wyndham Worldwide relating to a series of data breaches between April 2008 and January 2010. The question before the court, on a 12(b)(6) motion to dismiss brought by Wyndham,… More
I usually do not re-post directly from the FTC, but given the timeliness of the subject, the wide impact of the problem and the technical nature of the issue, I thought it was warranted to re-post the FTC’s guidance on Heartbleed. Talk to your IT folks about this sooner rather than later:
By Nicole Vincent Fleming
April 11, 2014 – 4:23pm
If you’re thinking “Heartbleed” sounds serious, you’re right. But it’s not a health condition. It’s a critical flaw in OpenSSL, a popular software program that’s used to secure websites and other services (like… More
Triple-S Salud Inc., a Puerto Rican health insurer, has been hit with a $6.8 million penalty from the Office of Civil Rights of the Department of Health and Human Services for a massive data breach. Triple-S (known as ASES in Spanish) has posted a notice on its website regarding the breach.
The penalty, which also is described in a securities filing, is based a breach involving 13,336 of Triple-S’s Dual Eligible Medicare beneficiaries. This penalty dwarfs the previous record fine of $4.3 million, which was related to non-cooperative behavior after a breach by Cignet Health in 2011.
In a previous post, I wrote about privacy concerns surrounding data storage nonprofit inBloom and its partnership with the New York State Education Department (“NYSED”). On February 5, 2014, New York State Supreme Court Justice Thomas A. Breslin dismissed the lawsuit filed by parents seeking to block NYSED from sharing and storing student data with inBloom. In his order, Justice Breslin ruled that the agreement between NYSED and inBloom did not violate New York state privacy law. Noting that the new storage system “can support more security features” than current systems used by New York… More
Sony Class Action Has A Few Lives Left; Most of Plaintiffs’ Claims Dismissed But Certain Consumer Claims Remain
On January 21, 2014, U.S. District Judge Anthony Battaglia issued a 97 page orderthat dismissed the majority of the claims in a putative class action against various Sony entities, claims relating to the 2011 hack into the computer network system that Sony used to provide online gaming and Internet connectivity through PSP handhelds and PS3 game consoles.
According to Judge Battaglia, “The fifty-one claims alleged in the FACC can be categorized into nine sub-groups: (1) negligence; (2) negligent misrepresentation; (3) breach of express warranty; (4) breach of implied… More
As previously discussed here, Target suffered a massive data breach that compromised the credit and debit cards of many of its customers. Now that the dust has started to settle, the extent of the breach is becoming clearer. In December, Target announced that 40 million credit and debit card numbers were stolen in this hack. Further investigation has uncovered that hackers also obtained the “names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.” While there is probably some overlap between the two groups, Target says that it still does not know the extent… More
Privacy concerns have threatened the plans of the New York State Department of Education to use third party contractor, inBloom, to store and integrate student data in a cloud-based system. On January 10, the Department announced that it would delay release of additional student data to inBloom. The delay, which the Department said is normal for a project of its size, comes after a class of parents filed suit in November and New York legislators proposed a bill requiring parental consent before sharing such data.
Now that the initial media blitz about the massive Target breach has passed, it is time to look ahead at the implications:
Legislation: In the past, we have seen major breaches drive legislative change. But now that most states have data security statutes, it seems unlikely that much will happen at the state level. And action at the federal level has been long promised, but remains a distant vision. Law enforcement: While the actual hackers may remain elusive, Target is an easy target. Expect significant investigations, record-setting financial penalties and a burdensome compliance agreement for Target. And, of course,… More
Remember in late October, when Google and Facebook issued new policies enabling them to use adults’ and minors’ data for advertising purposes? Initial reports suggested there could be a big hue and cry among consumers. At the time, I was quoted by Law360 saying:
“They’re absolutely testing the boundaries from not only a legal standpoint, but also from a public acceptance standpoint,” said Foley Hoag LLP privacy and data security practice co-chair Colin Zick. “With these sort of compliance issues and regulatory concerns, I’m always reminded of the Japanese proverb that the nail that sticks up gets hammered… More
In order to “keep up with technology,” the FTC revised the Children’s Online Privacy Protection Rule (COPPA) in 2012. As a result of those revisions, some companies that may not have been covered by COPPA may now be covered, and the effective date of those changes is today, given the July 1st effective date of the revised COPPA Rule. To streamline your response to these issues, the FTC has developed a six-step COPPA compliance guide:
The Federal Trade Commission has issued revised guidance designed to help businesses comply with the requirements of the Red Flags Rule, which protects consumers by requiring businesses to watch for and respond to warning signs or “red flags” of identity theft.
