Monday, June 29, 2009

Breaking News - SCOTUS

Reuters reports that the U.S. Supreme Court this morning refused to hear an appeal requested by two companies that want a New Hampshire prescription privacy law overturned. According to the article, the high court rejected without comment the request of Verispan and IMS Health, who argued that a law prohibiting companies from using physicians' prescribing records to boost drug sales violates their First Amendment rights to free speech. The Supreme Court's refusal means a 1st U.S. Circuit Court of Appeals decision to uphold the law stands. Last week, the companies asked the 2nd U.S. Circuit Court of Appeals to block implementation of a similar law in Vermont. For further information about the New Hampshire and Vermont laws, see our advisories.


Friday, June 26, 2009

A "Wayback Machine" for Privacy Policies??

The typical "boilerplate" (lawyers hate that word, BTW) in website Terms of Use goes as follows: "We reserve the right to change these Terms of Use at any time. You should check back to this page to view changes. Continued use of this website is deemed acceptance of any such changes." Ever wonder what "such changes" might have occurred?

Wonder no more.  The Electronic Frontier Foundation (“EFF”) has launched the TOSBack website, which tracks changes to several different types of website policies, including Terms of Service, User Agreements, and Privacy Policies. The site's home page lists those policies with the most recent changes and the dates on which the changes took effect.  You can click on each entry or on the specific website and policy to see a side-by-side comparison of the old version and new versions of the policy with the changes highlighted. 

Go to the website for a full list, but it currently tracks changes to 44 separate policies including those of Amazon, eBay, Apple, Facebook, Whitehouse.gov and others. The EFF plans to track more agreements on the TOSBack site in the future, including agreements from credit card issuers, banks, and cable TV providers.  Fair warning.

Wednesday, June 24, 2009

FTC: BT Inquiry Coming "Soon"

Apparently, the FTC plans on stepping up the Commission's inquiries into online behavioral tracking. That's what an American Bar Association Antitrust Section conference on consumer protection heard last week from two senior FTC officials.

On his third day on the job, David Vladeck, director of the FTC's Bureau of Consumer Protection, said he plans to maintain, and even step up, the bureau's aggressive law enforcement efforts, and has set his sights on companies' data collection practices, saying that "[n]otice and consent may have outlived its usefulness." Vladeck said the bureau will consider alternatives to privacy policies, at least as they exist today.

Stay tuned as we find out what form the FTC's promised hard look will take--another town hall meeting or perhaps a rulemaking proceeding. Eileen Harrington, deputy director of the FTC's Bureau of Consumer Protection, told the group that FTC action is imminent.

Tuesday, June 23, 2009

More on the Real Cost of Data Breaches -- $9.75 Million

Add another $9.75 million (plus - see below) to the cost of the TJX Cos. Inc. 2006 data breach.

The company has reached a settlement with 42 states over allegations that it failed to provide adequate security for its customers. $5.5 million of the settlement will be dedicated to data protection and consumer protection efforts by the states and another $1.75 million will be used to reimburse the costs and fees of the investigation.

Massachusetts AG Martha Coakley's office led the executive committee running the investigation. In a statement, AG Coakley said, "This settlement ensures that companies cannot write-off the risk of a data breach as a cost of doing business. In addition to the monetary relief, this agreement requires TJX to implement and maintain a substantial data security program to ensure that this kind of data breach does not happen again." Massachusetts will get nearly $1 million in the settlement.

The parenthetical "plus" in my first paragraph refers to an additional cost included in the settlement agreement. TJX must implement major security improvements and must certify that its computer system meets detailed data security requirements specified by the states. The settlement also requires the company to encourage the development of new technologies to address weaknesses in the U.S. payment card system.

The other states participating in the agreement are Alabama, Arizona, Colorado, Delaware, Hawaii, Idaho, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Rhode Island, South Dakota, Texas, Washington, West Virginia, Wisconsin, and the District of Columbia.

Not "Clear" What Happens to Passenger Data.....

Bad news if you were a frequent flyer who ponied up the $199 annual fee to participate in Verified Identity Pass, Inc.'s registered traveler program, branded as "Clear." Last night, the company announced that it was "unable to negotiate an agreement with its senior creditor" and shut down. Membership fees will not be refunded.

The bigger concern is what will happen to the (very) personal information of some 260,000 travelers who had registered and been "cleared." In order to receive a Clear card, you had to provide substantial background information, fingerprints and iris scans. In its announcement, Clear Lanes Are No Longer Available, the website says that the company will take "appropriate steps" to delete its customers' personal data. Given some of the prior history of the company with respect to securing that information, I am not reassured by that statement.

