In the FTC’s first case focused on the privacy and security of genetic information, the FTC alleges that San Francisco-based Vitagene, Inc. – now known as 1Health.io – failed to live up to its promises and unfairly changed material privacy terms without customers’ consent.
After consumers paid between $29 and $259, sent a saliva sample to Vitagene, and answered an online questionnaire about their health history,… More
It’s been several years since I have written about password hygeine. I have been hoping that a better security solution would be widely adopted and while I hear rumors in that regard, passwords still reign supreme. So when I saw that the SafetyDetectives website had listed the 30 most common passwords, it seemed like a good time to revisit the topic. Their study found that “123456” and “password”… More
In a very comprehensive post from the Federal Trade Commission’s Office of Technology, the FTC takes what it calls “[a] deep dive into the technical side of FTC’s recent cases on digital health platforms, GoodRx & BetterHelp.”
As most readers know, the FTC recently took enforcement action against GoodRx and BetterHelp, two digital healthcare platforms, for allegedly sharing user health data with third parties for advertising.… More
On August 22, 2022, the Federal Trade Commission (“FTC”) indicated through the Advanced Notice of Proposed Rulemaking its intent to limit commercial surveillance – the common corporate practice of collecting, analyzing, and monetizing consumers’ data. As slews of data breaches resulted in millions of dollars in settlement and countless consumers whose data had been jeopardized, 33 states, including Massachusetts, New York, and Texas, showed support for the FTC’s proposed rule through a comment letter dated November 17,… More
On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin to highlight the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) on covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies. These online tracking technologies, like Google Analytics or Meta Pixel,… More
On September 19, 2022, a Massachusetts federal District Court denied Boston Globe Media Partners LLC’s motion to dismiss a consumer class action suit against it. This case is one of 47 proposed class actions filed since February 2022 against various companies, each based on a company’s use of Meta’s Pixel tracking tool.
Boston Globe Media Partners is a “multimedia organization that provides news, entertainment, and commentary across multiple brands and platforms”;… More
If your company creates health-related apps, the Federal Trade Commission (FTC) has set out some key considerations:
On July 7, 2021, Governor Jared Polis signed into law the Colorado Privacy Act (CPA), making Colorado the most recent state to enact comprehensive privacy legislation. While the CPA does not take effect until July 1, 2023, it contains robust provisions that businesses will need some time to prepare for.
The CPA draws many principles from and has a similar framework to the California Consumer Privacy Act (CCPA),… More
On October 1, 2019, China’s new regulation to protect personal data related to children – called the “Measures on Online Protection of Children’s Personal Data” – went into effect.
As we wrote in June, when a draft of the regulation was released by the Cyberspace Administration of China, the regulation contains elements similar to those found in both the United States’ Children’s Online Privacy Protection Act (“COPPA”) and the European Union’s General Data Protection Regulation (“GDPR”).… More
What do pumpkin spice lattes and National Cybersecurity Awareness Month have in common? Not much, other than both should be top of mind in October, but that doesn’t mean that it’s wrong to think about them both in August.
Held every October, National Cybersecurity Awareness Month is a collaborative effort between government and industry to ensure every American has the resources they need to stay safe and secure online while increasing the resilience of the Nation against cyber threats. … More
The EU Commission issued today a “Communication to the European Parliament and the Council” which is entitled “Data protection rules as a trust enabler in the EU and beyond- taking stock”, which outlines the current state of EU data protection, with particular focus on the impact of GDPR.
The Commission notes that all EU Member States have updated their national data protection laws except for three (Greece,… More
Local governments may not be in the headlines as much as their state and federal counterparts, but last week saw local governments getting their turn on the news. In politics, the Democratic presidential primary debates saw a total of 6 current or former mayors take the stage. (Free trivia fact: By comparison, only 3 presidents in American history have previously served as mayors!) And the City of Somerville, Massachusetts banned governmental use of facial recognition technology.… More
In early June, the Cyberspace Administration of China released for public comment new draft regulations applicable to the collection of personal information relating to children under 14 by online service providers.
The draft regulations share many of the same structures as those utilized by the Children’s Online Privacy Protection Act (“COPPA”) in the United States:
On May 9, 2019, a coalition of consumer groups submitted a complaint to the Federal Trade Commission (“FTC”) regarding Amazon’s Echo Dot Kids Edition, arguing that the device runs afoul of the Children’s Online Privacy Protection Act (“COPPA”). The Echo Dot Kids Edition is a child-focused version of Amazon’s popular voice-activated smart speaker device that utilizes Amazon’s Alexa digital assistant.… More
On 21 January 2019, the French Data Protection Authority (the “French DPA”) fined Google LLC 50 million euros for breach of the GDPR.
As we reported on this blog, just after GDPR became applicable, noyb.eu (None of Your Business), the non-profit privacy organization set up by Max Schrems, the Austrian lawyer who initiated the action against Facebook that led to the invalidation of the Safe Harbor,… More
On January 10, 2019, Massachusetts Governor Charlie Baker signed a new law that amends its data breach reporting law, and requires credit reporting agencies such as Equifax to provide a free credit freeze to consumers. The new law, “An Act Relative to Consumer Protection from Security Breaches,” also requires companies to offer up to three years of free credit monitoring to victims of a security breach,… More
Happy New Year! While you are making (and soon breaking) your resolutions, here’s another lifestyle change to consider for 2019: putting your car fob in foil at night before you go to sleep. Why? Because the fob’s signal can be hacked; thieves can hijack the signal to enter your car and steal it and/or its contents.
