*This section ended up longer than I anticipated. If you already have a base knowledge of cyber coverage or don’t want to bother with some historical background, please skip ahead to this section: "Where Privacy and Security Risk Breaks Down in Cloud Computing Contracts"

In the early 2000s, just around the “DotCom Bust”, some insurers began developing a product designed to address the financial loss that might arise out of a data breach. This was a time where most “brick and mortar” companies were just beginning to leverage the economic potential of the Internet. At that time insurers wanted to target the big “dotcom” companies like Amazon, Yahoo, eBay, Google, etc., and other companies pioneering e-commerce and online retailing. At some point, somebody dubbed this type of insurance “cyber insurance.”

The early cyber policies included liability and property components. The liability coverages addressed claim expenses and liability arising out of a security breach of the insured’s computer systems (some early policies only covered “technical” security breaches, as opposed to policy violation-based security breaches). The property-related components covered business interruption and data asset loss/damage arising out of a data breach (during the holiday season many online retailers suddenly developed a tasted for business interruption coverage after realizing just how negatively their business would be impacted by a denial of service attack).  Additional first party coverages included cyber-extortion coverage and crisis management/PR coverage.

Unfortunately for the carriers, it was not easy to get people to understand the need for this coverage (and that is still a challenge today, but certainly a lesser challenge with all of the security and privacy news constantly streaming). Early on there were very few lawsuits and regulators were just beginning to consider enforcement of relatively new statutes like GLB and HIPAA.

Two things changed that made cyber insurance much more relevant. One was a rather sudden event, and the other more gradual.

First, in 2003, California passed SB1386, the world’s first breach notification law. The reality then (as now) is that companies suffer security breaches each and every day. Prior to SB1386, however, breaches of personal information simply went unreported. With SB1386 and the subsequent passage of breach notice laws in 45 other states (and now coming internationally), the risk profile changed for data breaches. Instead of burying the breaches, companies were required to incur significant direct expenses to investigate security breaches and comply with applicable breach notice laws, including the offering of credit monitoring to affected individuals (which is not legally required by existing breach notice laws, but is optionally provided by many companies or "suggested" by state regulators). As a result, the plaintiffs’ bar now had notice of security breaches and began filing class action lawsuits after big breaches (usually involving high-profile brand name organizations). As such, cyber insurance coverage went from coverage addressing a hypothetical risk of future lawsuits, to a coverage addressing real-life risk (and now we have lawsuits getting deeper into litigation and public settlements of these types of cases). Moreover, shortly after the passage of SB 1386 many cyber insurance policies began covering the direct costs associated with complying with breach notification laws, including attorney fees, forensic investigation expenses, printing and mailing costs, credit monitoring expenses and call center expenses.  Breach notification costs are direct and almost unavoidable after a personal information breach.  Regardless of lawsuit activity, a direct financial rationale for cyber insurance coverage now existed.

The other change that occurred more gradually over time, but which has had a significant impact concerning the frequency and magnitude of data breaches was organized crime. In the early 2000s hacking was more of an exercise in annoyance or a used for bragging purposes. Hackers at that time wanted their exploits talked about and know. They wanted credit for hacking into or bringing down a sophisticated company (or better yet a division of the Federal Government or military). As such, when an attack happened it was discovered and remediated, and that would be the end of it.

True criminals, of course, are less interested in such notoriety. In fact, when trying to steal thousands/millions of records to commit identity theft or credit card fraud it is much better to NOT be detected. Lingering on a company’s network taking information for months or years is a much more profitable endeavor. Recognizing that this type of crime is low risk (it can be performed from thousands of miles away in Eastern Europe with almost not chance of getting caught) and high reward, organized crime flooded into the space. And in this context the word “organized” is truly appropriate – these enterprises retain very smart IT-oriented people that use every tool possible to scale and automate their crimes. They leverage the communication tools on the Internet to fence their “goods” creating, for example, wholesale and retail markets for credit cards, or “eBay”-like auction sites to hawk their illicit wares (e.g. valuable information). The change in orientation described above has essentially resulted in a 24/7/365 relentless crime machine constantly attacking and looking for new ways to attack, and always seeming to be one step ahead of those seeking to stop them. That is why we read about security and privacy breaches practically every day in the newspaper.

Fast-forward to present time. Cyber insurance is a much more established market with more carriers entering on a regular basis. There are primary and excess markets available for big risks, and companies of all sizes are looking at cyber more as a mandatory purchase rather than discretionary. As the world continues to change at seemingly light-speed and cyber risks increase (with the advent of hacktivism, social media and the consumerization of IT/BYOD ) the need for cyber is also growing. With competition pushing cyber insurance prices down, and significant security and privacy risk being retained by organizations, risk transfer is becoming very attractive (and from an overall big picture systemic point of view, spreading is risk is also attractive). Another area where cyber may help smooth out security and privacy risk is with cloud computing.

Where Privacy and Security Risk Breaks Down in Cloud Computing Contracts

As we have written extensively of in the past, Cloud computing raises significant privacy and security risks that are often difficult to hammer out in a Cloud computing negotiation (to the extent a Cloud customer gets a chance to negotiate at all). The net result of these contract negotiation difficulties and Cloud provider unwillingness in many cases to take on meaningful risk contractually, is that the risk is retained solely by the Cloud customer.  The following examples outline the privacy and security-related Cloud issues that impact the Cloud customer's risk:

• a Cloud provider failing to maintain reasonable security to prevent data breaches;

• a Cloud provider failing to comply with privacy and security laws applicable to the Cloud customer;

• a Cloud provider refusing to allow a Cloud customer to conduct its own independent forensic investigation of a data breach suffered by a Cloud provider;

• potential conflict of interests with respect a Cloud provider’s handling a data breach that may have been the fault of the Cloud provider, including failing to cooperate with its Cloud customers if that cooperation could adversely impact the Cloud provider;

• the Cloud customer’s potential obligation to comply with breach notice laws, including absorbing expenses for legal fees, forensic investigators, printing and mailing, credit monitoring and maintain a call center;

• lawsuits and regulatory actions against the Cloud customer because of Cloud provider security and privacy breaches, and the legal fees, judgments, fines, penalties and settlement costs associated with them; and

• Cloud providers seeking to leverage and data mine Cloud customer information being processed in the Cloud.

The justification used by Cloud providers to avoid responsibilities for these risks and the costs associated with them is essentially risk aggregation. Cloud providers maintain that, because they serve hundreds or thousands of customers on shared computing resources, a single attack could expose Cloud providers to liability from all of those customers at the same time. In fact, we already have one example involving a business interruption of a Cloud provider that demonstrates how multiple customers can be affected by a security breach. They also claim that independent forensic investigations by customers in the wake of a data breach are not possible because they cannot accommodate multiple customers at one time, and even if they could a forensic assessment would essentially expose each Cloud customer’s data to every Cloud customer conducting such an investigation.

Cyber Insurance: Addressing Retained Risk in the Cloud

So how does cyber insurance fit into this picture? As it currently stands, cyber insurance can be a very valuable tool for Cloud customers who are not able to get their providers to contractually take financial responsibility for security and privacy risk. Most cyber insurance policies cover data security and privacy breaches of not only the computer networks directly under the control of the insured, but also those computer networks operated by third parties for or on behalf of the insured. What this means in the Cloud context is that most cyber insurance policies may cover data breaches of the Cloud provider’s systems where the Cloud customer's/insured's data is stored and processed on those systems. This coverage will typically include most of the expenses listed above, including those direct expenses to comply with breach notice laws and costs to defend lawsuits and regulatory actions arising out of Cloud provider data breaches. As such, in the event a Cloud customer cannot get reasonable contract terms, assuming it has purchased the correct cyber coverage, it will have a fallback risk transfer and will not be retaining that risk solely on its own.

Is there a catch? Not really currently, except of course the premium that must be paid and the fact that most cyber insurance policies have a self-insured retention that must be satisfied by the insured before the carriers is required to pay. However, there may be longer term problems that arise for the carriers.

At this point, whether they like it or not, carriers whose cyber insurance policies cover security and privacy breaches of third party service providers are already beginning to aggregate their risk when it comes to Cloud providers. Imagine a world with a relatively small number of Cloud providers serving a much larger customer base (to some degree we may already live in such a world considering the dominance of Google, Amazon, Rackspace and other big cloud players). Many insureds/Cloud customers are going to be dealing with this relatively small number of Cloud providers. For example, I am sure that for most cyber insurance companies, if they were to check their books, would find that many of their insureds already use the same Cloud providers and/or other third party service providers to store and process the insureds’ data. Further consolidation of Cloud provider, should that occur, will only increase the aggregation of risk.

However, as long as cyber insurance is more widely adopted, the aggregation risk may be manageable. The entire purpose of insurance is to spread the risk across a wide community of insureds, and by doing so hopefully individual insureds that experience a breach are not catastrophically impacted. At the same time carriers can build reserves and achieve reasonable profits. The long term question is whether there are enough insureds purchasing cyber insurance to spread the risk and allow for the building of reserves to cover a breach of a major cloud provider that impacts a wide audience of insureds.

We probably are not there yet, and unless demand increases, we may not get there. One thing that may happen, perhaps, is a push from the Cloud provider/customer community to somehow make cyber insurance more of a mandatory condition of doing business in the Cloud. Time will tell as to whether the cyber insurers view this aggregation issue as serious, and whether they will take steps to mitigate it (hopefully those steps will not involve narrowing the coverage). In the meantime, companies that are going deep into the Cloud should quantify the risk they are retaining and seriously consider Cyber insurance coverage. The price may be right, and the peace of mind priceless.

As might be expected criminals view social media networks as fertile ground for committing fraud. There are three main security-related issues that pose potential security-related legal risk. First, to the extent that employees are accessing and using social media sites from company computers (or increasingly from personal computer devices connected to company networks or storing sensitive company data), malware, phishing and social engineering attacks could result in security breaches and legal liability. Second, spoofing and impersonation attacks on social networks could pose legal risks. In this case, the risk includes fake fan pages or fraudulent social media personas that appear to be legitimately operated. Third, information leakage is a risk in the social media context that could result in an adverse business and legal impact when confidential information is compromised.

One of the biggest social media security risks reveals itself in the name of the medium itself: social media yields social engineering. In short, when it comes to social media attacks, an organization’s own employees may be its worst enemy. Fraudsters leverage the central component of social media that makes it so attractive: trust between “friends.” Social media users may be tricked into downloading applications infected with malware because a posting was “recommended” by a friend. For example, almost immediately after Osama Bin Laden was killed by U.S. troops, one Facebook scam inserted malware on computers using a malicious (and false) link to the “real” Osama Bin Laden dead body photo that looked like it was posted on a friend’s wall. In addition, some scams have used messaging capabilities within social media platforms to initiate computer attacks.  Unfortunately, if a company's employee is scammed and downloads malware from a social media network to the company network, it may be the company that faces legal liability.

In addition, fraudsters use the trust users place in the social media platform itself to effectuate security breaches. For example, most would feel fairly comfortable clicking on an advertisement displayed on Facebook. However, in some cases that click could result in a “malvertisement” infection.

Another common attack technique is phishing. Criminals create fake email notices that appear to come from social media sites. Unsuspecting users that click on links in these emails may end up providing sensitive information to fake websites that look like the social media site they belong to, or downloading malware onto a company’s system.  Unfortunately, even an employee just giving up his or her personal social media passwords can be risky for a company. Many individuals use the same passwords at multiple sites and disclosing a social media password could also amount to providing the password to the network of an employee’s employer.

There is increasing evidence that criminals are using social media to target key company personnel in order to burrow into company networks and steal trade secrets and other sensitive information.  The wealth of personal information users share on social media sites provides ammunition for such attacks. Fraudsters can gather details about a user before engaging in an attack (e.g. employer, address, phone number, friends, affiliated companies, etc.) and then use the details to target the attack specifically at the individual(s) (such as a phishing email).  In fact, this very technique appears to have been used in one of the biggest breaches of 2011, the RSA breach.

