Data Privacy Monitor - Commentary on Data Privacy, Security and Social Media Subjects

Authored by: David A. Einhorn and Alan Pate

ICANN is well on its way to the launch of new generic top-level domains (gTLDs) with the first ones being approved as early as April 23rd.  The handful of TLDs currently in use, such as “.com”, “.org”, and “.edu”, may soon be joined by over 1000 gTLDs ranging from “.book” to “.football”.   While we have previously focused on intellectual property concerns and objections to these new gTLDs, the launch perhaps raises another important consideration:  What implications might the new gTLDs have on the security of the Internet itself?

At the end of last month, VeriSign, longstanding operator of the “.com” top-level domain, issued a highly critical assessment of the new gTLD program.  In its March 29 report, VeriSign described a range of potential issues, all suggesting that the launch on ICANN’s current timetable could undermine the stability and security of the Internet.  For VeriSign, the problem seems to be the rapid speed at which the launch is progressing combined with ICANN’s unrealistic expectations that the existing Internet infrastructure will adapt.  Certificate authorities, root server operators, and VeriSign itself, are described as not being prepared for the technical implications the influx of new gTLDs will bring. According to VeriSign, this ultimately puts the “safety and security of Internet users, and the infrastructure itself” at risk. 

Due to the seriousness of these allegations, the Intellectual Property Owner’s Association has taken the position that the launch of the new gTLDs be delayed until these concerns have been properly evaluated and addressed.

Further, in a recent letter to the CEO of ICANN, PayPal expressed similar security concerns.  Specifically, PayPal raises the possibility that the new gTLD program might dangerously interfere with the security of private domains.  Private domains, as their name implies, exist outside the public Internet and for that reason are most often employed for security reasons. One of the most common examples of a private domain is a corporate intranet.  Corporate intranets are typically used to host services such as internal document management, email, or other web-based business applications.  Being private, they do not have to “resolve” or go to public top-level domain’s such as .com or .org, and can by-and-large choose their own top-level domains.  One of most common domains for a business intranet, and the example PayPal uses in its letter, is the “.corp” domain.

The crux of PayPal’s concern is what will happen when “.corp” becomes a generic TLD?   In some circumstances, they argue, it is possible a computer, smartphone, or other device could actually be deceived into connecting to the public .corp as if it were connected to the private .corp. Once connected, the possibility of confidential data being compromised could be serious. 

How serious of a problem could this be?  Statistics PayPal cite show nearly 10% of the total query load on public root servers represent just the top ten most frequently used private domains.  In other words, a large portion of internet traffic consists of devices trying to connect to a private address on the public internet.  This suggests that there is ample possibility for foul play should those traditionally private domain names be delegated to the public. 

PayPal’s recommendation is relatively straightforward: ICANN should take the most popular private domain names off the market. These include strings such as .corp, .local, .home, .internal, and .private.  Not doing so, PayPal claims, would put “millions of users and high-value systems at considerable risk.”  To date, there are outstanding gTLD applications for the .corp and .home domains.

For VeriSign, nothing short of a temporary halt to the process would be satisfactory.  In a recent interview, however, ICANN CEO Fadi Chehade indicated that ICANN had no intention of delaying the issuance of the new gTLDs.  Nevertheless, this past week, perhaps in response to VeriSign’s report, ICANN did announce some additional protections it would be employing—“Emergency Back-End Registry Operators” or EBEROs. These EBEROs will work to guarantee that websites hosted on new gTLDs will resolve in the event any gTLD fails. The EBEROs will be scattered across different regions of the globe to eliminate the possibility that any one natural disaster could affect all EBEROs at once. This is a measure VeriSign had suggested.

Ultimately, it remains to be seen what data security, privacy, or other concerns may be implicated by the influx of new gTLDs.  For the many businesses and entities that could be affected by the program, it is important to remain vigilant of the new top-level domains on the horizon and how they may impact existing systems.

The FTC last week announced the release of the Consumer Sentinel Network Databook for January – December 2012.  The “Consumer Sentinel Network” is the FTC’s platform for law enforcement collaboration on issues affecting consumers. The program collects data from a wide range of sources, providing a comprehensive, nationwide picture of consumer complaints. Given the possible existence of reporting biases and other factors, the FTC report should not be treated as a statistically valid survey of all consumer fraud. It is, nevertheless, an interesting and important part of the overall consumer-fraud picture.

This year’s Databook reports on over 2 million consumer complaints received, with identity theft as the top issue by a wide margin (369,132 complaints, 18% of complaints in all), followed by debt collection (199,721; 10%), banks and lenders (132,340; 6%), shop-at-home and catalog sales (115,184; 6%) and prizes, sweepstakes, and lotteries (98,479; 5%).

The total reported cost paid by consumers as a result of fraud was nearly $1.5 billion, or an average cost of $2,350 per affected consumer. However, this average is skewed by the existence of higher-dollar frauds affecting a minority of consumers. A close examination of the FTC-provided data reveals that most (54%) of consumers paid nothing as a result of fraud, with a median cost of $535 among victims who did pay. Thirteen percent of victims paid between $1,001 - $5,000, while only four percent paid more than $5,000,  rates which have remained fairly steady in each of the last three years.

It remains the case that most fraud originates in cyberspace, either via email (38%) or other web or internet exchanges (12%), although phone contact remains significant as well (34%).

Among reporting consumers, those aged 40 and above are at a higher risk of being victimized by fraud (66% v. 33% for those aged below 40). However, a complete look at the data undercuts any simple theory that susceptibility to fraud increases significantly with age. Considered as a whole, the under-40 group is helped by the fact that relatively few frauds target those 19 and under. And among reporting adults and broken down by decade, those aged over 70 are in fact the least likely of any group to be fraud victims.

In the category of identity theft fraud, most reported frauds are tax or wage related (43.4%), followed by credit card fraud (13.4%), and phone or utilities fraud (9.7%).

As reported here, the FTC earlier this month released a staff report on mobile privacy. The report, Mobile Privacy Disclosures: Building Trust Through Transparency, provides privacy practice recommendations to firms operating in the mobile app development "ecosystem." The report's recommendations are geared mainly toward developers and app store operators, such as Apple, Google, or Microsoft.

The report recommendations are not rules or regulations, and its contents do little to concretely signal new enforcement direction. Still, the report is a helpful indicator of agency thinking in general, and of the agency's increased interest in mobile privacy issues.

Distilled, the agency wants mobile app firms to provide:

• Clear, simple privacy policies;
• Complete and accurate disclosures of how information will be used, including just-in-time notice where appropriate; and
• Options for end-user control over the access to and use of private information

Just-in-time notice is notice offered to users immediately before the app accesses sensitive data. For example, users of Apple's iPhone may be familiar with the warning that appears when an app or website is attempting to use the phone's geolocation capabilities:

This is an instance of "just-in-time" notice.

The report's recommendations with respect to "just-in-time" notice are complicated, however, by its recommendation to increased policing by app platforms. Platforms -- the agency's word for app store operators associated with classes of mobile devices -- are in a privileged position to understand the functionality of the apps being offered in their respective app stores. Platforms can typically tell, for example, what parts of the mobile device an app will potentially be accessing. Based on this privileged knowledge, the staff report recommends that platforms develop and offer "platform-level" privacy disclosures that give app-store consumers the ability to understand the privacy-profile of a given app. This capability could be combined with other features such as, for example, allowing consumers access to app privacy policies in advance of downloading and installing a particular app on their mobile device. Platforms could also provide services that compared app privacy policies with the platform's own privileged knowledge about the app.

If recommended platform-level privacy measures like these are put in place, however, then the staff report suggests that "it is important that these app-level disclosures not repeat the platform-level disclosures." Here, the FTC discourages some forms of just-in-time disclosure as duplicative:

For example, an app should be able to rely on the platform's disclosure that geolocation data will be collected by the app . . . and need not repeat the same disclosure and consent process. If the app developer decides to share that geolocation data with a third party, the app developer should provide a just-in-time disclosure and obtain affirmative consent from users for that data sharing.

The agency report also supports "do not track" initiatives that would allow users to restrict ad networks from building targeted consumer profiles of particular users.

Operators in the mobile app development space should keep in mind the overarching emphasis of the staff report on the point of view of the end-user: does he know how his data is being treated? Can he find out easily? Does he have convenient control over that data's use?

Authorship Credit:  Tina Amin

China’s top legislature, the Standing Committee of the National People’s Congress, closed out 2012 with the approval of rules to enhance the protection of online personal information.  The “Decision of the Standing Committee of the National People’s Congress to Strengthen the Protection of Internet Data” (“Decision”), which took effect upon its December 28, 2012 passage, has the same legal effect as law and was enacted to “to protect network information security, protect the lawful interests of citizens, legal persons and other organizations, [and] safeguard national security and social order ....”  Though the Decision’s primary purpose is to protect the personal online information of Chinese citizens, it includes an identity management policy requiring Internet users to use their real names to identify themselves to service providers, including internet or telecommunications operators.