The guidance outlines which businesses – financial institutions and some creditors – are covered by the Rule and what is required of businesses to protect consumers from identity theft. The Red Flags Rule was revised in late 2012 to more narrowly define the types of creditors subject to the rule’s requirements.
Recent Massachusetts Supreme Judicial Court Case Starts a Wave of Lawsuits Against Retailers for Collecting Customer ZIP Codes
In a recent decision, the Massachusetts Supreme Judicial Court (SJC) determined that customer ZIP Codes are “personal identification information” that retailers are prohibited from collecting during credit card transactions. With this decision, the Massachusetts high court may have set off a wave of new class-action lawsuits against retailers that collected customer ZIP Codes. Especially vulnerable are those retailers that collected customer ZIP Codes and used them to send unwanted marketing materials or sold the ZIP Codes or information derived from them to third parties. But any retailer that has collected ZIP Codes should be on… More
Blizzard—maker of the video games Diablo III and World of Warcraft—was sued last week in California over its two-factor authentication service. The complaint seeks class action status.
The concept of two-factor authentication should be familiar to anyone that has used RSA SecurID. When logging into an online service, users enter both a password and a single-use authentication code. Blizzard offers its customers the option of using authentication codes when logging into its Battle.net service. Players receive authentication codes via either a smartphone application or a key fob. While the authentication service and the smartphone application are free, Blizzard sells the optional key fob for $6.50.
A recent story in the Wall Street Journal discusses how small businesses can push back against banks which do not provide sufficient security for their bank accounts. The article focused on the recent First Circuit decision, Patco Construction Co. v. People’s United Bank, involving a bank account that had been drained by multiple fraudulent transactions. As described by the court in its opinion:
Over seven days in May 2009, [People’s United] Bank, a southern Maine community bank, authorized six apparently fraudulent withdrawals, totaling $588,851.26, from an account held by Patco Construction Company, after the… More
How should software companies set the default privacy settings on their products? Microsoft’s announcement earlier this month that the next version of its Internet Explorer web browser will ship with its "Do Not Track" functionality switched on has sparked a lively debate on this very issue.
"Do Not Track" is a technological standard being implemented in all major web browsers that allows users to tell web sites, advertising networks, and other online service… More
A recent Harris Interactive survey of 2,625 adult Americans reveals some interesting attitudes towards employer confidential information, including significant variations depending on an employee’s age:
– 68% of 18-34 year olds responded that it is acceptable to remove confidential information from their place of employment. This contrasts with just half (50%) of those 55 years old or older believing such behavior is acceptable.
– 86% of those 55 years old and over believe someone should be fired for taking confidential information, while 74% of those younger than 55 years old think the same.
– 40% of adults believe it… More
The Federal Trade Commission has joined the Department of Justice and the Consumer Financial Protection Bureau in filing a memorandum in support of the constitutionality of the Fair Credit Reporting Act.
This issue arose in Shamara King v. General Information Services, Inc., a "consumer class action based upon Defendant’s willful violation of the Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x. (“FCRA”)." In her complaint, Ms. King brought suit "on behalf of thousands of employment applicants throughout the country who have been the subject of prejudicial, misleading and illegal background reports performed by the Defendant… More
Interesting article in Forbes, "The Zero-Day Salesmen," about "government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets."
The Massachusetts Office of Consumer Affairs and Business Regulation has issued its first annual report on data breaches. Since Massachusetts has one of the more strict state laws on data security and breach reporting, this report bears close attention for trends across the nation. Some of the highlights in this summary, which covers 2007-2011:
Through September 30, 2011, the largest share of breaches was not in the financial sector, but in the retail and healthcare industries, along with government. Since the Data Security law, c. 93H, went into effect, the Office of Consumer Affairs and Business… More
In an article that repeats a common theme in this space, this week’s Economist talks about how researchers are trying to help ordinary people toughen up their passwords. But despite the efforts of these researchers, the article’s conclusion is a gloomy one:
The upshot is that there is probably no right answer. All security is irritating (ask anyone who flies regularly), and there is a constant tension between people’s desire to be safe and their desire for things to be simple. While that tension persists, the hacker will always get through.