With regard to legal risk, companies suffering a breach arising out of social media face the same risks for any security breach. If malware infects a system or an employee is tricked into providing his or her login-credentials, and confidential or personal information is stolen, the employer may face lawsuits or regulatory scrutiny.  Actions alleging breaches of NDAs may also come from third parties whose trade secrets or other confidential information a company holds. Moreover, if personal information is accessed or acquired due to the social media security breach, notification may be necessary and related costs would have to be incurred by the employer.

Social Media Spoofing and Hijacking

Companies may also face legal liability for failing to detect and notify social media users of scams associated with the company’s social media site or key personnel with social media presences. If an organization becomes aware of a spoofed fan page that looks like its own, or a criminal disseminating a malware-infested social media application that looks like it is sponsored by the organization, legal repercussions could arise. Similarly, fraudsters could create fake profiles of key company personnel in order to commit crimes.

Security and legal risks can also arise if hackers are able to take over a company’s fan page or social media profiles of key company personnel. By creating a fake fan page or profile, or hijacking an existing fan page or profile, fraudsters could send out messages with malware to all of the individuals who joined the fan page or trick customers into disclosing sensitive information.  From the legal risk perspective, while case law is sparse, companies that fail to have fake fan pages removed or that fail to warn their customers of scams that look like they come from the company, could face legal liability.

Confidential Information Leakage

Another important business and legal risk arises out of potential confidential information leakage on social media sites.

Imagine a company that is heavily reliant on traditional sales methods and has built up a customer list (a trade secret) with key, difficult-to-find contacts. Oftentimes, companies like this rely on key sales people to bring in large portions of their revenue. Perhaps seeking to be on top of modern marketing practices some of these salespeople establish LinkedIn accounts, and naturally begin linking to dozens or perhaps hundreds of friends, colleagues and customers. On LinkedIn, if settings are not set properly, all of the contacts related to these key salespeople could be publicly viewable. That being the case, it would not be difficult for a competitor to simply view and record those contacts, thereby potentially exposing the company’s customer list and key customer contacts.

Take it one step further. Suppose one of the key sales persons leaves with the customer list and the company sues alleging misappropriation of trade secret. One of the elements for establishing a trade secret are efforts to keep the secret confidential. However, by allowing the sales person to display all of his contacts on LinkedIn, has the company effectively failed to maintain that confidentiality and lost its trade secret protection?

In 2010, we saw an Eastern District of New York case that looked at this issue and ruled that trade secret protection was unavailable for a company where the customer list information at issue could be readily ascertained using sites like Google and by viewing LinkedIn profiles. In contrast, in 2011, the court in Syncsort Incorporated v. Innovative Routines, International, Inc., looked at the issue of whether a trade secret posted on the Internet loses its protection. While the court ruled that trade secret protection was not lost under the facts of Syncsort (where only a portion of the trade secret was available for a limited time), it appears that a different set of facts could yield a decision going the other direction.

The inadvertent disclosure of confidential information by employees may also be problematic for organizations. This problem can arise when employees mistakenly or unknowingly disclosing sensitive information. For example, in September 2011 a Hewlett-Packard executive updated his LinkedIn status and revealed previously undisclosed details of HP's cloud-computing services. If he had instead posted confidential information about one of HP’s clients it may have resulted in legal liability. Moreover, for publicly-traded companies, certain inadvertent disclosures of financial information could lead to violations of securities laws and regulations.

Even if confidential information is not directly put into a single status update or other post, the aggregated social media postings of multiple employees could yield valuable competitive information. Companies (on their own or through third party service providers) are actively data mining social media sites with the hope of gathering enough bits and pieces of information to provide a competitive edge. Employees may be unwittingly posting what they think is a single piece of non-sensitive data.  However, when combined with multiple data points from other employees and sources, those innocent disclosures could suddenly reveal company or client confidential information.

Conclusion

In summary, the key security-related legal concerns associated with social media start with the fact that social media provides a rich target environment for criminals. Social media users are literally volunteering information that may be sensitive, and the disclosure of which could lead to legal risk. The culture of sharing present on social media sites itself can lead to over-disclosure by employees, and the pure volume of data that can be mined from social media sites may allow competitors and criminals to connect-the-dots to reveal confidential or sensitive information. Moreover, the sense of trust that comes with social media environments provides an opportunity for criminals to breach security. People may be tricked into providing certain information or downloading malware because they think they are having legitimate communications with colleagues or friends. Finally, the ability to easily spoof or create fake sites or pages in social media sites that look legitimate can lead to increased security risk. With this increased security risk, comes increased legal and liability risk (in an area of law that is very unsettled in terms of who can be liable for a security breach, and to what extent).

How can these risks be addressed and mitigated? First, it is key to understand the social media environment and how the various social media platforms work.  The unique characteristics of a particular social media platform may present risks specific to that platform. Second, organizations need to develop a social media strategy to maximize their leveraging of social media while minimizing risk (Are employees allowed to use their social media sites from work computers? Can they talk about the company and its plans on social media sites? What company information can they share on social media sites? Should only a handful of marketing-oriented employees be allowed to post about or on behalf of an organization? Can the company monitor social media usage?) Once strategy is developed, social media policies need to be drafted to reflect the strategy and address risks. In the security context, a big part of minimizing risk is educating and training employees and providing guidance on how to avoid or minimize it.  Technology solutions may also exist that can allow for monitoring and tracking of social media usage by employees. Ultimately, however, like social media itself, it comes down to people -- risk can only be addressed appropriately if the individuals using social media are equipped to identify and mitigate against it.

In terms of background, this matter involves a payment card data security breach perpetrated by hackers that resulted in the theft of 4.2 million credit and debit card numbers, expiration dates and security codes from the Hannaford Brothers grocery store chain. After being alerted of the breach by the credit card companies, Hannaford announced the breach and informed the public that 1,800 cases of fraud arose out of the theft of the cardholder data.

Twenty-six separate lawsuits were filed against Hannaford, and all were eventually consolidated in the Federal District Court of Maine (the “District Court”). After winding through various legal proceedings, including the Maine Supreme Judicial Court, the District Court eventually dismissed most of the plaintiff’s claims, except for the single plaintiff that was actually required to be responsible for $50 of fraudulent charges (the maximum for credit card fraud under U.S. law).

Plaintiffs alleged several causes of action, but this post will focus on the issue of whether damages were properly alleged for purposes of the plaintiffs’ negligence and implied contract claims as to certain categories of alleged damages.

The Holding

As is to be expected when twenty-six lawsuits are filed in a relatively novel area of law, the plaintiffs’ alleged several different damage elements resulting from the data breach, including:

1. unreimbursed fraud charges;
2. overdraft fees;
3. loss of accumulated reward points;
4. loss of opportunities to earn reward points;
5. the time and effort consumers spent to protect against losses;
6. the fees charged by issuing banks to customers who requested that their credit card be replaced; and
7. the cost for identity theft insurance/credit monitoring.

The Court of Appeals agreed with the District Court and affirmed the dismissal of plaintiffs' negligence and implied contract claims alleging the damage elements set forth in 1. through 5. above. The Court, however, reversed the District Court’s dismissal of the damage elements set forth in 6. and 7. above (“Mitigation Costs”).

The Court of Appeals looked at Maine negligence law in rendering its decision, which requires damages to be both reasonably foreseeable and not barred for policy reasons. In addition, for nonphysical harm, Maine courts take policy considerations into account such as “societal expectations regarding behavior and individual responsibility in allocating risks and costs.” The Court of Appeals also indicated that Maine courts had previously allowed plaintiffs to recover for costs and harms incurred during a reasonable effort to mitigate harm. It specifically cited the Restatement (Second) of Torts section 919(1), which provides in relevant part:

[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened

The Court of Appeals noted that to recover mitigation damages, plaintiffs need to show that their mitigation efforts were reasonable and that those efforts constitute a legal injury, such as actual money loss (rather than time or effort expended). In order to judge whether a mitigation decision was reasonable, Maine courts consider reasonableness at the time the decision was made (not using 20/20 hindsight). According to the Court’s interpretation of Maine law, mitigation damages are available even when it is not certain at the time that the costs are needed, when mitigation costs are sought but other damages are unavailable, and when mitigation costs exceed the amount of actual damages. In support of its decision, the Court of Appeals cited and summarized several cases from multiple jurisdictions, many of which involved structural damages or defective construction.

The Court of Appeals considered whether the Mitigation Costs alleged by the Hannaford plaintiffs were reasonable. It first noted that the Hannaford breach involved a large scale and sophisticated criminal operation. Moreover, there was actual widespread misuse of credit cards and fraud committed using the cards (as announced by Hannaford itself). In the Court of Appeal’s view, the plaintiffs were “not merely exposed to a hypothetical risk, but to a real risk of misuse.” Moreover, the Court noted that there was no way for plaintiffs to predict whose accounts would be used for fraudulent purposes. As such, in the Court’s view it reasonably appeared that all Hannaford customers that used credit cards during the relevant time frame of the breach were at risk of unauthorized charges.

Looking at plaintiffs who had to pay fees to have their cards reissued (apparently not all banks reissued cards), the Court indicated that the immediate reissuance of cards by many banks was evidence of reasonable mitigation.  As such, plaintiffs who were required to pay such fees properly alleged damages.

The Court also indicated that it was reasonable mitigation for a plaintiff to purchase identity theft insurance after she experienced unauthorized charges to her account. The Court of Appeals contrasted decisions in other jurisdictions that rejected credit monitoring costs as a cognizable damage element. In those cases, unlike Hannaford, the plaintiffs failed to allege that any of the similarly situated plaintiffs had been the victim of identity theft or other harm. In this case, the plaintiff who purchased identity theft insurance actually had unauthorized charges on her card, and there were at least 1800 instances of fraud reported by Hannaford when it announced the breach.  Therefore, the plaintiffs alleging this damage element satisfied their pleading requirements.

Observations

As mentioned above, this case could significantly impact the liability risk associated with data breach lawsuits. Some observations below:

• Early Stages. Readers must be reminded that even if the negligence and implied contract claims are allowed to proceed, we are only at the pleading stage. It may be possible for Hannaford to win on a motion for summary judgment, the issue of class certification and at trial

• Class Certification Difficulties. Even if certain individual plaintiffs are able to allege negligence and implied contract claims, they may not be able to certify a class action if there is not sufficient commonality between the class members. Class certification is the wild card at this point. It is one thing to have a handful of plaintiffs individually suing for relatively small amounts, and quite another to have a large class doing the same.

• Misapplied Theory of Mitigation Damages? The mitigation damages theory seems weak in one key area: most of the cases cited by the Court of Appeals involved situations where some physical harm or a harmful property defect had already occurred, and the mitigation efforts related to cutting off the harm arising from such harm or defect. In contrast, for data breach situations we do not have physical harm or harmful property defects; many would argue that the mitigation is an attempt to cut off future harm (and that is what other courts have held), and should not be construed as cognizable

• U.S. Supreme Court. While there may be differences between various decisions that may preclude a conflict, it now appears that we have a split between U.S. Courts of Appeal. On one side we have the 7th and 9th Circuits throwing data breach lawsuits out due to lack of cognizable harm. On the other we have the 1st Circuit going the opposite direction for some damage elements. Will the U.S. Supreme Court have to weigh in to resolve the split?

• Create Your Own Class. If purchasing identity theft insurance or credit monitoring equals cognizable harm, will plaintiff lawyers direct their clients to purchase such services (in part so that they can recover from the breached organizations?