The Decision reflects China’s recent push to address the issue of online personal data protection, and follows a Chinese Ministry of Industry and Information regulation, which took effect in March 2012, requiring Chinese websites to follow stricter rules on user consent to the collection and sharing of their personal data.  Specific regulations regarding the protection of online data include the following:

• Internet service providers (ISPs), public service units (PSUs), and other organizations that collect or use an individual’s electronic information during business activities must clearly indicate the objectives, methods, and scope of collection and use of information and obtain consent for collection from the data subject.
• ISPs must strictly safeguard the privacy and strengthen the management of personal digital information. 
• Chinese citizens have the right to compel an ISP to delete personally identifying or private information about them or to take measures to terminate certain “harassing” activities.  
• ISPs are required to instantly stop the transmission of illegal information once it is spotted and take relevant measures, including removing the information and saving records, before reporting to supervisory authorities.
• Organizations and individuals are banned from obtaining personal digital information via theft or other illegal means, and prohibited from selling or illegally providing the information to others.
• “Supervising Departments” are empowered to take measures to prevent, stop, or punish those who infringe on online privacy, obtain personal digital information through illegal means, or sell or illegally provide information to others, and ISPs are required to give support during investigations.

Violators of the Decision rules are subject to liability including warnings, fines, confiscation of unlawful income, cancellation of permits or cancellation of fines, closure of websites, prohibition of relevant responsible personnel from future engagement in the in the network service business, and other civil, administrative and even criminal punishments.  Violations may also be recorded in the “social credibility files” and be made public. 

Still, questions remain about the implementation of the Decision.  Because the Decision itself is fairly broad and is meant to be more like a set of guiding principles than a law, many of the provisions lack the specificity essential for accurate understanding and compliance.  For example, there is no guidance regarding which governmental department or agency will supervise or enforce the rules.  Time will tell whether or not more implementing rules will clarify some of these ambiguities.

While continuing congressional inaction on the fiscal cliff is getting most of the ink/pixels in news headlines over the last couple weeks, several privacy bills have advanced in the House and Senate. Though only one is likely to become law before the 112^th Congress ends in a few days, they embody what will be the starting point for action on these issues next year.

GLBA Privacy Notices

The Eliminate Privacy Notice Confusion Act, H.R. 5817 passed the House by voice vote on December 12. As amended, the bill would remove the Gramm-Leach-Bliley annual privacy notice requirement of a financial institution if it has not, in any way, changed its privacy notice or procedures. After Rep. Ed Markey (D-MA) and others opposed a provision in the original bill that exempted State-licensed financial institutions subject to consumer privacy laws. The amended bill is substantially the same as the legislation that passed the House by voice vote in April 2010 and is supported by the Independent Community Bankers of America, the Credit Union National Association, the American Bankers Association, the National Association of Federal Credit Unions, and the Consumer Bankers Association, among others. As with its predecessor, however, the Senate is unlikely to take up H.R. 5817 in the little time remaining before year-end.

Location Privacy

The Senate Judiciary Committee approved the Location Privacy Protection Act of 2012, S. 1223, on December 13. Sponsored by Sen. Al Franken (D-MN), the bill would require mobile device (phones, tablets, car GPS) service providers to get prior consent from customers before collecting their geolocation information or sharing it with third parties. It also includes provisions designed to prevent so-called “cyberstalking”: Service providers that fall into one of the bill’s exceptions (to help a parent locate a child, provide emergency services, protect customers from fraud, etc.) must nonetheless notify the individual about the tracking and how to revoke consent. Further, the bill makes it a crime to intentionally operate a stalking application and provides for a study of the use of geolocation data in violence against women. The bill is enforceable by DOJ, state AGs, and a private right of action via a minimum of $2,500 in damages, plus punitives, and preempts only contrary, not stronger, state laws.

Despite passing committee with minimal opposition and having the support of “nearly every national domestic violence and consumer group in the country," Ranking Member Chuck Grassley (R-IA) and senior Democrat Chuck Schumer (NY) both expressed reservations about the bill’s potential negative impact on hi-tech, signaling further changes are likely before the bill would advance in the Senate. Grassley, citing a letter from the Interactive Advertising Bureau, also asked for a future hearing on technical aspects of the bill’s notice and consent requirements. Franken acknowledged the bill would not advance further this year, but expressed hope that the bill could make it through the Senate in 2013.

Of interest to the broader legal community, during committee consideration of the bill, Sen. Grassley offered an amendment to require state attorneys general pursuing ANY court action under federal law, including enforcement of S. 1223, to notify the court if they hired private counsel to represent the state, cite their authority to do so, and reveal the terms of any such agreement. Grassley said he’s troubled by firms hired on a contingent fee basis to enforce federal law. The amendment failed 8-9 on a party-line vote.

Video Privacy Protection Act

On December 18, by voice vote, the House passed a bill, H.R. 6671 “to clarify that a video tape service provider may obtain a consumer's informed, written consent on an ongoing basis and that consent may be obtained through the Internet.” In other words, the House passed the so-called “Netflix bill” to modernize the 1988 Video Privacy Protection Act to facilitate sharing one’s viewing information online. The bill included the enhanced video privacy protections from Senate Judiciary Committee Chairman Patrick Leahy’s (D-VT) version of the legislation (H.R. 2471), approved by the Committee in November, but excluded his provisions strengthening the Electronic Communications Privacy Act dealing with government access to communications. The former provision requires renewing consent to share video-viewing information every two years and a "clear and conspicuous" option to withdraw consent at any time. The latter would require the government to obtain a search warrant anytime it seeks individuals’ electronic communications such as email, regardless of how old they are, though notice to the individual could be delayed almost indefinitely in consecutive six month increments if it would jeopardize an investigation, endanger someone’s life, etc. Late yesterday, the Senate passed the House bill by unanimous consent and the President is expected to sign it into law. Judge Robert Bork, whose circumstances inspired the VPPA when a weekly newspaper in Washington, DC published his video rental history, passed away on December 19.

Identity Theft

Yesterday, the House considered the Medicare Identity Theft Prevention Act, H.R. 1509, which would simply eliminate the display (or coding or embedding) of Social Security numbers on Medicare cards within the next two years. It is expected to pass the House any day now with overwhelming bipartisan support. The Senate, however, has yet to act on similar legislation introduced by Richard Durbin (D-IL).

CFPB & Privileged Documents

Last but not least, the President is expected to sign into law any day now H.R. 4014, which clarifies that sharing attorney-client privileged information with the Consumer Financial Protection Bureau does not waive the privilege and potentially open up financial institutions to third-party subpoenas. Current law already preserves the confidentiality of information that financial institutions provide to most regulators, but Congress failed to make that explicit in the Dodd-Frank Wall Street Reform and Consumer Protection Act that created the CFPB.

Data Breach Reporting for DOD Contractors

Today, the Senate is expected to approve the Conference Report on the FY 2013 NDAA, one of the most important annual bills considered in Congress and the culmination of several months’ work. The Conference Report reflects a compromise between the House and Senate versions of the legislation and contains an entire Subtitle IX.D on “Cyberspace-Related Matters.” In addition to authorizing funds and setting policy parameters for cybersecurity planning and system development, the bill contains a provision directing DOD to establish a breach reporting mechanism for contractors. Section 941 of the legislation directs the Secretary of Defense to establish, within 90 days of enactment, procedures for “cleared defense contractors” to “rapidly” report successful penetrations of certain “networks and information systems” that meet criteria to be developed by the Secretary and other senior DOD officials. The procedures must include a mechanism for limited DOD access to contractor equipment and information for forensic analysis and must prohibit disclosure of non-DOD information outside the Department. The language is reportedly less onerous than provisions opposed by some business groups in the original Senate-passed bill. The House passed the Conference Report yesterday 315-107, so Senate passage will clear the legislation for the President’s signature. A broad overview of the NDAA is available on Armed Services Committee Chairman Levin’s website.

Earlier this week, Maureen Olhausen, the Federal Trade Commission’s newest commissioner, shared her perspective on “The Federal Role in Privacy: Getting It Right” in a discussion at the Hudson Institute, a conservative-leaning think tank in Washington, DC. Her straightforward comments indicated she intends to take a cautious and holistic approach toward any expansion of the FTC’s role in safeguarding consumer privacy – an approach informed by her 11 years of service at FTC, which she noted is more experience than any of her fellow commissioners.  That experience, which culminated in heading the Office of Policy Planning from 2004 to 2008 under Republican Chairwoman Deborah Platt Majoras, informed her broad view of FTC’s work on competition and economics, in addition to consumer protection. Among the views Olhausen expressed were:

• The core of the FTC’s mission is challenging deception, particularly fraud, and “should remain so.”
• Section 5 of the FTC Act – the “heart” of the Commission’s authority – is simple, but flexible and effective, as demonstrated by the recent settlement with DesignerWare, LLC and several rent-to-own stores for conduct that violated both the deceptive and unfairness prongs, and by the over one hundred spam and spyware cases and thirty-some data security cases brought by the FTC.
• She’s skeptical of calls for legislation to grant the FTC additional authority to protect privacy.  She criticized the Commission’s March report for not specifying what harms Section 5 can’t reach and for not considering the impact of reducing “information flow” in the marketplace, citing ABA Antitrust Section comments on the latter point.
• Nonetheless, she supports a uniform federal law for data security and breach notification because there are gaps that could be closed and because a single standard would be better for company compliance and consumer expectations than the current patchwork of state laws. A federal law must be carefully crafted to provide reasonable precautions for safeguarding various types of data to avoid imposing undue costs not justified by consumer benefits.
• In addition to using its enforcement authority, the FTC must continue to educate business and consumers and conduct/spur research to inform its policy development.