According to an article in the Detroit Free Press,… More
Allergy Associates of Hartford, P.C. (“Allergy Associates”), has agreed to pay $125,000 to the Office for Civil Rights (“OCR“) at the U.S. Department of Health and Human Services (“HHS”) and to adopt a corrective action plan to settle potential violations of the HIPAA Privacy Rule. Allergy Associates is a health care practice that specializes in treating individuals with allergies, and is comprised of three doctors at four locations across Connecticut.… More
Senator Mark Warner of Virginia has released a white paper outlining policy proposals for regulating social media and technology companies. The paper has gained significance in recent weeks as pressure builds on Congress to pass federal data privacy legislation. In the wake of Europe’s GDPR and California’s Consumer Privacy Act, industry groups, tech companies, and privacy activists alike have urged Congress to act.… More
As if having to deal with all the EU’s Data Protection Authorities wasn’t challenge enough for companies trying to comply with GDPR, the FTC has now asserted that it has a role in GDPR enforcement. In particular, the FTC says it has a role in making sure that US companies live up to the GDPR-related promises that they make. This position came to fruition in a proposed FTC settlement with California-based employment training company,… More
As noted in the FTC alert below from Lisa Weintraub Schifferle, an attorney with the FTC’s Division of Consumer & Business Education, thanks to a new federal law, soon you can get free credit freezes and year-long fraud alerts. Here’s what to look forward to when the law takes effect on September 21st:
Free credit freezes
It took three days, but I finally found a panel at BIO 2018 that addressed the current challenges in privacy and security regarding health data. This panel, Realizing the Potential of Clinical and Consumer Genomics, was focused on all the new genetic tests that are available (with more to come) and all the genetic data those tests are generating. I was particularly impressed with the approach of Mindstrong Health to privacy and security,… More
On Friday, May 25, the day when GDPR became effective, noyb.eu (None of Your Business), the non-profit privacy organization recently set up by Max Schrems, filed the first complaints based on GDPR.
Max Schrems is the Austrian privacy lawyer who had complained about the transfer of his data to the United States by Facebook: he argued that, in light of the Snowden revelations,… More
The litigation over Facebook’s Tag Suggestions feature in the United State District Court for the Northern District of California continues, with the court this week denying both sides’ bids for summary judgment in a ten-page order. The case, formerly captioned Patel v. Facebook and now going by the name of In re Facebook Biometric Information Privacy Litigation, is on course to proceed to trial in July.… More
The French National Assembly voted on May 14, 2018 to adopt changes that bring its existing Data Protection Act of 1978 in line with the EU’s General Data Protection Regulation (GDPR).
Paradoxically, while France was the first EU Member State to adopt a data protection act, it is one of the latest EU countries to adapt to GDPR,… More
In a recent ten-page order, a federal judge of the United States District Court for the Northern District of California declined to dismiss a lawsuit against Facebook alleging that Facebook’s “Tag Suggestions” feature violates the Illinois Biometric Information Privacy Act (BIPA). The ruling means that the case, Patel v. Facebook, Inc., Civil Action No. 3:15-cv-03747-JD, will proceed, but the long-term impact of the ruling is less clear.… More
Recently, Austrian privacy activist Maximilian Schrems won a partial victory in his continuing battles with Facebook. We discuss that case below. But first, we review his prior tilts with Facebook.
Schrems in Ireland’s Courts
When Schrems was a college student, he heard a Facebook representative at a conference talk about European privacy rules with a lack of consideration that shocked him. Since then, Schrems has been fighting Facebook on many fronts.… More
Those of our readers who frequent social media may have noticed a newly-popular juxtaposition between selfies and art (or perhaps one should say between selfies and other forms of art)—a feature in the Google Arts & Culture app that matches a user’s selfie to a portrait in Google’s database.
But not every aspiring selfie artist can compare their work with that of the great painters of yesteryear. … More
The FTC’s COPPA Guidance does an admirable job explaining the basics of what a business needs to do to comply with COPPA, but is vague as to how a business must protect personal information collected from children. The COPPA Guidance requires that a company use “reasonable procedures” to protect such information from unauthorized access or use, but does not explain what “reasonable procedures” means. This is,… More
As you enjoy the holiday weekend, and even some Cyber Monday shopping, keep in mind these online shopping tips from the FTC:
The new GDPR is much more detailed than the 1995 Directive. The GDPR has 99 articles, versus 34 in the Directive. And a few new key concepts clearly require new guidance.
Since the adoption of the Regulation on 27 April 2016, the Article 29 Working Party (with representatives of the Supervisory Authorities of all Member States) has issued 3 sets of guidance on “Data portability”,… More
As most are aware, the Massachusetts Attorney General has won the race to the courthouse and been the first regulator to file suit against Equifax.
Me and 143 million of my closest friends may have had our personal information inappropriately accessed through a breach at Equifax–is there no safe haven anywhere? Deferring that question for another day, here are the instructions from the FTC on how to check if your data is implicated. The first time I tried, I could not access the site:
I waited an hour and went back to the site. … More
In the 9th Circuit’s August 15, 2017 decision in Robins v. Spokeo, the latest in the long-running legal debate about when a consumer cause of action exists for a data breach, the 9th Circuit has declared that inaccuracies in a published credit report may sometimes constitute a “concrete injury” sufficient to confer Article III standing. This is a significant win for consumer protection advocates,… More
Privacy advocates in both the United States and Europe are urging regulators to take a hard look at the privacy ramifications of internet-connected toys, which are often conventional toys augmented by companion mobile applications.
In December, the privacy advocacy group Electronic Privacy Information Center (EPIC), joined by several other organizations, filed a complaint with the Federal Trade Commission regarding two firms that manufacture, sell, and operate internet-connected dolls. … More
Does your business collect and share consumer health information? Check out these tips from the FTC for complying with HIPAA and the FTC Act.
***
HIPAA
The HIPAA Privacy Rule applies to HIPAA covered entities— a health plan, most health care providers, or a health care clearinghouse. It also applies if you are a business associate – a person or company that helps a covered entity carry out its health care activities and functions.… More
Another day, another 500 million Yahoo accounts breached. Our friends at the FTC are right on top of this with guidance for individuals with Yahoo accounts. First and foremost, change your Yahoo password.