• Offering Credit Monitoring Services and Identity Theft Insurance. It is not unusual for breached organizations to offer credit monitoring and/or identity theft insurance to individuals impacted by a breach (often for customer relations purposes). However, as we have predicted in the past, will offering such services effectively cut off lawsuits? Plaintiffs may not be in a position to allege out-of-pocket costs if those services were offered for free by the breached organization. Considering that the redemption rate for such services is relatively low (in our experience typically less than 20%), offering the services might save a breached entity on the litigation end of the equation. Even so, plaintiffs' lawyers might simply move the goalposts, and even if one year of such services is offered, they may allege that two years is required/reasonable.

• Other Mitigation Damages? What other costs might constitute recoverable mitigation damages? The threshold is reasonableness, and it does not necessarily appear that the plaintiff needs to be aware of actual harm or misuse of personal information (although it helps the reasonableness argument if they are). We have had regulators ask our clients to offer to pay for fraud alerts after a data breach – might the cost of a fraud alert also equal a recoverable mitigation damage element? There are probably other similar costs that creative plaintiff lawyers will come up with.

We will have to wait to see what the ultimate impact of this decision is. However, with cases like this and other favorable decisions for plaintiffs concerning the issue of damages arising out of a data breach, we could be witnessing the beginning of a shift in the legal liability environment. At this point, since it may be the case that these data breach lawsuits have more litigation legs, organizations concerned about liability should consider focusing more on whether their security is reasonable and legally defensible. 

Why are privacy-related legal issues a key concern in the social media context? The entire marketing model inherent in the use of social media involves direct communication with, and gathering key information about, clients and customers in order to more efficiently and effectively deliver goods and services. The more granular and accurate the information about a social media user, the more valuable to companies seeking to leverage it. Naturally, as they collect and use information about social media users, organizations will come into contact with sensitive personal information about those users. This sensitive information goes beyond “traditional” personally identifiable information, and can include geo-location information, photographs and videos, relationship information (friends of friends), online behavioral information, political viewpoints and more.

The types of information available to a company employing a social media strategy will vary based on the platforms used, the method of interaction within a given platform (e.g. fan page versus company profile), technical constraints and policies, and the nature of the strategy itself. In analyzing privacy legal issues, organizations should ask the following questions:

• What types of personal information will the organization have access to?

• What types of personal information will the organization collect, and how will it use that information?

• What legal restraints exist with respect to the collection and use of the personal information (e.g. regulations, contracts, internal policies, etc.)

While this post focuses on privacy legal risk, it must be noted that the collection and use of personal information derived from social media may pose additional moral, reputational and business issues (which go beyond the scope of this article). As such, even if a practice is legal, the “big picture” must always be taken into account.

Key Privacy Legal Issues

• Social Media Platform Terms of Use

The first place to look for privacy legal obligations are the terms of use of a particular social media platform. Social media platforms attempt to balance privacy concerns of their users against commercial use of user information by laying out specific limitations and conditions related to the collection and use of personal information. For example, for applications built by companies for use in Facebook, organizations may not use a user’s friends list outside of the application, even if a user consents to such a use (organizations, however, may use connections between two users that have both connected to the application). As a general rule, companies can only use the Twitter API to reproduce, modify, create derivative works, distribute, sell, transfer, publicly display, publicly perform, transmit, or otherwise use Twitter content.

In addition, certain privacy-related terms and conditions may apply depending on the specific social media activities or functionality a company leverages within a social media platform.   Organizations seeking to leverage social media need to understand and implement the (sometimes confusing and often very detailed) rules of multiple platforms, and for multiple functionalities and activities within a platform.

For example, on Facebook, organizations that set up a Fan Page are not allowed to collect information from users unless they have obtained their consent.  In contrast, companies wishing to develop and launch a Facebook application can only request information from users that is necessary to run the application, but do not need consent for every data collection. Facebook also imposes certain limits on what and how personal information can be collected when using a Facebook application. For example, for all data obtained through the Facebook API except “basic account information,” organizations must obtain explicit consent from the user to use that data for any purpose other than displaying it back to the user in the application. Companies are prohibited by Facebook from soliciting or collecting user profile login information, such as usernames or passwords.  Consider the number of platforms and the number of rules within a platform, and the fact that these rules often change, and it becomes apparent that compliance can get tricky.

Unfortunately, the failure to follow these privacy-related terms of use can (and already has) get companies into legal trouble. That trouble can arise directly with the social media platform provider in the form of a banning or a breach of contract action. In addition, a violation of the obligations set forth in a social media platform's terms of the use may be alleged as the basis for lawsuits against companies using social media.

• Regulatory Privacy Issues

An organization’s social media activities may also raise regulatory concerns. In the United States, the FTC has not been shy about bringing actions under the FTC Act for “unfair” or “deceptive” business practices. As with a normal website privacy policy, if an organization does not follow its privacy policy related to a social media application and personal information related thereto, the FTC could allege that such failure is a deceptive trade practice.

A particular area of concern for violations of privacy policies arises when companies integrate social media functionality directly into their websites. Some company websites may embed social media functionality that allows users to comment on a website post or article using Facebook or Twitter’s comment platform. The user comments are displayed both on the website and on the social media platform. The question is to what extent does the website’s general privacy policy apply to the information gathered through the embedded social media platform. The second question is whether the organization’s handling and use of such personal information violates the website’s general privacy policy.   As the lines between an organization's general website presence and their social media presence blur even more over time, consistent privacy practices will become increasingly important (note:  InfoLawGroup has developed privacy policy language to address this situation).

Beyond general regulatory authority present in consumer protection acts, some specific privacy regulations may apply in the social media context. For example, for employers that use social media to vet potential employment candidates, the information obtained from a social media site may constitute a “consumer report” under the Fair Credit Reporting Act and similar state laws (this topic is discussed in more detail in the upcoming part of this series concerning social media and employment issues). In addition, there has been some activity around the Children's Online Privacy Protection Act (COPPA) and social media, including FTC actions against a social media site for children and a mobile phone game developer that created games for children.  In fact the FTC recently released proposed revisions to COPPA intended to address social media that is used often by children.

The collection and dissemination of information from social media users may be even more problematic when information concerning European users is at issue. Under the EU Data Protection Directive, personal data is defined as "any information relating to an identified or identifiable natural person”. This definition is generally much broader than most U.S. laws that reference personally identifiable information (those definitions typically require a first name/first initial and last name in combination with other specified data elements such as social security number, financial account number, driver’s license number, etc.). Regulators in Europe have reported that information derived by or from social media sites constitutes personal data under EU law.  For example, one German state has indicated that the “Like” button on Facebook is in violation of German privacy law. If the EU Directive does apply to information from a social network, the transmission of personal data of a European resident to the United States could violate various requirements concerning transborder data flow.

Finally, as the definition of personal information expands in the United States (the FTC has defined personal information broadly in the social media context to mean “information respondent collects from or about an individual”), it is likely that information relating to individuals collected from social media activities will be more closely regulated.  It is therefore important to keep up with the regulatory environment and legislation being proposed on both the Federal and State levels.

Conclusion

Participation and a presence in the social media context can be very valuable for organizations, and that value is likely to increase significantly in the future. Most organizations will seek to discover as much information about social media users as possible, and as more of our lives (social and commercial) are lived on the Internet, this information will be highly sought after.

This of course will raise significant privacy issues; privacy issues that current law may not fully address. In the U.S., we anticipate an evolution in the social media context that will initially involve regulators utilizing their broad and general regulatory authority (e.g. the FTC Act), and then may result in the passage of more specific laws and regulations. Even without specific regulatory constraints, organizations looking to leverage social networking today should carefully review the social media platform TOUs and their existing privacy policies, and develop policies and practices that address social media where appropriate. In addition, companies should analyze how existing laws in relevant jurisdictions might apply to their collection, processing, storage and distribution of personal information obtained from social media.  A reasonable balancing of these privacy legal risks against the commercial advantages to be derived from social media is the best course of action.

The SEC indicated that in analyzing cyber security risks and whether those risk should be reported, registrants should take the following into account:

• prior cyber incidents and the severity and frequency of those incidents;

• the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption; and

• the adequacy of preventative actions taken to reduce cyber security risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

Additionally, the guidance advises registrants to address risks and incidents in their MD&A “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.” Other situations requiring disclosure include if one or more incidents has materially affected a registrant’s “products, services, relationships with customers or suppliers, or competitive conditions” and if an incident is involved in a material pending legal proceeding to which a registrant or any of its subsidiaries is a party.  Registrants are also expected to disclose certain security incidents on financial statements, as well as the effectiveness of disclosure controls and procedures on filings with the SEC.

While cyber security risk has always been a potential financial disclosure issue, and something that directors and officers need to take into account, the SEC guidance really highlights the issue and brings it to the fore. Even so, materiality is still going to a big issue, and not every breach will need to be reported as many/most will not likely involve the potential for a material impact to a company. 

What the guidance document does stress, however, is process and risk assessment.  One read of this guidance is that companies internally are going to have to more carefully forecast and estimate the impact of cyber incidents and the consequences of failing to implement adequate security.  This analysis will go well beyond privacy-related security issues where most companies have focused (due to various privacy laws and regulator activity), and implicate key operational issues impacted by security breaches.  It will be interesting to see how this affects the internal corporate dynamics between CIOs and their business counter-parts.  This guidance may provide additional leverage for security risk managers to obtain bigger budgets, new technology and more personnel. 

This guidance may impact the traditional breach notification process as well.  Companies may now need to analyze not only whether notice to impacted individuals is necessary, but also whether shareholders should be getting a disclosure in financials statements.  This new guidance also raises the specter of directors and officers lawsuits.  We saw a D&O suit in the Heartland data breach that went nowhere, does this guidance provide more legs to plaintiffs?  Only time will tell.

Much like the “Cloud computing revolution" there is an almost frenzied excitement around social media, and many companies are stampeding to exploit social networking.  The promise of increased intimate customer interactions, input and loyalty, and enhanced sales and expanded market share can result in some organizations overlooking the thorny issues arising out of social networking.  Many of these issues are legal in nature and could increase the legal risk and liability potential of an organization employing a social media strategy.  

Coming on the heels of a white paper we wrote with ACE USA, in this multi-part series the InfoLawGroup will identify and explore the legal implications of social media. This series will help organizations begin to identify some of the legal risks associated with social media so that they may start addressing and mitigating these risks while maximizing their social media strategy.

In Part One of the series, we will provide a high level overview of the legal risks and issues associated with an organization’s use of social media. In subsequent parts members of the InfoLawGroup team will take a deeper dive into these matters, and provide some practical insight and strategic direction for addressing these issues.   As always, we view our series as the beginning of a broader conversation between ourselves and the larger community, and we welcome and strongly encourage comments, concerns, corrections and criticisms.

For a phenomenon that is taking over the world, one would think that the meaning of social media would be clear. While that may not be the case, we are not going to belabor the issue in this post. Instead we will simply use the definition generated by Wikipedia (itself a form of social media that relies on the collective efforts of its users to come up with the “right” answer): 

Social media are media for social interaction, using highly accessible and scalable publishing techniques. Social media use web-based technologies to turn communication into interactive dialogue.

Examples of websites and internet activities that fall into this definition include: LinkedIn, Facebook, Twitter, Digg, Delicious, StumbleUpon,Foursquare, blogging platforms (e.g. WordPress, Drupal, etc.), Wikipedia, bulletin boards (e.g. phpbb.com), Quora and YouTube.

The InfoLawGroup is a heavy user of social media, and the best way that I have been able to explain our social media is by analogy: social media is like a wide-ranging conversation that can be with the entire world, or on a very intimate level with a single individual, and often both. Social media provides a mechanism for finding communities of like-minded (or not) individuals interested in particular topics (and sub-topics).    InfoLawGroup uses social media to engage in conversation concerning issues that are important and interesting to us (and others), and by engaging in that conversation in a meaningful way, others begin to recognize and value our input (and we in turn discover experts, influencers, and valuable information resources). Based on our experience, the key attributes of a successful social networking include clear communication, multi-party interaction, trust and intimacy. 