Olhausen’s point of view on the adequacy of FTC’s current authority would seem to be at odds with that of many privacy advocates in Congress, including Senate Commerce Committee Chairman John Rockefeller, who has a bill to empower the FTC to write and enforce “Do-Not-Track” online regulations and who recently opened an investigation into the business practices of data brokers. Rockefeller’s October 9 letter to 11 industry CEOs quotes the FTC report (regarding shortcomings of industry self-regulation) that Olhausen criticized and asks a series of detailed questions about data sources, collection mechanisms, product offerings, FCRA compliance, consumer access, etc. As information collection and targeted marketing become even more sophisticated, technology evolves – particularly with mobile devices, and data breaches increase, these differing points of view will almost certainly come to a head in the next Congress. How they are resolved - as with taxes, spending and so many other issues - may ultimately depend on what happens at the ballot box on November 6.

Listen to the audio of Olhausen’s presentation.

After several years where telemarketing fraud and exercise/weight loss products seemed to top the FTC’s agenda, the time has come when stepped up privacy enforcement against companies that are household names means that all consumer oriented firms need to take notice. This month, the FTC announced a settlement with Google that involves a $22.5 million civil penalty for privacy violations that had been prohibited in a prior settlement just last year. Google will pay the largest fine ever for violating a prior FTC order.

At the end of 2011, the FTC settled with Facebook for secretly disclosing personal information about customers that it had promised them it would keep securely. The cases are somewhat different, but both are based on the core principle that protections promised to consumers in privacy policies or otherwise define the company’s obligations to those customers.

The cases do have in common that both companies had provisions in their settlement agreements that plainly denied all alleged facts and conclusions of legal liability. Those clauses triggered a dissent by one commissioner who wanted to reject the settlements on that ground and a strong rebuttal by the other four commissioners. As noted at the end of this piece, it is a point that will interest mostly close followers of the FTC, but the last has not been heard of this tangential issue.

The cases illustrate why we tell clients, quite seriously, that “it is safer for you not to have a privacy policy than to have one that you do not follow.” Not only should companies post a clear and accurate policy, but they should review and update them on a regular basis in case new ways to collect or use information have arisen.

The FTC alleged that Google broke a promise to consumers by placing advertising tracking “cookies” on users’ computers equipped with Apple’s Safari® search engine. The FTC believed the practice to be an attempt to send “targeted” email ad messages to the account holders, a lucrative practice for the senders of the emails. This may not be a costly fraud on consumers, unlike taking money for telemarketing proposals that are worthless or do not exist. However, public policy is now recognizing that many consumers want a “privacy zone” around them that they do not want to have invaded without consent, whether they lose money or not.

In the Facebook case, the company found a way to capture and release personal information about consumers that it had promised to protect and keep private. Breaking promises to consumers about privacy is only one of the prongs of the FTC’s growing enforcement program.

There has been a dramatic rise in data breach cases—-as many by private parties as by the government. There real damage is done, especially because data breaches may be followed by ID theft unless consumers act quickly to protect themselves. Such cases are an enormous burden on the companies themselves. And money is only one part of the aggravation, which may include public notification, setting up new accounts for consumers, helping them monitor their consumer’s credit reports for a year or more to catch evidence of ID theft. It is also a public relations nightmare.

The FTC issued “Red Flags” rules in the last few years, by which most companies with consumer accounts and information must have a formal written plan, approved at the Board level and administered by high level employees, to “prevent, detect, and ameliorate” instances of identity theft. For the most part, compliance was not difficult and most companies seemed to get the point that such a program to deter theft of information would be among business “best practices” even if it were not required by law.

More and more companies, particularly those with sensitive customer information, should be considering periodic “privacy audits,” with or without outside help, to make sure their privacy policy is current and accurate, and that their efforts at protecting the information they do have is as aggressive as needed in a technologically complex world.

As to the Google and Facebook denials, they were unprecedented in FTC agreements. Instead, documents would state that the “the signing of the agreement does not constitute an admission of fact or law by the defendant or a finding by the court that a violation occurred.” A reader might wonder, like this writer, why the FTC thinks it makes a difference one way of the other, but for arcane interpretations of the century-old FTC Act. To the parties, the idea is to avoid anything that could be used in all-too-common class actions that piggy-back on the government’s case. In any event, it is clear that we have not seen the end of this debate.

The Children’s Online Privacy Protection Act (“COPPA”) was passed by Congress at the end of the last century to add protections when an internet site sought to collect “personally identifiable information” (“PII”) from children under 13. The Congress directed the Federal Trade Commission to issue Rules to implement the Act, which it did. Now the FTC on August 1 proposed amendments to its Rule to keep up with changes in communications and information gathering.

When the FTC Chairman announced its new COPPA Rules at a press conference in 1999, he explained how certain sites would have to request age information from users and require clear parental consent when the user was younger than 13 years old. The Rule raised a number of complicated issues at the time.

The very first media question was, “suppose a 12 year old child lies about his age and enters 14?” The Chairman answered with an air of resignation, “there is only so much a rule can accomplish.” Since that time, the FTC and others have struggled to keep the Rule relevant and current with changes in the world of technology.

It all seemed so simple in 1999. Child goes to computer and connects with internet. Child goes to website that seeks PII for some purpose-—getting a newsletter or becoming a member of a group sponsored by the site operator. It was hard to foresee that computers would be supplemented with various “smart” hand-held devices and that websites would routinely become linked to popular social networks where PII would often be entered, even when not solicited by the web operator itself.

As with other regulations that have faced obsolescence as commerce and communications advanced, the FTC again seeks public comment on a number of proposed changes to its COPPA Rule, which is published at 16 CFR Part 316. These are actually modified proposed changes based on comments the FTC received following a similar request in 2011.

The latest proposal is replete with subtle distinctions that, if approved, will require close scrutiny by operators of sites that attract young users. The full FTC proposal and instructions for submitting comments can be found here.

The FTC proposes to modify only certain definitions to clarify the scope of the Rule and strengthen its protections for children's PII. Specifically, the defined terms include: (1)"operator," and (2) "website or online service directed to children." The FTC proposal also would expand the meaning of "collected or maintained on behalf of" an operator and, importantly, would expand the definition of “personally identifiable information” to included “persistent identifiers” in certain circumstances.

The thread that runs through all of the proposed changes is that they are needed to keep pace with real world communications. For example, until now the person responsible for compliance was the “operator” of the website, presumably the party that was collecting the PII from children.

All of that has changed. A large number of websites contain links to Facebook and other social media, which may ask for and obtain PII even if the primary “operator” does not. Other devices, including pop-up ads on a web page, may also be used to gather PII.

As the FTC explains, this change makes clear that “an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered operator under the Rule.”

Similarly, the Commission proposes to modify the Rule's definition of "personal information" to reflect changes in online practices. Previously, a “persistent identifier” was used, without specific PII, to establish that the same person or computer was being used to access the website. Other uses were “internal,” that is, to improve the website rather than to interact with the user.

In time, it has become possible for operators to use some recurring bits of information to identify a specific person-—thereby making it PII. When that person is less than 13 years old, the same privacy issue comes into play as it once did with traditional PII. The FTC exempts from the expanded definition those identifiers that are used, as traditionally, only to "support for internal operations" of the website but not used or disclosed to contact an individual, including for example, through the controversial tool of “behavioral advertising.”

These two examples demonstrate the overarching purpose of the proposed changes, that is, to prevent the onset of obsolescence of Rules that were adequate at the time they were issued. It is a safe bet that the COPPA Rule is one that will be revisited periodically as long as website operators find new ways to extract PII from the youngest users among us.

The text of the Federal Register Notice for the proposal is available at the FTC's website. Public comments on the Supplemental Notice of Proposed Rulemaking will be accepted until September 10, 2012. Instructions for submitting comments are found in the Notice.

It is a common scenario—a company's computer system becomes infected with some variant of the Zeus Trojan with a key logger that sends key strokes out to a command and control server operated by a criminal. The criminal searches the key strokes to find login credentials to that company's Internet bank account, which are used to access the account and make wire transfers to accounts controlled by money mules. If the transactions are not blocked by the bank or detected by the company in time to block them, the company and the bank end up in a dispute over who bears the risk of loss. If the dispute leads to litigation, each side faces risk and litigation costs, in part due to the practical difficulties of meeting their burdens of proof.