FTC Releases Final Report: “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”
FTC has today, at last, released the final version of its original 2010 Report — “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.” As we have discussed previously, comments on the draft report were taken through January 31, 2011 and the final report had been expected in 2011.
The FTC received over 450 comments from businesses, privacy advocates, and consumers and claims that the final Report retains the basic principles outlined previously, but claiming it makes several important refinements. There’s also a brief new video explaining the FTC’s positions. … More
Ponemon “data breach” cost
Employers increasingly are suing former employees who have left to join or form competing companies using the civil remedies available under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. They use the CFAA to prevent their former employees from using sensitive information obtained from the former employer’s computer system. The scope of the CFAA, however, is subject to hot debate among the federal courts, as highlighted by a recent case from the District of Minnesota.
Here is a video discussion I had with LexBlog on the new White House Data Privacy report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” In this conversation, we discussed the report’s four primary elements:
a Consumer Privacy Bill of Rights, a multistakeholder process to specify how the principles in the Consumer Privacy Bill of Rights apply in particular business contexts, effective enforcement, and a commitment to increase interoperability with the privacy frameworks of our international partners.
Specifically, in the Consumer Privacy Bill of Rights,… More
Court Sides with Facebook, Finds Social Networking “Experience” Website Violated CAN-SPAM and Other Data Security Statutes
In a case brought by Facebook, a U.S. district court recently concluded that a website that offered to integrate multiple social networking accounts into a single social networking “experience” violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), the Computer Fraud and Abuse Act (“CFAA”), and California Penal Code § 502. Facebook, Inc. v. Power Ventures, Inc., 2012 WL 542586 (N.D. Cal. Feb. 16, 2012).
Power Ventures, which operated the “experience” website, began a “Launch Promotion” in December 2008 that promised users the chance to win $100 if… More
We are sharing this blog post by our colleague Vivek Krishnamurthy regarding an article in last weekend’s New York Times Magazine that discusses the powerful statistical techniques that some companies are using to analyze sales and other data in order to gain insights into their customers’ behaviors and needs. The article raises a number of interesting consent and privacy issues. Vivek’s practice focuses on corporate social responsibility, but increasingly, that subject crosses over into data privacy issues.
The White House has finally released its long-anticipated report on consumer privacy.The 60-page White House report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” is the start of what promises to be a fascinating legislative and regulatory process.
It is curious that the Department of Commerce has been charged with "work[ing] with other Federal agencies to convene stakeholders, including our international partners, to develop enforceable codes of conduct that build on the Consumer Privacy Bill of Rights" since it has been the FTC that has… More
According to the letter:
If you haven’t Googled yourself in a while, this might be a good time. My own self-search reveals, among other things, a page at mylife.com. I didn’t put it there, and I’d rather it not be there. However, right now, there isn’t a right to have your personal or professional information be deleted from social media, review sites, and other types of websites that gather your personal information. However, legislation may be coming that will address this concern.
According to the Wall Street Journal,
Lawmakers and regulators are trying to do more to address consumer concerns. There is no U.S…. More
Interesting article in the Wall Street Journal about Google’s iPhone tracking.
Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.’s Web browser on their iPhones and computers—tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked.
The companies used special computer code that tricks Apple’s Safari Web-browsing software into letting them monitor many users. Safari, the most widely used browser on mobile devices, is designed to block such tracking by default.
A telling statement:
I was interviewed for this PC World piece on the potential impact of Facebook’s recently announced IPO on data privacy. My take: being a public company brings with it more transparency and more regulation, which will force Facebook to be more cautious and ultimately more open about its privacy policies. This seems obvious to me, but there are those who suggest that being public will add a profit motive that will push Facebook in the other direction.
A decision in Tyler v. Michaels Stores earlier this month from the United States District Court for the District of Massachusetts, the use of a consumer’s Zip Code to find her address and send her mailings was held to be a statutory violation, but did not give rise to a claim for damages.
Melissa Tyler brought suit against Michaels Stores for violation of Massachusetts General Laws, chapter 93, section 105(a) on behalf of herself and a putative class, claiming that Michaels illegally requested customers’ ZIP codes when processing their credit card transactions in violation of… More
"From a legal perspective, I’m not seeing anything that’s much different in what’s being proposed to take effect on March 1 and what’s in place right now," Zick says. "In particular, the language about sharing across services has been in [Google’s policies] for a long time."