How is Social Media Used?

So your organization wants to “use” social networking. Why? For many organizations considering the use of social media a vague idea may exist that they “should” be doing that. However, clear organizational goals may not exist concerning the use of social media. As a threshold issue, before even considering specific legal issues, organizations must have a clear idea of why they want to use social media.    Companies should identify the business process or organizational strategy they are seeking to advance by the use of social networking. They should be able to establish goals and metrics in order to measure success and allow for the adjustment of their strategy if it is not proving successful.   Of course, when the question of why is answered, then the question of “how” must be addressed (and often the two questions must be considered together).

The process of developing a social media strategy tied to specific business processes and goals will enlighten companies as to the legal implications of their use of social networking. While there may be certain legal concerns baked into “social media” in general, many of the legal risks will arise based on the specific business process and goals surrounding the use of social media. In addition, the characteristics of the social media platform(s) an organization chooses to leverage may also impact the legal risks faced by the organization.

While there are as many social media strategies as there are organizations seeking to employ them (in fact, there are certainly many more), we have laid out some “use cases” that will help us explore the legal implications of social media:

• Direct Interaction. Direct interaction (with customer, "influencers," media, colleagues, etc.) is really the most basic use of social media, it involves an organization using social media to communicate and interact with the general social media population (or subsets of that population).    This would happen on various social media platforms such as Facebook, LinkedIn and Twitter, or through a weblog.   However, the approach organizations employ to interact may vary, and as discussed later, the differences in approach could impact the legal risks associated with social media. Some approaches for direct interaction include the following: (a) allowing an organization’s general employee population to go out and interact on behalf of the company with little instruction or supervision; (b) allowing an organization’s general employee population to go out and interact on behalf of the company with strict instructions and supervision; (c) identifying a small dedicated group to interact on social media on behalf of the company, including potentially the use of “corporate profiles” not tied to any individual person; and (d) hiring a third party marketing company to interact on social media pursuant to a specific marketing strategy.

• Company Page/Fan Site. Some social media platforms allow organizations to create “fan pages” (e.g. Facebook) or company pages (LinkedIn). In essence these types of pages/site allow an organization to set up a centralized presence or "destination" within a social media platform.   Interested individuals can then join or follow postings that occur on the organization’s fan page/site, and those visitors can themselves post and interact on the fan page or site. This allows for interaction in a more centralized fashion.

• Social Media Applications. Some social media platforms may allow organizations to create applications that can be plugged into the social media platform. For example, a mortgage broker with a presence on Facebook could hire an application developer to develop a mortgage interest rate calculator application that Facebook users could operate. This would essentially provide an advertisement for the mortgage company and create goodwill amongst potential customers. In addition, when the application is downloaded by a user, the mortgage company would then get access to certain personal information that is part of the user’s profile. This information can be valuable for targeting prospective customers and data mining purposes.

• Blogging. While it may not be obvious to everybody, most blogs constitute social media.   Blogs that allow for comments and interaction between the blogger and his readers (and interaction between the readers themselves) are social media. This interaction typically occurs in the “comments” section of a blog. In addition, many organizations use their blog as the kernel for interaction in other social media platforms. So, an organization with a blog might do a post and tweet it on Twitter, cross-post it on their Facebook fan page and post it in a LinkedIn Group, in order to drive traffic to the company’s blogpost (and ultimately website, product or service).

• Social Plug-ins. Many social media platforms provide “widgets” or “plug-ins” that can be put into a website to allow the content of the website to be commented upon and shared within the social media platform. The plug-in may be in the form of a “button” that allows a website visitor to “like”  particular content and have their preference posted in Twitter, Facebook or Digg. Some social medial platforms may be seamlessly integrated into a website in such a manner that makes it virtually invisible. Using these plug-ins can help` spread an organization’s message to a much wider audience and drive traffic to the organization’s website.

• Log-In Credentials. Another interesting way social media platforms are being utilized is to allow website visitors to login to an organization’s website employing the log-in credentials they use to gain access to a social media platform. Under this scenario an organization with a website could allow visitors to access the company's website by logging into their Facebook or Twitter account using the same username and password (this is achieved by utilizing the social media platform’s API). The organization benefits in several ways by employing this practice. First, the visitor gets to avoid setting up a new username and password specific to the website, which can be viewed as time-consuming by some visitors. Second, the user is less likely to forget a username/password from a frequently-used social media platform, and this makes logging in very easy. Last, by linking to the social media platform’s authentication credentials, the organization is able to obtain certain personal information about that visitor that is available on the social media platform.

The forgoing use case scenarios are surely the tip of the iceberg, and new social media platforms and strategies are being developed every day.   It is in this dynamic environment that organizations must analyze and understand the legal risks associated with the use of social media.

Social Media Legal Issues

As we work through the various legal implications of social media it hopefully will become increasingly clear that context is very important. While we can (and will) talk about broad categories of legal risks that apply to most (or all) social media, a basic formula can be used to identify and analyze the specific legal risks of a particular social media use. The social media legal risk “formula” can be summarized as follows:

• the inherent characteristics/capabilities/limitations of the social media platform to be leveraged, PLUS

• the organization’s specific intended social media strategy and uses, REVEALS

• the relevant legal issues and level of legal risk present.

With this formula in mind we turn to a short summary of the social medial legal issues that InfoLawGroup will be exploring in detail as part of its multi-part blog series.

Information Security Legal Risk

Organizations that employ social media face several information security legal issues.   These legal risks can be broken down into three broad categories: (1) potential liability due to a breach of the organization’s security as the result of an attack originating through the use of social media; (2) potential legal risk associated with social engineering and spoofing attacks against users or “fans” of an organization’s social media presence, persona or application; and (3) legal consequences of leakage of third party confidential information as a result of social media use.

As might be expected organized crime views social networks as fertile ground for committing fraud. One of the biggest risks is in the name of the medium itself.  Social media yields social engineering. Fraudsters leverage the central component of social media that makes it so attractive: trust between “friends.” As such social media users are tricked into downloading applications infected with malware because it was “recommended” by a friend, or they click on the link of the “real” Osama Bin Laden dead body photo that looks like it was posted on a friend's wall (and a computer attack occurs), or they visit a site that looks like a brand name company’s fan page and are enticed to provide some of their personal information to criminals. The direct risk to an organization allowing its employees to use social media on company computers is obvious: if malware from social media infects a company computer and steals personal information, credit card numbers or trade secrets, the company may have to provide notice of a security breach and could face lawsuits and regulatory actions arising out of the breach.

Companies may also face liability for failing to detect and notify social media users of scams associated with the company’s name or site. If an organization becomes aware of a spoofed fan page that looks like its own, or a criminal disseminating a malware-infested social application that looks like it is sponsored by the organization, legal repercussions could arise. In the email context we are already aware of lawsuits involving phishing that allege that the defendant should have been aware of scam emails sent to their customers, and should have warned those customers of the scam.

Finally, social media sites and the activities of multiple users for or on behalf of an organization could result in information leakage. If that leakage involves confidential information or trade secrets of an organization’s customer, or perhaps certain financial disclosures in violation of securities laws, liability could arise. The risk of confidential information leakage was recently on display involving the use of LinkedIn.  This risk can also be indirect in its nature, and there are several social media corporate intelligence companies that will data mine and aggregate information about competitors in order to discover leaked secrets, plans and trends.

Privacy

For many companies the Holy Grail of social media is in depth and detailed personal information about their current and would-be customers. Social media provides a platform for much more interactive and intimate communications between companies and their customers. In turn companies seek to use this knowledge to sell their products and services back to these customers (in a way that does not erode the trust relationship that is often gained in the social media context).   Social media platforms enable the gathering of information, including personal information, in ways that were unimaginable only a few years back.   Companies leveraging social media, depending on the platform, can gain access to this personal information. This raises a host of privacy concerns that could increase legal risk. Most social media sites have terms and conditions that may result in legal liability if an organization’s collection or use of personal information violates those terms.    Laws such as COPPA may have applicability with respect to an organization’s “fan” page.    Finally, to what extent do an organization’s privacy policies apply, if at all, to its social media activities?   All of these issues will become increasingly important as use of social media becomes the norm.

IP Infringement

Social media sites allow users and companies to post content, including content that may be copyrighted or trademarked. Posting can be performed not only by employees of organizations using social media, but also fans and visitors to a company’s social media site. Organizations may face infringement claims (direct or based on vicarious liability) due to copyrighted or trademarked materials being posted by them or by third parties.

Disparagement and Defamation

Social media environments provide a forum for defamatory statements to be made about individuals, and disparaging remarks to be made about companies' products and services. Organizations with overzealous employees attempting to get a leg up on competitors may post comments or remarks that may not be fully accurate or true about an individual or a competitor’s products or services. This could lead to a potential lawsuit and liability. Social media sites and blogs that allow comments may also involve such statements made by third parties over which the organization has little to no control. While defenses may exist, including potentially Section 230 of the Communications Decency Act, this area of law is notoriously fact specific and varies by jurisdiction, and it could pose problems for companies.

Employment Law Issues

The use of social media in the employment context raises a lot of tricky legal issues. First, many organizations use social media to vet candidates for employment and as part of background checks. The information obtained from a social media site may constitute a “consumer report” under the Fair Credit Reporting Act and similar state laws, and employers may have to obtain an individual’s consent before accessing such information (or may be prohibited from using that information to make employment decisions). During employment, the issue is to what extent an employee may have privacy rights concerning its use of social media while at work, and to what extent the employer may monitor such activities. Overzealous employers that create fake social media accounts to monitor social media activities of their employees could also raise legal issues, including issues under the Stored Communications Act, which is part of the larger Electronic Communications Privacy Act. Finally, using social media activities as the basis for firing or taking disciplinary action against employees may run afoul of the law. Recently, there have been a series of “Facebook Firings” where the National Labor Relations Board has alleged that and employer’s action violated the National Labor Relations Act.

Advertising Law

Organizations that use social media to promote their products and services should also be concerned about advertising laws. For example, some social media activities may amount to a contest or sweepstakes and may need to have appropriate disclaimers and notices. In addition, for social media sites that allow users to rate products or services, an employee that “rates up” the products or services of his or her company may violate advertising laws concerning testimonials and endorsements.

Electronic Discovery and Evidence

Social networks are brimming with social interactions and information generated by and about those interactions. That information may be highly relevant in a litigation context, and the parties in a litigation may seek to obtain this information via discovery or subpoena. Questions arise as to whether obtaining this information for use in court is permissible in light of potential privacy concerns. On the flipside, when litigation begins, how should lawyers advise their clients concerning the preservation of information on social media sites, and what kind of problems may arise if a litigant fails to preserve social media information.

Drafting a Social Media Policy

In the final part of this series, we will take a closer look at one of the key controls to address the legal risk associated with the use of social media:  the social media policy. We will look at the key elements and issues that should be addressed in a social media policy, and identify strategies for dealing with this risk. In addition, we will discuss some new technological controls that companies are developing to help organizations understand, monitor and manage social media use and legal risks. Overall, there is much more to come on this topic. Stay tuned! 

The privacy landscape appears to be shifting toward a model that promotes greater consumer awareness of and control over data. Reflecting its consumer protection mission, the FTC’s Protecting Consumer Privacy in an Era of Rapid Change issued December 1, 2010 urges companies to adopt a "privacy by design" approach. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced their "Commercial Privacy Bill of Rights" which adopts some of the FTC’s privacy by design principles, requiring companies to implement privacy protections when developing their products and services. The foundational principles of privacy by design, originally developed by Information and Privacy Commissioner of Canada Ann Cavoukian, address the effects of increasing complexity of data usage. With data now ubiquitously available, as well as processed and stored on a multinational level, privacy by design is becoming internationally recognized as fundamental for the protection of privacy and data integrity.