Last year, the company acknowledged temporarily losing an unencrypted laptop at San Francisco International Airport that contained the personal data of approximately 33,000 of its customers. In a press release, the Transportation Security Administration announced at the time that it was temporarily suspending Verified Identity Pass' operations of the Clear program until VIP got its security house in order. The question is: now what? Does a bankruptcy judge decide what happens to the data? Will those whose information is in the database be informed in a manner other than a post on the company website? What methods will this now-defunct company use to "delete" the wealth of personal data it has on 260,000 Americans and how can those people be assured that any such deletion is reliable (I'll be interested in hearing about that...)?

Tip of the iceberg...............

See also: Clear's Privacy Policy

Friday, June 19, 2009

Congress to Bring "Law and Order" to the Internet??

In February, the Federal Trade Commission released its report on behavioral advertising "guidelines," with strong suggestions in recent weeks from Commissioner Jon Leibowitz that without significant self-regulation, the online advertising industry could see regulation or legislation. We discussed the FTC report at that time here.

Yesterday, two House committees came together to look at privacy implications of online advertising and discuss such esoteric topics as deep packet inspection. The joint hearing of the House Communications, Technology and the Internet Subcommittee and the Subcommittee on Commerce, Trade, and Consumer Protection on Behavioral Advertising: Industry Practices and Consumers' Experiences was webcast.

Republican Joe Barton of Texas, ranking member of the House Energy & Commerce Committee, had the soundbite of the day. Although he commended industry for some measure of self-regulation, Barton said that it may be time for Congress "to bring some law and order" to what is "still a bit of a Wild West area." "I think it's a big deal if somebody tracks where you go and what you look at without your personal approval," Barton continued. "We wouldn't like that in the non-Internet world, and I personally don't like it in the Internet world."

"Opt-in" Coming to the US?

Democrat Rick Boucher of Virginia chairs one of the subcommittees and is expected to introduce a general privacy bill with other committee members. In the hearing, Boucher called for what he called "baseline" consumer protections. In that group, he included a requirement that consumers be allowed to "opt in" to use of their personal information by third parties. The shift from "opt out" to "opt in" would be a significant change for US online advertisers and retailers, but would actually bring the US in line with practices in Canada and the European Union.

Both Boucher and ranking communications subcommittee member Rep. Cliff Stearns (R-FL) acknowledged the need to balance consumer-centric privacy protection regulation with the potential for negative economic impact on a $300 billion US industry in a time of economic downturn. Boucher said that he had "no intention of disrupting this business model." Stearns echoed that sentiment: "We want to do no harm here."

The FTC's letter is available here.

Testimony is available on the committee's web site at Hearing Webcast.

Thursday, June 18, 2009

Security Bits and Bytes

  • The Wall Street Journal reports that the CEO of Heartland Payment Systems "gets religion" on security. You'll recall that Heartland reported what has been called the "largest security breach ever" earlier in the year.
  • Researchers have uncovered a new platform used by cybercriminals to buy and sell batches of zombie PCs and other tools used to carry out attacks. The scheme is exposed in detail by Elinor Mills here and Robert Westervelt here.
  • Reports from Illinois state auditors indicate that the Department of Financial and Professional Regulation cannot account for 52 computers. The department is responsible for regulating the banking and insurance industries as well as several professions, including accounting, medicine, and engineering. The agency cannot say if the missing computers held confidential information. The machines may have been transferred to other agencies, but there are no records indicating such transfers.

FTC Issues Consent Order for GLBA Violations

In the run-up to the enforcement deadline for the Identity Theft Red Flag Rule (August 1, 2009 - more on that in another post), enforcement of the Gramm-Leach-Bliley Privacy Rule and Safeguards Rule has not been forgotten by the Federal Trade Commission.

This week, the FTC issued a consent order against mortgage lender James B. Nutter & Company for violations of GLBA resulting from the company's lack of an adequate information security program and safeguards.

This consent order, like similar orders issued by the FTC of late, provides a blueprint for executives and compliance officers: there are consequences that directly result from the failures to implement reasonable information security and privacy programs. The FTC order requires, among other things, that James B. Nutter & Company implement a comprehensive security program, and engage a third-party professional to perform an initial assessment of that program, followed by biennial assessments for 10 years. Compliance with an FTC consent order is more costly than establishing a compliance program from the start.


Links:

The FTC announcement
The FTC complaint
The Agreement and Consent Order