According to Yahoo, the breached information may have included names, email addresses, telephone numbers, dates of birth, passwords, and security questions. Yahoo believes this information was stolen in late 2014.… More
What the recent Amazon decision tells us
On 28 July 2016, the European Court of Justice rendered a decision in a dispute between an Austrian Consumer Protection organization known as VKI (Verein für Konsumenteninformation) and Amazon EU Sàrl, a subsidiary of Amazon registered in Luxembourg. The main issue in this case is whether Amazon General Conditions were enforceable under Consumer Law; however; one of the questions referred to the European Court was about the territorial scope (Article 4) of the 95/46/EC Directive on Data Protection.… More
The recently-released Pokémon Go has quickly emerged as a cultural phenomenon, with legions of players using their phones to “catch” Pokémon that emerge all around them, visible (thankfully) only to players. While catching Pokémon by phone is far less cumbersome than collecting boxes upon boxes of Pokémon cards, as some of us did in the early aughts, it does come with its own set of pitfalls. Specifically,… More
In Case You Missed It: Ruling in FTC v. Amazon Suggests a Way Forward for Companies Responding to Actions Brought by the FTC after a Data Breach. The FTC’s recent actions in the realm of data security have been predicated on its claim of statutory authority to seek injunctive relief for the failure to maintain reasonable and appropriate data security practices. A U.S. District Court ruling last week casts some doubt on that authority. … More
In Case You Missed It
The FTC settled with mobile advertising company InMobi for $950,000 in civil penalties, along with the implementation of a privacy program, based on the FTC’s charges that InMobi impermissibly tracked the locations of both adult and child consumers for the purpose of geo-targeted advertising. The latter, of course, also implicated allegations of violations of the Children’s Online Privacy Protection Act (COPPA) rule. … More
In Case You Missed It: Illinois strengthened its data privacy and security law, with the amendments going into effect in January 2017. The amendments include expanding the definition of “personal information” to include a username or email address of an Illinois resident in conjunction with a password or security question answer that would permit access to an online account. The definition is also expanded to include medical and health insurance information. … More
The FBI recently released an article discussing the spate of ransomware attacks on a variety of different entities, including hospitals. In the article, the FBI warned that ransomware attacks and the cybercriminals carrying them out are growing increasingly sophisticated. The FBI opposes paying a ransom when hit by a ransomware attack, saying that doing do incentivizes more ransomware attacks, can inadvertently fund other illegal activity, and does not always result in the restoration of access. … More
The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office of Civil Rights of the Department of Health and Human Services.
The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.525,” issued earlier this year. … More
In Case You Missed It: US and EU officials signed on to the so-called “Privacy Umbrella” deal last week. The agreement is designed to protect the personal data of EU citizens when it is transferred to the US for law enforcement purposes — a sort of criminal counterpart to the sturdier-sounding Privacy Shield we discussed here last Thursday. And, like the Shield, the Umbrella has drawn its share of critics,… More
After years of intense discussions, the EU General Data Protection Regulation (GDPR) was finally adopted on 14 April 2016.
The GDRP sets out uniform new rules in the field of data protection across the EU, rules that will standardize the law in the 28 EU Member States and have an impact on both European and non-European companies. For example:
After the invalidation of the Safe Harbor by the European Court of Justice (“ECJ”) last October in the Schrems case, negotiations between the European Commission and US authorities led to a new agreement called the EU-US Privacy Shield. However, the EU’s 1995 Data Protection Directive provides that the Article 29 Working Party (“WP29”) has to issue an opinion on this kind of agreements and it did so on April 13.… More
Very interesting thought piece from the FTC’s Chief Technologist. Do mandatory password resets actually make us less secure? Not necessarily, but they could, if we do not train users to be aware of the subconscious pitfalls. More
The content of the Privacy Shield was made public yesterday and today.
The new framework dedicated to the EU / US flow of personal data is in fact a combination of several documents issued by the US and the EU.
On the US side, we have a letter sent by the U.S. Secretary of Commerce Penny Pritzker on 23 February 2016 to EU Commissioner Věra Jourová including the “package of EU-US Privacy Shield materials” (of 128 pages) which is made of 6 letters issued by various US officials (see details at the end of this article).… More
The COPPA Rule requires website and online service operators to give notice to parents and obtain verifiable parental consent before collecting children’s “personal information” online. 16 CFR §§ 312.4, 312.5. The definition of “personal information” encompasses some obvious pieces of data – name and address, for example – and some less-obvious ones, such as screen names, geolocation data, and “persistent identifiers.” A “persistent identifier” is a piece of information “that can be used to recognize a user over time and across different web sites or online services,” such as “a cookie,… More
What follows below is the EU’s press release regarding the agreement on a replacement for the EU-US Safe Harbor. We are working to get details and will schedule a webinar on the new framework shortly.
***
The European Commission and the United States have agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield.
Today, the College of Commissioners approved the political agreement reached and has mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.… More
On December 18, 2015, President Obama signed the Cybersecurity Act of 2015 (The “Act”), legislation designed to combat online threats to the federal government, state and local governments, and private entities. Within the Act are four titles, the most significant of which is Title I, the Cybersecurity Information Sharing Act (“CISA”) (which begins at p. 694).
CISA addresses the manner in which the federal government and non-federal entities may share information about cyber threats and the defensive measures they may take to combat those threats.… More
On December 4, 2015, President Obama signed the Fixing America’s Surface Transportation Act (the ‘‘FAST Act’’) into law. Although the FAST Act’s main focus is on improving the country’s surface transportation infrastructure, the law also contains a provision that modified the annual privacy notice requirement under the Gramm-Leach-Bliley Act (“GLBA”).