Zick points out that all the past versions of Google’s privacy policies are on the website, and the last two versions offer line-by-line comparisons to the previous version. Zick expects that Google will do… More
As many of you have probably seen already, Google is changing its privacy policies, effective March 1, 2012. These changes will be effective across all of Google’s platforms, and users will not be able to opt out. A user’s only choice to avoid these changes will be to leave Google’s search engine, Gmail, Calendar, Search, and YouTube; there is no "opt out" or selective acceptance/rejection of these new policies. In this regard, Google noted that it remains committed to data liberation, "so if you want to take your information elsewhere you can."
These changes are likely to draw… More
My overview of some of the major issues involved in signing a cloud computing agreement can be found in searchcloudcomputing, "Performing Due Diligence Before Signing a Cloud SLA."
* * *
No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall — in the cloud. However, there is growing consensus about what companies should ask cloud vendors to maintain a secure IT environment and avoid potential legal risks associated with the cloud.
General areas of concern surrounding the cloud are… More
At most restaurants, when the time comes to pay the check, you hand over your credit card and a waiter you’ve known for only about an hour takes off with your credit card. You trust that the waiter will only charge your meal and won’t make off with your card number. But if you ever have been to a Legal Sea Foods restaurant, you will notice that the waiter brings a handheld electronic device to your table to swipe your credit card when you are ready to pay the bill. The credit card never leaves the customer’s sight.
In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle “charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” according to the FTC’s press release.
In its complaint, the FTC alleged, among other things, that Facebook “users could not restrict access to their profile information to specific groups, such as “Only Friends” or “Friends of Friends” through their Profile Privacy Settings,” despite Facebook’s representations that users could impose such restrictions on… More
Late last week, the U.S. Court of Appeals for the First Circuit ruled that victims of a data breach could pursue compensation from the merchant whose systems were breached for their costs of credit card replacement and identify theft insurance, under theories of breach of implied contract and negligence. See Anderson v. Hannaford Brothers Co., — F.3d —, 2011 WL 5007175 (1st Cir. Oct. 20, 2011).
As alleged by the plaintiffs in their class-action complaint, the Hannaford Brothers grocery store chain suffered a data breach resulting in 1800 fraudulent charges worldwide and hackers stealing up to 4.2 million credit… More
I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents:
Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot of cyber-incidents, and there are lots of ways how these will affect your business,” he says. When companies are contemplating the definition of cyber-incidents, they should think expansively, he adds. “Think of data breach, data loss, and denial of… More
It was revealed recently that Sony’s on-line services were the subject of another significant attack. This incident, however, did not exploit a vulnerability in Sony’s security infrastructure so much as it highlighted the cascading effect of data breaches.
Rather than try to scale any fences or jimmy any windows, this attack used account holders’ own keys to open the front door. According to a statement by Sony, the attackers tested a “massive set” of log-in credentials, consisting of pairs of user IDs and passwords, against accounts on three of its networks. Even though the “overwhelming majority” of the log-in attempts failed,… More
The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8. This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies. In particular, Senator Blumenthal’s bill, “The Personal Data Protection and Breach Accountability Act,” would required businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures, including risk assessment, regular testing of system controls, and paying for two years of credit monitoring for any customer whose data is breached. If adopted, this bill would permit the… More
In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules. This follows on the heels of Massachusetts General Hospital’s $1 million settlement with OCR.
The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints… More
hackers Anonymous “Lulz Security”
On Thursday, June 23, the United States Supreme Court voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical detailing and “data mining” activities. Justice Kennedy’s opinion in the closely-watched case of Sorrell v. IMS Health Inc. held that the Vermont statute was an unconstitutional regulation of commercial speech. In so doing, the Court found that the sale, disclosure,… More
The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy’s opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech.
The first paragraph of Justice Kennedy’s opinion provides a brief summary of the posture of the case and of the Court’s decision:
We are six months into 2011, and it seems destined to be “The Year of the Breach.” In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach:
Epsilon: breach of customer email addresses; RSA: compromise of security tokens (possibly impacting Lockheed Martin); Citigroup: breach of credit card numbers: Sony: multiple thefts of customer data; Sega: customer data theft; and ADP: breach of its benefits-administration business.