So what does privacy by design mean? How can start-up companies incorporate privacy by design principles into their business practices to attract VC funding? How should privacy and security legal risks (and solutions) be written into a start-up’s business plan? This post tries to answer these questions.

Step 1 - Understand Your Business Model.

Privacy by design advances the view that privacy assurance should be companies’ default mode of operation. To build privacy protections into a business model, organizations (particularly entrepreneurs seeking VC funding) should know their business models better than anyone else. Companies must understand how they will interact with consumers at every step of each transaction when products and services are under development. From consumer solicitation to the sale of products or services, an entrepreneur should consider evaluating whether and how his or her company collects, maintains, shares, or otherwise uses consumer data. Entrepreneurs may want to conduct a run-down of any and all data involved in their business transactions, including personal consumer data (names, addresses, credit card information, etc.) as well as any other information that can be linked to a specific consumer, computer, or other device. A keen understanding of the technology used by the start-up is also crucial as the functionality provided by such technology (or the lack of certain functionalities) may impact privacy, including the ability of consumers to make decisions about their personal information. By understanding the data and technology involved at each step of the way, entrepreneurs will be more likely to spot potential risks their companies face. Companies that fully understand the scope of the data they collect and how that data is handled will be in better positions to address consumer concerns and respond to objections. Most importantly, they will be in a better position to address legal requirements and build privacy into their products and services from the outset.

Step 2: Understand Your Market.

Really understanding your business model also means understanding the market - including the wants and needs of target consumers and the privacy-related activities of similarly situated companies. Consumers are increasingly wary of privacy issues triggered by their online participation. Start-ups may want to tailor their approach to privacy issues based on their target audience, as various studies show that different subsets of the population may have different privacy expectations and concerns.

For example, a Webroot study concluded that mobile device users over the age of 39 are more concerned about the possible risks associated with geolocation tools compared to 18- to 39-year-olds. Teens may be beginning to respond to privacy concerns on online – TRUSTe found that about 64% of teens use privacy controls on social networks. The platform for personal information collection, storage and processing may also impact the scope of consumer concerns. A new report from the market research firm Nielsen confirms that many Americans have strong concerns about losing some privacy by using location-based mobile services. According to the report, 59 percent of women and 52 percent of men reported having privacy concerns with location-based services and check-in apps. Only 8 percent of women and 12 percent of men reported that they are not concerned with the privacy implications of location-based services and check-in apps.

Consumer outcry and regulatory pressure have forced companies such as Facebook and Google to change their practices, offering consumers privacy controls that are simpler and easier to use. However, while many studies and surveys conclude that people are worried about privacy, people continue to use social media sites, location-based apps, and check-in services despite their concerns. From a market point of view, it’s important for companies to attempt to determine the privacy protections consumers want, as well as what practices may be deemed invasive and “over the line” which could result in backlash.

Determining whether products and services are “over the line” is also valuable for attracting business deals and securing investments. According to a report by the Ponemon Institute, privacy issues have prompted marketers to use online behavioral advertising 75% less than they would otherwise. However, in a previous post we noted that despite consumer concerns, Internet tracking companies continue to secure new investments from VC firms. Recently, a Wall Street Journal article noted that VCs in Silicon Valley are dumping money into social start-ups promoting mobile apps. If they haven’t already, VCs may begin to factor privacy concerns into their due diligence process to avoid future consumer and agency backlash that could potentially devalue their investments. As such, incorporating privacy by design - assessing privacy issues and implementing privacy protections every step of the way – may help attract funding and avoid potential liability.

Understanding the market also means understanding the competition. From start-ups to major market players, many companies are offering privacy protective products and services in response to consumer demand. Companies should conduct thorough due diligence regarding the data practices of established, similarly-situated companies. And a thorough understanding of the market isn’t only about evaluating competitors that exist today – companies would be wise to consider what potential business combinations could become competitors in the future.

Step 3 – Understand the Legal Risk Environment.

Keeping tabs on the privacy legal landscape is important for companies and investors looking to capitalize on consumer demand, particularly those interested in tapping into online markets. Additionally, agency enforcement is on the rise. As such, researching the legal and regulatory environment is a crucial part of due diligence for entrepreneurs and VCs alike.

Multiple privacy bills from both the House and the Senate have recently been introduced. In February, Representative Jackie Speier (D-CA) introduced the “Do Not Track Me Online Act of 2011” that would give the FTC authority to establish an online do-not-track system, giving consumers the ability to prevent the collection and use of data on their online activities. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the “Commercial Privacy Bill of Rights Act of 2011” in April, which would give the FTC significant authority to create rules as to how businesses collect, use, transfer and maintain personal information (for a summary of the bill, click HERE). This month, Senator Jay Rockefeller (D-WV) introduced the “Do-Not-Track Online Act of 2011,” which would create a "universal legal obligation" for companies to honor users' opt-out requests on the Internet and mobile devices, and would give the FTC the power to take action against companies that don't comply. Also this month, Representatives Edward J. Markey (D-MA) and Joe Barton (R-TX) introduced a draft of the “Do Not Track Kids Act of 2011” which would prohibit companies from tracking children on the Internet without parental consent, restrict online marketing to minors and require an "Eraser Button" that would allow parents to eliminate kids' personal information already online. An underlying policy of all of this proposed legislation is the idea that companies should be required to give consumers more notice about the information that is being collected about them, as well as the ability to control such collection.

While much attention has been given to privacy and security legislation at the federal level, there has been a renewed sense of vigor on the state level as well. The privacy legal risk environment is constantly in flux, and the state of law may vary by jurisdiction. For example, Hawaii’s information privacy proposed bill would require breached entities to provide credit monitoring and call center services to impacted individuals. In Colorado, a proposed bill takes a new approach to incentivizing companies to implement good security (for a summary of the bill, click HERE).

This year has also seen an explosion of privacy-related litigation (the RockYou data breach litigation, Amazon privacy litigation, suits involving online tracking, cookies, history sniffing, etc.) as well as agency enforcement actions (Playdom, Google Buzz, Ceridian/Lookout, GunnAllen, etc.). The end results of agency enforcement and privacy-related lawsuits are bound to impact what the government and the public considered “acceptable” from a privacy point of view.

It can be difficult and time-consuming to navigate the legal and regulatory privacy environment, and companies are encouraged to seek the advice of experts to identify potential privacy legal risks. In many cases, to proactively address privacy concerns, it requires careful analysis and prognostication based on the bills, laws, lawsuits and regulatory actions that are in play. Oftentimes, after careful analysis, potential trends and commonalities can be gleaned that can help companies anticipate where the privacy legal environment is going. If the legal risks are identified early and companies keep up-to-date regarding their responsibilities, mechanisms can be built into products and services to allow for compliance with the current legal framework. For example, building in consumer opt-outs of data collection and honoring such requests, as well as encrypting any sensitive personal information collected, are proactive measures that may be used to provide companies with flexibility to adjust to changing legal requirements.

Step 4 – Integrate Privacy by Design.

It’s easier to tailor privacy and security protections to a company’s everyday business practices, products and services once the company has a comprehensive understanding of its business model. the market and legal compliance requirements. It is much easier for a startup company to undertake this exercise at the outset of its business planning and product/service development. As part of its privacy by design framework, the FTC urges companies to systematically consider four substantive privacy protections at all stages of the design and development of their products and services:

Data Collection. One key principle of privacy by design is that companies should automatically protect any consumer data handled by default. However a company chooses to handle consumer data, it may want to consider mechanisms that enable consumers to opt-out or opt-in of data collection practices (even if those mechanisms are not implemented from the outset). Doing so early will decrease the burden of regulatory compliance if offering opt-in or opt-out consent becomes mandatory. Another key principle of privacy by design encourages companies to handle data in a way that is visible and transparent to the consumer, and that allows companies to honor any representations they make to consumers about their business practices. The FTC has increasingly enforced this principle, settling privacy enforcement actions with Twitter and Chitika for deceptive business practices and with Ceridian and Lookout Services for unfair business practices for failing to safeguard personal employee information, among others. Companies are advised to implement data security protocols and privacy policies and to address the concerns of their consumers. Companies can avoid regulatory enforcement by understanding their commitments to protect consumer privacy, being transparent about their business practices, and adhering to their policies and procedures.

The FTC also emphasizes “minimization” – under this concept, the only consumer data that a company should collect is that which is needed to accomplish legitimate business goals. If a company has internal systems and networks, it should consider whether data is routinely saved by default if there is no legitimate business need to do so. By limiting the scope and amount of consumer data collected, companies reduce potential harms that can result in the event of a breach. The information companies need to collect wholly depends on their business model and the consumer data needed to make it work.

Security for Consumer Data. Many companies that conduct internal evaluations of their data practices will conclude that they maintain consumer data in one form or another. Companies that maintain consumer data can proactively employ physical, technical, and administrative safeguards to protect that information. As the FTC notes, the level of security required depends on the sensitivity of the data a company maintains, the size and nature of a company’s business operations, and the types of risks a company faces. A number of federal and state laws require companies to actively protect the data they maintain, and the FTC is increasingly bringing enforcement actions against companies for their failure to do so.

Maintaining adequate security for consumer data helps companies avoid potential lawsuits and FTC enforcement actions in the event of a breach, and mitigates other attendant consequences such as lost productivity and service interruptions. It also helps reduce the possibility that the enormous costs of responding to a breach will be incurred. Symantec Corporation and the Ponemon Institute estimate that the average organizational cost of a data breach in 2010 was $7.2 million and cost companies an average of $214 per compromised record.

To prevent security breaches, data loss, and other headaches, companies can proactively assess their baseline security measures. Again, a company’s thorough understanding of its business model is key in identifying potential protection gaps. Entrepreneurs and established market players alike would be wise to inventory their information assets, and understand where those assets are stored and how they’re accessed. Start-up companies can attempt to forecast their need for antivirus software, firewalls, virtual private networks (VPNs), and intrusion prevention mechanisms to protect their information assets in the face of internal and external risks. The FTC advises companies to use privacy-enhancing technologies such as identity management, data tagging tools, and Transport Layer Security/Secure Sockets Layer (“TLS/SSL”) or other encryption technologies, particularly if a company is handling sensitive consumer data. Start-ups may want to consider their plans for growth and assess whether their network security measures will be able to accommodate increased network traffic or advanced applications without disrupting service.

Data Accuracy. Privacy by design emphasizes that companies should strive to collect accurate consumer data, and that companies ought to implement mechanisms so that consumers can correct the information that companies collect about them, particularly when sensitive data is involved. Kerry and McCain’s "Commercial Privacy Bill of Rights" would require companies that collect data to provide individuals either the ability to access and correct their information, or to request cessation of its use and distribution. Regardless of whether such a requirement is codified, companies - particularly start-ups – may want to anticipate and plan for data correction procedures as well as any attendant costs.

Data Retention and Disposal. Companies can retain data for increasingly long periods of time due to the dramatically decreasing cost of data storage. A concern shared by the FTC and privacy advocates is that companies that retain data for long periods of time invent new, secondary uses for the data that consumers didn’t anticipate when they provided the data in the first place. To promote transparency and consumer notice, companies are encouraged to retain consumer data for only as long as they have a specific business need to do so. Companies are also encouraged to safely dispose of data no longer being used to further a specific business need. The "Do-Not-Track Online Act of 2011" would require online companies to destroy or anonymize personal information after it's no longer needed. We have already seen the concept of limited data retention becoming a regulatory principle in the European Union.

Conclusion

As consumers express an increased demand for privacy protections, entrepreneurs should ask themselves if their products and services provide consumers with notice and choice as to how their data is collected and handled, and tailor their business practices accordingly. Companies are wise to understand their business model and the market in order to tailor their products and services accordingly.