Previously under the GLBA privacy regulations, financial institutions (which includes registered investment advisers,… More
As the Wall Street Journal noted yesterday, banks are being deluged with phishing attacks. These attacks are especially fierce around the holiday season, when more personnel are absent and normal procedures are ignored or bypassed. The FBI and other law enforcement agencies are focused on these attacks, but it only takes one employee to “believe” a phishing email for the trouble to start.… More
Today, Wyndham and the FTC settled the enforcement action brought by the FTC that had led to a significant decision by the Third Circuit in August of this year. (Wyndham’s statement on the settlement can be found here; the FTC’s statement can be found here; my earlier analysis of the Third Circuit’s decision can be found here.) While the details of the settlement are interesting in their own right – Wyndham will not be paying anything by way of a fine or monetary damages and is not required to admit liability,… More
The scaffolding of the FTC’s powers in the realm of cybersecurity continues to be built. On Monday, the FTC’s Chief Administrative Law Judge D. Michael Chappell issued an initial decision in the FTC’s closely watched enforcement action against LabMD. The case involves a 2008 incident in which a data security company (Tiversa Holding Co.) discovered a LabMD document containing personal information of 9,300 patients was available on a P2P file sharing network. … More
A timely new resource for business executives, technology professionals, and lawyers alike is the newly-published Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers from the New York Stock Exchange and Palo Alto Networks. At 355 pages, the guide provides information from dozens of contributors from around the country and from various backgrounds. The guide explores 46 separate topics, focusing on such issues as prevention,… More
What makes data privacy law interesting for academics, challenging for lawyers, and frustrating for businesses is its shape-shifting structure in the face of rapidly changing technology. The recent change in the invalidation of US-EU “safe harbor” system is a useful reminder of the differences between the way the European Union and the U.S. handle questions of data privacy: whereas, generally speaking, in the EU data privacy standards are relatively uniform,… More
This month’s edition of the Advanced Cyber Security Center’s newletter includes my discussion of lessons to be learned from the Wyndham decision:
Historically, security was an issue reserved in a back room for the IT department, if there were even a budget and ample resources. To the public, cybersecurity meant identity theft and proceeded with business as usual with the comfort of an anti-virus protection that may have come with their computer.… More
By Martha Coakley and Jon Hurst
This entry originally ran as an op-ed in the September 25, 2015 edition of The Boston Globe.
Hardly a week goes by without a news report of a new cyberattack. As any consumer affected by fraud knows, the harm is real. The impact on businesses, government, and other targets is also real,… More
Delaware Attorney General Matt Denn is serious about online privacy, and aims to make Delaware “the safest state in America for kids to use the internet.” This August, Delaware Governor Jack Markell signed into law four online privacy bills drafted by the Attorney General, the most substantial of which is the Delaware Online Privacy and Protection Act.
Over one year ago, our colleague Chris Hart argued that the District of New Jersey court’s decision in FTC v. Wyndham Worldwide Corp. et. al., No. 13-1887-ES, “point[ed] to the possibility that the FTC has potentially broad power, and a far reach, to bring actions for data breaches as a general matter.” That possibility became substantially more concrete this week,… More
The FTC’s COPPA (the Children’s Online Privacy Protection Act) Rule requires website operators to obtain “verifiable parental consent” prior to collecting, using, or disclosing personal information from children. Though the COPPA Rule enumerates several methods for obtaining consent, the FTC, sensitive to how fluid technological developments in this space can be, also allows pre-approval of new methods not listed in the Rule. 16 CFR 312.12(a).… More
Data breaches are often followed by class action suits in which the affected individuals seek damages. Corporations defending against such suits have used a 2013 Supreme Court case, Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), to fight off such claims. In Clapper, the Supreme Court held that, in order for a plaintiff who alleges future harm to have the necessary Article III standing to sue in federal court,… More
Last week, the Cybersecurity Unit of the Department of Justice (DOJ) issued a list of “best practices” for companies concerning preparing for and responding to cyber-attacks. The report details the lessons federal prosecutors have learned while handling cyber investigations, as well as feedback from private sector companies. Some of the key pieces of advice are:
We welcome this guest blog by Gene Fry, Compliance Officer, Scrypt, Inc.
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. This means that any covered entity (CE) or business associate (BA) that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. The HIPAA Privacy Rule addresses the storage,… More
Smart grids – electrical grids that allow two-way communication between utilities and consumers – represent an exciting frontier in the Internet of Things, with ramifications for energy efficiency, weather resiliency and climate change, among others. As the Department of Energy writes, “[t]he Smart Grid represents an unprecedented opportunity to move the energy industry into a new era of reliability, availability, and efficiency that will contribute to our economic and environmental health.”
But like many aspects of the Internet of Things,… More
Concluding our three-part analysis of the White House’s first Summit on Cybersecurity and Consumer Protection, we turn to some practical advice coming out of the Summit’s afternoon session, including an address by Maria Contreras-Sweet, the administrator of the Small Business Administration (“SBA”), and a panel discussion among financial sector leaders moderated by Deputy Treasury Secretary Sarah Bloom Raskin.