This scenario occurred in 2009 between Patco Construction Company and Ocean Bank (later acquired by People’s United Bank). Patco filed suit to recover $345,000 in fraudulent wire transfer losses, but the district court found that the bank had implemented reasonable security measures, allocated the risk of loss to Patco and dismissed all of Patco’s claims. On July 3, 2012, the First Circuit Court of Appeals reversed the district court upon finding that the bank failed to implement commercially reasonable security methods to prevent unauthorized transfers. The First Circuit’s decision offers valuable lessons, which are dependent on understanding how the law allocates risk and the security methods that were used.

The Law. Article 4A of the Uniform Commercial Code allocates the risk of loss for unauthorized commercial wire and ACH transfers to the bank that receives the transfer order unless the bank can show that it accepted the order in good faith and followed a commercially reasonable security procedure for verifying the transaction that was agreed to by the customer. The bank must show that the security procedure was reasonable for that specific customer and bank based on any express instructions from the customer, as well as the circumstances of the customer known to the bank (size, type and frequency of payment orders normally issued by the customer), alternative security procedures offered to the customer, and security procedures in general use by similarly situated banks and customers.

The Security Procedures. In October 2005, the FFIEC issued guidance for authentication in Internet banking, which recommended that banks implement multifactor authentication, layered security, or other controls to mitigate the risk of fraud associated with single-factor authentication (i.e. username and password). To meet the guidance, the bank purchased a “premium package” from a security vendor and implemented a multifactor authentication security procedure with six features: (1) user ID and password; (2) device authentication using a cookie; (3) risk profiling using an algorithm that assigned a risk score to each login and transaction based on factors such as location, IP address and size, type, and frequency of orders; (4) challenge questions; (5) dollar amount of the order that triggers challenge questions; and (6) blacklisting of IP addresses associated with known instances of fraud. The bank did not use out-of-band authentication or tokens.

The Fraudulent Transfers. For six years, Patco used Internet banking to make ACH transfers primarily for payroll. The payroll ACH transfers were always made on Fridays from a computer in Patco’s office with the same static IP address. Over six years, the largest ACH amount was $36,000 and the highest risk score was 214. In May 2009, an unauthorized person who supplied the correct user name, password and challenge question answers to access Patco’s Internet bank account made a series of daily fraudulent ACH transfers over the course of one week that totaled $588,851. All of the logins associated with the fraudulent transfers were from an unrecognized device and an IP address that Patco had never used. The daily fraudulent transfers were two and three times larger than any daily transfer Patco had requested in the prior six years, and they were assigned high-risk scores of 720 and 790. The payments were directed to accounts that had never before received payments from Patco. Even though the fraudulent transfer orders generated high-risk scores, the bank did not manually review any of the high-risk transactions.

The fraudulent transfers were only detected after Patco received notice by mail from the bank that some of the fraudulent transfers failed because they were sent to invalid account numbers. Even after Patco notified the bank of unauthorized transfers, another unauthorized transfer order was placed and initially processed by the bank. The bank was only able to recover or block some of the transfers, leaving a net loss of $345,000.

Commercially Unreasonable. In finding that the bank’s security procedures were commercially unreasonable, the First Circuit relied on the totality of the following “collective failures”: (1) prior to May 2009, the bank was aware of the increased fraud resulting from keylogger malware and had already experienced two other instances of fraud associated with keylogger malware; (2) the bank lowered its dollar threshold for the use of challenge questions from $100,000 to $1, which the court determined substantially increased the risk that a keylogger would capture the challenge question answers at the same time as the log-in credentials; (3) the bank introduced no additional security measures to counter its decision to lower the challenge question threshold; (4) other similarly situated banks had introduced the use of tokens or manual review and verification of uncharacteristic or suspicious transactions; and (5) the fraudulent transactions were flagged as uncharacteristic, highly suspicious, and potentially fraudulent from a “very high risk non-authenticated device,” but the bank did not use that information in processing the transactions.

Consumer Obligations. The First Circuit noted that there are open questions under Article 4A of the UCC as to what, if any, obligations a company has when the bank’s security system is commercially unreasonable. The court identified two factual issues that might affect this determination. First, Patco argued that it requested e-mail alerts from the bank but never received them, while the bank argued that it sent a general notice to all customers with instructions on how to change their “Alerts” to receive e-mail alerts and Patco never set its account to receive alerts; and (2) whether the fraud originated from keylogging malware because Patco was alleged to have failed to properly preserve available computer forensic evidence (the anti-virus scan that Patco’s IT consultant ran after the fraud was detected quarantined and deleted the encryption key necessary to see the configuration file, which could have shown whether the malware was configured to capture log-in credentials).

The lessons-learned and issues to consider based on this decision include:

(1) Implementing a one-size fits all security solution or failing to implement the solution as designed will leave a bank vulnerable to a finding of commercial unreasonableness, especially if the tools give the bank sufficient information to detect and prevent the fraud (e.g. reviewing high-risk transactions before processing) but the bank does not.

(2) When bank employees are contacted by customers who report suspected fraud, what instructions are being given to customers?

• Are customers instructed to engage a qualified computer forensic expert to examine their computer network and appropriately preserve relevant data?
• It may be beneficial to develop a standard set of recommendations that can be sent to customers in this scenario, and documentation of sending that communication should be preserved.
• Are there protocols that results in at least temporarily blocking or adding heightened monitoring to all orders on accounts where the customer reports suspicious activity to prevent fraudulent orders from being processed after the bank receives the first report of suspicious activity?

(3) If banks are communicating with customers regarding available features and options to enhance the security of Internet banking, are those communications being preserved and documented appropriately so that they may be properly introduced as evidence to show security options made available but not implemented by the customer?

(4) In addition to other security features and best-practices, are banks advising customers to use a dedicated computer that is used only for accessing their Internet banking account (e.g. the computer is not used to browse any other sites on the Internet or to check e-mail)?

(5) In deciding how to address the dispute with customers, one factor to consider is that the commercial reasonableness of the security will be judged by courts and juries several years after the incident occurred. And even though the security should be judged based on what was appropriate at the time of the incident, given the speed at which technology and attack vectors change, the passage of time will likely negatively impact the perception of whether the security was commercially reasonable.

Authorship Credit: Dave Taylor, Director, Information Technology, Baker & Hostetler LLP

We are seeing a dramatic increase in spam and email phishing schemes once again.  These schemes have become very sophisticated in their ability to mimic the multitudes of legitimate on-line transactions that occur every day.  Please consider the following when reading and reacting to emails.

1. The bad guys love playing off of our emotions.  So they have taken to all manner of “inspiring” a reaction (mouse click) from us.  You have likely seen at least one of the following recently:

• A purchase confirmation for something you didn’t buy. PayPal, and eBay top the list for spoofs lately.
• A password reset or other account activity that you didn’t actually do.  American Express, Verizon, Apple iTunes/App Store.
• A LinkedIn request from someone you don’t know.
• An enticing “offer” that seems to be based on something about you or that is actually legit or important to you – like a subscription offer to some compelling professional content.  This must be real because this offer is only coming to me because it relates to my profession…
• A text message or IM that has a web link in it, usually congratulating you on winning $100 or something better!

2. Please keep the following in mind:

• If your name or email address is not in the To: field of an email, it’s a fake.
• If there are other names in the To: or Cc: field of the email, it is a fake.  No company is going to send you private account info, receipts, or password reset requests AND send them to anyone else at the same time.
• No company or web site is going to send you an unsolicited password reset request via email.
• LinkedIn is being used more and more for phishing AND social engineering attempts.  Even if the LinkedIn request actually takes you to LinkedIn, do not automatically accept invitations or connect with anyone you don’t know.  Even if they appear to be connected with others you may know.  Hackers and cyber criminals are using every means available to them to build a facade of credibility.
• Blackberry, iPhone, and iPad are not immune to malware and phishing attacks.  In fact, because these devices are MOBILE, the bad guys are expecting that your guard is down when working from them.  Many attacks are now designed to exploit vulnerabilities specific to mobile devices.
• Text messaging is now being used to launch phishing and malware attacks almost as frequently as email.  And many of the mobile platforms are just now patching vulnerabilities that can be used to steal your personal information.

3. What can I do to protect myself and the firm from hackers and phishers?

• Pay close attention to any and every email you read.  Train yourself to question the legitimacy of any email that “feels” wrong.
• Remind yourself to delay reacting to such emails especially from your mobile devices.
• Look for your name, and JUST your name, in the header of the email.
• Update your mobile device software frequently.
• Do not click on links in emails, especially from a mobile device; but if you must, at least …
• Practice the “hover” …  by hovering your mouse cursor over a link, you will see the actual web address that you will be connected to.  If it appears to be completely unrelated to the content of the email – i.e. does not include even the web site or business name, then it’s a fake.  DO NOT CLICK on any such link.
• Read web links carefully.  You must scroll to the end of the link to see where it’s actually taking you.  Don’t be fooled by the first part of the web link.  For example, this link is actually not related to American Express in any way …  americanexpress.com.1243abc.badguy.com            The domain in this case is badguy.com.  They are not going to be as obvious as I am !  And from your mobile device, you might not even be able to scroll to the end.  What if you only saw the beginning of that link “americanexpress” or “americanexpress.com” and the rest was not visible because of the window size … It would look completely legitimate to you.  And guess what, the bad guys know this and hope that you don’t!!!

