<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
   <channel>
      <title>Data Privacy Monitor - Online Privacy</title>
      <link>http://www.dataprivacymonitor.com/online-privacy/</link>
      <description>Lawyers &amp; Attorneys for Information Security, Breach Notifications, Online Privacy, Cloud Computing &amp; Financial Privacy: Baker Hostetler Law Firm</description>
      <language>en</language>
      <copyright>Copyright 2013</copyright>
      <lastBuildDate>Fri, 19 Apr 2013 11:00:07 -0500</lastBuildDate>
      <pubDate>Fri, 19 Apr 2013 11:00:07 -0500</pubDate>
      <generator>http://www.sixapart.com/movabletype/?v=4.32-en</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

      
      <item>
         <title>New gTLDs Raise Data Security Concerns</title>
         <description><![CDATA[<p><strong><em>Authored by: </em></strong><a href="http://www.bakerlaw.com/davidaeinhorn/"><strong><em>David A. Einhorn</em></strong></a><strong><em> and </em></strong><a href="http://www.bakerlaw.com/alanmpate/"><strong><em>Alan Pate</em></strong></a></p>
<p>ICANN is <a href="http://www.icann.org/en/news/announcements/announcement-22mar13-en.htm">well on its way</a> to the launch of new generic top-level domains (gTLDs) with the first ones being approved as early as April 23rd.&nbsp; The handful of TLDs currently in use, such as &ldquo;.com&rdquo;, &ldquo;.org&rdquo;, and &ldquo;.edu&rdquo;, may soon be joined by over 1000 gTLDs ranging from &ldquo;.book&rdquo; to &ldquo;.football&rdquo;.&nbsp;&nbsp; While we have previously focused on intellectual property concerns and <a href="http://www.ipintelligencereport.com/2013/03/11/know-your-remedy-icanns-new-gtld-objection-procedure-and-string-contention-auctions/">objections to these new gTLDs</a>, the launch perhaps raises another important consideration:&nbsp; What implications might the new gTLDs have on the security of the Internet itself?</p>
<p>At the end of last month, VeriSign, longstanding operator of the &ldquo;.com&rdquo; top-level domain, issued a highly critical assessment of the new gTLD program.&nbsp; In its <a href="https://investor.verisign.com/secfiling.cfm?filingID=1014473-13-12&amp;CIK=1014473">March 29 report</a>, VeriSign described a range of potential issues, all suggesting that the launch on ICANN&rsquo;s current timetable could undermine the stability and security of the Internet.&nbsp; For VeriSign, the problem seems to be the rapid speed at which the launch is progressing combined with ICANN&rsquo;s unrealistic expectations that the existing Internet infrastructure will adapt.&nbsp; Certificate authorities, root server operators, and VeriSign itself, are described as not being prepared for the technical implications the influx of new gTLDs will bring. According to VeriSign, this ultimately puts the &ldquo;safety and security of Internet users, and the infrastructure itself&rdquo; at risk.&nbsp;</p>
<p>Due to the seriousness of these allegations, the Intellectual Property Owner&rsquo;s Association has taken the position that the launch of the new gTLDs be delayed until these concerns have been properly evaluated and addressed.</p>
<p>Further, in a recent <a href="http://www.icann.org/en/news/correspondence/hill-smith-to-chehade-crocker-15mar13-en.pdf">letter</a> to the CEO of ICANN, PayPal expressed similar security concerns.&nbsp; Specifically, PayPal raises the possibility that the new gTLD program might dangerously interfere with the security of private domains.&nbsp; Private domains, as their name implies, exist outside the public Internet and for that reason are most often employed for security reasons. One of the most common examples of a private domain is a corporate intranet.&nbsp; Corporate intranets are typically used to host services such as internal document management, email, or other web-based business applications.&nbsp; Being private, they do not have to &ldquo;resolve&rdquo; or go to public top-level domains such as .com or .org, and can by and large choose their own top-level domains.&nbsp; One of the most common domains for a business intranet, and the example PayPal uses in its letter, is the &ldquo;.corp&rdquo; domain.</p>
<p>The crux of PayPal&rsquo;s concern is what will happen when &ldquo;.corp&rdquo; becomes a generic TLD.&nbsp; In some circumstances, PayPal argues, a computer, smartphone, or other device could be deceived into connecting to the public .corp as if it were connected to the private .corp. Once connected, the risk that confidential data is compromised could be serious.&nbsp;</p>
<p>How serious of a problem could this be?&nbsp; Statistics PayPal cites show that just the top ten most frequently used private domains account for nearly 10% of the total query load on the public root servers.&nbsp; In other words, a large portion of Internet traffic consists of devices trying to reach a private name on the public Internet.&nbsp; This suggests that there is ample possibility for foul play should those traditionally private domain names be delegated to the public.&nbsp;</p>
<p>PayPal&rsquo;s recommendation is relatively straightforward: ICANN should take the most popular private domain names off the market. These include strings such as .corp, .local, .home, .internal, and .private.&nbsp; Not doing so, PayPal claims, would put &ldquo;millions of users and high-value systems at considerable risk.&rdquo;&nbsp; To date, there are outstanding gTLD applications for the .corp and .home domains.</p>
<p>For VeriSign, nothing short of a temporary halt to the process would be satisfactory.&nbsp; In a recent interview, however, ICANN CEO Fadi Chehade indicated that ICANN had no intention of delaying the issuance of the new gTLDs.&nbsp; Nevertheless, this past week, perhaps in response to VeriSign&rsquo;s report, ICANN did <a href="http://www.arnnet.com.au/article/457943/wake_gtld_security_criticism_icann_announces_emergency_back-up_registry_operators/">announce some additional protections</a> it would be employing&mdash;&ldquo;Emergency Back-End Registry Operators&rdquo; or EBEROs. These EBEROs will work to guarantee that websites hosted on new gTLDs will resolve in the event any gTLD fails. The EBEROs will be scattered across different regions of the globe to eliminate the possibility that any one natural disaster could affect all EBEROs at once. This is a measure VeriSign had suggested.</p>
<p>Ultimately, it remains to be seen what data security, privacy, or other concerns may be implicated by the influx of new gTLDs.&nbsp; For the many businesses and entities that could be affected by the program, it is important to remain vigilant of the new top-level domains on the horizon and how they may impact existing systems.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/new-gtlds-raise-data-security-concerns/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/new-gtlds-raise-data-security-concerns/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Tue, 16 Apr 2013 12:01:06 -0500</pubDate>
         <dc:creator>Craig Hoffman</dc:creator>

      </item>
      
      <item>
         <title>The New FTC Dot Com Disclosures - the FTC Updates its Digital Advertising Guidelines for the Twitter and Facebook Age</title>
<description><![CDATA[<p>In what seems like a lifetime ago &ndash; and in the fast moving world of the Internet maybe it is &ndash; in May 2000 the Federal Trade Commission issued &ldquo;<a href="http://www.ftc.gov/os/2000/05/0005dotcomstaffreport.pdf"><em>Dot Com Disclosures: Information about Online Advertising</em></a>&rdquo; to provide guidelines on the applicability of the FTC&rsquo;s rules to online activities. Back then, the top-of-mind issues for companies selling and promoting products online were email solicitations and online sales and advertisements.&nbsp; That was before social media juggernauts Twitter and Facebook changed the way companies communicate to their consumers and before smartphones and tablets emerged as ubiquitous advertising platforms.&nbsp; It&rsquo;s been nine years since Facebook opened its doors to the general public and ushered in the age of social media, and since then 82% of the Fortune Global 100 have Twitter accounts, 74% have Facebook pages, 79% have branded YouTube channels, and over a quarter use <a href="http://www.burston-marsteller.com/social/Summary.aspx">all the above</a>.</p>
<p>On March 12, 2013, the FTC updated its online advertising guidelines to reflect this new environment, releasing &ldquo;<em>.com Disclosures: How to Make Effective Disclosures in Digital Advertising&rdquo;</em> (<a href="http://www.ftc.gov/os/2013/03/130312dotcomdisclosures.pdf">&ldquo;Guidelines&rdquo;</a>). The Guidelines reinforce that online ads must be disclosed and disclosures must be clear and conspicuous, highlighting the information businesses should consider as they develop ads for online media to ensure compliance with the FTC&rsquo;s rules on space-constrained screens and in social media. The Guidelines are important because, although they may not carry the force and effect of law, they are the FTC staff interpretations of the laws administered by the FTC, and a person or entity that fails to comply with the Guidelines runs the risk of an FTC investigation or enforcement action. If there is one clear message for companies to glean from the Guidelines, it is that as much as things have changed in the digital marketplace, they remain the same for online advertising: Tell the truth, don&rsquo;t mislead, and if you need to qualify your claims make sure that the disclosure is clear and conspicuous.</p>
<p>To that end, the Guidelines focus on the &ldquo;clear and conspicuous&rdquo; disclosures requirement in the online world, providing 26 pages of graphic screen shot examples of do&rsquo;s and don&rsquo;ts.&nbsp; Clear and conspicuous disclosures are required to prevent an ad from being unfair or deceptive. And the FTC is taking a hard line: &ldquo;If a disclosure is necessary to prevent an advertisement from being deceptive [or] unfair &hellip; and if it is not possible to make the disclosure clear and conspicuous, then either the claim should be modified or the ad should not be disseminated. Moreover, if a particular platform does not provide an opportunity to make clear and conspicuous disclosure, it should not be used to disseminate advertisements that require such disclosures.&rdquo; In other words, the FTC is not sympathetic to the creative challenge of getting across a company&rsquo;s message in 140 characters or less.</p>
<p>The good news is that the Guidelines provide a common sense approach to developing a clear and conspicuous disclosure and are generally consistent with how companies tend to provide other important information to their consumers. Here is an overview of five practical, high level takeaways from the Guidelines that companies should keep in mind when assessing their online ad campaigns:</p>
<p><em>1. Same screen, adjacent disclosures are the best practice.</em></p>
<p>Proximity and placement of the disclosure is critical.&nbsp; Across any platform, a disclosure is most effective and consumers are most likely to notice it when placed on the same screen and as close as possible to the information it relates to. Here is an example from the Guidelines of a properly placed &ldquo;imitation&rdquo; disclosure in an online jewelry ad:</p>
<p><img src="http://www.dataprivacymonitor.com/DPM-1-2013.jpg" alt="" width="320" height="480" /></p>
<p><em>2. Consumers should not have to scroll to view disclosures, but where scrolling is necessary, steps should be taken to encourage consumers to scroll to the disclosure. </em></p>
<p>Generally speaking, wherever possible, avoid placing disclosures where consumers might have to scroll in order to view them. However, if scrolling is necessary because the disclosures are lengthy or difficult to place next to the claim they qualify, use text or visual cues to encourage consumers to scroll to the disclosure. For instance, an explicit instruction to &ldquo;see below for information on restocking fees&rdquo; would likely pass muster under the Guidelines as opposed to a vague &ldquo;see details below.&rdquo; Moreover, if scrolling is necessary, then the disclosure should be unavoidable, i.e., consumers should not be able to proceed with the transaction without scrolling to and then clicking through the disclosure.</p>
<p><em>3. Disclosures in space-constrained ads, i.e., Twitter ads, should simply say they are an ad. </em></p>
<p>For space-constrained ads such as those on Twitter or in mobile applications, the disclosure should be incorporated into the ad whenever possible, and in certain circumstances short-form disclosures may be sufficient under the Guidelines. For instance, in a Twitter advertisement, including the term &ldquo;Ad:&rdquo; or &ldquo;Sponsored:&rdquo; in front of the tweet should sufficiently disclose to the consumer the promotional nature of the tweet (and it is only three or ten characters, respectively). Notably, the Guidelines explain that a disclosure in a tweet should be included in each and every subsequent tweet with the ad requiring a disclosure. Here is a hypothetical Twitter ad from the Guidelines that adequately discloses that the speaker is a paid spokesperson and qualifies the nature of the product:</p>
<p><img src="http://www.dataprivacymonitor.com/DPM-2-Twitter-2013.jpg" alt="" width="520" height="72" /></p>
<p><em>4. Hyperlinking to a disclosure is discouraged and, if necessary, should be carefully scrutinized to ensure compliance with FTC rules.</em></p>
<p>Hyperlinks should not be used to communicate disclosures that are an integral part of a claim or inseparable from it, such as health/safety information or cost information. Do not simply hyperlink a single word or phrase in the text, do not label the link with only the words &ldquo;disclaimer&rdquo; or &ldquo;more information,&rdquo; and do not use a subtle symbol or icon that a reasonable consumer would view as just another graphic. At the end of the day, the consumer should be given a reason to click on the disclosure, not ignore it. Here is an example from the Guidelines of what not to do by simply adding a hyperlink labeled &ldquo;Important Health Information&rdquo;:</p>
<p><img src="http://www.dataprivacymonitor.com/DPM-3-As-Seen.jpg" alt="" width="500" height="371" /></p>
<p>That said, if the details of the disclosure are too difficult to place on the same screen as the claim, and a hyperlink is necessary, then the hyperlink should (a) be obvious and labeled to ensure that the consumer understands its relevance and importance; (b) be used consistently with how consumers use hyperlinks; (c) be placed as close as possible to the relevant information so consumers will notice it; and (d) take consumers from the hyperlink directly to the disclosure. Here is a screen shot of an FTC-approved hyperlink to a return fee disclosure:</p>
<p><img src="http://www.dataprivacymonitor.com/Frost-A-tron-2.jpg" alt="" width="500" height="371" /></p>
<p><em>5. Advertisers should account for viewing of disclosures across all platforms and avoid technology that hinders viewing disclosures.</em></p>
<p>Websites should be designed so that disclosures are clear and conspicuous regardless of the device on which they are displayed &ndash; whether on a desktop browser or a smartphone. Advertisers should consider, for instance, whether a disclosure may be too small to read on a mobile device. Disclosures are more likely to be clear and conspicuous on websites that are optimized for mobile devices or created using responsive design, which automatically detects the kind of device the consumer is using to access the site and arranges the content on the site so it makes sense for that device.</p>
<p><img src="http://www.dataprivacymonitor.com/DMP-4-2014.jpg" alt="" width="320" height="480" /></p>
<p>In the above example from the Guidelines, the website is optimized for mobile devices, and both the information about the service plan and the hyperlink to the plan&rsquo;s prices are immediately adjacent to the camera price they qualify.</p>
<p>Similarly, advertisers should not use pop-ups or other technology that could block the disclosure or otherwise make it difficult to view. For instance, companies should not disclose necessary information through the use of pop-ups that could be prevented from appearing by pop-up blocking software. Likewise, a disclosure requiring Adobe Flash Player should be avoided as it will not be displayed on mobile devices because many smart phones do not support that technology.</p>
<p>Companies advertising online and the marketers that promote their products and services should familiarize themselves with the Guidelines. Although the Guidelines are similar to the FTC&rsquo;s May 2000 <em>Dot Com Disclosures </em>and confirm the application of general advertising rules to the online world, the Guidelines provide a pragmatic, informative update of these basic principles for the constantly shifting social media and mobile ad tech spaces. The foregoing provides a good starting point to assess online advertising practices in light of the Guidelines, but a deeper dive is recommended, as the Guidelines are rich in practical content and provide illustrative examples of compliant ads. The Guidelines are available <a href="http://www.ftc.gov/os/2013/03/130312dotcomdisclosures.pdf"><strong>here</strong></a>.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/the-new-ftc-dot-com-disclosures---the-ftc-updates-its-digital-advertising-guidelines-for-the-twitter/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/the-new-ftc-dot-com-disclosures---the-ftc-updates-its-digital-advertising-guidelines-for-the-twitter/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Wed, 27 Mar 2013 11:52:32 -0500</pubDate>
         <dc:creator>Fernando Bohorquez, Jr.</dc:creator>

      </item>
      
      <item>
         <title>FTC Databook Highlights Consumer Fraud</title>
         <description><![CDATA[<p>The FTC last week <a href="http://www.ftc.gov/opa/2013/02/sentineltop.shtm">announced the release</a> of the <em><a href="http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2012.pdf">Consumer Sentinel Network Databook for January &ndash; December 2012</a></em>. &nbsp;The &ldquo;<a href="http://ftc.gov/sentinel/index.shtm">Consumer Sentinel Network</a>&rdquo; is the FTC&rsquo;s platform for law enforcement collaboration on issues affecting consumers. The program collects data from a <a href="http://ftc.gov/sentinel/datacontributors.shtml">wide range of sources</a>, providing a comprehensive, nationwide picture of consumer complaints.&nbsp;Given the possible existence of reporting biases and other factors, the FTC report should not be treated as a statistically valid survey of all consumer fraud. It is, nevertheless, an interesting and important part of the overall consumer-fraud picture.</p>
<p>This year&rsquo;s <em>Databook</em> reports on over 2 million consumer complaints received, with identity theft as the top issue by a wide margin (369,132 complaints, 18% of complaints in all), followed by debt collection (199,721; 10%), banks and lenders (132,340; 6%), shop-at-home and catalog sales (115,184; 6%) and prizes, sweepstakes, and lotteries (98,479; 5%).</p>
<p>The total reported cost paid by consumers as a result of fraud was nearly $1.5 billion, or an average cost of $2,350 per affected consumer. However, this average is skewed by the existence of higher-dollar frauds affecting a minority of consumers. A close examination of the FTC-provided data reveals that most (54%) of consumers paid nothing as a result of fraud, with a median cost of $535 among victims who did pay. Thirteen percent of victims paid between $1,001 and $5,000, while only four percent paid more than $5,000, rates which have remained fairly steady in each of the last three years.</p>
<p>It remains the case that most fraud originates in cyberspace, either via email (38%) or other web or internet exchanges (12%), although phone contact remains significant as well (34%).</p>
<p>Among reporting consumers, those aged 40 and above are at a higher risk of being victimized by fraud (66% v. 33% for those aged below 40). However, a complete look at the data undercuts any simple theory that susceptibility to fraud increases significantly with age. Considered as a whole, the under-40 group is helped by the fact that relatively few frauds target those 19 and under. And among reporting adults and broken down by decade, those aged over 70 are in fact the least likely of any group to be fraud victims.</p>
<p>In the category of identity theft fraud, most reported frauds are tax or wage related (43.4%), followed by credit card fraud (13.4%), and phone or utilities fraud (9.7%).</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/ftc-databook-highlights-consumer-fraud/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/ftc-databook-highlights-consumer-fraud/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Cybersecurity</category><category domain="http://www.dataprivacymonitor.com/">Identity Theft</category><category domain="http://www.dataprivacymonitor.com/">Information Security</category><category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Mon, 04 Mar 2013 22:00:45 -0500</pubDate>
         <dc:creator>Michael von Ansbach-Young</dc:creator>

      </item>
      
      <item>
         <title>International Compendium of Data Privacy Laws</title>
         <description><![CDATA[<p>Privacy and data protection issues confront all organizations&mdash;whether you handle employee information, credit card data, sensitive financial information or trade secrets. Securing data is a daunting task that is further complicated by cross-border transfer issues and the differences in privacy laws around the world. These laws are complex and can pose myriad and sometimes conflicting obligations to a multinational enterprise. BakerHostetler's Privacy and Data Protection Team is experienced at guiding our clients through this maze of global privacy norms.</p>
<p>The <a href="http://www.bakerlaw.com/privacydataprotection/">BakerHostetler Privacy and Data Protection Team</a> has developed a prompt and practical approach. We have a comprehensive international network of experienced service providers who are responsive when clients require support and guidance through a data security event. This compendium represents our global experience in this field. While it is not a substitute for legal advice, it is a reference guide that outlines the basic requirements in place when dealing with an international data breach so that you can know what immediate steps to take and what questions you need to ask to minimize your company's exposure.</p>
<p style="text-align: center;">BakerHostetler's <a href="http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/International-Compendium-of-Data-Privacy-Laws.pdf"><strong><em>International Compendium of Data Privacy Laws</em></strong></a> is now accessible.</p>
<p>We hope you find the information practical and welcome your comments and suggestions. We encourage you to contact the authors of the compendium, Gerald J. Ferguson at <a href="mailto:gferguson@bakerlaw.com">gferguson@bakerlaw.com</a>, Theodore J. Kobus III at <a href="mailto:tkobus@bakerlaw.com">tkobus@bakerlaw.com</a>, or Gonzalo S. Zeballos at <a href="mailto:gzeballos@bakerlaw.com">gzeballos@bakerlaw.com</a> for further information.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/miscellaneous/international-compendium-of-data-privacy-laws/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/miscellaneous/international-compendium-of-data-privacy-laws/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Miscellaneous</category><category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Tue, 26 Feb 2013 15:00:38 -0500</pubDate>
         <dc:creator>Craig Hoffman</dc:creator>

      </item>
      
      <item>
         <title>The FTC Mobile Privacy Staff Report</title>
<description><![CDATA[<p><a href="http://www.dataprivacymonitor.com/mobile-privacy/ftc-announces-new-coppa-enforcement-action-mobile-privacy-staff-report/">As reported here</a>, the FTC earlier this month released a staff report on mobile privacy. The report, <a href="http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf">Mobile Privacy Disclosures: Building Trust Through Transparency</a>, provides privacy practice recommendations to firms operating in the mobile app development "ecosystem." The report's recommendations are geared mainly toward developers and app store operators, such as Apple, Google, or Microsoft.</p>
<p>The report recommendations are not rules or regulations, and its contents do little to concretely signal new enforcement direction. Still, the report is a helpful indicator of agency thinking in general, and of the agency's <a href="http://www.ftc.gov/opa/2013/02/path.shtm">increased interest</a> in mobile privacy issues.</p>
<p>Distilled, the agency wants mobile app firms to provide:</p>
<ul>
<li>Clear, simple privacy policies; </li>
<li>Complete and accurate disclosures of how information will be used, including just-in-time notice where appropriate; and </li>
<li>Options for end-user control over the access to and use of private information </li>
</ul>
<p>Just-in-time notice is notice offered to users immediately before the app accesses sensitive data. For example, users of Apple's iPhone may be familiar with the warning that appears when an app or website is attempting to use the phone's geolocation capabilities:</p>
<p><a href="http://www.dataprivacymonitor.com/photo.PNG"><img style="text-align: center; display: block; margin: 0 auto 20px;" src="http://www.dataprivacymonitor.com/assets_c/2013/02/photo-thumb-150x225-22653.png" alt="photo.PNG" width="150" height="225" /></a></p>
<p>This is an instance of "just-in-time" notice.</p>
<p>The report's recommendations with respect to "just-in-time" notice are complicated, however, by its recommendation of increased policing by app platforms. Platforms &ndash; the agency's word for app store operators associated with classes of mobile devices &ndash; are in a privileged position to understand the functionality of the apps being offered in their respective app stores. Platforms can typically tell, for example, what parts of the mobile device an app will potentially be accessing. Based on this privileged knowledge, the staff report recommends that platforms develop and offer "platform-level" privacy disclosures that give app-store consumers the ability to understand the privacy profile of a given app. This capability could be combined with other features such as, for example, allowing consumers access to app privacy policies in advance of downloading and installing a particular app on their mobile device. Platforms could also provide services that compare app privacy policies with the platform's own privileged knowledge about the app.</p>
<p>If recommended platform-level privacy measures like these are put in place, however, then the staff report suggests that "it is important that these app-level disclosures not repeat the platform-level disclosures." Here, the FTC discourages some forms of just-in-time disclosure as duplicative:</p>
<p style="padding-left: 30px;">For example, an app should be able to rely on the platform's disclosure that geolocation data will be collected by the app . . . and need not repeat the same disclosure and consent process. If the app developer decides to share that geolocation data with a third party, the app developer should provide a just-in-time disclosure and obtain affirmative consent from users for that data sharing.</p>
<p>The agency report also supports "do not track" initiatives that would allow users to restrict ad networks from building targeted consumer profiles of particular users.</p>
<p>Operators in the mobile app development space should keep in mind the overarching emphasis of the staff report on the point of view of the end-user: does he know how his data is being treated? Can he find out easily? Does he have&nbsp;convenient control over that data's use?</p>]]></description>
         <link>http://www.dataprivacymonitor.com/behavioral-advertising/the-ftc-mobile-privacy-staff-report/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/behavioral-advertising/the-ftc-mobile-privacy-staff-report/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Behavioral Advertising</category><category domain="http://www.dataprivacymonitor.com/">Enforcement</category><category domain="http://www.dataprivacymonitor.com/">Mobile Privacy</category><category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Mon, 11 Feb 2013 15:29:28 -0500</pubDate>
         <dc:creator>Michael von Ansbach-Young</dc:creator>

      </item>
      
      <item>
         <title>Rockefeller Releases Results of Fortune 500 Survey on Cybersecurity</title>
         <description><![CDATA[<p>Back in September, I posted <a href="http://www.dataprivacymonitor.com/federal-legislation/rockefeller-questions-fortune-500-on-cybersecurity-act-data-security-practices/">here</a> about Senate Commerce Committee Chairman John D. Rockefeller&rsquo;s (D-WV) letters to all FORTUNE 500 companies inquiring about business opposition to cybersecurity legislation.&nbsp; This morning, Rockefeller <a href="http://commerce.senate.gov/public/?a=Files.Serve&amp;File_id=5a85f211-a5c9-4306-9c84-d3a6b88024f6">released a report by his staff summarizing the gist of the roughly 300 responses he&rsquo;s received to date</a>.&nbsp; The report does not mention any companies or executives by name, but, <a href="http://commerce.senate.gov/public/?a=Files.Serve&amp;File_id=03ecf11a-8194-4ace-bac8-06a11fcd4724">together with an illustrative table</a>, quotes anonymously and selectively from the responses received.&nbsp; Following is an overview of the report&rsquo;s findings.</p>
<ul>
<li>Over 80 of the Fortune 100 responded, with the rate falling off after that.&nbsp; Staff views the overall response rate as a &ldquo;very positive sign that America&rsquo;s largest companies and top business executives are taking the issue of cybersecurity seriously.&rdquo;&nbsp; </li>
<li>All responses stated that they have developed cybersecurity practices to protect their infrastructure from cyber attacks, often based on legal compliance requirements.&nbsp; Many companies rely on audit firms and sector-focused trade groups to benchmark and develop their practices.&nbsp; Responses illustrated the federal government&rsquo;s &ldquo;ad hoc&rdquo; approach to cybersecurity, involving sector-specific agencies and programs in the areas of chemicals, financial services, telecommunications and defense.</li>
<li>Staff&rsquo;s review found that opposition to the legislation by the US Chamber of Commerce and other groups, while shared by some, was not shared by many companies, and that overall the private sector is supportive of passing cybersecurity legislation.&nbsp; Many companies support an increased government role, a voluntary federal program, and increased information-sharing between the private sector and the government.&nbsp; A variety of companies support greater cybersecurity R&amp;D and workforce training.</li>
<li>Concerns raised about the legislation were about the specifics of the government&rsquo;s role and what impact it would have on companies, such as whether voluntary requirements could become mandatory and would impact the ability to address cybersecurity issues in a flexible manner, or duplicate efforts already underway.&nbsp; Another common concern was the need to adequately protect the confidentiality of information shared with the federal government during cyber threat assessments.&nbsp; Companies in the financial and electric sectors expressed concern that existing regulatory relations would be disrupted.</li>
</ul>
<p>It&rsquo;s clear from today&rsquo;s release and the aspirational measure Rockefeller introduced with fellow Democratic Committee Chairmen last week, <a href="http://www.gpo.gov/fdsys/pkg/BILLS-113s21is/pdf/BILLS-113s21is.pdf">S. 21, the Cybersecurity and American Cyber Competitiveness Act of 2013</a>, that he and his colleagues intend to pursue legislation this year.&nbsp; It&rsquo;s quite unclear how or when that will happen.&nbsp; Readers will recall that last year the Senate repeatedly failed to advance legislation, prompting the President to consider issuing an Executive Order.&nbsp; While it&rsquo;s still quite early in the 113<sup>th</sup> Congress, the political calculus post-November seems to favor a continued stalemate:&nbsp; Democrats gained only a couple of seats in the Senate, five votes short of a 60-vote, filibuster-proof majority.&nbsp; Also, unlike certain other issues, the election was arguably hardly a referendum on or endorsement of the Senate bill or the President&rsquo;s plan for cybersecurity.&nbsp; Nonetheless, hope springs eternal on Capitol Hill, so we&rsquo;ll continue to stay abreast of developments.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/rockefeller-releases-results-of-fortune-500-survey-on-cybersecurity/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/rockefeller-releases-results-of-fortune-500-survey-on-cybersecurity/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Cybersecurity</category><category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Wed, 30 Jan 2013 16:51:23 -0500</pubDate>
         <dc:creator>William J. Weber</dc:creator>

      </item>
      
      <item>
         <title>China Adopts Privacy Legislation Strengthening Online Personal Data Protection</title>
         <description><![CDATA[<p><em>Authorship Credit:&nbsp; Tina Amin</em></p>
<p>China&rsquo;s top legislature, the Standing Committee of the National People&rsquo;s Congress, closed out 2012 with the approval of rules to enhance the protection of online personal information.&nbsp; The &ldquo;Decision of the Standing Committee of the National People&rsquo;s Congress to Strengthen the Protection of Internet Data&rdquo; (&ldquo;Decision&rdquo;), which took effect upon its December 28, 2012 passage, has the same legal effect as law and was enacted &ldquo;to protect network information security, protect the lawful interests of citizens, legal persons and other organizations, [and] safeguard national security and social order ....&rdquo;&nbsp; Though the Decision&rsquo;s primary purpose is to protect the personal online information of Chinese citizens, it includes an identity management policy requiring Internet users to use their real names to identify themselves to service providers, including internet or telecommunications operators.</p>
<p>The Decision reflects China&rsquo;s recent push to address the issue of online personal data protection, and follows a Chinese Ministry of Industry and Information regulation, which took effect in March 2012, requiring Chinese websites to follow stricter rules on user consent to the collection and sharing of their personal data.&nbsp; Specific regulations regarding the protection of online data include the following:</p>
<ul>
<li>Internet service providers (ISPs), public service units (PSUs), and other organizations that collect or use an individual&rsquo;s electronic information during business activities must clearly indicate the objectives, methods, and scope of collection and use of information and obtain consent for collection from the data subject.</li>
<li>ISPs must strictly safeguard the privacy and strengthen the management of personal digital information.&nbsp;</li>
<li>Chinese citizens have the right to compel an ISP to delete personally identifying or private information about them or to take measures to terminate certain &ldquo;harassing&rdquo; activities.&nbsp;&nbsp; </li>
<li>ISPs are required to instantly stop the transmission of illegal information once it is spotted and take relevant measures, including removing the information and saving records, before reporting to supervisory authorities.</li>
<li>Organizations and individuals are banned from obtaining personal digital information via theft or other illegal means, and prohibited from selling or illegally providing the information to others.</li>
<li>&ldquo;Supervising Departments&rdquo; are empowered to take measures to prevent, stop, or punish those who infringe on online privacy, obtain personal digital information through illegal means, or sell or illegally provide information to others, and ISPs are required to give support during investigations.</li>
</ul>
<p>Violators of the Decision rules are subject to liability including warnings, fines, confiscation of unlawful income, cancellation of permits or cancellation of fines, closure of websites, prohibition of relevant responsible personnel from future engagement in the network service business, and other civil, administrative and even criminal punishments.&nbsp; Violations may also be recorded in the &ldquo;social credibility files&rdquo; and be made public.&nbsp;</p>
<p>Still, questions remain about the implementation of the Decision.&nbsp; Because the Decision itself is fairly broad and is meant to be more like a set of guiding principles than a law, many of the provisions lack the specificity essential for accurate understanding and compliance.&nbsp; For example, there is no guidance regarding which governmental department or agency will supervise or enforce the rules.&nbsp; Time will tell whether or not more implementing rules will clarify some of these ambiguities.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/international-privacy-law/china-adopts-privacy-legislation-strengthening-online-personal-data-protection/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/international-privacy-law/china-adopts-privacy-legislation-strengthening-online-personal-data-protection/</guid>
         <category domain="http://www.dataprivacymonitor.com/">International Privacy Law</category><category domain="http://www.dataprivacymonitor.com/">Online Privacy</category><category domain="http://www.dataprivacymonitor.com/">Privacy</category>
         <pubDate>Tue, 08 Jan 2013 13:31:51 -0500</pubDate>
         <dc:creator>Erica Gann Kitaev</dc:creator>

      </item>
      
      <item>
         <title>FTC Amends Its COPPA Rule to Protect Children Online After Technology Advances In Gathering Their Personal Information</title>
         <description><![CDATA[<p>Technology advances often help consumers do things quicker or easier.&nbsp; For regulators and law enforcers, such advances often present challenges in keeping laws and regulations up to date. The latest example is <a href="http://www.ftc.gov/os/2012/12/121219copparulefrn.pdf" target="_blank">amendments</a> announced by the Federal Trade Commission (&ldquo;FTC&rdquo;) on December 19, 2012, to update its Children&rsquo;s Online Privacy Protection Act (&ldquo;COPPA&rdquo;) Rule, which requires safeguards, such as pre-approval from parents before collecting personally identifiable information (&ldquo;PII&rdquo;) online from children under 13.</p>
<p>The phenomenon of regulatory obsolescence is nothing new.&nbsp; After much ado, the FTC in July 1975 announced its Mail Order Trade Regulation Rule, which governs disclosures of shipping dates, rights to cancel and timing of refunds for items ordered by mail.&nbsp; By the time of its press conference, the market had changed so that there was a wave of direct sales being made via 800-number phone orders.&nbsp; These were not covered by the Rule, and there was almost no information in the rulemaking record about telephone sales.&nbsp; The Commission acknowledged that it would have to amend the Rule in due course, which it finally did in 1994, just as the new marketing phenomenon was internet sales.</p>
<p>With COPPA, like other regulations involving the internet and technology, changes occur in months or a year, not a decade, so the need to change the Rule accelerates quickly. For example:</p>
<ul>
<li>The original COPPA legislation, like the FTC&rsquo;s Rule, defined a website &ldquo;operator&rdquo; as one that managed a website that obtained PII from children under 13.&nbsp; Children could not jump from a website to Facebook or another social network that would collect their PII.</li>
<li>The original Rule regarded PII as comprising name, address, URL, phone and other common information.&nbsp; Nobody worried about face identification technology or so-called &ldquo;persistent identifiers&rdquo; that would not identify a child in the first instance, but could by repeated use over time.</li>
<li>The original Rule anticipated that a child would be at a terminal and could get a parent or guardian to provide online permission so that the operator could obtain information from the child. Nobody anticipated that smart phones and other handheld devices could be moving terminals for children to receive requests for and deliver PII a long way from parents.</li>
</ul>
<p>The 2012 Amendments address these and other recent changes to the electronic world.&nbsp; It is clear that some of these changes will be obsolete in relatively short order, even if we cannot easily anticipate when that will be.&nbsp; According to the FTC&rsquo;s press announcement, the main final amendments:</p>
<ul>
<li>expand &ldquo;PII&rdquo; that needs parental consent to include geolocation information, photos, and videos; </li>
<li>allow a streamlined, voluntary and transparent process for new ways of getting parental consent; </li>
<li>stop third parties from collecting PII from children through plug-ins without parental consent; </li>
<li>cover as PII persistent identifiers that recognize users, such as IP addresses and mobile device IDs; </li>
<li>permit website operators to release PII only to those who can keep it secure and confidential; </li>
<li>require covered website operators to adopt reasonable procedures for data retention and deletion; and </li>
<li>strengthen the FTC&rsquo;s oversight of self-regulatory safe harbor programs. </li>
</ul>
<p>Full details are available at&nbsp;<a href="http://www.ftc.gov/opa/2012/12/coppa.shtm">http://www.ftc.gov/opa/2012/12/coppa.shtm</a>.&nbsp; The FTC asserts that it tried to be flexible (allowing new ways for parental permission) while catching changes in technology that had to be covered.</p>
<p>A <a href="http://www.ftc.gov/os/2012/12/121219copparulestatement.pdf" target="_blank">dissent</a> from issuing one of the amendments shows the riskiness of changing technology regulation by statute.&nbsp; Maureen Ohlhausen, the newest Commissioner but a long-time senior staffer in Policy Planning, dissented on the ground that the FTC&rsquo;s expansion of &ldquo;website operator&rdquo; to cover third parties using plug-ins was invalid because it went beyond the plain meaning of the term &ldquo;website operator&rdquo; in COPPA, on which the Rule is based.&nbsp; She did not claim to disagree with the FTC&rsquo;s policy decision, but only concluded that the Commission&rsquo;s hands were tied by the limited definition in the statute.</p>
<p>Whether she is right or wrong in this instance, the reasoning shows why it can be risky for Congress to regulate too many details in a statute that will likely restrict Rule amendments needed for rapidly changing technology.&nbsp; In the 1975 Mail Order Rule, for example, no federal statute blocked the FTC from adding telephone orders when the world of marketing changed.&nbsp; For privacy and other tech-related topics, Congress will have to consider in future legislation whether it is allowing leeway for changes that cannot be anticipated.</p>
<p>As for website operators that collect PII from children under 13, or who meet the new FTC standards, it is time to make sure that their internal policies are consistent with the new requirements and that they are spelled out clearly in Privacy Policies on their websites.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/ftc-amends-its-coppa-rule-to-protect-children-online-after-technology-advances-in-gathering-their-pe/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/ftc-amends-its-coppa-rule-to-protect-children-online-after-technology-advances-in-gathering-their-pe/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Wed, 26 Dec 2012 11:07:48 -0500</pubDate>
         <dc:creator>Barry Cutler</dc:creator>

      </item>
      
      <item>
         <title>Lame Duck Congress Acts on Privacy Bills, Mostly With an Eye Toward 2013</title>
         <description><![CDATA[<p>While continuing congressional inaction on the fiscal cliff is getting most of the ink/pixels in news headlines over the last couple weeks, several privacy bills have advanced in the House and Senate. Though only one is likely to become law before the 112<sup>th</sup> Congress ends in a few days, they embody what will be the starting point for action on these issues next year.</p>
<p><strong>GLBA Privacy Notices</strong></p>
<p>The <a href="http://www.gpo.gov/fdsys/pkg/BILLS-112hr5817rfs/pdf/BILLS-112hr5817rfs.pdf">Eliminate Privacy Notice Confusion Act, H.R. 5817</a>, passed the House by voice vote on December 12. As amended, the bill would remove the Gramm-Leach-Bliley annual privacy notice requirement for a financial institution if it has not, in any way, changed its privacy notice or procedures. The bill was amended after Rep. Ed Markey (D-MA) and others opposed a provision in the original bill that exempted State-licensed financial institutions subject to consumer privacy laws. The amended bill is substantially the same as the legislation that passed the House by voice vote in April 2010 and is supported by the Independent Community Bankers of America, the Credit Union National Association, the American Bankers Association, the National Association of Federal Credit Unions, and the Consumer Bankers Association, among others. As with its predecessor, however, the Senate is unlikely to take up H.R. 5817 in the little time remaining before year-end.</p>
<p><strong>Location Privacy</strong></p>
<p>The Senate Judiciary Committee approved the <a href="http://www.gpo.gov/fdsys/pkg/BILLS-112s1223rs/pdf/BILLS-112s1223rs.pdf">Location Privacy Protection Act of 2012, S. 1223</a>, on December 13. Sponsored by Sen. Al Franken (D-MN), the bill would require mobile device (phones, tablets, car GPS) service providers to get prior consent from customers before collecting their geolocation information or sharing it with third parties. It also includes provisions designed to prevent so-called &ldquo;cyberstalking&rdquo;: Service providers that fall into one of the bill&rsquo;s exceptions (to help a parent locate a child, provide emergency services, protect customers from fraud, etc.) must nonetheless notify the individual about the tracking and how to revoke consent. Further, the bill makes it a crime to intentionally operate a stalking application and provides for a study of the use of geolocation data in violence against women. The bill is enforceable by DOJ, state AGs, and a private right of action via a minimum of $2,500 in damages, plus punitives, and preempts only contrary, not stronger, state laws.</p>
<p>Despite passing committee with minimal opposition and having the support of &ldquo;<a href="http://www.franken.senate.gov/?p=press_release&amp;id=2253">nearly every national domestic violence and consumer group in the country</a>,&rdquo; Ranking Member Chuck Grassley (R-IA) and senior Democrat Chuck Schumer (NY) both expressed reservations about the bill&rsquo;s potential negative impact on high-tech, signaling that further changes are likely before the bill would advance in the Senate. Grassley, citing a letter from the Interactive Advertising Bureau, also asked for a future hearing on technical aspects of the bill&rsquo;s notice and consent requirements. Franken acknowledged the bill would not advance further this year, but expressed hope that the bill could make it through the Senate in 2013.</p>
<p>Of interest to the broader legal community, during committee consideration of the bill, Sen. Grassley offered an amendment to require state attorneys general pursuing ANY court action under federal law, including enforcement of S. 1223, to notify the court if they hired private counsel to represent the state, cite their authority to do so, and reveal the terms of any such agreement. Grassley said he&rsquo;s troubled by firms hired on a contingent fee basis to enforce federal law. The amendment failed 8-9 on a party-line vote.</p>
<p><strong>Video Privacy Protection Act</strong></p>
<p>On December 18, by voice vote, the House passed a bill, <a href="http://www.gpo.gov/fdsys/pkg/BILLS-112hr6671eh/pdf/BILLS-112hr6671eh.pdf">H.R. 6671</a> &ldquo;to clarify that a video tape service provider may obtain a consumer's informed, written consent on an ongoing basis and that consent may be obtained through the Internet.&rdquo; In other words, the House passed the so-called &ldquo;Netflix bill&rdquo; to modernize the 1988 Video Privacy Protection Act to facilitate sharing one&rsquo;s viewing information online. The bill included the enhanced video privacy protections from Senate Judiciary Committee Chairman Patrick Leahy&rsquo;s (D-VT) version of the legislation (<a href="http://www.gpo.gov/fdsys/pkg/BILLS-112hr2471rs/pdf/BILLS-112hr2471rs.pdf">H.R. 2471</a>), approved by the Committee in November, but excluded his provisions strengthening the Electronic Communications Privacy Act dealing with government access to communications. The former provision requires renewing consent to share video-viewing information every two years and a "clear and conspicuous" option to withdraw consent at any time. The latter would require the government to obtain a search warrant anytime it seeks individuals&rsquo; electronic communications such as email, regardless of how old they are, though notice to the individual could be delayed almost indefinitely in consecutive six month increments if it would jeopardize an investigation, endanger someone&rsquo;s life, etc. <span style="text-decoration: underline;">Late yesterday, the Senate passed the House bill by unanimous consent and the President is expected to sign it into law</span>. Judge Robert Bork, whose circumstances inspired the VPPA when a weekly newspaper in Washington, DC published his video rental history, passed away on December 19.</p>
<p><strong>Identity Theft</strong></p>
<p>Yesterday, the House considered the <a href="http://www.gpo.gov/fdsys/pkg/BILLS-112hr1509ih/pdf/BILLS-112hr1509ih.pdf">Medicare Identity Theft Prevention Act, H.R. 1509</a>, which would simply eliminate the display (or coding or embedding) of Social Security numbers on Medicare cards within the next two years. It is expected to pass the House any day now with overwhelming bipartisan support. The Senate, however, has yet to act on similar legislation introduced by Richard Durbin (D-IL).</p>
<p><strong>CFPB &amp; Privileged Documents</strong></p>
<p>Last but not least, the President is expected to sign into law any day now <a href="http://www.gpo.gov/fdsys/pkg/BILLS-112hr4014enr/pdf/BILLS-112hr4014enr.pdf">H.R. 4014</a>, which clarifies that sharing attorney-client privileged information with the Consumer Financial Protection Bureau does not waive the privilege and potentially open up financial institutions to third-party subpoenas. Current law already preserves the confidentiality of information that financial institutions provide to most regulators, but Congress failed to make that explicit in the Dodd-Frank Wall Street Reform and Consumer Protection Act that created the CFPB.</p>
<p><strong>Data Breach Reporting for DOD Contractors</strong></p>
<p>Today, the Senate is expected to approve the Conference Report on the <a href="http://docs.house.gov/billsthisweek/20121217/CRPT-112HRPT-705.pdf">FY 2013 NDAA</a>, one of the most important annual bills considered in Congress and the culmination of several months&rsquo; work. The Conference Report reflects a compromise between the House and Senate versions of the legislation and contains an entire Subtitle IX.D on &ldquo;Cyberspace-Related Matters.&rdquo; In addition to authorizing funds and setting policy parameters for cybersecurity planning and system development, the bill contains a provision directing DOD to establish a breach reporting mechanism for contractors. Section 941 of the legislation directs the Secretary of Defense to establish, within 90 days of enactment, procedures for &ldquo;cleared defense contractors&rdquo; to &ldquo;rapidly&rdquo; report successful penetrations of certain &ldquo;networks and information systems&rdquo; that meet criteria to be developed by the Secretary and other senior DOD officials. The procedures must include a mechanism for limited DOD access to contractor equipment and information for forensic analysis and must prohibit disclosure of non-DOD information outside the Department. The language is reportedly less onerous than provisions opposed by some business groups in the original Senate-passed bill. The House passed the Conference Report yesterday 315-107, so Senate passage will clear the legislation for the President&rsquo;s signature. A broad overview of the NDAA is available on Armed Services Committee Chairman Levin&rsquo;s <a href="http://www.levin.senate.gov/newsroom/press/release/senate-armed-services-committee-completes-conference-of-national-defense-authorization-act-for-fiscal-year-2013/?section=alltypes">website</a>.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/lame-duck-congress-acts-on-privacy-bills-mostly-with-an-eye-toward-2013/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/lame-duck-congress-acts-on-privacy-bills-mostly-with-an-eye-toward-2013/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Identity Theft</category><category domain="http://www.dataprivacymonitor.com/">Mobile Privacy</category><category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Fri, 21 Dec 2012 12:00:00 -0500</pubDate>
         <dc:creator>William J. Weber</dc:creator>

      </item>
      
      <item>
         <title>Rep. Markey to Data-Brokers: Let&apos;s Start with Kids, Then Tackle Data Privacy for the Rest</title>
         <description><![CDATA[<p>In a briefing convened by the <a href="http://markey.house.gov/press-release/advisory-markey-barton-host-bi-partisan-congressional-briefing-data-brokers-ftc">Congressional Bi-Partisan Privacy Caucus December 13, 2012</a>, co-chairs Ed Markey (D-MA) and Joe Barton (R-TX) tried to advance their agenda of enhancing children&rsquo;s online privacy in the context of exploring the scope and practices of &ldquo;data-brokers.&rdquo; Panelists included credit bureaus, marketing companies, FTC Commissioners, and privacy advocates.</p>
<p>Markey kicked things off with a pithy characterization of the current situation regarding technology and big data as both the best of times and the worst of times, with immense benefits and huge potential costs. He seemed pleased with companies&rsquo; &ldquo;timely and detailed&rdquo; responses to his request for information in July. Neither he, nor Barton wants to shut down targeted advertising. Nonetheless, existing law has &ldquo;gaps&rdquo; and he wants to &ldquo;ratchet up&rdquo; transparency and give consumers more control over their personal information. Commissioner Brill, who served as the moderator while Markey and Barton attended to floor votes, expressed several concerns about comprehensive data collection:</p>
<ul>
<li>Current sectoral laws, such as HIPAA, protect information only in limited circumstances; reacting to Markey&rsquo;s hypothetical of a girl doing online research on anorexia, Brill suggested additional types of information may need protection.</li>
<li>&lsquo;E-scores&rsquo; or marketing scores that rank consumers by potential value could have negative, discriminatory impacts on consumers, placing them in marketing &ldquo;buckets,&rdquo; e.g., for subprime loan advertisements, potentially based on incorrect information, from which there is no escape.</li>
<li>Responding to industry concerns about capturing the thousands of diverse companies that use consumer data in defining the term &ldquo;data-broker&rdquo; and fears of a one-size-fits-all approach to regulation, Brill suggested a distinction between consumer-facing and non-consumer-facing companies may be appropriate, due to the latter lacking transparency and consumer access.</li>
</ul>
<p>Several company panelists argued for self-regulation, while others pointed to FCRA as a model that has withstood the test of time &ndash; a point with which the privacy advocates concurred. Ultimately, Brill and Markey seemed to agree that an appropriate starting point would be to address practices of the top 100-200 data-brokers, however that term is ultimately defined.</p>
<p>On kids&rsquo; privacy, Markey and Barton plan to reintroduce their <a href="http://www.gpo.gov/fdsys/pkg/BILLS-112hr1895ih/pdf/BILLS-112hr1895ih.pdf">Do Not Track Kids Act (H.R. 1895)</a> next year and amass well beyond its current 45 cosponsors. In its current form, the bill would, among other things, amend COPPA to prohibit Internet companies from sending targeted advertising to children and minors. However, at the briefing, Barton suggested there be a flat prohibition on <em>collecting</em> information from kids under 13, while Markey suggested COPPA cover kids up to age 15. When pressed, several data-broker panelists were indifferent to the proposals, saying they simply don&rsquo;t collect data from children. Others, however, noted difficulty with determining the age of online consumers. In response, FTC Chairman Jon Leibowitz strongly implied he disagrees with those who have argued for inclusion of an &ldquo;actual knowledge&rdquo; standard in any updates to COPPA, saying with kids, &ldquo;the benefit of the doubt&rdquo; has to be given to privacy over data collection. (In subsequent remarks, Brill indicated the FTC&rsquo;s proposed changes to COPPA should be finalized by year-end.) Markey concluded the briefing saying that everyone should be able to agree on protecting kids; they should be protected first and then [industry, privacy advocates, and policy-makers] can return to work out other issues. As readers of this blog know by now, 2013 promises to be another banner year for privacy law and policy.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/rep-markey-to-data-brokers-lets-start-with-kids-then-tackle-data-privacy-for-the-rest/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/rep-markey-to-data-brokers-lets-start-with-kids-then-tackle-data-privacy-for-the-rest/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Fri, 14 Dec 2012 13:00:00 -0500</pubDate>
         <dc:creator>William J. Weber</dc:creator>

      </item>
      
      <item>
         <title>FTC&apos;s Ohlhausen: Privacy Through a Competition Lens</title>
         <description><![CDATA[<p>Earlier this week, Maureen Ohlhausen, the Federal Trade Commission&rsquo;s newest commissioner, shared her perspective on &ldquo;The Federal Role in Privacy: Getting It Right&rdquo; in a discussion at the Hudson Institute, a conservative-leaning think tank in Washington, DC. Her straightforward comments indicated she intends to take a cautious and holistic approach toward any expansion of the FTC&rsquo;s role in safeguarding consumer privacy &ndash; an approach informed by her 11 years of service at the FTC, which she noted is more experience than any of her fellow commissioners.&nbsp; That experience, which culminated in heading the Office of Policy Planning from 2004 to 2008 under Republican Chairwoman Deborah Platt Majoras, informed her broad view of the FTC&rsquo;s work on competition and economics, in addition to consumer protection. Among the views Ohlhausen expressed were:</p>
<ul>
<li>The core of the FTC&rsquo;s mission is challenging deception, particularly fraud, and &ldquo;should remain so.&rdquo;</li>
<li>Section 5 of the FTC Act &ndash; the &ldquo;heart&rdquo; of the Commission&rsquo;s authority &ndash; is simple, but flexible and effective, as demonstrated by the recent settlement with DesignerWare, LLC and several rent-to-own stores for conduct that violated both the deceptive and unfairness prongs, and by the over one hundred spam and spyware cases and thirty-some data security cases brought by the FTC.</li>
<li>She&rsquo;s skeptical of calls for legislation to grant the FTC additional authority to protect privacy.&nbsp; She criticized the Commission&rsquo;s March <a href="http://ftc.gov/os/2012/03/120326privacyreport.pdf">report</a> for not specifying what harms Section 5 can&rsquo;t reach and for not considering the impact of reducing &ldquo;information flow&rdquo; in the marketplace, citing ABA Antitrust Section comments on the latter point.</li>
<li>Nonetheless, she supports a uniform federal law for data security and breach notification because there are gaps that could be closed and because a single standard would be better for company compliance and consumer expectations than the current patchwork of state laws. A federal law must be carefully crafted to provide reasonable precautions for safeguarding various types of data to avoid imposing undue costs not justified by consumer benefits.</li>
<li>In addition to using its enforcement authority, the FTC must continue to educate business and consumers and conduct/spur research to inform its policy development.</li>
</ul>
<p>Ohlhausen&rsquo;s point of view on the adequacy of the FTC&rsquo;s current authority would seem to be at odds with that of many privacy advocates in Congress, including Senate Commerce Committee Chairman John Rockefeller, who has <a href="http://commerce.senate.gov/public/index.cfm?p=PressReleases&amp;ContentRecord_id=971b9c02-b6a3-462f-933a-0ec0bd9c4c24">a bill to empower</a> the FTC to write and enforce &ldquo;Do-Not-Track&rdquo; online regulations and who recently <a href="http://commerce.senate.gov/public/index.cfm?p=PressReleases&amp;ContentRecord_id=a42a865a-be30-4171-8278-86ee0a8c76fb&amp;ContentType_id=77eb43da-aa94-497d-a73f-5c951ff72372&amp;Group_id=4b968841-f3e8-49da-a529-7b18e32fd69d">opened an investigation</a> into the business practices of data brokers. <a href="http://commerce.senate.gov/public/?a=Files.Serve&amp;File_id=3bb94703-5ac8-4157-a97b-a658c3c3061c">Rockefeller&rsquo;s October 9 letter</a> to 11 industry CEOs quotes the FTC report (regarding shortcomings of industry self-regulation) that Ohlhausen criticized and asks a series of detailed questions about data sources, collection mechanisms, product offerings, FCRA compliance, consumer access, etc. As information collection and targeted marketing become even more sophisticated, technology evolves (particularly with mobile devices), and data breaches increase, these differing points of view will almost certainly come to a head in the next Congress. How they are resolved &ndash; as with taxes, spending and so many other issues &ndash; may ultimately depend on what happens at the ballot box on November 6.</p>
<p><a href="http://www.hudson.org/index.cfm?fuseaction=hudson_upcoming_events&amp;id=974">Listen to the audio of Ohlhausen&rsquo;s presentation</a>.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/ftcs-olhausen-privacy-through-a-competition-lens/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/ftcs-olhausen-privacy-through-a-competition-lens/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Thu, 18 Oct 2012 14:58:17 -0500</pubDate>
         <dc:creator>William J. Weber</dc:creator>

      </item>
      
      <item>
         <title>Proposed Privacy Law Amendments:  Senate Judiciary Committee Fails to Take Up ECPA and VPPA Amendments</title>
         <description><![CDATA[<p><em>Editor's Note: This post is a joint submission to BakerHostetler's </em><a href="http://www.discoveryadvocate.com"><em>Discovery Advocate</em></a><em> blog.</em></p>
<p>The Senate Judiciary Committee was slated on Thursday to take up long-overdue revisions to the Electronic Communications Privacy Act (&ldquo;ECPA&rdquo;) and the Video Privacy Protection Act (&ldquo;VPPA&rdquo;), but the committee held the matter over.</p>
<p>The committee&rsquo;s chairman, Senator Patrick Leahy (D-VT), who helped draft the ECPA back in 1986, has long called for updates that would bring the ECPA in line with the realities of the digital age. Senator Leahy first proposed changes in May 2011 with the introduction of the ECPA Amendments Act of 2011 but refrained from bringing the bill before the committee while he gathered bipartisan support.&nbsp; In addition, Leahy had planned to offer an amendment updating both the ECPA and the VPPA to the cybersecurity legislation considered earlier this summer; however, Senate Republicans blocked that bill in early August.</p>
<p>The committee announced late Monday that it would take up an update of the VPPA introduced by Rep. Bob Goodlatte (R-VA) that easily passed the House in December and attach provisions to that bill that would amend parts of the ECPA.&nbsp; In his statement, Senator Leahy explained that "[t]he explosion of cloud computing, social networking sites, video streaming, and other new technologies in the years since, require that Congress take action to bring our privacy laws into the digital age."</p>
<p>The ECPA sets standards for law enforcement access to electronic communications. The proposed updates would eliminate the so-called 180-Day Rule, under which e-mail stored with a third-party provider (such as Google) for more than 180 days can be accessed by law enforcement without a warrant.&nbsp; The 180-Day Rule contrasts with the treatment of documents stored on a home computer, which law enforcement may obtain only with a warrant.&nbsp; This difference in treatment resulted from lawmakers&rsquo; assumption in 1986 that e-mail would not be stored for a long period of time.&nbsp; Moreover, the ECPA currently treats such stored digital information simply as a business record that law enforcement can gather without a warrant, a result of the antiquated premise that storing data with a third party was something only big companies did.</p>
<p>The VPPA was enacted in 1988 in response to the leak of Supreme Court nominee Robert Bork&rsquo;s video rental records and bars disclosure of video rental records absent written consent.&nbsp; The changes to the VPPA would allow companies such as Netflix to obtain one-time consent to share consumers&rsquo; video rental information with others. The measure is strongly backed by Netflix, which recently <a href="http://www.dataprivacymonitor.com/litigation/courts-preliminarily-approve-settlements-in-netflix-and-blockbuster-video-privacy-and-protection-act/">settled several consolidated class action suits</a> brought under the VPPA related to its retention and disclosure of customer records.&nbsp; The proposed ECPA amendments would require law enforcement to obtain a warrant to access electronic communications.</p>
         <link>http://www.dataprivacymonitor.com/online-privacy/proposed-privacy-law-amendments-senate-judiciary-committee-fails-to-take-up-ecpa-and-vppa-amendments/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/proposed-privacy-law-amendments-senate-judiciary-committee-fails-to-take-up-ecpa-and-vppa-amendments/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Fri, 14 Sep 2012 13:56:22 -0500</pubDate>
         <dc:creator>Erica Gann Kitaev</dc:creator>

      </item>
      
      <item>
         <title>Recent FTC Civil Penalties for Privacy Violations Show Need for Companies to Ensure Compliance with their Privacy Policies</title>
         <description><![CDATA[<p>After several years where telemarketing fraud and exercise/weight loss products seemed to top the FTC&rsquo;s agenda, the time has come when stepped up privacy enforcement against companies that are household names means that all consumer oriented firms need to take notice. This month, the FTC announced a settlement with Google that involves a $22.5 million civil penalty for privacy violations that had been prohibited in a prior settlement just last year. Google will pay the largest fine ever for violating a prior FTC order.</p>
<p>At the end of 2011, the FTC settled with Facebook for secretly disclosing personal information about customers that it had promised them it would keep securely. The cases are somewhat different, but both are based on the core principle that protections promised to consumers in privacy policies or otherwise define the company&rsquo;s obligations to those customers.</p>
<p>The cases do have in common that both companies had provisions in their settlement agreements that plainly denied all alleged facts and conclusions of legal liability. Those clauses triggered a dissent by one commissioner who wanted to reject the settlements on that ground and a strong rebuttal by the other four commissioners. As noted at the end of this piece, it is a point that will interest mostly close followers of the FTC, but the last has not been heard of this tangential issue.</p>
<p>The cases illustrate why we tell clients, quite seriously, that &ldquo;it is safer for you not to have a privacy policy than to have one that you do not follow.&rdquo; Not only should companies post a clear and accurate policy, but they should review and update them on a regular basis in case new ways to collect or use information have arisen.</p>
<p>The FTC alleged that Google broke a promise to consumers by placing advertising tracking &ldquo;cookies&rdquo; on the computers of users of Apple&rsquo;s Safari&reg; web browser, whose default settings block such third-party cookies. The FTC viewed the practice as a means of serving &ldquo;targeted&rdquo; ads to those users, a lucrative practice for advertisers. This may not be a costly fraud on consumers, unlike taking money for telemarketing proposals that are worthless or do not exist. However, public policy now recognizes that many consumers want a &ldquo;privacy zone&rdquo; around them that they do not want invaded without consent, whether they lose money or not.</p>
<p>In the Facebook case, the company found a way to capture and release personal information about consumers that it had promised to protect and keep private. Breaking promises to consumers about privacy is only one of the prongs of the FTC&rsquo;s growing enforcement program.</p>
<p>There has been a dramatic rise in data breach cases, brought as often by private parties as by the government. There, real damage is done, especially because data breaches may be followed by identity theft unless consumers act quickly to protect themselves. Such cases are an enormous burden on the companies themselves, and money is only one part of the aggravation, which may include public notification, setting up new accounts for consumers, and helping them monitor their credit reports for a year or more to catch evidence of identity theft. It is also a public relations nightmare.</p>
<p>The FTC issued &ldquo;Red Flags&rdquo; rules in the last few years, by which most companies with consumer accounts and information must have a formal written plan, approved at the Board level and administered by high level employees, to &ldquo;prevent, detect, and ameliorate&rdquo; instances of identity theft. For the most part, compliance was not difficult and most companies seemed to get the point that such a program to deter theft of information would be among business &ldquo;best practices&rdquo; even if it were not required by law.</p>
<p>More and more companies, particularly those with sensitive customer information, should consider periodic &ldquo;privacy audits,&rdquo; with or without outside help, to make sure their privacy policy is current and accurate, and that their efforts to protect the information they do hold are as aggressive as a technologically complex world requires.</p>
<p>As to the Google and Facebook denials, they were unprecedented in FTC agreements. Previously, consent documents would state only that &ldquo;the signing of the agreement does not constitute an admission of fact or law by the defendant or a finding by the court that a violation occurred.&rdquo; A reader might wonder, like this writer, why the FTC thinks it makes a difference one way or the other, but for arcane interpretations of the century-old FTC Act. To the parties, the idea is to avoid anything that could be used in the all-too-common class actions that piggy-back on the government&rsquo;s case. In any event, it is clear that we have not seen the end of this debate.</p>
         <link>http://www.dataprivacymonitor.com/online-privacy/recent-ftc-civil-penalties-for-privacy-violations-show-need-for-companies-to-ensure-compliance-with/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/recent-ftc-civil-penalties-for-privacy-violations-show-need-for-companies-to-ensure-compliance-with/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Mon, 27 Aug 2012 12:37:53 -0500</pubDate>
         <dc:creator>Barry Cutler</dc:creator>

      </item>
      
      <item>
         <title>Video Interview: Breaking Down the Amazon Cookie Litigation with LXBN TV</title>
         <description><![CDATA[<p>Following up on <a href="http://www.dataprivacymonitor.com/online-privacy/lessons-for-privacy-advocates-and-website-operators-from-amazon-cookie-litigation/">my post on the subject</a> last week I had the opportunity to speak with Colin O'Keefe of <a href="http://lxbn.lexblog.com">LXBN</a> regarding the recent cookie litigation Amazon was facing. In the brief interview, I explain the case, the lessons from it and how a change may soon be coming for data privacy litigation.&nbsp;</p>
<p>
<object width="560" height="315" data="http://www.youtube.com/v/Z3vplEXkw3w?version=3&amp;hl=en_US" type="application/x-shockwave-flash">
<param name="allowFullScreen" value="true" />
<param name="allowscriptaccess" value="always" />
<param name="src" value="http://www.youtube.com/v/Z3vplEXkw3w?version=3&amp;hl=en_US" />
<param name="allowfullscreen" value="true" />
</object>
</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/video-interview-breaking-down-the-amazon-cookie-litigation-with-lxbn-tv/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/video-interview-breaking-down-the-amazon-cookie-litigation-with-lxbn-tv/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Tue, 07 Aug 2012 12:00:00 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>

      </item>
      
      <item>
         <title>FTC Proposes Updating COPPA Rules to Address Mobile Technologies and Current Digital Advertising Practices in Gathering and Using Information from Children Under 13</title>
         <description><![CDATA[<p>The Children&rsquo;s Online Privacy Protection Act (&ldquo;COPPA&rdquo;) was passed by Congress at the end of the last century to add protections when an internet site sought to collect &ldquo;personally identifiable information&rdquo; (&ldquo;PII&rdquo;) from children under 13. The Congress directed the Federal Trade Commission to issue Rules to implement the Act, which it did. Now the FTC on August 1 proposed amendments to its Rule to keep up with changes in communications and information gathering.</p>
<p>When the FTC Chairman announced its new COPPA Rules at a press conference in 1999, he explained how certain sites would have to request age information from users and require clear parental consent when the user was younger than 13 years old. The Rule raised a number of complicated issues at the time.</p>
<p>The very first media question was, &ldquo;suppose a 12 year old child lies about his age and enters 14?&rdquo; The Chairman answered with an air of resignation, &ldquo;there is only so much a rule can accomplish.&rdquo; Since that time, the FTC and others have struggled to keep the Rule relevant and current with changes in the world of technology.</p>
<p>It all seemed so simple in 1999. Child goes to computer and connects to the internet. Child goes to a website that seeks PII for some purpose&mdash;getting a newsletter or becoming a member of a group sponsored by the site operator. It was hard to foresee that computers would be supplemented by various &ldquo;smart&rdquo; hand-held devices and that websites would routinely link to popular social networks where PII would often be entered, even when not solicited by the web operator itself.</p>
<p>As with other regulations that have faced obsolescence as commerce and communications advanced, the FTC again seeks public comment on a number of proposed changes to its COPPA Rule, which is published at 16 CFR Part 312. These are modified proposals based on comments the FTC received following a similar request in 2011.</p>
<p>The latest proposal is replete with subtle distinctions that, if approved, will require close scrutiny by operators of sites that attract young users. The full FTC proposal and instructions for submitting comments can be found <a href="http://www.ftc.gov/os/2012/08/120801copparule.pdf">here</a>.</p>
<p>The FTC proposes to modify only certain definitions to clarify the scope of the Rule and strengthen its protections for children&rsquo;s PII. Specifically, the defined terms include: (1) &ldquo;operator,&rdquo; and (2) &ldquo;website or online service directed to children.&rdquo; The FTC proposal also would expand the meaning of &ldquo;collected or maintained on behalf of&rdquo; an operator and, importantly, would expand the definition of &ldquo;personally identifiable information&rdquo; to include &ldquo;persistent identifiers&rdquo; in certain circumstances.</p>
<p>The thread that runs through all of the proposed changes is that they are needed to keep pace with real world communications. For example, until now the person responsible for compliance was the &ldquo;operator&rdquo; of the website, presumably the party that was collecting the PII from children.</p>
<p>All of that has changed. A large number of websites contain links to Facebook and other social media, which may ask for and obtain PII even if the primary &ldquo;operator&rdquo; does not. Other devices, including pop-up ads on a web page, may also be used to gather PII.</p>
<p>As the FTC explains, this change makes clear that &ldquo;an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered operator under the Rule.&rdquo;</p>
<p>Similarly, the Commission proposes to modify the Rule's definition of "personal information" to reflect changes in online practices. Previously, a &ldquo;persistent identifier&rdquo; was used, without specific PII, to establish that the same person or computer was being used to access the website. Other uses were &ldquo;internal,&rdquo; that is, to improve the website rather than to interact with the user.</p>
<p>In time, it has become possible for operators to use some recurring bits of information to identify a specific person&mdash;thereby making it PII. When that person is under 13, the same privacy issue comes into play as it once did with traditional PII. The FTC exempts from the expanded definition those identifiers that are used, as traditionally, only to provide &ldquo;support for internal operations&rdquo; of the website and are not used or disclosed to contact an individual, including, for example, through the controversial tool of &ldquo;behavioral advertising.&rdquo;</p>
<p>These two examples demonstrate the overarching purpose of the proposed changes, that is, to prevent the onset of obsolescence of Rules that were adequate at the time they were issued. It is a safe bet that the COPPA Rule is one that will be revisited periodically as long as website operators find new ways to extract PII from the youngest users among us.</p>
<p>The text of the Federal Register Notice for the proposal is available at the <a href="http://www.ftc.gov/os/2012/08/120801copparule.pdf">FTC's website</a>. Public comments on the <a href="http://www.ftc.gov/os/2012/08/120801copparule.pdf">Supplemental Notice of Proposed Rulemaking</a> will be accepted until September 10, 2012. Instructions for submitting comments are found in the Notice.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/ftc-proposes-updating-coppa-rules-to-address-mobile-technologies-and-current-digital-advertising-pra/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/ftc-proposes-updating-coppa-rules-to-address-mobile-technologies-and-current-digital-advertising-pra/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Mon, 06 Aug 2012 07:51:23 -0500</pubDate>
         <dc:creator>Barry Cutler</dc:creator>

      </item>
      
      <item>
         <title>Lessons For Privacy Advocates and Website Operators From Amazon Cookie Litigation</title>
         <description><![CDATA[<p>A Washington federal district court has dismissed with prejudice class action claims against Amazon alleging that the company&rsquo;s use of cookies to track consumers&rsquo; personal data violated the Consumer Fraud and Abuse Act (CFAA), and has requested further briefing on a claimed violation of the Washington Consumer Protection Act (WCPA). (<a href="http://www.scribd.com/doc/96021086/Del-Vecchio-v-Amazon-C11-366RSL-W-D-Wash-June-1-2012"><em><strong>Del Vecchio v. Amazon</strong></em></a>). This decision highlights how important it is for website operators to clearly and conspicuously disclose how they use cookies, while raising the question of who should profit from invisible traffic in information that takes place whenever we activate our web browser.</p>
<p>Cookies are small pieces of data (name/value pairs, with optional attributes such as a domain and an expiry) that a website operator sends to a browser accessing its site and that the browser returns on later requests to that site. While cookies may be set to expire when a browsing session ends, many cookies remain stored in a user&rsquo;s browser. Each subsequent time that browser requests a page from the site, the operator can read the data stored in those cookies to customize pages based on the user&rsquo;s browsing activities. The most controversial cookies are third-party cookies that track a user&rsquo;s activity across many sites. The European Union has enacted rules requiring website operators to more fully <a href="http://www.dataprivacymonitor.com/online-privacy/uk-privacy-office-commences-enforcement-of-cookie-rules/"><strong>disclose how websites deploy cookies</strong></a>, and to give users more control over the cookies placed in their browsers. The <a href="http://www.dataprivacymonitor.com/federal-legislation/ftc-issues-final-report-with-guidance-on-companies-online-privacy-practices/"><strong>FTC has issued a white paper</strong></a> calling on industry to adopt similar disclosure practices in the United States.</p>
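<p>The mechanics above, worked through in code as an added example (this is not code from the original post or from Amazon&rsquo;s site): a minimal cookie jar that parses <code>Set-Cookie</code> headers, distinguishes session cookies from persistent ones, and shows why a single ad host embedded on two unrelated sites can recognise the same browser on both. The <code>block_third_party</code> switch models the browser setting that the plaintiffs in this case say they relied on. The hostnames, cookie names and values are constructed for illustration, and only the <code>Domain</code> and <code>Max-Age</code> attributes are honoured.</p>

```python
"""Minimal cookie jar: how Set-Cookie headers become first- and third-party
cookies, and what a "block third-party cookies" setting changes.
Added example, not code from the original post; the hosts, cookie names
and values used below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: str             # host (or parent domain) the cookie is scoped to
    max_age: Optional[int]  # None -> session cookie, dropped when the session ends


def parse_set_cookie(header: str, response_host: str) -> Cookie:
    """Parse one Set-Cookie header value. Only Domain and Max-Age are honoured;
    without a Domain attribute the cookie is scoped to the responding host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, max_age = response_host.lower(), None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = val.strip().lstrip(".").lower()
        elif key == "max-age":
            max_age = int(val)
    return Cookie(name.strip(), value.strip(), domain, max_age)


def domain_matches(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 domain matching: the request host equals the cookie's domain or
    is a subdomain of it ('ads.example.evil' does not match 'ads.example')."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


class CookieJar:
    """A browser-side store. page_host is the site in the address bar; a cookie
    whose domain does not match it is a third-party cookie (an embedded tracker)."""

    def __init__(self, block_third_party: bool = False):
        self.block_third_party = block_third_party
        self.cookies: Dict[Tuple[str, str], Cookie] = {}

    def store(self, set_cookie: str, response_host: str, page_host: str) -> bool:
        cookie = parse_set_cookie(set_cookie, response_host)
        if self.block_third_party and not domain_matches(cookie.domain, page_host):
            return False                     # setting honoured: tracker cookie refused
        self.cookies[(cookie.domain, cookie.name)] = cookie
        return True

    def cookies_for(self, request_host: str) -> Dict[str, str]:
        """What the browser would send in the Cookie header to request_host."""
        return {c.name: c.value for (d, _), c in self.cookies.items()
                if domain_matches(d, request_host)}

    def end_session(self) -> None:
        """Closing the browser: session cookies go, persistent ones survive."""
        self.cookies = {k: c for k, c in self.cookies.items() if c.max_age is not None}


def simulate(block_third_party: bool) -> Dict[str, Dict[str, str]]:
    """Visit two unrelated sites that both embed ads.example, with a browser
    restart in between; return what each host sees on the second visit."""
    jar = CookieJar(block_third_party)
    # Day 1, shop.example: its own session cookie plus the embedded ad host's
    # one-year tracking cookie (a constructed third-party response).
    jar.store("cart=abc123", "shop.example", page_host="shop.example")
    jar.store("uid=7f3e; Domain=.ads.example; Max-Age=31536000; Path=/",
              "ads.example", page_host="shop.example")
    jar.end_session()
    # Day 2, news.example, which embeds the same ad host.
    jar.store("prefs=dark", "news.example", page_host="news.example")
    return {host: jar.cookies_for(host)
            for host in ("shop.example", "news.example", "ads.example")}
```

<p>With the default setting, <code>simulate(False)["ads.example"]</code> still returns <code>{"uid": "7f3e"}</code> during the news.example visit even though the session cookie from shop.example is gone; that one persistent identifier is what lets the ad host tie both visits to the same browser. With <code>block_third_party=True</code> the <code>uid</code> cookie is never stored and the ad host sees an empty Cookie header. The jar deliberately ignores <code>Path</code>, <code>Secure</code> and <code>HttpOnly</code>; a real browser applies those as well.</p>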
<p>In Del Vecchio, the plaintiffs complained that Amazon placed cookies on their hard drives against their wishes, even after they had attempted to block cookies through their browser settings. Under the CFAA, a plaintiff can state a civil cause of action where a defendant intentionally accesses a computer without authorization, but only if that conduct causes the plaintiff loss or damage of at least $5,000 over a one-year period. In arguing that they met the damages threshold, the Del Vecchio plaintiffs claimed that Amazon derived substantial financial gain through its use of cookies to gather the plaintiffs&rsquo; personal information and, correspondingly, that they lost the opportunity to realize such gain themselves.</p>
<p>Assuming the factual allegations of the complaint to be true for the purposes of the motion, the court acknowledged that, in theory, a plaintiff&rsquo;s lost opportunity to sell his computer usage data to marketers could constitute a monetary loss that satisfies the $5,000 damage threshold of the CFAA.&nbsp; But here, the court found that the plaintiffs&rsquo; claims were entirely speculative because they did not allege facts showing that they had the capacity or opportunity to independently monetize their raw computer usage information. As a result, the court granted Amazon&rsquo;s motion to dismiss for the plaintiffs&rsquo; failure to state a claim under the CFAA.</p>
<p>The court further found that the plaintiffs still might have a viable claim under Washington&rsquo;s Consumer Protection Act (the &ldquo;WCPA&rdquo;). The WCPA requires a showing of injury, but, unlike the CFAA, does not require a plaintiff to demonstrate monetary damages in order to satisfy the requirement. In this case, the court stated that in order to allege an injury, the plaintiffs would need to demonstrate that Amazon accessed their computers or their information without authorization.</p>
<p>The court noted that Amazon&rsquo;s &ldquo;Conditions of Use and Privacy Notice&rdquo; notifies visitors to Amazon sites that the company uses cookies and that the terms state that the plaintiffs&rsquo; use of Amazon was conditioned on their acceptance of those very terms. The court asked the parties to file additional briefings on the issues of: (1) whether plaintiffs had authorized Amazon&rsquo;s use of cookies and (2) whether Amazon&rsquo;s conduct was unfair or deceptive in light of Amazon&rsquo;s terms.</p>
<p>In light of the Del Vecchio decision, the recent EU cookie rules, and the concerns raised by the FTC regarding cookies, website operators should re-evaluate the manner in which they disclose the cookies deployed on their websites and obtain consent from users for placing those cookies in users&rsquo; browsers. While it appears that the CFAA is not available as a vehicle for privacy class action claims, privacy class action attorneys continue to look for other legal bases for such claims, such as the WCPA. Increased regulatory scrutiny of cookie practices is likely to further stir such litigation.</p>
<p>But the Del Vecchio decision also issues a challenge for privacy advocates looking to protect consumer web browsing practices. Under the holding in Del Vecchio, if consumers could sell their web usage information to marketers, then they could invoke the CFAA to prevent third parties from deploying cookies to take this web usage information without their consent. Rather than more class actions, consumers may be better served by the development of marketplaces where they can sell their web usage information for marketing purposes, rather than giving it away to the websites they access.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/lessons-for-privacy-advocates-and-website-operators-from-amazon-cookie-litigation/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/lessons-for-privacy-advocates-and-website-operators-from-amazon-cookie-litigation/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Mon, 30 Jul 2012 12:57:59 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>

      </item>
      
      <item>
         <title>Internet Banking Authentication Security Procedures Found Commercially Unreasonable</title>
         <description><![CDATA[<p>It is a common scenario&mdash;a company's computer system becomes infected with some variant of the Zeus Trojan with a key logger that sends key strokes out to a command and control server operated by a criminal. The criminal searches the key strokes to find login credentials to that company's Internet bank account, which are used to access the account and make wire transfers to accounts controlled by money mules. If the transactions are not blocked by the bank or detected by the company in time to block them, the company and the bank end up in a dispute over who bears the risk of loss. If the dispute leads to litigation, each side faces risk and litigation costs, in part due to the practical difficulties of meeting their burdens of proof.</p>
<p>This scenario occurred in 2009 between Patco Construction Company and Ocean Bank (later acquired by People&rsquo;s United Bank). Patco filed suit to recover $345,000 in fraudulent wire transfer losses, but the district court found that the bank had implemented reasonable security measures, allocated the risk of loss to Patco and dismissed all of Patco&rsquo;s claims. On July 3, 2012, the First Circuit Court of Appeals <a href="http://www.dataprivacymonitor.com/Patco-1st-Cir.pdf"><strong>reversed</strong></a> the district court upon finding that the bank failed to implement commercially reasonable security methods to prevent unauthorized transfers. The First Circuit&rsquo;s decision offers valuable lessons, which are dependent on understanding how the law allocates risk and the security methods that were used.</p>
<p><strong>The Law.</strong> Article 4A of the Uniform Commercial Code allocates the risk of loss for unauthorized commercial wire and ACH transfers to the bank that receives the transfer order unless the bank can show that it accepted the order in good faith and followed a commercially reasonable security procedure for verifying the transaction that was agreed to by the customer. The bank must show that the security procedure was reasonable for that specific customer and bank based on any express instructions from the customer, as well as the circumstances of the customer known to the bank (size, type and frequency of payment orders normally issued by the customer), alternative security procedures offered to the customer, and security procedures in general use by similarly situated banks and customers.</p>
<p><strong>The Security Procedures</strong>. In October 2005, the FFIEC issued guidance for authentication in Internet banking, which recommended that banks implement multifactor authentication, layered security, or other controls to mitigate the risk of fraud associated with single-factor authentication (i.e. username&nbsp;and password). To meet the guidance, the bank purchased a &ldquo;premium package&rdquo; from a security vendor and implemented a multifactor authentication security procedure with six features: (1) user ID and password; (2) device authentication using a cookie; (3) risk profiling using an algorithm that assigned a risk score to each login and transaction based on factors such as location, IP address and size, type, and frequency of orders; (4) challenge questions; (5) dollar amount of the order that triggers challenge questions; and (6) blacklisting of IP addresses associated with known instances of fraud. The bank did not use out-of-band authentication or tokens.</p>
<p><strong>The Fraudulent Transfers</strong>. For six years, Patco used Internet banking to make ACH transfers primarily for payroll. The payroll ACH transfers were always made on Fridays from a computer in Patco&rsquo;s office with the same static IP address. Over six years, the largest ACH amount was $36,000 and the highest risk score was 214. In May 2009, an unauthorized person who supplied the correct user name, password and challenge question answers to access Patco&rsquo;s Internet bank account made a series of daily fraudulent ACH transfers over the course of one week that totaled $588,851. All of the logins associated with the fraudulent transfers were from an unrecognized device and an IP address that Patco had never used. The daily fraudulent transfers were two and three times larger than any daily transfer Patco had requested in the prior six years, and they were assigned high-risk scores of 720 and 790. The payments were directed to accounts that had never before received payments from Patco. Even though the fraudulent transfer orders generated high-risk scores, the bank did not manually review any of the high-risk transactions.</p>
<p>The fraudulent transfers were only detected after Patco received notice by mail from the bank that some of the fraudulent transfers failed because they were sent to invalid account numbers. Even after Patco notified the bank of unauthorized transfers, another unauthorized transfer order was placed and initially processed by the bank. The bank was only able to recover or block some of the transfers, leaving a net loss of $345,000.</p>
<p><strong>Commercially Unreasonable</strong>. In finding that the bank&rsquo;s security procedures were commercially unreasonable, the First Circuit relied on the totality of the following &ldquo;collective failures&rdquo;: (1) prior to May 2009, the bank was aware of the increased fraud resulting from keylogger malware and had already experienced two other instances of fraud associated with keylogger malware; (2) the bank lowered its dollar threshold for the use of challenge questions from $100,000 to $1, which the court determined substantially increased the risk that a keylogger would capture the challenge question answers at the same time as the log-in credentials; (3) the bank introduced no additional security measures to counter its decision to lower the challenge question threshold; (4) other similarly situated banks had introduced the use of tokens or manual review and verification of uncharacteristic or suspicious transactions; and (5) the fraudulent transactions were flagged as uncharacteristic, highly suspicious, and potentially fraudulent from a &ldquo;very high risk non-authenticated device,&rdquo; but the bank did not use that information in processing the transactions.</p>
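<p>The following is an added example, not the bank&rsquo;s or its security vendor&rsquo;s software, of the kind of per-customer review the court found the bank had the information to perform but did not. It builds a baseline from a customer&rsquo;s own order history, scores a new order on the factors described above (device, IP address, day of week, amount, and beneficiary), holds high-scoring orders for manual review before processing and, going one step beyond the facts of the case, freezes all orders once the customer has reported fraud. The weights, the review threshold, the device and account names, and the IP addresses are constructed for illustration and do not reproduce the vendor&rsquo;s actual scoring.</p>

```python
"""Risk-based review of ACH transfer orders against a customer's own baseline,
with a hold on accounts where fraud has been reported.  Added example, not the
bank's or vendor's code: scoring weights, threshold and sample records are
constructed for illustration and only loosely echo the facts of the case."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Order:
    day: str            # weekday the order was submitted
    amount: float
    device_id: str      # cookie-based device identifier presented at login
    ip: str
    beneficiaries: Set[str] = field(default_factory=set)


@dataclass
class Baseline:
    """What the bank already knows about this customer from its own history."""
    max_amount: float = 0.0
    devices: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    days: Set[str] = field(default_factory=set)
    beneficiaries: Set[str] = field(default_factory=set)
    fraud_reported: bool = False   # set once the customer reports unauthorised orders

    def learn(self, order: Order) -> None:
        self.max_amount = max(self.max_amount, order.amount)
        self.devices.add(order.device_id)
        self.ips.add(order.ip)
        self.days.add(order.day)
        self.beneficiaries |= order.beneficiaries


def build_baseline(history: List[Order]) -> Baseline:
    base = Baseline()
    for order in history:
        base.learn(order)
    return base


def risk_score(order: Order, base: Baseline) -> int:
    """Additive score over the signals the post says the bank already had.
    Weights are arbitrary illustrative values."""
    score = 0
    if order.device_id not in base.devices:
        score += 300        # unrecognised device
    if order.ip not in base.ips:
        score += 200        # IP address this customer has never used
    if order.day not in base.days:
        score += 100        # unusual day of the week for this customer
    if base.max_amount and order.amount > 1.5 * base.max_amount:
        score += 200        # far larger than anything in the history
    if not order.beneficiaries <= base.beneficiaries:
        score += 100        # pays an account this customer has never paid
    return score


REVIEW_THRESHOLD = 500      # illustrative; tune per customer segment


def decide(order: Order, base: Baseline) -> str:
    """'process', 'review' (hold for manual verification before release), or
    'hold' (customer has reported fraud; nothing goes out until cleared)."""
    if base.fraud_reported:
        return "hold"
    return "review" if risk_score(order, base) >= REVIEW_THRESHOLD else "process"


def run_demo() -> Dict[str, str]:
    # Constructed history: Friday payroll runs from the office PC at a static IP.
    history = [Order("Fri", 9_000 + 500 * i, "office-pc", "203.0.113.10", {"payroll-acct"})
               for i in range(50)]
    base = build_baseline(history)
    results: Dict[str, str] = {}
    routine = Order("Fri", 31_000, "office-pc", "203.0.113.10", {"payroll-acct"})
    results["routine"] = decide(routine, base)
    # Correct credentials and challenge answers, but a new device, a new IP,
    # an unusual day, an outsized amount and never-before-seen beneficiaries.
    suspicious = Order("Tue", 95_000, "unknown-dev", "198.51.100.77", {"mule-1", "mule-2"})
    results["suspicious"] = decide(suspicious, base)
    # After the customer reports unauthorised transfers, even routine orders wait.
    base.fraud_reported = True
    results["after_report"] = decide(routine, base)
    return results
```

<p>The point of the example is the last step in <code>decide</code>: a high score is only useful if it changes what the bank does with the order. In the facts above, the bank computed scores of 720 and 790 and processed the transfers anyway; here anything at or above the threshold is routed to a person before release, and a fraud report from the customer stops further processing on the account, the protocol question raised in the lessons later in this post.</p>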
<p><strong>Consumer Obligations</strong>. The First Circuit noted that there are open questions under Article 4A of the UCC as to what, if any, obligations a company has when the bank&rsquo;s security system is commercially unreasonable. The court identified two factual issues that might affect this determination: (1) Patco argued that it requested e-mail alerts from the bank but never received them, while the bank argued that it sent a general notice to all customers with instructions on how to change their &ldquo;Alerts&rdquo; settings to receive e-mail alerts and that Patco never set its account to receive them; and (2) whether the fraud originated from keylogging malware, because Patco allegedly failed to properly preserve available computer forensic evidence (the anti-virus scan that Patco&rsquo;s IT consultant ran after the fraud was detected quarantined and deleted the encryption key necessary to read the malware&rsquo;s configuration file, which could have shown whether the malware was configured to capture log-in credentials).</p>
<p>The lessons-learned and issues to consider based on this decision include:</p>
<p>(1) Implementing a one-size-fits-all security solution, or failing to implement the solution as designed, will leave a bank vulnerable to a finding of commercial unreasonableness, especially if the tools give the bank sufficient information to detect and prevent the fraud (e.g., reviewing high-risk transactions before processing) but the bank does not use that information.</p>
<p>(2) When bank employees are contacted by customers who report suspected fraud, what instructions are being given to customers?</p>
<ul>
<li>Are customers instructed to engage a qualified computer forensic expert to examine their computer network and appropriately preserve relevant data?</li>
<li>It may be beneficial to develop a standard set of recommendations that can be sent to customers in this scenario, and documentation of sending that communication should be preserved.</li>
<li>Are there protocols that result in at least temporarily blocking, or adding heightened monitoring to, all orders on an account once the customer reports suspicious activity, so that no further fraudulent orders are processed after the bank receives that first report?</li>
</ul>
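<p>Lessons (1) and (2) reduce to one engineering rule: a transfer is processed only after the signals the bank already holds (its risk score, whether the device is one the customer has authenticated before, and whether the customer has reported fraud on the account) have actually been consulted. The Python below is an added example written for this post, not the bank&rsquo;s system or anything from the court record; the 0 to 100 score scale, the thresholds, the field names and the sample transfers are all constructed assumptions. Its <code>act_on_risk_score=False</code> setting reproduces the failure the court described: the scoring engine still flags the transfer, but nothing downstream acts on the flag.</p>

```python
"""Transfer gate for the lessons above.  Added example, not the bank's
system: score scale, thresholds, field names and sample data are assumed."""
from dataclasses import dataclass

PROCESS, HOLD_FOR_REVIEW, BLOCK = "PROCESS", "HOLD_FOR_REVIEW", "BLOCK"


@dataclass(frozen=True)
class Transfer:
    account: str
    amount: float
    device_authenticated: bool  # device previously enrolled/authenticated by the customer
    risk_score: int             # 0-100 from the scoring engine (assumed scale)


class TransferGate:
    """Decides whether an outbound transfer may be processed now.

    review_score_known_device / review_score_new_device: scores at or above
    which a transfer is held for manual review, with a lower bar for a device
    the customer has never authenticated ("very high risk non-authenticated
    device" in the decision).  act_on_risk_score=False reproduces the failure
    mode the court criticised: the score is computed but never consulted.
    """

    def __init__(self, review_score_known_device=90, review_score_new_device=60,
                 act_on_risk_score=True):
        self.review_score_known_device = review_score_known_device
        self.review_score_new_device = review_score_new_device
        self.act_on_risk_score = act_on_risk_score
        self._reported = set()          # accounts with an open fraud report

    def customer_reports_fraud(self, account):
        """Lesson (2): the first report freezes further transfers on the account."""
        self._reported.add(account)

    def close_report(self, account):
        self._reported.discard(account)

    def decide(self, tx):
        if tx.account in self._reported:
            return BLOCK                # nothing goes out until the report is resolved
        if not self.act_on_risk_score:
            return PROCESS              # the flag exists but is ignored: lesson (1)
        bar = (self.review_score_known_device if tx.device_authenticated
               else self.review_score_new_device)
        if tx.risk_score >= bar:
            return HOLD_FOR_REVIEW      # a person looks at it before money moves
        return PROCESS


# Constructed sample: a routine transfer, then two large transfers from a
# device the customer has never authenticated.
SAMPLE_TRANSFERS = [
    Transfer("acct-1001", 450.00, True, 12),
    Transfer("acct-1001", 58000.00, False, 95),
    Transfer("acct-1001", 47000.00, False, 88),
]


def run(gate, transfers, report_before=None):
    """Feed transfers through the gate; optionally the customer phones in a
    fraud report just before transfer number `report_before` (0-based)."""
    decisions = []
    for i, tx in enumerate(transfers):
        if i == report_before:
            gate.customer_reports_fraud(tx.account)
        decisions.append(gate.decide(tx))
    return decisions


if __name__ == "__main__":
    print("as designed:", run(TransferGate(), SAMPLE_TRANSFERS))
    print("flags ignored:", run(TransferGate(act_on_risk_score=False), SAMPLE_TRANSFERS))
    print("report before 3rd:", run(TransferGate(), SAMPLE_TRANSFERS, report_before=2))
```

<p>The same 88-point score is processed from a device the customer has authenticated and held from an unknown one; that asymmetry is the point of feeding device context into the gate rather than relying on challenge questions, which a keylogger captures along with the password.</p>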
<p>(3) If banks are communicating with customers regarding available features and options to enhance the security of Internet banking, are those communications being preserved and documented appropriately so that they may be properly introduced as evidence to show security options made available but not implemented by the customer?</p>
<p>(4) In addition to other security features and best-practices, are banks advising customers to use a dedicated computer that is used only for accessing their Internet banking account (e.g. the computer is not used to browse any other sites on the Internet or to check e-mail)?</p>
<p>(5) In deciding how to address the dispute with customers, one factor to consider is that the commercial reasonableness of the security will be judged by courts and juries several years after the incident occurred. And even though the security should be judged based on what was appropriate at the time of the incident, given the speed at which technology and attack vectors change, the passage of time will likely negatively impact the perception of whether the security was commercially reasonable.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/identity-theft/internet-banking-authentication-security-procedures-found-commercially-unreasonable/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/identity-theft/internet-banking-authentication-security-procedures-found-commercially-unreasonable/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Financial Privacy</category><category domain="http://www.dataprivacymonitor.com/">Identity Theft</category><category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Thu, 12 Jul 2012 09:07:38 -0500</pubDate>
         <dc:creator>Craig Hoffman</dc:creator>

      </item>
      
      <item>
         <title>Congressional Update on Data Privacy &amp; Security</title>
         <description><![CDATA[<p>The rumors of the death (or at least the &ldquo;dearth&rdquo; of activity) of the 112<sup>th</sup> Congress are somewhat exaggerated, to morph a phrase from Mark Twain, at least as regards the last couple of weeks prior to the Independence Day recess. Not only did Congress pass major legislation related to the FDA, transportation programs and student loans in the last two weeks, it has been active on the privacy/data security front as well. Here&rsquo;s an overview:</p>
<p><span style="text-decoration: underline;">Privacy / Do Not Track</span></p>
<p>On June 19, the House Judiciary Subcommittee on Intellectual Property, Competition, and the Internet held a hearing on, "<a href="http://www.judiciary.house.gov/hearings/Hearings%202012/hear_06192012.html"><strong>New Technologies and Innovations in the Mobile and Online space, and the Implications for Public Policy</strong></a>,&rdquo; featuring witnesses from eBay, the Association for Competitive Technology (app developers), TRUSTe, and NYU Law School. Lawmakers on both sides of the aisle expressed serious concerns about the over-collection of consumers&rsquo; private information by various online businesses and the quality, or complete lack of, privacy notices for mobile apps, among other issues. They were clearly grappling with whether to legislate, potentially imposing a one-size-fits-all policy on the internet economy, or to let industry regulate itself, with company-by-company policies, leaving no mechanism for enforcement and potentially allowing a patchwork of state regulations to fill the void. No consensus was reached - among the witnesses or the subcommittee members.</p>
<p>On the same day, two senior members of the House Energy and Commerce Committee and co-Chairmen of the House Privacy Caucus, Ed Markey (D-MA) and Joe Barton (R-TX), wrote the World Wide Web Consortium (W3C) Tracking Protection Working Group in support of default Do-Not-Track browser settings and urging them to &ldquo;commit to user control over <em>both</em> data collection and use.&rdquo; <a href="http://markey.house.gov/sites/markey.house.gov/files/documents/%206-19-12%20Letter%20from%20Rep%20Markey%20and%20Barton%20-%20W3C%20.pdf"><strong>Read the letter here</strong></a>.</p>
<p>Not to be outdone, on June 28, the Senate Committee on Commerce, Science, and Transportation held a hearing on &ldquo;The Need for Privacy Protections: Is Industry Self-Regulation Adequate?,&rdquo; at which witnesses from the Association of National Advertisers, TechFreedom (a non-profit, non-partisan think tank), <a href="http://commerce.senate.gov/public/index.cfm?p=Hearings&amp;ContentRecord_id=aa018084-ceea-472c-af63-97d7f44fac80"><strong>Mozilla, and Ohio State Law School testified</strong></a>. For Chairman Rockefeller, to ask the question was to answer it: self-regulation is inadequate and Do-Not-Track legislation is needed because &ldquo;companies will always be tempted to misuse the consumer information they collect.&rdquo; Industry disagrees and wants more time to develop a consensus self-regulatory approach and to innovate new mechanisms to meet consumer privacy demands.</p>
<p><span style="text-decoration: underline;">National/Cyber-security</span></p>
<p>In the last two weeks, <a href="http://www.gpo.gov/fdsys/pkg/BILLS-112hr5949ih/pdf/BILLS-112hr5949ih.pdf"><strong>H.R. 5949</strong></a>,&nbsp;legislation to reauthorize the FISA (Foreign Intelligence Surveillance Act) Amendments Act of 2008, a law that permits warrantless wiretapping for antiterrorism purposes, was approved by the House Judiciary and Intelligence Committees. The bill would simply extend the FISA Amendments Act, set to expire at the end of the year, for another five years. Similar legislation, <a href="http://www.gpo.gov/fdsys/pkg/BILLS-112s3276pcs/pdf/BILLS-112s3276pcs.pdf"><strong>S. 3276</strong></a>, was approved by the Senate Intelligence Committee on June 7 but has stalled due to objections by Sen. Ron Wyden (D-OR) over a lack of information on how many Americans&rsquo; communications have been collected to date under the law.</p>
<p>Senate Majority Leader Harry Reid (D-NV) has announced that the Senate will take up cybersecurity legislation (S. 2105) in July in an attempt to flush out positions and force a vote, despite no apparent majority support for a particular bill. On June 27, seven Senate Republicans reintroduced their voluntary, non-regulatory cybersecurity bill, the <a href="http://www.mccain.senate.gov/public/index.cfm?FuseAction=PressOffice.PressReleases&amp;ContentRecord_id=2ed8acb7-cb2a-043e-7bb4-26766aaa2b5b"><strong>SECURE IT Act, S. 3342</strong></a> with new language to tighten the definition of cyber threat information and to address privacy and civil liberties concerns among other changes. In the meantime, Sen. Sheldon Whitehouse (D-RI) continues to work on reaching a compromise with certain other Republican colleagues. July election year politics don&rsquo;t bode well for cyber legislation notwithstanding its national security implications.</p>
<p><span style="text-decoration: underline;">Data Breach </span></p>
<p>If cybersecurity legislation does in fact make it to the Senate floor, it will draw a host of amendments on other privacy and data security issues. Count on data breach amendments to be among them: On June 22, Sen. Pat Toomey and other Republican members of the Commerce, Science, and Transportation Committee introduced legislation, <a href="http://www.gpo.gov/fdsys/pkg/BILLS-112s3333is/pdf/BILLS-112s3333is.pdf"><strong>S. 3333</strong></a>, to preempt a &ldquo;patchwork&rdquo; of state laws and create a national standard requiring companies to protect and secure consumers' electronic data. Toomey&rsquo;s bill would require companies to take unspecified &ldquo;reasonable&rdquo; steps to protect personal data, but would not give the FTC power to write new regulations. In the event of a data breach, businesses would need to notify affected consumers &ldquo;as expeditiously as practicable,&rdquo; though delay would be allowed if notification could impede a civil or criminal investigation. Democratic attempts to garner bipartisan support for a version of their broader data breach bill, S. 1207, have been unfruitful.</p>
<p>On June 27, Sen. Al Franken introduced the <a href="http://www.franken.senate.gov/files/documents/120627_Protect_Health_Privacy_Summary.pdf"><strong>&ldquo;Protect Our Health Privacy Act,&rdquo; S. 3351</strong></a> to require health providers to encrypt portable devices that store health information and to restrict Business Associates&rsquo; use of protected health information. The bill stems from a particular data breach incident affecting Minnesotans and has the support of several consumer-oriented and civil liberties groups.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/congressional-update-on-data-privacy-security/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/congressional-update-on-data-privacy-security/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Data Breaches</category><category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Mon, 02 Jul 2012 08:14:49 -0500</pubDate>
         <dc:creator>William J. Weber</dc:creator>

      </item>
      
      <item>
         <title>Reading This Might Just Preserve Your Identity and Reputation</title>
         <description><![CDATA[<p><em>Authorship Credit: Dave Taylor, Director, Information Technology, Baker &amp; Hostetler LLP</em></p>
<p>We are seeing a dramatic increase in spam and email phishing schemes once again.&nbsp; These schemes have become very sophisticated in their ability to mimic the multitudes of legitimate on-line transactions that occur every day.&nbsp; Please consider the following when reading and reacting to emails.</p>
<p>1. The bad guys love playing off of our emotions, so they have taken to all manner of ways of &ldquo;inspiring&rdquo; a reaction (a mouse click) from us.&nbsp; You have likely seen at least one of the following recently:</p>
<ul>
<li>A&nbsp;purchase confirmation for something you didn&rsquo;t buy. PayPal, and eBay top the list for spoofs lately.</li>
<li>A&nbsp;password reset or other account-activity notice for something you didn&rsquo;t actually do.&nbsp; American Express, Verizon, and Apple iTunes/App Store are the brands most often imitated.</li>
<li>A&nbsp;LinkedIn request from someone you don&rsquo;t know.</li>
<li>An enticing &ldquo;offer&rdquo; that seems to be based on something about you or that is actually legit or important to you &ndash; like a subscription offer to some compelling professional content.&nbsp; This must be real because this offer is only coming to me because it relates to my profession&hellip;</li>
<li>A&nbsp;text message or IM that has a web link in it, usually congratulating you on winning $100 or something better!</li>
</ul>
<p>2. Please keep the following in mind:</p>
<ul>
<li>If your name or email address is not in the To: field of an email that claims to be about your account, treat it as a fake.</li>
<li>If there are other names in the To: or Cc: field of the email, it is a fake.&nbsp; No company is going to send you private account information, receipts, or password reset requests and copy anyone else at the same time.</li>
<li>No company or web site is going to send you an unsolicited password reset link via email.&nbsp; If you did not ask for the reset, do not follow the link; go to the site directly if you want to check your account.</li>
<li>LinkedIn is being used more and more for phishing AND social engineering attempts.&nbsp; Even if the LinkedIn request actually takes you to LinkedIn, do not automatically accept invitations or connect with anyone you don&rsquo;t know.&nbsp; Even if they appear to be connected with others you may know.&nbsp; Hackers and cyber criminals are using every means available to them to build a facade of credibility.</li>
<li>Blackberry, iPhone, and iPad are not immune to malware and phishing attacks.&nbsp; In fact, because these devices are MOBILE, the bad guys are expecting that your guard is down when working from them.&nbsp; Many attacks are now designed to exploit vulnerabilities specific to mobile devices.</li>
<li>Text messaging is now being used to launch phishing and malware attacks almost as frequently as email.&nbsp; And many of the mobile platforms are just now patching vulnerabilities that can be used to steal your personal information.</li>
</ul>
<p>3. What can I do to protect myself and the firm from hackers and phishers?</p>
<ul>
<li>Pay close attention to any and every email you read.&nbsp; Train yourself to question the legitimacy of any email that &ldquo;feels&rdquo; wrong.</li>
<li>Remind yourself to delay reacting to such emails especially from your mobile devices.</li>
<li>Look for your name, and JUST your name, in the header of the email.</li>
<li>Update your mobile device software frequently.</li>
<li>Do not click on links in emails, especially from a mobile device; but if you must, at least &hellip;</li>
<li>Practice the &ldquo;hover&rdquo;: by hovering your mouse cursor over a link, you will see the actual web address the link points to, which can be completely different from the text shown for it.&nbsp; If that address appears unrelated to the content of the email, i.e. does not even include the web site or business name, it&rsquo;s a fake.&nbsp; DO NOT CLICK on any such link.&nbsp; And even when the business name does appear, read the whole address as described in the next point.&nbsp; On most mobile mail clients, pressing and holding on a link shows the same address without opening it.</li>
<li>Read web links carefully.&nbsp; You must read to the end of the host name to see where a link is actually taking you; the part that matters is the domain immediately before the top-level domain (.com, .net and so on), not the first part of the link.&nbsp; For example, this link is not related to American Express in any way: americanexpress.com.1243abc.badguy.com.&nbsp; The domain in this case is badguy.com, and real attackers will not be as obvious as this example.&nbsp; From your mobile device you might not even be able to scroll to the end: if you only saw the beginning of that link, &ldquo;americanexpress&rdquo; or &ldquo;americanexpress.com&rdquo;, and the rest was hidden by the window size, it would look completely legitimate to you.&nbsp; The bad guys know this and hope that you don&rsquo;t!</li>
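</ul>
<p>The host-name rule in the last two points can be checked mechanically. The Python below is an added example, not code from the original post or from the firm: it takes the host out of a link (discarding anything before an &ldquo;@&rdquo;, a trick the post does not mention but which the same parsing defeats), works out the registrable domain from a small, constructed public-suffix set, and compares that with the brand the email claims to be from, so that &ldquo;americanexpress.com&rdquo; appearing further left in the host counts for nothing. A second helper does the &ldquo;hover&rdquo; comparison between the text shown for a link and where it really goes. The suffix set, the sample links and the function names are assumptions; production code should load the full Public Suffix List.</p>

```python
"""Link-checking helpers for the "read the whole host name" advice above.
Added example (not the post's own code).  PUBLIC_SUFFIXES is a tiny
constructed subset; real code should load the Public Suffix List."""
from urllib.parse import urlsplit

# Constructed subset of public suffixes; the loop below tries two-label
# suffixes (co.uk) before one-label ones (com).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def hostname(link):
    """Return the lower-cased host of a link, or None if it has none.

    Anything before '@' is user-info, not the host, so
    'http://americanexpress.com@badguy.com/' yields 'badguy.com'.
    """
    if "://" not in link:
        link = "http://" + link          # bare host names as pasted in email text
    try:
        return urlsplit(link).hostname   # drops scheme, user-info, port and path
    except ValueError:                   # malformed brackets and the like
        return None


def registrable_domain(host):
    """The part of the host that someone had to register: the label just
    above the public suffix.  Everything to its left is chosen freely by the
    registrant and proves nothing about who they are."""
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None                          # unknown suffix or bare TLD: do not trust it


def link_belongs_to(link, brand_domain):
    """True only if the link's registrable domain IS the brand's domain.
    The brand name appearing further left (americanexpress.com.1243abc.badguy.com)
    does not count."""
    return registrable_domain(hostname(link)) == brand_domain.lower()


def display_mismatch(anchor_text, href):
    """The 'hover' check: link text that looks like a web address but whose
    href actually leads to a different registrable domain."""
    shown = hostname(anchor_text.strip())
    if not shown or "." not in shown:
        return False                     # plain words such as 'Click here': nothing to compare
    return registrable_domain(shown) != registrable_domain(hostname(href))


if __name__ == "__main__":
    # Constructed sample links, modelled on the post's example.
    for link in ["https://www.americanexpress.com/account",
                 "americanexpress.com.1243abc.badguy.com",
                 "http://americanexpress.com@badguy.com/login"]:
        print(link, "->", registrable_domain(hostname(link)),
              "genuine" if link_belongs_to(link, "americanexpress.com") else "FAKE")
```

<p>Unknown suffixes deliberately return <code>None</code>, so a link the checker cannot classify is treated as untrusted rather than as a match; with the real Public Suffix List loaded, the same loop runs over suffixes of any length.</p>
<ul>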
</ul>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/reading-this-might-just-preserve-your-identity-and-reputation/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/reading-this-might-just-preserve-your-identity-and-reputation/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Identity Theft</category><category domain="http://www.dataprivacymonitor.com/">Information Security</category><category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Thu, 07 Jun 2012 18:57:15 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>

      </item>
      
      <item>
         <title>The NLRA and Employee Surveillance:  Avoiding the Temptations and Pitfalls of Social Media</title>
         <description><![CDATA[<p><em>Authorship Credit: <a href="http://www.bakerlaw.com/EllenJShadur">Ellen J. Shadur</a></em></p>
<p>The advent of social media and the prevalence of mobile communications devices challenge employers seeking to prevent unlawful conduct in the workplace.&nbsp; Employees are no longer constrained by the need for physical proximity, or lack of access to a bulletin board, a telephone landline, or a fax machine.&nbsp; Bullying and harassment, misappropriation of an employer&rsquo;s trade secret or proprietary information, or&nbsp; disclosures that run afoul of securities or consumer protection laws, all may take place &ldquo;away&rdquo; from the workplace, and without the need for or use of workplace computers or equipment controlled by the employer.</p>
<p>Legitimate concerns about the power of these new media may drive some employers to monitor employee postings or comments via Facebook or Twitter.&nbsp; In so doing, employers may unwittingly run afoul of the National Labor Relations Act (the "Act").</p>
<p>The Act protects the rights of employees to engage in concerted activities &ldquo;for the purpose of collective bargaining or other mutual aid or protection . . . ."&nbsp; The Act further protects the rights of employees to engage in protected concerted activity free from unlawful surveillance by their employers.&nbsp; This is true whether or not employees are represented by a union or seek to be.&nbsp; Employees communicating with each other to address a shared concern related to their employment, or trying to encourage concerted activity on a matter related to their employment, may be engaging in activity protected by the Act.</p>
<p>Recent decisions of the National Labor Relations Board (the &ldquo;Board&rdquo;) make clear that employers must tread carefully when it comes to monitoring or intercepting employees&rsquo; communications via the Internet or social media.&nbsp; Employers do not have unfettered rights to act upon everything they see.&nbsp; While the Board&rsquo;s positions are evolving, the cases do provide some guidance.</p>
<p><strong>Friending</strong> &ndash; Employees sometimes &ldquo;friend&rdquo; their supervisors or otherwise include supervisors in their social network.&nbsp; Information obtained in this way is fair game for the employer; NLRB decisions have concluded that an employee who &ldquo;friends&rdquo; a supervisor is inviting observation by the employer.&nbsp; <em>See</em> Advice Memorandum dated July 28, 2011 regarding Buel, Inc., Case 11-CA-22936 (summarized in January 24, 2012 Report of the Acting General Counsel Concerning Social Media Cases).&nbsp; The same may not be true, however, where the supervisor is acting at the direction of the employer.&nbsp; Thus, employers should not encourage supervisors to seek out employees as social media contacts, such as Facebook friends.&nbsp;&nbsp; <em>See Id., </em>relying on <em>Donaldson Bros. Ready Mix, Inc. and International Union of Operating Engineers, Local 400 AFL-CIO,</em> 341 NLRB 958, 961 (2004).</p>
<p><strong>Trolling&nbsp;&ndash; </strong>Employers should not encourage or suffer supervisors to troll employee sites on social media sites such as Facebook or to follow employee Tweets for the sole purpose of monitoring concerted activity by employees. This, too, could be viewed as unlawful surveillance.&nbsp; <em>Id.</em></p>
<p><strong>Use of proxies</strong> &ndash; Creation of an impression of surveillance is also unlawful interference with employees&rsquo; rights under the Act.&nbsp; An impression of surveillance is created where an employer makes a statement from which an employee would reasonably assume that his or her concerted activity was under surveillance. <em>See</em> <em>Target Corporation and United Food &amp; Commercial Workers Local 1500</em> 2012 WL 1830340 (NLRB Div. of Judges, May 18, 2012).<em>&nbsp; </em>Thus, by way of example, a supervisor may not use employee proxies to collect information and then fail to disclose where the information came from.&nbsp;&nbsp; <em>Id.</em>&nbsp; (Employer found to have violated the Act where supervisor told employee that employer was aware of protected activity but would not disclose how employer learned of the conduct).&nbsp; Employers should not, therefore, encourage non-supervisory employees to do by proxy what employers may not do themselves, nor should they encourage anonymous &ldquo;tipping&rdquo; about employee gripes or complaints.</p>
<p><strong>What&rsquo;s an employer to do?</strong></p>
<p>The bad news for employers is that decisions addressing surveillance have not yet begun to grapple with the power of the Internet and social media.&nbsp; The good news is that the rules for employers are not more complicated or different simply because employees have new means of communicating with each other.&nbsp; Thus, employers may use the same tools that have always worked to encourage good employee behavior without employers having to resort to unlawful surveillance.&nbsp; Following are two examples:</p>
<ul>
<li><span style="text-decoration: underline;">Policies that clearly proscribe communications or conduct in a way that does not run afoul of employee rights under the Act</span>.&nbsp; The Acting General Counsel&rsquo;s reports on social media cases make clear that such policies must clearly define the context, or need, giving rise to the proscription, and the policy must be narrowly tailored for that context.&nbsp; By way of example, a policy against unlawful harassment that proscribes &ldquo;offensive&rdquo; conduct will pass muster even though a stand-alone policy with the same language would be overly broad and violate the Act.</li>
<li><span style="text-decoration: underline;">Policies encouraging employees to bring complaints or concerns to their supervisors, and allowing employers to use these policies to evaluate employee behavior</span>.&nbsp; In a recent decision of the Second Circuit Court of Appeals, the employer used such a practice to show that its decision to terminate a union activist employee did not constitute unlawful retaliation under Section 8(a)(3) of the Act.&nbsp; <em>See N.L.R.B. v. Starbucks Corp, </em>--- F.3d --- , 2012 WL 1624276 (C.A.2) (May 10, 2012) (employee termination lawful where based on noted deficiencies in &ldquo;communicating changes in partner attitude (concerns, compliments, complaints) to management&rdquo;).</li>
</ul>
<p>In conclusion, employers should avoid the temptation to use social media to monitor employee communications in ways that would be proscribed for other, more traditional types of concerted activity.&nbsp; The tried and true &ndash; well-written, thoughtful policies and good management practices, are still the best means of preventing unlawful employee behavior.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/the-nlra-and-employee-surveillance-avoiding-the-temptations-and-pitfalls-of-social-media/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/the-nlra-and-employee-surveillance-avoiding-the-temptations-and-pitfalls-of-social-media/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Online Privacy</category><category domain="http://www.dataprivacymonitor.com/">Social Media</category>
         <pubDate>Thu, 07 Jun 2012 09:26:53 -0500</pubDate>
         <dc:creator>Craig Hoffman</dc:creator>

      </item>
      
   </channel>
</rss>