Here are five takeaways for companies large and small:
In an age when many of us briskly scroll through website terms and conditions and check, “I agree” without thinking, how should businesses design their websites to obtain proper authorization to access users’ sensitive information? The announcement of the settlement of a pair of recent FTC complaints against PaymentsMD, a medical billing services provider and its former CEO, and the resulting settlement, provide some important guidance,… More
With every swipe of a credit card this holiday season, consumers put their faith in the companies that process and store their information. Yet, it is no secret that data breaches are on the rise, hitting companies large and small. Massive data breaches recently struck Target and Home Depot, to just name a few, and these two breaches alone affected hundreds of millions of consumers and cost the companies hundreds of millions of dollars.… More
I’ve looked at clouds from both sides now
From up and down, and still somehow
It’s cloud illusions I recall
I really don’t know clouds at all
Joni Mitchell, “Both Sides Now”
Until recently, many cloud users felt like Joni Mitchell in her classic song, “Both Sides Now.” No matter how you looked at clouds,… More
Our client, CloudLock, recently hosted an interesting webinar, “Moving to the Public Cloud: Whirlpool Case Study.” The webinar features John Bingham, CISO at Whirlpool Corporation, who shared Whirlpool’s story of moving into the public cloud and how their security team found the support for the company’s core business goals. More
In a first for the FCC, it announced on October 24 that it intends to fine two telecom companies $10 million for data security violations:
The FCC intends to fine TerraCom, Inc. and YourTel America, Inc. $10 million for several violations of laws protecting the privacy of phone customers’ personal information. According to an investigation by the Enforcement Bureau, TerraCom and YourTel apparently stored Social Security numbers, names,… More
Yelp’s $450,000 settlement with the FTC in September should serve as an important reminder for all owners and operators of websites or mobile apps – even if your site is not for kids, you need to know and abidge by what the Children’s Online Privacy Protection Act (COPPA), and the related COPPA Rule, requires.
Yelp allows registered users to write reviews of local businesses. A user can access Yelp through desktop and mobile websites,… More
Last week, the FTC announced approval of a new Safe Harbor Program under the Children’s Online Privacy Protection Act (COPPA), called iKeepSafe. The program was created by the Internet Keep Safe Coalition, a nonprofit organization that describes its goal as the “creation of positive resources for parents, educators and policymakers who teach youths how to use new media devices and platforms in safe and healthy ways.”
The COPPA Rule affords some flexibility in compliance through use of a safe harbor provision,… More
The FTC’s July 10, 2014 complaint filed against Amazon has left app developers with concerns about how to make apps that target kids and still comply with the law. The complaint, brought under Section 5(a) of the FTC Act, alleged that Amazon failed to obtain parents’ or account holders’ informed consent to in-app charges incurred by children. While the complaint was not brought under the Children’s Online Privacy Protection Act (COPPA),… More
As previously discussed here, Target suffered a massive data breach at the end of last year that compromised the information of 70 million or more consumers. Within days of the announcement, class action lawsuits were filed against Target around the country, including in California, Massachusetts, Minnesota, Ohio, and Utah.… More
The revised Children’s Online Privacy Protection Act (“COPPA”) Rules, as discussed here previously were meant to bring regulations in line with, in the FTC’s words, the “rapid-fire pace of technological changes to the online environment” that have taken place since COPPA was passed in 2000. This week’s Boston Globe article about the new public television production, WGBH’s “Plum Landing,” provides an interesting illustration of the impact of the revised COPPA Rule.… More
(This was originally posted May 13, 2014 on CRS and the Law.)
Today’s decision by the European Court of Justice (ECJ) that individuals enjoy the right to have truthful yet unflattering information about them “forgotten” from online search results is generating a great deal of controversy in Europe and beyond. In a case brought by Spanish national Mario Costeja Gonzalez against Google demanding that the search giant remove results referring to a years-old newspaper notice of a tax auction of his property,… More
In a 110 page report issued yesterday, the Federal Trade Commission suggested that data brokers operate without transparency and asked Congress to consider enacting legislation to make data broker practices more visible to consumers and to give consumers greater control over personal information that is collected and shared by data brokers.
The report, “Data Brokers: A Call for Transparency and Accountability” is the result of a study of nine data brokers undertaken by the FTC to shed light on the data broker industry. … More
Data breach law in the United States might have just become a lot less patchy, but a little more uncertain. On April 7, 2014, the District Court of New Jersey decided FTC v. Wyndham Worldwide Corp., et al., No. 13-1887-ES. This case arises out of a FTC action, brought under the deception and unfairness prongs of Section 5(a) of the FTCA (15 USC s.… More
I usually do not re-post directly from the FTC, but given the timeliness of the subject, the wide impact of the problem and the technical nature of the issue, I thought it was warranted to re-post the FTC’s guidance on Heartbleed. Talk to your IT folks about this sooner rather than later:
By Nicole Vincent Fleming
April 11, 2014 –… More
Triple-S Salud Inc., a Puerto Rican health insurer, has been hit with a $6.8 million penalty from the Office of Civil Rights of the Department of Health and Human Services for a massive data breach. Triple-S (known as ASES in Spanish) has posted a notice on its website regarding the breach.
The penalty, which also is described in a securities filing, is based a breach involving 13,336 of Triple-S’s Dual Eligible Medicare beneficiaries. … More
In a previous post, I wrote about privacy concerns surrounding data storage nonprofit inBloom and its partnership with the New York State Education Department (“NYSED”). On February 5, 2014, New York State Supreme Court Justice Thomas A. Breslin dismissed the lawsuit filed by parents seeking to block NYSED from sharing and storing student data with inBloom. In his order,… More
On January 21, 2014, U.S. District Judge Anthony Battaglia issued a 97 page orderthat dismissed the majority of the claims in a putative class action against various Sony entities, claims relating to the 2011 hack into the computer network system that Sony used to provide online gaming and Internet connectivity through PSP handhelds and PS3 game consoles.