Businesses Vulnerable to Employees’ Social Networking Activity

Authorship Credit: Greg Saikin

The FBI has issued a fresh warning to all users of internet-based social networking, informing them that hackers—ranging from con artists to foreign government spies—are looking for every opportunity to exploit the users’ identifying and related personal information.  The FBI reports that these tactics present serious risks to both the users and their workplace.

Per the FBI, hackers are carrying out two general tactics, which are often combined.  Hackers are: (1) exploiting personal connections through social networks—these hackers are also known as “social engineers” for their ability to manipulate users through social interactions over the phone, in writing or in person; and (2) writing and manipulating computer code to gain access or install unwanted software on your computer or phone.

“Once information is posted to a social networking site, it is no longer private,” the FBI warns.  “The more information you post, the more vulnerable you become…The more information shared, the more likely someone could impersonate you and trick one of your friends into sharing personal information, downloading malware, or providing access to restricted sites.”

In many cases, hackers are impersonating social networking users with the intent to target the user’s workplace. “Spear phishing,” for example, occurs when a hacker poses as the user in an email to the user’s co-workers. The hacker’s email contains a link or file with malware and only one recipient needs to open the email’s link or file to launch the malware in the business organization’s network.  In turn, the malware could provide the hacker with valuable information concerning the business’s security measures and trade secrets, as well as give the hacker an even greater ability to “social engineer” other employees within the organization.

In addition to “spear phishing,” the FBI also warns about other hacking schemes, including “baiting,” “click-jacking,” “cross-site scripting,” “doxing,” “elicitation,” and “pharming.”

To protect your business against these schemes, the FBI recommends implementing the following preventative measures:

• Use multiple layers of security throughout the computer network;
• Identify ways data has been lost in the past and mitigate those threats by changing behavior of company personnel;
• Constantly monitor data movement on the company’s network;
• Establish policies and procedures for intrusion detection systems on company networks;
• Establish and enforce policies concerning what company information employees can share on personal blogs and web pages;
• Educate employees about the impact of their behavior on the company and its employees;
• Provide yearly security training; and
• Ask employees to immediately report suspicious activity.

View the full FBI report.

Fifteen months after releasing its preliminary report, the Federal Trade Commission released its final Report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers.”  The much anticipated final report went further than the preliminary report by now calling for Congress to enact general privacy, data security and breach notification, and data broker legislation in addition to advocating that companies self-regulate by adopting the best practices set forth in the FTC’s privacy framework.  The mix of baseline privacy legislation and industry self-regulation tracks the Obama administration’s white paper recommendations for a “privacy bill of rights” and industry codes of conduct enforced by the FTC.

The three prongs of the FTC’s recommended “best practices” to protect consumers’ private information are:

1) Privacy by Design—building in privacy at every stage of product development;

2) Simplified Choice—simplifying consumers’ and businesses’ ability to make choices    about their information, such as through a “Do Not Track” mechanism; and

3) Greater Transparency—improving transparency in and consumer access to data       collection and use policies.  

In response to over 450 public comments to its preliminary report, which are heavily cited throughout the final report, the FTC altered some of its previous recommendations.  First, the FTC recognized the burden faced by small businesses in meeting the FTC’s recommendations.  Thus, the final framework does not apply to companies that collect non-sensitive data from fewer than 5,000 customers per year.  Additionally, in response to concern that data can be “reasonably linked” to consumers, and computers or devices, the Commission clarified that data is not “reasonably linked” where a company takes reasonable measures to ensure data is de-identified, publicly commits to not trying to identify data, and contractually prohibits downstream recipients from trying to re-identify the data.

Secondly, while the FTC previously proposed a list of five “commonly accepted” information collection and use practices, many commentators were concerned these practices could stifle innovation.  In response, the new guidelines state companies do not need to provide choice before collecting and using consumer data for practices consistent with the transaction, the company’s relationship with the consumer, or as required by law.  Thirdly, the Commission now recommends that any legislation addressing the practices of information brokers include procedures for consumers to access and dispute personal data held by information brokers.

The final report summarized the enforcement actions brought by the FTC since it issued the preliminary report, highlighting enforcement priorities that involve website privacy policies and practices, online behavioral advertising, COPPA, FCRA, and data security.  The FTC also identified five key areas it plans to focus its policymaking efforts on in the next year to promote the implementation of its privacy framework:

• Do Not Track—implementing an easy-to-use, persistent, and effective Do Not Track system;
• Mobile—improving privacy protections through short, meaningful disclosures; 
• Data Brokers—supporting targeted legislation that would require data brokers to create a centralized website that would identify brokers to consumers and detail access rights and choices consumers have;
• Large Platform Providers—exploring issues related to comprehensive tracking of online activities by ISPs, operating systems, browsers, and social media; and
• Promoting Enforceable Self-Regulatory Codes—working with the Department of Commerce and industry stakeholders to develop sector-specific codes of conduct, with the carrot that compliance with such codes will be viewed favorably by the FTC when it comes to enforcement.

The FTC cautioned that, to the extent the framework exceeds existing legal requirements, it is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC.  However, expect to see the principles of the privacy framework continue to appear as requirements of consent orders the FTC enters into to resolve the enforcement actions it brings.  Indeed, the FTC did just that the day after releasing its final report when it announced that it had entered into a proposed settlement agreement with social game site operator RockYou (prior coverage here) to resolve the FTC’s claims that RockYou failed to protect the privacy of its users when hackers gained access to the user names and passwords of 32 million users and violated COPPA by collecting information from 179,000 children.   

 Authorship Credit: Craig A. Hoffman & Jennifer D. Johnson

Earlier this year, the European Commission proposed a comprehensive reform to the EU's 1995 data protection rules, with the stated purposes of strengthening online privacy rights and boosting Europe's “digital economy.”

Still rooted in the European concept that privacy in one’s personal data is a human right, the updated EU directive is intended to modernize the principles enshrined in the 1995 Directive to ensure privacy rights in the future.  The suggested reforms include legislative proposals, including a regulation setting out a general EU framework for data protection.

According to the press release announcing the reforms, key changes include:

• A single set of rules on data protection, valid across the EU, with unnecessary administrative requirements, such as notification requirements for companies, removed;
• A strengthening of independent national data protection authorities, including granting them the power to issue fines to companies that violate EU data protection rules, in order to improve enforcement of the EU rules;
• Increased responsibility and accountability for those processing personal data, including almost immediate breach notification requirements to supervisory authorities for “serious” breaches;
• Organizations will be required to deal with a single national data protection authority in the EU country where they have their main establishment;
• Clarification that wherever consent is required for data to be processed, it must be explicit rather than assumed;
• A right of data portability to make it easier to transfer personal data from one service provider to another;
• A “right to be forgotten” that will allow people to delete their data if there are no legitimate grounds for retaining it; and
• EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.

While the Commission's proposals will not have an immediate impact – they must be passed on to the European Parliament and EU Member States for discussion and will take effect two years after they have been adopted – there can be little doubt that privacy and online security will be a hot topic in 2012 and beyond. The full proposed Directive may be seen here.

Last week in Washington, DC, officials from the U.S. Federal Trade Commission, the Department of Commerce, major trade associations and key stakeholders from around the world gathered at a global privacy summit convened by the International Association of Privacy Professionals.  During the two day conference, panels covered a broad range of topics from mobile device privacy to the outlook for federal legislation to global corporate compliance programs.  Several themes emerged, including:

• Rapid technological change is prompting an evolution in traditional notions of privacy.  While the law – state, federal, EU – is evolving much more slowly, changes are underway and regulators and legislators need (and want) to hear from stakeholders;
• No one wants to stifle technology and the new economy jobs it creates, but many current privacy disclosures and practices (or the lack thereof) risk making the “privacy bargain” (personal information in return for free content/services) so one-sided that prescriptive regulation becomes inevitable; 
• Companies lacking a robust compliance program governing collection, protection and use of personal information (be they customers, employees, vendors, or others) may face significant risk of a data breach or legal violation, resulting litigation, and a hit to their bottom lines.