Consumer outcry has caused companies such as Google and Facebook to retroactively change their privacy practices – a process than can be costly with unnecessary attendant negative publicity. Anticipating and preventing privacy violations before they happen mitigates the risk such invasions will occur as well as the costs of remediation. This means having a thorough understanding of the privacy legal risk environment. Doing so is difficult as the environment is in upheaval, therefore companies would be wise to seek professional advice to navigate the legal and regulatory landscape at both the state and federal level.

A start-up company has the advantage of being able to develop and implement a privacy program early, and bake privacy into the design of their products and services, thereby ensuring that these substantive privacy protections become a foundational part of its business model. Employees can be trained early regarding the need for privacy and network security, which helps foster a consumer-protective enterprise culture. Privacy by design makes privacy an essential component of the core product or service a company delivers. Spotting privacy issues and addressing concerns before launch aligns products and services with consumer expectations and can save everyone – entrepreneurs and VCs alike – from future headaches.

Standing under Article III

The Court first explored whether the plaintiff failed to allege an "injury in fact" for purposes of Article III standing.  To support the injury in fact argument (as well as their arguments for harm under various legal claims), the plaintiff offered the following argument (as summarized by the Court):

Plaintiff generally alleges that defendant’s customers, including plaintiff, “pay” for the products and services they “buy” from defendant by providing their PII, and that the PII constitutes valuable property that is exchanged not only for defendant’s products and services, but also in exchange for defendant’s promise to employ commercially reasonable methods to safeguard the PII that is exchanged.  As a result, defendant’s role in allegedly contributing to the breach of plaintiff’s PII caused plaintiff to lose the ‘value’ of their PII, in the form of their breached personal data.

Most regular readers of this blog will recognize that this argument for harm varies significantly from those used in the past that focused on items such as cost of credit monitoring, the costs of lost time and effort to monitor for identify theft and emotional distress.  Rather, under this theory, the focus is the implied quid pro quo that exists throughout the Internet when users access free content and services in exchange for access to personal information and the ability to advertise to individuals.  So what did the Court have to say about this?

On balance, the court declines to hold at this juncture that, as a matter of law, plaintiff has failed to allege an injury in fact sufficient to support Article III standing. Not only is there a paucity of controlling authority regarding the legal sufficiency of plaintiff’s damages theory, but the court also takes note that the context in which plaintiff’s theory arises – i.e., the unauthorized disclosure of personal information via the Internet – is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts. For that reason, and although the court has doubts about plaintiff’s ultimate ability to prove his damages theory in this case, the court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact. If it becomes apparent, through discovery, that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of personal information, the court will dismiss plaintiff’s claims for lack of standing at the dispositive motion stage.

The Court then turned to the issue of whether damages were properly alleged for the plaintiff's breach of contract and negligence-oriented claims.

Damages Alleged for Substantive Claims

In its motion to dismiss, the defendant argued that the plaintiff failed to allege damages for its breach of contract, breach of implied contract, negligence and negligence per se claims.  Specifically the defendant argued that dismissal was warranted as follows:

Specifically, defendant asserts that plaintiff has failed to allege that the value of his PII has diminished as a result of defendant’s actions, how the breach of his PII affects him, or any loss whatsoever.

The Court, however, disagreed.  It referred to the same reasoning it employed for the defendant's lack of standing argument:

For the reasons already noted at the outset, therefore, the court concludes that at the present pleading stage, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified “value” and/or property right inherent in the PII. As such, the court declines to dismiss plaintiff’s breach claims on grounds that plaintiff has failed to allege damages or harm as a matter of law.

As such, these four claims were allowed to proceed forward.

Implications

So what are the implications of the Court's decision?  One could argue that the decision signals a new willingness of courts (at least California Federal Northern District Courts) to allow for a more thorough judicial review of the claims alleged by data breach plaintiffs.  We saw a similar holding  in the Ruiz v. Gap case (also heard in the Northern District of California).  That said, like the Ruiz court, it appears that the RockYou Court has some doubts as to whether the plaintiff will be able to establish damages going forward:

For that reason, and although the court has doubts about plaintiff’s ultimate ability to prove his damages theory in this case, the court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact. If it becomes apparent, through discovery, that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of personal information, the court will dismiss plaintiff’s claims for lack of standing at the dispositive motion stage.

If the Northern District approach does represent a new approach ("As California Goes, So Goes the Nation") to analyzing these cases it could provide plaintiffs with additional litigation leverage.  The next bite at the apple for the defendants will likely be a motion for summary judgment after discovery has occurred (and most likely some expert testimony).  The risk of an adverse ruling on motion for summary judgment might induce settlement of some of these cases, which could attract more plaintiffs' lawyers to file data breach suits.

In this case the actual harm theory is also interesting, and if personal information is viewed as property having traditional monetary value, it could also increase litigation risk.  For example, if this theory is accepted by the Court, it could be used in cases involving data privacy.  Beyond litigation risk, treating personal information in the same manner as real property could significantly impact the current quid pro quo of the Internet, and how information is collected, used and transferred.  It will be interesting to follow this case through the next round of discovery and motion practice.  We will keep you informed.

As we move into 2011 it should be obvious that cloud computing is not a fad, but rather a computing model that is becoming ubiquitous. Cloud computing offers a slew of advantages including efficiency, instant scalability and cost effectiveness. However, these advantages must be balanced against the control organizations may lose over their information technology operations when they are reliant on a cloud provider to provide key processes (InfoLawGroup has written extensively on many of the legal challenges associated with cloud computing). The issues that arise out of this loss of control are apparent when considering data breach response and liability in the cloud.  When a cloud customer puts its sensitive data into the cloud it is completely reliant on the security and incident response processes of the cloud service provider in order to respond to a data breach. This situation poses many fundamental problems. 

You can read further about the data breach issues raised by Cloud computing, as well as ways to address these issues by visiting Hiscox's newsletter:  ENGLISH VERSION;  GERMAN VERSION;  SPANISH VERSION;  FRENCH VERSION.

UPDATE -- 022810:  Apparently there has been a committee vote on the Colorado bill that was split 5-5 along party lines.  As such, this bill will not move forward in this session.

Regulation is achieved via the “carrot” or the “stick” (and sometimes both). This is true in the information security context as well. For example, to incentivize encryption of personal information, breach notice laws use a stick: those that fail to encrypt may have to provide notice to affected individuals in the event of a security breach. In the credit card breach context, a Washington state law provides banks with a stick (e.g. the right to seek fraud and reissuance expenses from breached merchants), but also provides those merchants with a shield to block that stick (e.g. validation of PCI compliance blocks a bank’s ability to recover). In HB 11-1225, Colorado state legislator, Dan Pabon, apparently wants to give the carrot a chance. In the process, I am told that part of the goal is to make Colorado the “Delaware” of data storage. Here is how it works.

Immunity from Liability. Under HB 11-1225, if certain conditions are met (discussed below) a person or entity operating in Colorado that owns, licenses or maintains computerized data that includes “personal information” shall not be liable for civil damages resulting from a breach of data security due to its acts or omissions that are in good faith, and not grossly negligent or willful and wonton.  So essentially, this would provide immunity from negligence claims. In order to receive this protection, two conditions must be satisfied: (1) the breach must have been caused by an unauthorized third party, or an employee or agent acting outside the scope of his employment; and (2) the person or entity must have been certified by a “qualified information technology auditor or assessor” as having used “best practices of data security and meeting information technology standards” established by an authorized state entity.

Rebuttable Presumption of Non-Negligence. Even if a breached organization has not been certified as compliant with best practices/information technology standards, it can achieve certain protections under the bill. In court, an organization can establish a rebuttable presumption that it was not negligent if it can produce evidence that the organization implemented best practices and was compliant with technology security standards established pursuant to the bill.

Consumers’ Right to Petition Court for Subpoena. The bill provides persons whose personal information was compromised or who are victims of a computer crime, to seek a petition from a court impelling the breached organization or any third party to produce “any” information concerning the unauthorized access to personal information or the computer crime. This information may be obtained in order to facilitate the detection, apprehension and prosecution of the computer crime or breach.

Key Definitions. “Personal information” as defined under the bill is broader than definitions in most breach notice laws. One defined category of personal information is information that can be used, alone or in conjunction with any other information, to obtain cash, credit, property, services, or any other thing of value, or to make a financial payment, including personal identification number, credit card number, banking card number, checking account number, etc. Personal information is also defined as information that can be used, alone or in conjunction with other information, to identify a specific individual, including name, date of birth, social security number, government ID, passport number, etc.

In order to be a “qualified information technology auditor or assessor” one must be certified by a nationally recognized organization or association as having expertise in data security, and cannot have any convictions involving moral turpitude offenses. The bill indicates that the CIO of the State of Colorado is required to establish an entity to maintain a list of the nationally recognized IT associations that may certify a person’s qualifications in data security systems for purposes of the bill.

Establishing Best Practices and Information Technology Security Standards. One of the key challenges for implementing this HB 11-1225 (should it become law in its current form) is going to be the establishment of best practices and IT security standards. On this issue the bill requires the CIO of the State of Colorado to create an “entity” to establish these best practices and standards for commercial entities and persons that own, license or maintain computerized data that includes personal information. The bill does not provide additional guidance as to how those best practices shall be determined, or whether there will be one set of best practices that will apply to all entities (regardless of size, complexity or resources).

Analysis and Observations

Novel approaches to information security and privacy legislation are, of course, welcomed. The questions remain, however. Will it work? Will it pass? Unclear at this point. Below are a few observations pertaining to these questions.

• Does a duty exist to safeguard personal information under common law negligence principles? Surprisingly, at this point we have very little case law directly on point that delves into this issue. However, a recent Illinois appellate court recently ruled that a common law duty to safeguard personal information did not exist. In contrast, we are aware of cases that did find a duty to secure personal information, but both were in the banking context and were arguably based mainly on the expectations that arise in that context (e.g. banking customers are specifically providing their money to banks for safeguarding, among other reasons). If indeed, no case law establishing such a duty exists in Colorado, the question becomes whether the existence of a law providing immunity for negligence implies that the duty exists. Worse (from the company point of view), it is possible that the best practices established under the bill could end up establishing a standard of care, in and of themselves (where one may arguably not exist).

• Even if such a duty does exist, do the “good faith” and “gross negligence “exceptions” effectively eat the immunity? In the wake of a data breach where a plaintiff’s attorney has filed a lawsuit, you can bet that any and all potential theories of liability will be alleged. That of course may include allegations of gross negligence and “bad faith.” One of the benefits of HB 11-1225, assuming only a negligence claim is alleged, would be the ability of defendants to have lawsuits dismissed early, perhaps in a motion to dismiss or motion for summary judgment phase. However, if gross negligence, bad faith or other non-negligence claims are alleged, the plaintiff may have a better chance to get past early motions to dismiss. If that is the case, plaintiffs will still have litigation leverage (regardless of whether they have a truly winning case).  In fact, we are aware of one case in Federal court in Michigan that allowed a case to go to trial based on the issue of "good faith" behavior in the context of security. These “exceptions,” therefore, could undermine the effectiveness of the immunity granted in HB 11-1225. Of course, much more research is necessary to look into these issues.

• Is the jurisdictional scope of the immunity too narrow? At this stage in the game a large percentage of companies, big and small, conduct business with residents of more than one state (and in many cases all 50 states), and even with people residing outside of the United States. While HB 11-1225 may provide immunity from negligence claims for cases contained in Colorado, it may not help with lawsuits, for example, filed in other jurisdictions or Federal court where Colorado law is not the choice of law. So, if the goal of the law is to become the "Delaware of data storage", it may not be effective to shield companies that deal with personal information from non-Colorado states.  That all said,  there may be jurisdictional arguments that would preclude plaintiffs residing in other states from pursuing a company storing data in Colorado (although making and prevailing in such arguments in court can be an expensive process in and of itself). In addition, a choice of law provision in contracts with out-of-state counter parties might also do the trick to keep the immunity intact.