According to Judge Battaglia, “The fifty-one claims alleged in the FACC can be categorized into nine sub-groups: (1) negligence;… More
As previously discussed here, Target suffered a massive data breach that compromised the credit and debit cards of many of its customers. Now that the dust has started to settle, the extent of the breach is becoming clearer. In December, Target announced that 40 million credit and debit card numbers were stolen in this hack. Further investigation has uncovered that hackers also obtained the “names,… More
Privacy concerns have threatened the plans of the New York State Department of Education to use third party contractor, inBloom, to store and integrate student data in a cloud-based system. On January 10, the Department announced that it would delay release of additional student data to inBloom. The delay, which the Department said is normal for a project of its size, comes after a class of parents filed suit in November and New York legislators proposed a bill requiring parental consent before sharing such data.… More
Now that the initial media blitz about the massive Target breach has passed, it is time to look ahead at the implications:
Remember in late October, when Google and Facebook issued new policies enabling them to use adults’ and minors’ data for advertising purposes? Initial reports suggested there could be a big hue and cry among consumers. At the time, I was quoted by Law360 saying:
“They’re absolutely testing the boundaries from not only a legal standpoint, but also from a public acceptance standpoint,” said Foley Hoag LLP privacy and data security practice co-chair Colin Zick.… More
In order to “keep up with technology,” the FTC revised the Children’s Online Privacy Protection Rule (COPPA) in 2012. As a result of those revisions, some companies that may not have been covered by COPPA may now be covered, and the effective date of those changes is today, given the July 1st effective date of the revised COPPA Rule. To streamline your response to these issues, the FTC has developed a six-step COPPA compliance guide:
Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.… More
The Federal Trade Commission has issued revised guidance designed to help businesses comply with the requirements of the Red Flags Rule, which protects consumers by requiring businesses to watch for and respond to warning signs or “red flags” of identity theft.
The guidance outlines which businesses – financial institutions and some creditors – are covered by the Rule and what is required of businesses to protect consumers from identity theft. … More
In a recent decision, the Massachusetts Supreme Judicial Court (SJC) determined that customer ZIP Codes are “personal identification information” that retailers are prohibited from collecting during credit card transactions. With this decision, the Massachusetts high court may have set off a wave of new class-action lawsuits against retailers that collected customer ZIP Codes. Especially vulnerable are those retailers that collected customer ZIP Codes and used them to send unwanted marketing materials or sold the ZIP Codes or information derived from them to third parties. … More
Blizzard—maker of the video games Diablo III and World of Warcraft—was sued last week in California over its two-factor authentication service. The complaint seeks class action status.
The concept of two-factor authentication should be familiar to anyone that has used RSA SecurID. When logging into an online service, users enter both a password and a single-use authentication code. Blizzard offers its customers the option of using authentication codes when logging into its Battle.net service. … More
A recent story in the Wall Street Journal discusses how small businesses can push back against banks which do not provide sufficient security for their bank accounts. The article focused on the recent First Circuit decision, Patco Construction Co. v. People’s United Bank, involving a bank account that had been drained by multiple fraudulent transactions. As described by the court in its opinion:
Over seven days in May 2009,… More
Interesting post by my colleague Vivek Krishnamurthy, on our Corporate Social Responsibility blog, about how software companies should set the default privacy settings on their products.
How should software companies set the default privacy settings on their products? Microsoft’s announcement earlier this month that the next version of its Internet Explorer web browser will ship with its "Do Not Track" functionality switched on has sparked a lively debate on this very issue.… More
A recent Harris Interactive survey of 2,625 adult Americans reveals some interesting attitudes towards employer confidential information, including significant variations depending on an employee’s age:
– 68% of 18-34 year olds responded that it is acceptable to remove confidential information from their place of employment. This contrasts with just half (50%) of those 55 years old or older believing such behavior is acceptable.
–… More
The Federal Trade Commission has joined the Department of Justice and the Consumer Financial Protection Bureau in filing a memorandum in support of the constitutionality of the Fair Credit Reporting Act.
This issue arose in Shamara King v. General Information Services, Inc., a "consumer class action based upon Defendant’s willful violation of the Fair Credit Reporting Act,… More
Interesting article in Forbes, "The Zero-Day Salesmen," about "government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets." More
The Massachusetts Office of Consumer Affairs and Business Regulation has issued its first annual report on data breaches. Since Massachusetts has one of the more strict state laws on data security and breach reporting, this report bears close attention for trends across the nation. Some of the highlights in this summary, which covers 2007-2011:
In an article that repeats a common theme in this space, this week’s Economist talks about how researchers are trying to help ordinary people toughen up their passwords. But despite the efforts of these researchers, the article’s conclusion is a gloomy one:
The upshot is that there is probably no right answer. All security is irritating (ask anyone who flies regularly), and there is a constant tension between people’s desire to be safe and their desire for things to be simple.… More
FTC has today, at last, released the final version of its original 2010 Report — “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.” As we have discussed previously, comments on the draft report were taken through January 31, 2011 and the final report had been expected in 2011.
Ponemon “data breach” cost
Employers increasingly are suing former employees who have left to join or form competing companies using the civil remedies available under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. They use the CFAA to prevent their former employees from using sensitive information obtained from the former employer’s computer system. The scope of the CFAA, however, is subject to hot debate among the federal courts,… More
Here is a video discussion I had with LexBlog on the new White House Data Privacy report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” In this conversation, we discussed the report’s four primary elements:
In a case brought by Facebook, a U.S. district court recently concluded that a website that offered to integrate multiple social networking accounts into a single social networking “experience” violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), the Computer Fraud and Abuse Act (“CFAA”), and California Penal Code § 502. Facebook, Inc. v. Power Ventures,… More
We are sharing this blog post by our colleague Vivek Krishnamurthy regarding an article in last weekend’s New York Times Magazine that discusses the powerful statistical techniques that some companies are using to analyze sales and other data in order to gain insights into their customers’ behaviors and needs. The article raises a number of interesting consent and privacy issues. Vivek’s practice focuses on corporate social responsibility,… More
The White House has finally released its long-anticipated report on consumer privacy.The 60-page White House report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” is the start of what promises to be a fascinating legislative and regulatory process.