What does this mean? First, there are simply more breaches to report. Second, companies are being more open about… More
Does Briar Group’s Massachusetts Settlement Create a New Legal Standard That Businesses Must Meet to Protect Personal Information?
A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators.
The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my personal favorites, the Harp and Ned Devine’s) in the wake of a 2009 data breach involving credit card numbers and other personal data. The AG’s complaint alleged, among other things, that the Briar… More
On May 5, a consumer class action was filed against Sony, relating to the data breaches in its Sony PlayStation and related services. The complaint alleges negligence, invasion of privacy and misappropriation of confidential financial information, as well as breach of express and implied contract. No specific damages were alleged.
Sony Breach Update: The Scope Expands, While Consumers Wait for Answers About How and Why It Happened
The scope of the Sony data breach is growing, but the public focus continues to be on Sony’s actions following the breach, rather than on steps to prevent or mitigate events like these in the first place. As we noted earlier, this focus emphasizes a de facto burden-shifting, in which consumers bear the risk of using on-line or other services, and also are left to face the consequences of any resulting identity theft.
Sony last week announced that 77 million PlayStation and Qriocity accounts had been accessed by hackers in mid-April. This week, Sony discovered that an… More
In the April 22, 2011 Boston Business Journal article, entitled, "Pressure Point: Online Privacy — Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers:
“Most of the time, data breaches don’t come down to a failure of technology or inadequate technology. It comes down to someone doing something stupid,” said Colin Zick, a partner in the Boston office of Foley Hoag. “In the Mass General case, an employee took some records on the Red Line and lost them.” “When companies are bombarded with… More
On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in online transactions:
The goal of NSTIC is to create an “Identity Ecosystem” in which there will be interoperable, secure, and reliable credentials available to consumers who want them. Consumers who want to participate will be able to obtain a single credential–such… More
Earlier today, I delivered a presentation on "Data Security and Privacy for Medical Device, Pharmaceutical and Life Sciences Companies: How to manage your obligations under HIPAA, the HITECH Act and other federal and state data privacy and security laws" with colleagues Ara Gershengorn and Sarah Altschuller.
If you are like me, you may have received an email from TripAdvisor, alerting you that "an unauthorized third party had stolen part of TripAdvisor’s member email list." The text of that email was as follows:
To our travel community: This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor’s member email list. We’ve confirmed the source of the vulnerability and shut it down. We’re taking this incident very seriously and are actively pursuing the matter with law enforcement. How will this affect you? In many cases, it won’t. Only a portion of… More
In March 16, 2011 testimony before the Senate Committee on Commerce, Science, and Transportation, the Obama Administration formally asked Congress to pass a "consumer privacy bill of rights" enforced by the FTC:
Legislation to provide a stronger statutory framework to protect consumers’ online privacy interests should contain three key elements. First, the Administration recommends that legislation set forth baseline consumer data privacy protections—that is, a “consumer privacy bill of rights.” Second, legislation should provide the FTC with the authority to enforce any baseline protections. Third, legislation should create a framework that provides incentives for the development of codes… More
Targeted online advertising has been the focus of much discussion since the release of the FTC’s “Do Not Track” proposals late last year. User tracking for advertising purposes is also the focus of the FTC’s latest privacy enforcement action, which has resulted in a consent agreement with an online advertising company, Massachusetts-based Chitika, Inc., which creates ads for such major publishers as the Hearst Corporation and Salary.com.
While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up. The American Bar Association’s suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case: "The lawsuit filed by the Litigation Center of the AMA and the State Medical Societies, the American Osteopathic Association and the Medical Society of the District of Columbia, and joined by 26 national medical specialty societies, will now formally end."
As we noted back in May, digital copiers have caught the eye of government privacy enforcers. If you have a digital copier at your business, you should review the FTC’s Copier Data Security: A Guide for Businesses. In that Guide, the FTC suggests that “your information security plans . . . should cover the digital copiers your company uses. If the data on your copiers gets into the wrong hands, it could lead to fraud and identity theft.”