• Can the “entity” established by the State actually establish best practices that can work universally and result in good security? Legislating security controls is not an easy task. Two general approaches are used typically. One approach does not require specific controls, but rather mandates “reasonable” “adequate” “comprehensive” or “appropriate” security. The other method is more prescriptive in its approach, and seeks to require specific controls that certain entities must implement (e.g. Massachusett’s and Nevada’s personal information security laws). The risk of a prescriptive approach is the “check list” mentality whereby organizations simply address the specific requirements and don’t actually worry about truly securing themselves (this is a criticism of PCI, the ultimate prescriptive standard). However, even those taking a prescriptive approach may reference various risk factors that relate to the sensitivity of the data and the size, complexity and resources of the company trying to comply. The challenge for the entity developing these best practices is to provide enough clarity/certainty so companies have confidence that they are truly in the safe harbor, and yet to provide enough flexibility to allow companies of all shapes and sizes to get into the safe harbor in a relatively cost-efficient and realistic fashion. The failure to solve this problem could undermine the efficacy of the legislation if it is perceived to be unfair or discriminatory to small and medium-sized businesses who may have neither the expertise nor resources to implement a highly prescriptive set of controls.
   
• A Shift of Liability to the Auditors? On the one hand, this bill may serve as a business bonanza for IT security auditors who are called into validate compliance with the best practices laid out by the act. On the other hand, a mistake in validating the compliance of a company that suffers a breach could potentially lead to a lawsuit against not only the breached company, but the auditor as well. While a third party affected individual may have difficulty holding an IT security auditor liable without a contract, precedent may exist by analogy to accountants. Moreover, there is at least one known case (Merrick Bank v. Savvis) where an IT assessor (in this case a payment card security assessor) was sued by a party that allegedly relied on its compliance findings. So, from a “passability” point of view, does the IT security assessment community get on board or do they demand some of their own immunity in exchange for supporting this bill?

Conclusion

Overall, Representative Pabon’s bill represents a very interesting approach to data security regulation, and we applaud his efforts and creativity. There may be some hurdles to overcome to see this passed, and a vigorous debate on its mechanics is necessary. We will keep you up to date on its progress.
 

In Cooney, the main defendants were the Chicago Public Schools and its Board (“CPS”), and a printing and mailing company known as All Printing & Graphics, Inc. (“All Printing”). All Printing was retained by CPD to print, package and mail a COBRA Open Enrollment List to approximately 1,750 former CPS employees. Unfortunately each of the 1750 employees was sent a list containing the personal information of all the other 1749 former employees, including names, addresses, social security numbers, marital status, medical and dental insurers and health insurance plan information. CPS notified the employees of the breach and offered one year of free credit protection insurance. Several of the employees filed individual and class action lawsuits, which were consolidated at the trial court level. The complaints alleged several causes of action (including common law negligence), which were all dismissed by the lower court. The appellate court set out to determine whether the dismissal was in error, and ultimately held that it was proper. One of the appellate judges, however, dissented. The following is a summary of the court’s opinion for the main causes of action alleged.

Common Law Negligence

In addressing the plaintiffs’ common law negligence claim, the court laid out the traditional elements necessary to allege negligence, and first set out to determine whether CPH was under a duty to safeguard the plaintiffs’ personal information.

First, under Illinois law, a violation of a statue designed to protect human life and property may be used as prima facie evidence of negligence (e.g. it can be used to allege a “duty” for purposes of negligence, and a violation of that duty). In this case, the plaintiffs argued that HIPAA and Illinois' breach notice law (815 ILCS 530) created a duty for negligence purposes. The court, however, rejected both arguments.

On HIPAA the court indicated that 45 CFR § 160.103 excluded “employment records held by a covered entity in its role as employer” from HIPAA coverage. According to the reasoning of the majority, since the CPH "held" the plantiffs’ health insurance elections in its role as employer, the disclosure of such records was not a HIPAA violation.  Notably, however, the dissenting judge disagreed with this assessment. He indicated that the exception only applied to employment records actually “held” by the covered entity, as opposed to those disclosed (and therefore no longer held by CPH) to unauthorized third parties. In the dissent's view, then, the plaintiffs did properly plead a negligence claim based on allegations that HIPAA had been violated. If this is appealed to the Illinois Supreme Court this will likely be a key issue in the case.  One important item to note here is that it appears that both the majority and dissent agreed that a data security statute can be used to establish a duty for negligence purposes even if the underlying statute does not itself provide a private right of action.

The plaintiffs also claimed that Illinois' breach notice law was violated because a “breach of the security of the system data” had occurred as defined in that law. The court rejected this argument as well, noting that Illinois' breach notice law already provided a specific and exclusive remedy for a breach of security of the system data: notice to the data subjects (which was properly provided in this case).

Second, the court considered whether a "new" duty to safeguard personal information existed in general for negligence purposes (i.e. without having to rely on a specific statute). On this issue, the court rejected the plaintiffs’ argument that the sensitivity of personal information such as birth dates and social security numbers justified the recognition of a duty. Notably the court did not consider any “foreseeability” arguments or analyze whether a duty should have existed based on something like Judge Learned Hand's risk formula. Based on the foregoing, the court found that the lack of an alleged duty justified dismissal of the common law negligence claim against both CPH and All Printing.

IL Consumer Fraud and Deceptive Business Practices Act

Section 2QQ of Illinois Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505/1, et. seq.) prohibits a “person” from publicly posting or displaying an individual’s social security number. In this case the court held the CPH Board was a “body politic” and therefore not a “person” under the Act. In addition, while All Printing does qualify as a “person” covered under the Act, the plaintiffs failed to allege actual damages as required under the Act. Relying on the large body of case law on the damages issue, the Court specifically rejected plaintiffs’ contention that increased risk of identity theft, and costs to pay for credit monitoring, constitute actual damages.

Traditional Privacy Torts

The plaintiffs also alleged “intrusion upon seclusion” and “public disclosure of private facts.” In considering these theories the court indicated that both torts require disclosure of “private” matters or facts. The court held that the privacy element was not satisfied because no law existed in Illinois defining social security numbers as private information. In addition, names and dates of birth did not qualify as private facts because they are matters of public records. Finally, while Illinois law had defined social security numbers as “personal information,” the court held that personal information does not equate to “private” information. Private information, in the court’s view, means private facts that are facially embarrassing and highly offensive, if disclosed.  As such, the court ruled that these claims were properly dismissed by the trial court.

Other Miscellaneous Causes of Action

The appellate court, sometimes in a very cursory fashion, affirmed the dismissal of other causes of action the plaintiffs attempted to allege, including:

• Negligent infliction of emotional distress (dismissed because traditional negligence elements had not been alleged, as required)

• Breach of fiduciary duty (dismissed because no authority found to indicate that a fiduciary duty exists based on the plaintiffs providing their personal information “in confidence” to the CPS)

• HIPAA violations (dismissed because the plaintiffs did not allege that they had been deprived of a constitutionally protected right caused by a “municipal policy”; and because HIPAA does not provide a private right of action against non-state actors like All Printing)

• 4th Amendment privacy violation (dismissed because the plaintiffs failed to properly raise the issue before the trial court)

Conclusion

This case is very interesting because it is one of the first (if not the first) to squarely rule on whether a common law duty exists to safeguard personal data. It will be very interesting to see if this case is appealed to the Illinois Supreme Court. Based on the strong dissent it appears as if the majority opinion may be at risk for an overturn. What is somewhat disappointing, however, is the lack of deep analysis by the appellate court (especially on the issue of whether a common law negligence duty existed). It may be that key issues were not raised or briefed by the plaintiffs, but it would have been nice to see a full-throated analysis of "law school 101" issues like foreseeability, reasonableness and risk reduction. InfoLawGroup will try to get a hold of the appellate briefs and other underlying documents to see if they provide additional insight as to how the court reached its decisions (and we will post them here once we have them).  We look forward to your thoughts, comments and questions on this case.
 

However, while all the headline grabbing stories were catching the eyes of the average “American Joe,” an excellent series by the Wall Street Journal (“What They Know”; Pulitzer possibilities?) has ended up rocking the privacy legal liability landscape for 2011. While we can argue cause and effect all day long, it appears that the WSJ series has caught the eye of one important group in the American legal world: the plaintiffs' bar.

While we were all thinking about Halloween and Thanksgiving, and trying to avoid the crush of Hanukah, Christmas and New Years, several privacy lawsuits were filed against online behavioral tracking companies and some of their clients. In my view these lawsuits and the activity that arises out of them (regulatory, settlements, judgments and otherwise) will be one of the big data security and privacy stories of 2011.

These cases have the potential to change the privacy and security game in ways that are difficult to anticipate. Could they be the “tipping point” leading to new state or federal regulations? Might they result in a “break-through” case that leads to a flood of litigation? Will they impact the way companies handle personal information and do business? Will consumers think of their privacy in a different light if these suits are frequent or successful?

What follows is a very brief listing of some the key lawsuits from 2010 that InfoLawGroup is aware of and tracking.  There may be more that are not on the list (such is pace of change in this space) and if you know of others, please send them to me so I can list them here to serve as a resource for the larger privacy community.  Over the course of 2011 (and beyond) InfoLawGroup will be taking a deeper look at these cases and providing updates as they progress through motion practice, trial and settlement.

01.21.11, 02.08.11 & 03.11.11 UPDATE BELOW (Search for dates to find updates)

HTML5 mobile online tracking lawsuit. A class action lawsuit was filed against Ringleader Digital alleging privacy violations arising out of its use of HTML5’s client-side database storage capabilities to track users of mobile devices as they surfed the Internet. Similar to the flash cookie lawsuits, plaintiffs allege that the HTML5 tracking capabilities returned even if users were able to delete the HTML5 database engaged in the tracking. A copy of the complaint can be found HERE. It alleges a series of data privacy and security violations, including (among others) violations of CFAA and various California laws.

History sniffing online tracking lawsuit. In two separate lawsuits an online advertising company (Interclick) and a pornography website (YouPorn) were sued for engaging in a practice known as “history sniffing.” History sniffing involves obtaining data about a user’s web surfing by secretly accessing the web history data stored by most commonly used browsers. This browsing history data is then used to create profiles about the user’s online behavior and visits to websites across the Internet. The complaint against Interclick can be found HERE. The compliant alleges (among others) violations of the CFAA, ECPA, violations of various New York laws and trespass to chattels.

Deep packet inspection online tracking lawsuit. In December 2010 a Federal District Court in Montana refused to dismiss the CFAA claim against an ISP that had allowed an advertising company to engage in “deep packet inspection.” EPIC describes deep packet inspection in relevant part as follows:

Deep packet inspection is a computer network packet filtering technique that involves the inspection of the contents of packets as they are transmitted across the network. . . Deep Packet Inspection can be used to determine the contents of all unencrypted data transferred over a network. Since most Internet traffic is unencrypted, DPI enables Internet Service Providers to intercept virtually all of their customers' Internet activity, including web surfing data, email, and peer-to-peer downloads.

A copy of the court’s order denying in part and granting in part, the defendant’s motion to dismiss, can be found HERE.

Data aggregation and social media/application privacy lawsuits. Social media giant Facebook, social media application designers (such as Zynga), and a data broker (Rapleaf) were sued for their handling of personal information obtained from Facebook users. The plaintiffs allege that the defendants impermissibly shared the personal information of Facebook users with advertisers and marketing companies, including unique Facebook ID numbers that could be combined with other information to create user profiles. The complaint can be found HERE. It alleges (among others) violations of ECPA, the Stored Communications Act, and various California laws, and breach of contract. 03.11.11 UPDATE: class action filed against Netflix in California.