It is curious that the Department of Commerce has been charged with "work[ing] with other Federal agencies to convene stakeholders,… More
In a letter sent earlier today, 37 state attorneys generals (or their equivalents) wrote to Larry Page, Google’s CEO, "to express our strong concerns with the new privacy policy that Google announced it will be adopting for all of its consumer products."
According to the letter:
Google’s new privacy policy is troubling for a number of reasons. On a fundamental level, the policy appears to invade consumer privacy by automatically sharing personal information consumers input into one Google product with all Google products.… More
If you haven’t Googled yourself in a while, this might be a good time. My own self-search reveals, among other things, a page at mylife.com. I didn’t put it there, and I’d rather it not be there. However, right now, there isn’t a right to have your personal or professional information be deleted from social media, review sites, and other types of websites that gather your personal information. However, legislation may be coming that will address this concern.… More
Interesting article in the Wall Street Journal about Google’s iPhone tracking.
Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.’s Web browser on their iPhones and computers—tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked.
The companies used special computer code that tricks Apple’s Safari Web-browsing software into letting them monitor many users.… More
I was interviewed for this PC World piece on the potential impact of Facebook’s recently announced IPO on data privacy. My take: being a public company brings with it more transparency and more regulation, which will force Facebook to be more cautious and ultimately more open about its privacy policies. This seems obvious to me, but there are those who suggest that being public will add a profit motive that will push Facebook in the other direction. … More
A decision in Tyler v. Michaels Stores earlier this month from the United States District Court for the District of Massachusetts, the use of a consumer’s Zip Code to find her address and send her mailings was held to be a statutory violation, but did not give rise to a claim for damages.
Melissa Tyler brought suit against Michaels Stores for violation of Massachusetts General Laws,… More
Here is an excerpt from my interview yesterday with Jon Mitchell of ReadWriteWeb:
"From a legal perspective, I’m not seeing anything that’s much different in what’s being proposed to take effect on March 1 and what’s in place right now," Zick says. "In particular, the language about sharing across services has been in [Google’s policies] for a long time."
Zick points out that all the past versions of Google’s privacy policies are on the website,… More
As many of you have probably seen already, Google is changing its privacy policies, effective March 1, 2012. These changes will be effective across all of Google’s platforms, and users will not be able to opt out. A user’s only choice to avoid these changes will be to leave Google’s search engine, Gmail, Calendar, Search, and YouTube; there is no "opt out" or selective acceptance/rejection of these new policies. … More
My overview of some of the major issues involved in signing a cloud computing agreement can be found in searchcloudcomputing, "Performing Due Diligence Before Signing a Cloud SLA."
* * *
No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall — in the cloud. However, there is growing consensus about what companies should ask cloud vendors to maintain a secure IT environment and avoid potential legal risks associated with the cloud. … More
At most restaurants, when the time comes to pay the check, you hand over your credit card and a waiter you’ve known for only about an hour takes off with your credit card. You trust that the waiter will only charge your meal and won’t make off with your card number. But if you ever have been to a Legal Sea Foods restaurant, you will notice that the waiter brings a handheld electronic device to your table to swipe your credit card when you are ready to pay the bill. … More
In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle “charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” according to the FTC’s press release.
Late last week, the U.S. Court of Appeals for the First Circuit ruled that victims of a data breach could pursue compensation from the merchant whose systems were breached for their costs of credit card replacement and identify theft insurance, under theories of breach of implied contract and negligence. See Anderson v. Hannaford Brothers Co., — F.3d —, 2011 WL 5007175 (1st Cir. Oct. 20, 2011).
As alleged by the plaintiffs in their class-action complaint,… More
I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents:
Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot of cyber-incidents, and there are lots of ways how these will affect your business,”… More
It was revealed recently that Sony’s on-line services were the subject of another significant attack. This incident, however, did not exploit a vulnerability in Sony’s security infrastructure so much as it highlighted the cascading effect of data breaches.
Rather than try to scale any fences or jimmy any windows, this attack used account holders’ own keys to open the front door. According to a statement by Sony,… More
The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8. This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies. In particular, Senator Blumenthal’s bill, “The Personal Data Protection and Breach Accountability Act,” would required businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures,… More
I just completed a webinar for the Association of Corporate Counsel, with Ed Palmieri of Facebook, discussing "What Every In-House Counsel Needs to Know About Data Security and Privacy." The program slides can be found at this link. More
In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules. This follows on the heels of Massachusetts General Hospital’s $1 million settlement with OCR.… More
hackers Anonymous “Lulz Security”
As promised in our earlier entry, here is our detailed discussion of the Supreme Court’s decision in Sorrell v IMS Health, Inc.,written by Colin J. Zick, Pat A. Cerundolo, Tad Heuer
On Thursday, June 23, the United States Supreme Court voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical detailing and “data mining”… More
The Supreme Court this morning voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical data mining activities. Justice Kennedy’s opinion in the closely-watched case of IMS v. Sorrell held that the Vermont statute was an unconstitutional regulation of commercial speech.
The first paragraph of Justice Kennedy’s opinion provides a brief summary of the posture of the case and of the Court’s decision:
Vermont law restricts the sale,… More
We are six months into 2011, and it seems destined to be “The Year of the Breach.” In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach:
Attached is my presentation given at a recent CloudCamp, on the subject: What Law Applies In “the Cloud”? (CloudCamp is an unconference where early adopters of Cloud Computing technologies exchange ideas.) More
A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators.
