Wednesday, July 29, 2009

BREAKING NEWS -- FTC Delays Enforcement of "Red Flag" Rules -- Again

BREAKING NEWS:

The Federal Trade Commission has again extended the enforcement deadline for the Red Flags Rule, according to an agency press release. Creditors and financial institutions now have until November 1, 2009 to come into compliance with the rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003. Meanwhile, the commission will redouble efforts to educate businesses affected by the rule on what they must do to comply. The Red Flags Rule requires entities to implement programs for identifying, detecting and responding to harbingers of identity theft, or "red flags." Hospitals and retailers had been especially vocal about their lack of knowledge as to whether they should be required to comply. In addition, the American Bar Association had been threatening to take legal action if the FTC did not clarify, before August 1, that the rule should not apply to lawyers.


More coming. 

Friday, July 24, 2009

Do you market to 'tweens?? Better watch out for the new Maine law.....

Maine Governor John Baldacci has signed a sweeping new law called "An Act to Prevent Predatory Marketing Practices to Minors." While that is a laudable effort and responsible marketers would not want to be predatory, it is not difficult to see this law as overreaching. It goes beyond the restrictions in federal law under the Children's Online Privacy Protection Act, where the cutoff age is 13: the Maine law applies to "minors," a term not otherwise defined in the Act, but the age of majority in that state is 18.

The law prohibits "marketers" -- which is anyone promoting a product or service -- from knowingly collecting, receiving or using personal information of minors without obtaining verifiable parental consent. Additionally, even with verifiable parental consent, the law still prohibits the use of personal information regarding a minor in the marketing of products or services or in promoting a course of action to a minor.

This Act then seemingly cuts off "minors" from being marketed to about colleges and universities, testing services such as the SAT and ACT, test prep services, and financial aid services, along with any other kind of marketing. The law contains a private right of action with injunctive relief and recovery of actual damages for each violation, and allows for civil fines over $20,000 for repeat offenses. 

A link to the legislation is below. The law takes effect September 12, 2009. It is likely to be challenged, and interest groups are gearing up to try to force an amendment because of its breadth and scope, but the law will be in effect come September and the Maine Legislature does not reconvene until January of 2010. It is clear that this will create some major compliance issues....


Maine Act to Prevent Predatory Marketing Practices to Minors: http://www.mainelegislature.org/legis/bills/bills_124th/chapters/PUBLIC230.asp


Tuesday, July 14, 2009

New E-Discovery Rules in California

It's not necessarily a "privacy" issue, per se, but electronic discovery (known as "e-discovery") rules of litigation require that companies plan ahead with respect to document retention. Here is the latest on the new California e-discovery rules just enacted.

Update from ComputerWorld on Denial of Service Attacks

The article says that the likely source of last week's massive DDoS attacks was the U.K. and not North Korea.

Link here

Seminar today on compliance with Massachusetts Data Security Regulations

Twitter feed from the event -- http://twitter.com/ITcompliance

Monday, July 13, 2009

Privacy and Security Bits and Bytes

There's a report out of the UK that a proposed (and highly controversial) mobile directory has so many people opting out that the system has crashed. I guess no one really wants those telemarketers to be able to find them via mobile....
UK Mobile Directory Crashes

A good summary from the Edmonton Sun regarding the stunning breach of the Alberta Health Services database - lessons for the US race to electronic medical records....
Privacy breach shocker Alberta News Edmonton Sun

BusinessWeek had a real "heart-to-heart" with Heartland Payment Systems CEO Robert Carr on the data security breach his company experienced late last year. In the article, Carr details the series of events leading up to the breach, and those that followed -- the board meeting, the disclosure, damage containment, and the drop in stock price, among others. It's a fascinating look at the inside of a massive data breach and what happens while the company is spinning the disclosure.

State BT Legislation

Much as it is with general federal privacy legislation, nature abhors a vacuum, and the states take up the "hot potato."

In the same realm as the last post, Massachusetts and several other states have legislation working its way through the current legislative session dealing with BT (behavioral targeting). The Massachusetts bill, H 313, heads for a hearing tomorrow before the Joint Committee on Consumer Protection and Professional Licensure.

H 313 is similar to behavioral advertising bills that have been introduced in New York (probably dead for the session) and Connecticut. It would establish a broad notice and consent regime for personally identifiable information and non-personally identifiable information that is used for behavioral advertising. Note that the Massachusetts legislation only applies to online behavioral advertising and would not apply to behavioral advertising campaigns that are conducted offline.

Trade Groups Release BT "Self-Regulatory" Standards

Nearly missed in the long Fourth of July holiday weekend was the announcement of "behavioral advertising" standards by a coalition of industry trade groups. These standards are in response to the FTC's public statements that regulation would soon follow if industry did not step up.

The standards have now been released and are as follows:

The Education Principle calls for participation in efforts to inform individuals and businesses about online behavioral advertising. The industry plans a major educational campaign involving over 500 million ad impressions over the next 18 months.

The Transparency Principle calls for clearer and easily accessible disclosures about data collection and use practices. The result will be a new notice on the page where data is collected, delivered via links embedded in or around advertisements or on the Web page itself.