The huge attendance at this year’s summit by a wide range of companies, technical professionals, and inside and outside counsel from all over the world reflects the growing importance of these issues.  Following are highlights from some of the conference panels I attended featuring the FTC:

Collection Versus Use

Regulation of data collection versus data usage was a central theme at a panel that had hoped to discuss the FTC’s final version of its 2010 framework for protecting consumer privacy (still no word on when the final report will be issued).  Disagreeing with a fellow panelist from George Washington University who said the FTC should simply focus on how collected consumer data is used, FTC Commissioner Julie Brill expressed serious concerns about the “unmitigated collection” of consumer data for all manner of purposes that then exists in perpetuity.  Referencing a recent New York Times article about the ability to predict whether someone is pregnant out of “relatively innocuous information,” Brill said she is most concerned about vast amounts of information being collected and then used to compile profiles of consumers.  Brill urged companies not to think about privacy just in terms of compliance but to think about it as “risk management” at the corporate executive level, pointing out that the more information a company collects the greater the potential liability if it is breached.  Brill also emphasized the collection versus usage theme in the context of “do-not-track” proposals being developed by industry, saying it is very important that do-not-track address both the collection and use of consumer information; to ignore the collection element would only yield a “do-not-target” mechanism, which is not what the FTC called for in its preliminary framework. 

Liability and Proactivity

Brill also said that failure to have a “privacy by design” program in place would not be automatic grounds for a violation of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices.” Brill said that the FTC looks at companies’ practices and processes when evaluating a potential privacy-related enforcement action, insisting over her co-panelist that such actions are not subject to strict liability.  Nonetheless, Brill encouraged companies to be forward-thinking, saying that standards in the realm of privacy and data security have evolved and the reasonable steps a company is expected to take will become more comprehensive in the future.  Similarly, Brill encouraged privacy professionals to help their clients realize that privacy and data security issues are not going away; ignore a problem and you’ll end up sitting across from the FTC in an enforcement action.  Finally, Brill also warned that many data brokers do not even realize that they come under the Fair Credit Reporting Act.

COPPA and Mobile Privacy

The FTC is continuing to review its rules with respect to children’s growing use of mobile devices and online services.  Referring to the “long tail” in the app industry and the fact that so many apps lack privacy policies as found in FTC’s February report, Commissioner Brill said she wanted to get the message out that the Children’s Online Privacy Protection Act applies to mobile device applications.  Brill described COPPA, which requires parental consent for collection and use of children’s personal information, as an appropriate “speed bump” for particular types of users, while private sector panelists characterized COPPA as more of an obstacle to the possibilities created by new online and mobile platforms that requires fine tuning.  The issue of how to treat teens, currently not covered by COPPA, was also discussed.  Brill could not comment on specifics due to the review underway, but thinks that teens require some sort of special protection and said some commenters believe COPPA should be extended up to age 18.

In a separate panel, Christopher Olsen, assistant director of privacy and identity protection in the FTC's Bureau of Consumer Protection, similarly warned that companies need to do a better job providing information about their mobile apps’ data collection; that the same privacy and security principles apply in the mobile and non-mobile environments.  The FTC undertakes its own inspections of mobile apps, testing developers’ claims, in addition to considering consumer and NGO complaints and congressional concerns.  With all the different players involved in the mobile device space – from app developers to telecom carriers to add networks to device manufacturers – contract provisions play a large role in how information is collected and used.  Olsen stressed that compliance with such provisions – making sure someone is actually monitoring – will be an important issue going forward.

Finally, the FTC will hold a mobile payments workshop on April 26 and a “Public Workshop to Explore Advertising Disclosures in Online and Mobile Media” on May 30.  The latter will inform FTC’s thinking on updating guidance to businesses about disclosures in online advertising.

Reports of the demise of Internet innovation in the UK, as a result of the UK’s implementation last May of the new European Directive governing the use of "cookies" , were greatly exaggerated. That said, the impact of the Cookies Directive was delayed when the UK Information Privacy Office ("IPO") announced that it would abstain from enforcement of the Cookies Directive for a year, in order to give website operators an opportunity to adapt to the new requirement that (with some specific exceptions) website operators must obtain express consent before placing a "cookie" (a small text file that can be used to identify a device and track its activity) on a user's device. Given the almost universal use of cookies to enhance functioning and user experience on websites, critics have complained that compliance with the Cookie Directive will result in an Internet slowed to a crawl by a proliferation of pop-up boxes seeking consent every time cookies are deployed.

The May 2012, deadline for commencing enforcement draws ever closer. Any website operator with a significant user base in Europe should at this point be developing a strategy for compliance. If you have a substantial Internet presence in Europe, and are ignoring the Cookie Directive and hoping it goes away, you do so at your peril. In a Guidance issued last month, the ICO warned that companies disregarding the Cookie Directive should "be assured" that, after May 26, 2012, the ICO will be enforcing compliance.

The ICO's website offers one example what compliance with the EU Cookie Directive might involve. When you first access the site, you see a boxed message at the top of the page stating:

The ICO would like to use cookies to store information on your computer, to improve our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about the cookies we use and how to delete them, see our privacy notice.

Below this statement, users are asked to check a box next to the statement: "I accept cookies from this site."

If you click on the "Privacy Notice" referred to in the disclaimer, you are directed to a chart that: (i) lists 8 different types of cookies employed the ICO site, (ii) provides detailed descriptions as to when and how these cookies are used, and (iii) provides links where you can obtain more information about these cookies.

We are not saying that your website must imitate what the ICO has done. In its recent Guidance, the ICO made it clear that it was not advocating one approach for every website or that it was expecting perfect compliance by May 26, 2012. But the ICO also made it clear that if it receives complaints, or is otherwise investigating a site, it will expect the website operator to be able to identify the steps that the website had taken towards compliance with the Cookie Directive.

In order to have a good answer to this question if the ICO comes calling, we recommend the following:

1. Examine whether there are ways in which your privacy policy can more specifically identify the different types of cookies employed and whether you can better explain when and why they are used.
2. Examine the feasibility of incorporating an express "opt-in box" to your use of cookies into the architecture of your website, and the extent that such a box would interfere with the user experience.
3. Pay attention to how peer websites are disclosing their cookie practices—particularly over the next few months as companies prepare for the May 26^th enforcement deadline. You don't want to be the only website in your industry that has failed to adopt disclosure practices which have become an industry standard.

While plaintiffs continue to face an uphill battle proving damages in privacy litigation - regulatory actions and investigations seem to be increasing.  During 2011, we saw activity from many government agencies—both state and federal—including the Federal Trade Commission (FTC), Department of Education (DOE), Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Office of Inspector General (OIG), Security Exchange Commission (SEC), state Attorneys General, and the California Department of Public Health (CaDPH).

FTC 

The FTC has a long history of being proactive in promoting consumer protection and in preventing anti-competitive business practices.  The FTC has the power to regulate against unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.  In 2011, there were several noteworthy FTC actions in the privacy sector.

• Google Buzz:  The settlement with Google arose out of alleged violations of Google’s privacy promise related to the sharing of Gmail user account information to populate Google’s new social network, Google Buzz.  The settlement bars the company from future privacy misrepresentations.  Google is also required to implement a comprehensive privacy program and submit to independent audits for the next 20 years.  Additionally, for the first time, the FTC alleged violations of the U.S.-EU Safe Harbor Framework (which has privacy requirements for the transferring of personal information from the EU to the U.S.).
• Playdom:  Playdom, an online game developer, was accused of collecting and disclosing information about hundreds of thousands of children under 13 without parental consent.  The FTC announced on May 12, 2011 that it had reached the largest civil penalty settlement under the Children’s Online Privacy Protection Act (COPPA) with Playdom for $3,000,000.  COPAA  prohibits owners of websites and online services directed to children (including general audience websites) from collecting or maintaining personal information about children under 13 without verifiable parental consent (including name, address, email address, telephone number, social security number, etc.).  The FTC has online resources for those interested in learning more about COPPA.
• Facebook:  Ending the FTC’s 18-month investigation into Facebook’s user privacy practices, the FTC and Facebook reached a settlement [pdf] in November of 2011.  As we reported here, by adding Facebook to the list of major social media entities subject to an FTC consent order—a list that includes Google and Twitter—the FTC has loudly signaled its leading role in regulating the online privacy practices of businesses.  The focus of the FTC seemed to be on sharing user information and making certain user information available without clear consent.  Similar to the Google Buzz settlement, Facebook agreed to not misrepresent its privacy controls.  Independent audits for the next 20 years are also part of the settlement.

With the FTC’s recent workshop on facial recognition technology as it relates to privacy and security concerns, it is clear that we will continue to see FTC activity in 2012.  The question remains—will we see any enforcement activity relating to the Red Flag Rules, which we talked so much about between 2008 and 2010?

DOE 

We have seen investigations by the DOE following data breaches involving educational institutions pursuant to Family Educational Rights and Privacy Act (FERPA).  While there is currently no duty to report a breach to the DOE, the agency is reading news reports and utilizing online resources to track breaches that have been made public.  We expect that this activity will continue in the new year, particularly since the DOE has been more focused on privacy issues in the past few years with the addition of a new Chief Privacy Officer, establishment of the Privacy Technical Assistance Center (PTAC), and the enhancement of FERPA regulations.