The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my personal favorites, the Harp and Ned Devine’s) in the wake of a 2009 data breach involving credit card numbers and other personal data. … More
On May 5, a consumer class action was filed against Sony, relating to the data breaches in its Sony PlayStation and related services. The complaint alleges negligence, invasion of privacy and misappropriation of confidential financial information, as well as breach of express and implied contract. No specific damages were alleged. More
The scope of the Sony data breach is growing, but the public focus continues to be on Sony’s actions following the breach, rather than on steps to prevent or mitigate events like these in the first place. As we noted earlier, this focus emphasizes a de facto burden-shifting, in which consumers bear the risk of using on-line or other services, and also are left to face the consequences of any resulting identity theft.… More
In the April 22, 2011 Boston Business Journal article, entitled, "Pressure Point: Online Privacy —
Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers:
On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in online transactions:
The goal of NSTIC is to create an “Identity Ecosystem”… More
Earlier today, I delivered a presentation on "Data Security and Privacy for Medical Device, Pharmaceutical and Life Sciences Companies: How to manage your obligations under HIPAA, the HITECH Act and other federal and state data privacy and security laws" with colleagues Ara Gershengorn and Sarah Altschuller. More
If you are like me, you may have received an email from TripAdvisor, alerting you that "an unauthorized third party had stolen part of TripAdvisor’s member email list." The text of that email was as follows:
To our travel community:
This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor’s member email list. We’ve confirmed the source of the vulnerability and shut it down.… More
In March 16, 2011 testimony before the Senate Committee on Commerce, Science, and Transportation, the Obama Administration formally asked Congress to pass a "consumer privacy bill of rights" enforced by the FTC:
Legislation to provide a stronger statutory framework to protect consumers’ online
privacy interests should contain three key elements. First, the Administration recommends that legislation set forth baseline consumer data privacy protections—that is, a “consumer privacy bill of rights.”… More
Targeted online advertising has been the focus of much discussion since the release of the FTC’s “Do Not Track” proposals late last year. User tracking for advertising purposes is also the focus of the FTC’s latest privacy enforcement action, which has resulted in a consent agreement with an online advertising company, Massachusetts-based Chitika, Inc., which creates ads for such major publishers as the Hearst Corporation and Salary.com.… More
While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up. The American Bar Association’s suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case: "The lawsuit filed by the Litigation Center of the AMA and the State Medical Societies,… More
As we noted back in May, digital copiers have caught the eye of government privacy enforcers. If you have a digital copier at your business, you should review the FTC’s Copier Data Security: A Guide for Businesses. In that Guide, the FTC suggests that “your information security plans . . . should cover the digital copiers your company uses. If the data on your copiers gets into the wrong hands,… More
I recently attended the 10th Annual Legal and Compliance Forum on Privacy & Security of Consumer and Employee Information in Washington, DC. It featured a particularly lively panel on “Oversight of Third-Parties and Vendors: Managing and Controlling Relationships Through Effective Due Diligence and Contract Negotiation.” Below are some key points the panelists discussed; some may seem obvious, but they are nevertheless important measures to consider as part of your vendor relationships:
Earlier this week, both Mozilla and Google announced new browser features aimed at giving users greater control over how their personal data is collected online. Microsoft announced a similar initiative in December.
The introduction of browser “Do Not Track” features follows the Federal Trade Commission’s preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” which supports a “universal consumer choice mechanism for online behavioral advertising.” In its report,… More
Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws:
We could see passage of a federal data security and privacy statute,… More
Microsoft announced yesterday in its IE blog that it will be adding a tracking protection feature to Internet Explorer 9. In particular, Microsoft promises that:
Together with the FTC’s jump into the tracking fray last week,… More
Our colleagues in Foley Hoag’s Emerging Enterprise Center have summarized the FTC preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” which we posted on December 1. We are cross-posting the analysis from their blog below.
It seems likely that the next two years will bring significant changes to this area,… More
Earlier today, the FTC released a preliminary staff report entitled, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” The report is over 100 pages long and suggests that changes need to be made regarding consumer privacy, stating:
Industry must do better. For every business, privacy should be a basic consideration –
similar to keeping track of costs and revenues,… More
This is a cross-posting of an interesting November 29 entry in Foley Hoag’s Emerging Enterprise Center blog, by Patrick Connolly and Prithvi Tanwar:
If your start-up’s website will collect user information…. and chances are it will, you need to start thinking about your website privacy policy. I have often spoken with founders who think that the website privacy policy is a “one size fits all,… More
In a complaint filed with the FTC on November 23, four advocacy groups asked for "Investigation, Public Disclosure, Injunction, and Other Relief" against several online health giants, including Google, Microsoft, QualityHealth, WebMD, Yahoo, AOL, HealthCentral, Healthline, and Everyday Health.
The advocacy groups behind this complaint are the Center for Digital Democracy,… More
If you haven’t been reading the Wall Street Journal’s “What They Know” series, you should be. It’s a great ongoing investigation of privacy issues, along with a compilation of privacy tools, like this one on how to control your online privacy. More
According to a recent entry on Google’s own European public policy blog, only a small minority of German’s have opted-out of its Street View service: “Out of a total of 8,458,084 households, we received 244,237 opt-outs, which equals 2.89% of households. Two out of three opt-ots [sic] came through our online tool.”
If you are interested in learning more about Street View, or opting out,… More
In what is assuredly a sign of things to come, the Boston Public Schools have announced that they are piloting a smart card for students, called the BostONE Card. According to an article in today’s Boston Globe, the purpose of this card is to "make it easier for some public school students to use city services by providing them with one card they can use to ride the [subway],… More
Interesting article in this week’s Economist about social network analysis, outlining how companies are using increasing sophisticated forms of data-mining on their customers, and how industry is spending billions to advance the process. More
On August 18, a federal judge in the Southern District of New York entered an injunction forbidding Verified Identity Pass, Inc. (VIP) to sell or transfer any of the confidential customer information it compiled while operating the CLEAR express airport check-in program. The CLEAR program collected a range of customer biographic information (e.g., name, address, etc.) as well as biometric information, including the customer’s fingerprints and iris scan. This information was used to expedite the airport check-in process.… More