I recently attended the 10th Annual Legal and Compliance Forum on Privacy & Security of Consumer and Employee Information in Washington, DC. It featured a particularly lively panel on “Oversight of Third-Parties and Vendors: Managing and Controlling Relationships Through Effective Due Diligence and Contract Negotiation.” Below are some key points the panelists discussed; some may seem obvious, but they are nevertheless important measures to consider as part of your vendor relationships:
Be able to terminate the relationship without cause. A company’s contract with a vendor should include the ability to terminate the agreement without cause and should guarantee continuing assistance from… More
Earlier this week, both Mozilla and Google announced new browser features aimed at giving users greater control over how their personal data is collected online. Microsoft announced a similar initiative in December.
The introduction of browser “Do Not Track” features follows the Federal Trade Commission’s preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” which supports a “universal consumer choice mechanism for online behavioral advertising.” In its report, the FTC noted that “[t]he most practical method of providing uniform choice for online behavioral advertising would likely involve placing a… More
Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws:
This is an area where bipartisan concensus is possible. The industry powers will fight against “Do Not Track” and will win that fight. Industry will accept some other form of regulation in exchange for defeating “Do Not Track.”
We could see passage of a federal data security and privacy statute, not unlike those that the various states have been adopting. The states have already passed models for such legislation and… More
Microsoft announced yesterday in its IE blog that it will be adding a tracking protection feature to Internet Explorer 9. In particular, Microsoft promises that:
IE9 will offer consumers a new opt-in mechanism (“Tracking Protection”) to identify and block many forms of undesired tracking. “Tracking Protection Lists” will enable consumers to control what third-party site content can track them when they’re online.
Together with the FTC’s jump into the tracking fray last week, have we reached the tipping point on tracking, so that this is the beginning of the end of it? Or might this be simply another skirmish in… More
FTC Proposes Privacy Framework That Will Impact the Business Model of All Online and Mobile Advertising Companies
Our colleagues in Foley Hoag’s Emerging Enterprise Center have summarized the FTC preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” which we posted on December 1. We are cross-posting the analysis from their blog below.
It seems likely that the next two years will bring significant changes to this area, either through legislation or regulation. During this period, businesses and consumers will continue to seek an equilibrium that balances business needs and consumer expectations. If they cannot find… More
FTC Releases Report: “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers”
Earlier today, the FTC released a preliminary staff report entitled, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” The report is over 100 pages long and suggests that changes need to be made regarding consumer privacy, stating:
Industry must do better. For every business, privacy should be a basic consideration – similar to keeping track of costs and revenues, or strategic planning. To further this goal, this report proposes a normative framework for how companies should protect consumers’ privacy.
We’ll have our more detailed thoughts on this document posted shortly.
In a complaint filed with the FTC on November 23, four advocacy groups asked for "Investigation, Public Disclosure, Injunction, and Other Relief" against several online health giants, including Google, Microsoft, QualityHealth, WebMD, Yahoo, AOL, HealthCentral, Healthline, and Everyday Health.
The advocacy groups behind this complaint are the Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and World Privacy Forum. They allege (in 144 pages, complete with web page screen-shots) that:
"Digital marketing raises many distinct consumer protection and privacy… More
According to a recent entry on Google’s own European public policy blog, only a small minority of German’s have opted-out of its Street View service: “Out of a total of 8,458,084 households, we received 244,237 opt-outs, which equals 2.89% of households. Two out of three opt-ots [sic] came through our online tool.”
If you are interested in learning more about Street View, or opting out, the instructions are here.
In what is assuredly a sign of things to come, the Boston Public Schools have announced that they are piloting a smart card for students, called the BostONE Card. According to an article in today’s Boston Globe, the purpose of this card is to "make it easier for some public school students to use city services by providing them with one card they can use to ride the [subway], withdraw books from city libraries, play sports, attend after-school programs at community centers, and access meal programs at their schools. The so-called BostONEcard will also be used to take attendance… More
Interesting article in this week’s Economist about social network analysis, outlining how companies are using increasing sophisticated forms of data-mining on their customers, and how industry is spending billions to advance the process.
On August 18, a federal judge in the Southern District of New York entered an injunction forbidding Verified Identity Pass, Inc. (VIP) to sell or transfer any of the confidential customer information it compiled while operating the CLEAR express airport check-in program. The CLEAR program collected a range of customer biographic information (e.g., name, address, etc.) as well as biometric information, including the customer’s fingerprints and iris scan. This information was used to expedite the airport check-in process.