The Consumer Control Principle expands the consumer's ability to opt out of data collection. The opt-out will occur via a link on the page where data is collected. This principle also requires service providers such as Internet access providers and desktop application software companies to obtain the consent of users before engaging in online behavioral advertising.

The Data Security Principle calls for reasonable security and limited retention of data.

The Material Changes Principle calls for the acquisition of consent for any material change to data collection and use policies and practices, including as those changes apply to data collected prior to the change.

The Sensitive Data Principle requires parental consent for consumers known to be under 13 on child-directed Web sites. This Principle also calls for heightened protections to certain health and financial data when attributable to a specific individual.

The Accountability Principle calls for the development of programs to monitor and report uncorrected non-compliance to appropriate government agencies. The Council of Better Business Bureaus and Direct Marketing Association will work cooperatively to establish accountability mechanisms under the Principles.

For more:

Interactive Advertising Bureau Release
Google Public Policy Blog
http://www.ftc.gov/opa/2009/06/behavadvert.shtm

Thursday, July 9, 2009

Major Consumer Protection Actions at FTC

There is increased activity at the Federal Trade Commission on the consumer protection front. David Vladeck, the FTC's new director of the Bureau of Consumer Protection, is wasting no time in getting down to business. With less than a month on the job, Vladeck announced two major enforcement actions: one involving a nationwide crackdown against scammers, and the other resulting in a $3.7 million penalty for CAN-SPAM violations.

Mintz Levin colleague Farrah Short writes that "Director Vladeck was named to the position in April and began his new role in June, after a handful of consumer watchdog groups called for the FTC Chairman to appoint someone with “a track record as a genuine champion of consumer rights.” If these early announcements are any indication, Director Vladeck may be on his way to fulfilling that wish."

For more:

CAN-SPAM action
FTC scammer action

Google on Trial in Italy

Friends at the Norton Rose law firm have published a great update on the Google Italian prosecution. The trial of the Google executives has been delayed, but the Norton Rose piece outlines the background of the proceedings and their current status.

North Korea behind denial of service attacks?

Reports today are indicating that several South Korean Web sites have been attacked again. Several officials have voiced speculation that North Korea was behind both today's denial of service attacks and last week's wave of outages that hit sites in both the U.S. and South Korea. No comment from Pyongyang.

The official news agency in South Korea says that today, seven sites - one belonging to the government and the others to private entities - were attacked.

The U.S. targets included the White House, Pentagon, Treasury Department and the Nasdaq stock exchange.

These attacks demonstrate the vulnerability of the global government and commercial web infrastructure to outside attack. The Obama Administration may want to reconsider the position of cyberczar and elevate it to Cabinet-level status.

For more:

FT.com / Global Economy - Fresh cyber attacks hit S Korea and US
New York Times
MSNBC
Wall Street Journal

(registration may be required to access some articles)

Wednesday, July 8, 2009

Class Action Suit Filed in "Clear" Program Termination

Here we go …..

What is happening with Registered Traveler data? It's not "Clear"....

As I blogged a few weeks back, the "Clear" Registered Traveler program abruptly ended because the service provider ceased operations. The announcement at the time raised the questions of what happens to the vast trove of personal information and biometric data that the company collected in order to "clear" frequent fliers who ponied up the $199 annual fee. Those questions have still not been completely answered, and just before the holiday, the Chairman of the House Committee on Homeland Security sent a letter to the Transportation Security Administration asking the same questions.... and giving TSA until July 8th to explain how the agency plans to ensure the security of the data.

Chairman Thompson wants TSA to explain what role it will take in ensuring that "adequate privacy protections are in place prior to any disposition of the personally identifiable information." The TSA has posted an FAQ on its website directing questions about Clear back to the vendor.

We have learned a bit more from Verified Identity Pass (VIP), the company that operated the Clear program. VIP has issued a statement regarding the handling of existing data on hardware -- airport kiosks and computers assigned to VIP employees. According to VIP, all such equipment was being cleared using a process known as "triple wiping," which is a reliable method for clearing hard disks of data. Once the information has been wiped, Clear says that it will send members one final email confirming that their information has been deleted from the kiosks and computers.

None of this addresses the issue of the central database. What we do not know -- and will not know until it happens -- is whether the data will be sold. VIP has not filed for protection under the Bankruptcy Code and is presumably trying to sell itself to another Registered Traveler service provider (there are 8 approved by TSA). In the FAQ, the company's response was that "(t)he personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider." Short answer: if it can find a buyer that is a TSA-authorized RT provider, your data will most certainly be sold. Clear says nothing about informing members that their information will be transferred to another provider in a sale of what is left of the company, or about obtaining consent to such a transfer.

All of this illustrates a ticking time bomb in difficult economic times -- what happens to the myriad personal and financial data that a failing or failed company has collected during the time it was in business? Databases and customer lists are assets that can be converted to cash to pay creditors. Hardware is often sold for scrap without "triple wiping" or is just transferred to a new buyer.

Good discussion of the Clear program issues at ComputerWorld.