HHS OCR

Since the enactment of HITECH, and with its enforcement authority of the HIPAA Privacy and Security Rules in place, OCR has been quite active following data breaches involving healthcare organizations.  Typically, the organization receives a laundry list of document requests (and often supplemental requests as well) during the course of the investigation.  While penalties are available, we have not seen significant activity in this regard.  Still, there were two civil penalties assessed in 2011 that may be a warning call that the HHS is looking carefully at the safeguards in place to protect protected health information (PHI) at healthcare organizations.   The first penalty was for $1M and involved Massachusetts General Hospital.  There, records of 192 patients of the Infectious Disease Associates outpatient practice were lost on public transportation—some containing diagnoses of HIV/AIDS.  The second incident involved a $4.3M penalty against Cignet for refusing to provide 41 patients access to medical records.  Additionally, it was alleged that Cignet did not cooperate with HHS’s investigation.  With the audits of covered entities commencing just recently, the occurrence of major healthcare breaches in 2011, and the fact that over 30,000 healthcare breaches have been reported since HITECH, we expect that OCR activity will increase in 2012.

State AGs

2011 brought additional activity by state AGs.  AGs have enforcement authority of their own state data breach laws in most cases, as well as enforcement authority under HITECH.  Two actions came out of Massachusetts that should be closely followed. The first involved the Briar Group, LLC (“Briar Group”), a restaurant chain.  On March 28, 2011, the Briar Group was the first company to be fined  under the Massachusetts Data Privacy Law.  In addition to the $110,000 in penalties, the Briar Group will have to prove compliance with the Commonwealth’s data security regulations as well as the Payment Card Industry Security Standards.  The second action involved Belmont Savings Bank and a $7,500 fine.  The fine may seem small, but the incident involved only 13,000 customers, and the back-up tapes at issue were known to be discarded in a trash can by a cleaning company.  The focus of this action seems to be an allegation of poor information security practices, including security procedures for handling computer tapes and customer information.  Also, in Indiana, the Attorney General settled with Wellpoint, Inc. for $100,000 after the company allegedly delayed in notifying approximately 32,000 residents about a data breach.  Wellpoint was also required to provide up to 2 years of credit monitoring and identity theft protection services to Indiana consumers affected by the breach, and reimbursement to any WellPoint consumer of up to $50,000 for any losses that result from identity theft due to the incident.  The Indiana Attorney General’s Office interprets the timeliness requirement of the Indiana Disclosure of Security Breach Act to require notice to affected individuals within 30 days.

In addition, the HHS conducted training sessions for HITECH enforcement this year to state AGs.  Now that the training has been completed, we expect to see increased activity in 2012.

These are some of the 2011 regulatory highlights.  Other agencies have been active as well.  No matter which agency may have enforcement power over your organization, do not wait until a breach occurs to think about how you will respond to an investigation.  As we discussed here, regulators expect a prompt and thorough response, transparency and involvement by the C-Suite. 

Facebook and the FTC announced an agreement on November 29, 2011, ending the FTC’s 18-month investigation into Facebook’s user privacy practices.  By adding Facebook to the list of major social media entities subject to an FTC consent order—a list that includes Google and Twitter—the FTC has loudly signaled its leading role in regulating the online privacy practices of businesses.  Indeed, shortly after announcing the settlement, the FTC posted a list of seven key lessons for businesses based on its recent consumer privacy enforcement actions.

The FTC’s eight-count complaint included allegations regarding Facebook’s statements about user privacy controls, including whether Facebook shared user information with third party applications, despite representations that users could control their privacy settings.  For example, a user’s personal privacy settings in some instances were ineffective against “Friends’” applications.  Additionally, the FTC alleged that Facebook engaged in retroactive privacy changes that overrode users’ previous levels of privacy in December 2009 by making certain information, such as name, profile picture, city, gender and friend list, public.  Though Facebook admitted to no wrongdoing in the settlement agreement, as Mark Zuckerberg explained in a blog post, the agreement establishes certain requirements for Facebook’s management of users’ information and privacy settings—many of which Facebook has implemented.

In the consent order, Facebook agrees that it will not misrepresent the extent to which it maintains privacy or security of “covered information” (user provided information, including name, address, e-mail address, phone number, IP address, photos and videos, or physical location).  Specifically, Facebook agreed not to misrepresent the following aspects of its privacy controls: 

• the extent to which it maintains the privacy or security of such information in the collection or disclosure of covered information;
• the extent to which a consumer can control the privacy of any covered information maintained by Facebook and the steps a consumer must take to implement such controls;
• the extent to which Facebook makes or has made covered information accessible to third parties;
• the steps Facebook takes or has taken to verify the privacy or security protections that any third party provides;
• the extent to which Facebook makes or has made covered information accessible to any third party following deletion or termination of a user’s account with Facebook or during such time as a user’s account is deactivated or suspended; and
• the extent to which Facebook is a member of, adheres to, complies with, is certified by, endorsed by or otherwise participates in any privacy, security or any other compliance program sponsored by the government or any third party, including but not limited to, the U.S.-EU Safe Harbor Framework.

Other highlights of the agreement include that Facebook must clearly convey what user information is “nonpublic” and the extent to which it is shared to third parties by disclosing the identity of third parties, the extent that sharing such information may exceed the boundaries of a user’s established privacy controls, and by obtaining a user’s informed consent. The agreement also limits use of a Facebook user’s covered information to a 30 day window after a user has terminated or deleted his or her account.  Facebook must also designate a comprehensive privacy program, obtain privacy audits every two years for the next 20 years, and keep certain records of its communications or policy changes regarding privacy.

Jennifer Johnson contributed to this post. 

The Interagency Voluntary Working Group on Food Marketed to Children released Preliminary Proposed Nutrition Principles to Guide Industry Self-Regulatory Efforts to improve the nutritional profile of foods marketed to children in April 2011.  Today, FTC Commissioner David Vladeck addressed 12 myths about the recommendations, including: (1) providing reassurance that the guidelines do not provide a basis for regulatory enforcement by the FTC; (2) noting that the proposal does not ban any marketing or specific food—it only recommends that certain products marketed to children meet nutritional principles; and (3) confirming that the proposal does not mean the end of chocolate Easter bunnies or the banishment of Toucan Sam from the Froot Loops box.  

In May 2011, Rep. Edward J. Markey (D-Mass.) and Rep. Joe Barton (R-Texas) introduced a children’s online privacy bill, the “Do Not Track Kids Act of 2011.”  The bill would amend and expand the protection offered by the Children’s Online Privacy Protection Act of 1998 (COPPA).  COPPA, which was created before Facebook and the proliferation of smartphones, only prohibits the collection of personally identifiable information from children under 12 without parental consent (read the FTC’s FAQs about COPPA here).  The bill would expand the protection of COPPA by covering online and mobile applications, unique persistent identifiers like IP addresses, and it would establish new privacy rules for minors under 18.  According to the press release from Rep. Markey:

  The “Do Not Track Kids Act of 2011” strengthens privacy protections for children and teens by:

• Requiring online companies to explain the types of personal information collected, how that information is used and disclosed, and the policies for collection of personal information;
• Requiring online companies to obtain parental consent for collection of children’s personal information;
• Prohibiting online companies from using personal information of children and teens for targeted marketing purposes;
• Establishing a “Digital Marketing Bill of Rights for Teens” that limits the collection of personal information of teens, including geolocation information of children and teens;
• Creating an “Eraser Button” for parents and children by requiring companies to permit users to eliminate publicly available personal information content when technologically feasible.

The bill adopts many of the principles set forth in the Common Sense Media white paper, Protecting Our Kids’ Privacy in a Digital World.

The FTC has been collecting comments on the costs and benefits of the regulations implementing COPPA since April, including whether COPPA is broad enough to apply to mobile applications, mechanisms for obtaining parental consent, and Safe Harbor.  The FTC is also seeking public comment on a proposed safe harbor program submitted by Aristotle International, Inc. for Commission approval under COPPA.

California SB 242 (Social Networking Privacy Act), which we covered here, would require social networking websites to design default privacy settings that prevent information about a user from being displayed without affirmative consent from the user.  On May 27, 2011, the bill failed to receive enough votes to pass the California Senate.     

The bill faced strong opposition from social networking sites.  After the bill failed, Facebook spokesman Andrew Noyes issued the following statement: "Lawmakers rejected Sen. Ellen Corbett's bill today because it was a step in the wrong direction for California's growing Internet industry at a time when the state's economy can least afford it.  Sen. Corbett is arguing for unnecessary regulations that ignore the extraordinary lengths that companies like ours go to in order to protect individuals' privacy and give them the tools to determine for themselves how much information they wish to share online."

State Senator Ellen Corbett, who proposed the bill, vowed to bring the bill back for another vote this week.  The bill was five votes short of a majority, and seven Democrats declined to vote on the bill last week. 

UPDATE: Two California senators published an opinion article in the San Francisco Chronicle on June 1, 2011, voicing their opposition to SB 242 as bad policy because: (1) it would "hamstring a global, billion-dollar, interstate industry"; (2) it is "constitutionally unsound"; and (3) it would cause California businesses to relocate to other states. 

UPDATE NO. 2: As promised, Senator Corbett brought SB 242 up for a second vote on June 2, 2011.  It garnered three additional votes, leaving it two short of a majority.  Senatory Corbett said she plans to meet with leaders of social networking companies and consumer groups this summer.    

Although the world did not come to the end on Saturday, as one millennial group had predicted, some in Europe worry that the end is near for European Internet start-ups when the new EU cookie directive goes into effect on May 25, 2011.  The concern is that European-based web sites will become littered with pop-up windows seeking consent to the use of cookies, while sites in the U.S. will continue benefit from cookies without having to get a user’s express consent for every cookies placed on a user’s machine.

And while European-based web sites fear they will bear the brunt of enforcement, U.S.-based website with users in Europe are potentially subject to these rules.

Website operators install cookies (small digital files) on user’s computers to store and retrieve information on a user's activity on the site.  Cookies are an important tool for measuring the appeal of content, improving user services and targeting advertising.   Traditionally, website operators have disclosed their use of cookies on their website privacy policy.  Users were deemed to consent to having cookies installed on their computer in accordance with this posted policy.   As the UK Information Commissioners Office (“ICO”) has explained in recently-issued Guidance, this passive consent is no longer generally permitted under the new EU rules.  With certain limited exceptions, a user must affirmatively “opt in” to accepting cookies before a website can install cookies (or any similar file) on a user’s computer.

The potential fines for violation of the EU cookies rule are high – up to £500,000 in the UK – but it is unclear whether or when EU authorities will commence enforcement of this new rule.  The ICO has said it will delay enforcement to give website operators the time to adjust their practices.  The ICO has also held out the possibility that the ultimate solution will be more advanced web browser technology.  The ICO advocates widespread adoption of web browsers that give users more control over the types of cookies that they allow to be placed on their computer.  But until this technological solution arrives, website operators with users in Europe must confront the question of how and how soon they will bring their sites into compliance with the EU directive.

A December 2009 SQL injection attack against social network application maker RockYou.com’s database resulted in the breach of 32 million log-in credentials ( e-mail address and password).  Not only did RockYou.com store the log-in credentials of its users in plain text, it also stored those user’s log-in credentials for social networking sites like Facebook and MySpace in plain text as well.

After the RockYou.com breach was disclosed by the hacker and RockYou.com notified its users, a RockYou.com user filed a putative class action complaint in U.S. District Court for the Northern District of California (Claridge v. Rockyou, Case No. 4:09-cv-06032-PJH).  The amended complaint asserted nine claims, including violations of the Stored Communications Act, three different California statutory claims, breach of contract, and negligence.   The amended complaint, to demonstrate the existence of some tangible harm caused by the breach, alleged RockYou.com users “pay”  RockYou.com for its product and services by providing RockYou.com with their personally identifiable information (PII) with the promise from RockYou.com that it would use commercially reasonable methods to secure their PII .  The amended complaint further alleges that as a result of RockYou.com’s role in allowing  the breach that exposed users’ PII, the users’ lost the “value” of their PII. 

RockYou.com moved to dismiss all of the claims.  In its April 18, 2011, decision,  as an initial matter, the court found that the plaintiff had standing to file the suit (by alleging an injury in fact) in the form of the loss of value of PII.  The basis for refusing to find that the plaintiff lacked standing  was the “paucity of controlling authority regarding the legal sufficiency of plaintiff’s damages theory” as well as the court’s determination that “the unauthorized disclosure of personal information via the Internet is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.”  The court did indicate that  it “has doubts about plaintiff’s ultimate ability to prove his damages theory in this case, the court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact.”  

With regard to the nine claims, the court dismissed the Stored Communications Act claim and all three claims based on California statutes.  The court, however, declined to dismiss the breach of contract and negligence claims by finding that: “at the present pleading stage, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified “value” and/or property right inherent in the PII.”  The court also concluded that “plaintiff’s allegations that he was injured by defendant’s actions in permitting the unauthorized and public disclosure of his PII, which had some unidentified but ascertainable value, are sufficient to allege an actual injury at this stage.”

The court’s decision also provides a practical consideration when drafting limitation of liability clauses for website privacy policies.  RockYou.com’s privacy policy provided that: “RockYou! . . . assumes no liability or responsibility for . . . (III) any unauthorized access to or use of our secure serversand/or any and all personal information and/or financial information stored therein . . .”  RockYou.com argued that this provision barred the plaintiff’s breach of contract claims.  The court, however, found that the policy language did not automatically preclude the claim because the plaintiff alleged that the servers were not secure. 

The FTC—in its December 2010 online privacy report and testimony before Congress—discussed the need for a browser-based “Do Not Track” mechanism to give consumers greater control over behavioral advertising.  Under the “Do Not Track Me Online Act of 2011” (H.R. 654)—introduced by Rep. Speier (D-CA) on February 11—the FTC will have 18 months to establish regulations for an online opt-out mechanism.  The opt-out mechanism must “allow a consumer to effectively and easily prohibit the collection or use of any covered information and to require a covered entity to respect the choice of such consumer to opt-out of such collection or use.” 

The new regulations will apply to any person engaged in interstate commerce that stores or collects any of the following online data regarding an individual: (1) online activity, including web sites visited and time of access; (2) IP address; and (3) personal information, including name, e-mail address, phone number, or financial account information.  Covered entities would have to disclose their collection and sharing practices, including identifying by name who they share information with.  The bill would allow the FTC to exempt commonly accepted commercial practices like the collection of information for billing purposes.

Failure to comply with the new regulations would constitute an unfair or deceptive trade practice.   In addition to the FTC, state attorneys general would have the authority to bring a civil action to enforce violations of the new Do Not Track regulations.  Civil penalties would be calculated by multiplying the number of days a covered entity was not in compliance by an amount up to $11,000 per day, up to a maximum total liability of $5,000,000.      

Speier also introduced the “Financial Information Privacy Act of 2011” on February 11.  According to her press release:

“The Financial Information Privacy Act of 2011 would finally give consumers the ability to control the sharing of their own financial information. The bill mirrors legislation Speier successfully steered to passage in California that prevents financial institutions from sharing or selling personally identifiable nonpublic information with affiliates without an opportunity to opt-out, or in the case of unaffiliated third parties, a requirement that consumers opt-in. This bill gives consumers control of their personal financial information and provides meaningful but workable privacy protection.”

The Commerce Department on Thursday released a green paper, Commercial Data Privacy and Innovation in the Internet Economy: a Dynamic Policy Framework, recommending the consideration of a new framework to address online privacy issues in the U.S.  The goal of the 88 page report, created by the department’s Internet Policy Task Force, is to improve consumer online privacy protection while continuing to foster online business growth.

One of the key recommendations of the report calls for the creation of a set of “Fair Information Privacy Principles”, a sort of privacy Bill of Rights for the online consumer.  These principles would act as a baseline for online data privacy protection, and make usage of online consumer data much more transparent.  The goal would be to establish clearer online data usage limits and enhanced audit requirements, with policy violations enforceable by the Federal Trade Commission.

In addition, the report recommends the creation of a Privacy Policy Office in the Department of Commerce. The role of the new office would be to, among other tasks, work with the FTC, examine commercial uses of online data, and determine where gaps in privacy protection existed.

The report also recommends the enactment of a federal data security breach notification law. The report goes on to add, “A comprehensive national approach to commercial data breach would provide clarity to individuals regarding the protection of their information throughout the United States, streamlining industry compliance, and allow businesses to develop a strong nationwide data management strategy.”

The Commerce Department seeks public comment on the report by January 28, 2011, with a white paper on the subject planned for release in 2011.

Savvy internet users know that their movements on the Internet are tracked by the use of “cookies” placed on their computers and used by marketing firms to study consumer patterns and target advertising.  They also think that their internet browsers are equipped to remove those cookies.

What many users—even vigilant users—do not know, is that Local Shared Objects, commonly known as “flash cookies,” can survive this deletion process and remain on their computers in perpetuity.  Some flash cookies are programmed to surreptitiously “re-spawn” when deleted by a user.  This “re-spawning” is done without the user’s knowledge and, arguably, outside the consent given under various end user agreements and privacy policies.  The flash cookies can result in the transmission of personally identifying information and other data useful to a marketer or retailer.

In August 2009, researchers at the University of California at Berkeley published an article that revealed the prevalent use of flash cookies by major websites.  The research showed that more than half of the sites sampled store user information through flash cookies.

U.S. consumers have fought back against the creators of flash cookies and their customers by filing class actions.  The following four complaints (Aguirre, LA, Valdez, White) (.pdf) all filed in the Central District of California, were brought under the federal Computer Fraud and Abuse Act and state privacy and computer statutes.  The complaints allege that the defendants installed flash cookies on users’ computers without their knowledge or consent, and that that the defendants then tracked and sold personally identifiable information about consumers (including health and financial information).

Flash cookies were discussed at the U.S. Federal Trade Commission’s second Privacy Roundtable discussion on January 28, 2010.  The FTC is expected to release its report this fall regarding the Privacy Roundtable discussions it hosted.