Apple iPhone/iPad Privacy Lawsuit. Apple was sued in the waning days of 2010 for allegedly allowing application makers for its popular iPad and iPhone to obtain and transmit personal information about users' activities. The complaint alleges that Apple’s iPad and iPhone are encoded with identifying devices that allow advertising networks to track applications users download, monitor their use and sell personal information of users. Also named are several application providers that allegedly provided their users’ personal information to advertisers. A copy of the compliant can be found HERE. It too alleges (among others) violations of the CFAA, ECPA and various California laws. Some believe that claims set forth in this lawsuit could impact Google in the future. 02.08.11 UPDATE:  Another class action filed against Apple in California.

01.21.11 UPDATE -- Canadian Class Action Against Google

We have identified a rare beast indeed:  a Canadian class action privacy lawsuit against Google (arising out of Google Buzz).  More HERE.  Will try to get the pleadings... stay tuned.

Conclusion

Based on the foregoing it should be apparent that there has been a significant increase in the volume of privacy lawsuits recently filed and being litigated. In addition, with significant settlements on the books (e.g. Google Buzz for $8.5 million; Facebook Beacon for $9.5 million; Quantcast for $2.4 million) it is likely that privacy-related lawsuits will become more attractive to the plaintiffs' bar.

It also should be noted that many/most of the lawsuits cited above involve online behavioral tracking. Moreover, not only are the social media companies and advertising networks being sued, “brand name” organizations are being brought into these suits if they participated in an advertising network or used a behavioral advertising services.  Based on these suits, it appears that privacy-related legal risk and liability potential is at a cross-road, and will likely increase going forward (at least in terms of litigation costs and settlements, and perhaps someday in the form of judgments and adverse case law).

Action Item.  At this stage companies that handle personal information, especially those that provide online behavioral advertising services, and those that purchase such services or participate in behavioral advertising, should consider an audit and risk assessment of their policies, processes and activities in order to reduce privacy-related legal risks. In fact, it is likely that some companies are not even aware that they are participating in online advertising networks that track users, or if they are aware they may not understand how their providers collect and use personal information. Preparation on privacy and security issues ahead of time is key in order to reduce risk and increase the likelihood of a favorable outcome should an organization find itself in a lawsuit.  Moreover, if a lawsuit arises, understanding the substantive privacy issues that it raises is crucial.  Again, we have blinked, and the privacy and security legal landscape looks very different.
 

Scraping raises a multitude of legal issues, including issues related to privacy and security, intellectual property, and laws concerning unauthorized access to computers and trespass to chattels (in fact, the overlapping issues raised by scraping represent a very good example of what we call “information law”). As such, a website being scraped may disapprove of such activity and may pursue legal action against companies that engage in scraping. Many companies would rather avoid lawsuits and attempt to stop scraping from occurring in the first instance. This can be achieved by implementing technologies such as CAPTCHA (which are becoming ubiquitous) that are intended to ensure that a human is entering the website rather than a computer software program or bot. If technologies like CAPTCHA are evaded by scrapers, some websites owners might pursue an action under the anti-circumvention provisions of the Digital Millennium Copyright Act (the “DMCA”). The DMCA provides for potential statutory penalties and even criminal sanctions for violations of its anti-circumvention provisions. This post explores how the DMCA might be used in this context and looks at some cases addressing whether circumvention of CAPTCHA (and similar protocols) might result in violation of, and liability under, the DMCA.

One method for preventing scraping software from being able to access information on a website is to use a challenge response test – a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated. CAPTCHA is one such protocol (it stands for “"Completely Automated Public Turing test to tell Computers and Humans Apart."). In short, when a person or computer program attempts to log into a website, the website will ask for login credentials as well as requiring the person or computer to complete a CAPTCHA test. Typically the CAPTCHA requires the person or computer to re-type a series of letters, symbols and/or numbers that are printed in barely legible font. The theory being that a computer program would not be able to discern the text, while a human could (even if it takes multiple attempts, and even if the person is required to listen to audio of the text read aloud in order to understand it). The end result would be humans in, computers out. Of course those that desire to get into these websites using computer programs might be able to design such programs in a manner that evades or defeats the CAPTCHA protocol. This type of activity has actually resulted in a couple lawsuits alleging DMCA violations (among others).

DMCA Anti-Circumvention Provisions

The DMCA anti-circumvention provisions prohibit persons and entities from circumventing the technological measures that effectively control access to a copyrighted work (in this case the copyrighted work on a website). Under the DMCA, “circumvent a technological measure” is defined as efforts to “descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.” A technological measure “effectively controls access to a work” if the measure, “in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.” The DMCA provides a private right of action for actual damages, as well as statutory damages in the sum of not less than $200 or more than $2,500 per act of circumvention, device, product, component, offer, or performance of service, as the court considers just. In addition, a willful violation of these provisions for purposes of commercial advantage or private financial gain could result in criminal penalties ($500,000 to $1,000,000 per offense) and jail time (up to ten years).

Relevant Caselaw

There are two main cases that look at this issue, the most recent of which was decided in March 2010 (see Craigslist, Inc. v. Naturemarket, Inc., 694 F. Supp. 2d 1039 (N.D. Cal. 2010); Ticketmaster L.L.C. v. RMG Technologies, Inc., 507 F. Supp. 2d 1096 (C.D. Cal. 2007)).

In the Ticketmaster case, Ticketmaster sought a premlinary injunction against RMG, and one of the causes of action alleged was a violation of the DMCA’s anti-circumvention provisions. RMG allegedly had developed a software program that allowed its customers to evade Ticketmaster’s CAPTCHA system in order to allow for the automated mass purchase of tickets. In granting Ticketmaster’s preliminary injunction, the court considered whether CAPTCHA constituted a “technological measure” (a term not defined under the DMCA):

First, the Court notes that the DMCA does not equate its use of the term "technological measure" with Defendant's terms "system" or "program." In any case, Plaintiff has submitted evidence that CAPTCHA is a technological measure that regulates access to a copyrighted work. Although the DMCA does not appear to include a definition of the term, it states that "a technological measure `effectively controls access to a work' if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work." When the user makes a ticket request on ticketmaster.com, CAPTCHA presents "a box with stylized random characters partially obscured behind hash marks." The user is required to type the characters into an entry on the screen in order to proceed with the request."  Most automated devices cannot decipher and type the random characters and thus cannot proceed to the copyrighted ticket purchase pages. Thus, because CAPTCHA "in the ordinary course of its operation, requires the application of information . . . to gain access to the work," it is a technological measure that regulates access to a copyrighted work. Plaintiff is therefore likely to prevail on its DMCA § 1201(a)(2) claim.

The fact pattern in the Craigslist case was similar to Ticketmaster (and indeed relied in part on the reasoning in Ticketmaster). This case, however, came up in the context of a default judgment so its precedential value may be limited. Nonetheless, the court did look at whether Craigslist stated a proper DMCA anti-circumvention claim related to evasion of the CAPTCHA process used by Craigslilst. In this case the defendants provided their clients with a software service known as "CraigsList AutoPoster Professional" which included an automatic CAPTCHA bypass feature that allowed the defendant and its customers to circumvent Craigslist’s CAPCHA security measures. In holding that Craigslist stated a valid cause of action under the DMCA, the court indicated the following:

Plaintiff owns valid copyrights in its website and the content within. This content is protected by Plaintiffs CAPTCHA software and telephone verification, both of which were circumvented by Defendants. Plaintiff has alleged that Defendants' AutoPoster Professional software, pre-verified craigslist accounts, and CAPTCHA credits each circumvent these security measures and provide unauthorized access to Plaintiffs copyrighted material. Defendants' products and services were designed primarily for the purpose of circumventing Plaintiffs CAPTCHA and telephone verification measures. Defendants thus enabled unauthorized access to and copies of copyright-protected portions of Plaintiffs website controlled by these measures—particularly the ad posting and account creation portions of the website. As such, Defendants' manufacture, marketing, and distribution of their software provided third parties unauthorized access to Plaintiffs copyrighted material. Taken together, the undersigned finds that Plaintiff has sufficiently stated a claim for violation of Section 1201(a)(2) of the DMCA. Further, because the CAPTCHA Plaintiff employs also protects Plaintiffs rights in its website—a protected work—Plaintiff has also sufficiently stated a claim under Section 1201(b)(1).

Note that both the Ticketmaster and Craigslist case were against a company creating anti-circumvention software for use by others, and do not address the direct violation that could exist for an entity actually using the software. Note also that neither decision amounts to a final judgment on the merits of whether evading CAPTCHA is a DMCA violation. Nonetheless, it does follow that if a software program that evades CAPTCHA could constitute a violation of the DMCA’s anti-trafficking provisions, it is also likely that use of that software to evade CAPTCHA could be a violation of DMCA section 1201(a) (or at least it may be a valid allegation of such a violation).

Conclusion

So what does this all mean for companies engaged in scraping or desiring to engage in scraping (or having somebody else do it on their behalf). Be careful, especially where the scraping requires the circumvention or evasion of technological measures preventing access to the website’s copyrighted works. While we are still far from answering the ultimate question as to whether evading CAPTCHA is a violation of the DMCA, the risk inherent in the DMCA per violation statutory damages could be high (not mention the risk of criminal action). There is a potential multiplier effect because each circumvention of CAPTCHA could be a violation, and if this is being done automatically all the time those actions could be very numerous. Companies that are considering engaging in these activities need to look very closely at how the scraping will be done and whether technological measures need to be circumvented in order to get the data at issue. If using a third party they should inquire as to their practices in order to assess this risk (as there may be vicarious liability theories that could attach). Note, this blogpost does not even address other key issues like copyright infringement, potential computer fraud and abuse claims (e.g. under the Computer Fraud and Abuse Act), and others. Those issues so should also be analyzed and taken into account before engaging in these activities.

During the course of our work, especially on the customer side, we have seen certain “roadblocks” consistently appear which make it very difficult for organizations to analyze and understand the legal risks associated with Cloud computing. In some instances this can result in a willing customer walking away from a deal. Talking through some of these issues, InfoLawGroup thought it would be a good idea to create a very basic “Bill of Rights” to serve as the foundation of a cloud relationship, allow for more transparency and enable a better understanding of potential legal risks associated with the cloud.

Just a pre-emptive comment: while we use the strong term “rights,” we know that cloud arrangements vary and that every transaction has its own issues and circumstances that impact the nature and scope of a negotiation. Moreover, as with the real Bill of Rights, we realize that none of these rights are absolute and may appropriately be subject to reasonable limitations in certain contexts. This document should be viewed less as a universal mandate, and more as a tool for cloud customers and providers to engage in spirited debate about the issues addressed in this Bill of Rights.

The Bill of Rights is set forth below with annotations. In addition, you can download an un-annotated version here, and we have even provided a pocket-sized version that can be easily accessed by those who are actively engaged in vetting cloud deals (however, you may need to keep a magnifying glass in your other pocket in order to read this version).   This is a work in a progress and we invite you to submit your ideas on additional “rights” that we should include as well as any comments and criticisms on the current listing.

The following provisions (explained in more detail below) make up the Cloud Customer’s Bill of Rights:

Article I – Data Location Transparency

Cloud service providers shall reveal the physical location of the servers that will be processing their cloud customers’ data, and shall provide reasonable advance notice if those physical locations change; cloud service providers shall coordinate with their customers to assure compliance with local laws and any applicable restrictions on the transfer of certain categories of data from one jurisdiction to another.

Comments: The bottom line for this right is that in this day and age, for better or worse, the nature of the data and the physical location of its processing dictate legal obligations of cloud customers. Transborder data flow issues are not new, but they are magnified in the cloud context where the free flow of data across borders may be the norm (and this free flow will only increase as the “Intercloud” arises and data processing begins to behave more like electricity).

The classic example is the EU Data Protection Directive. A company that moves data made up of personal information of EU residents outside of the EU to certain countries (like the U.S.) risks a violation of EU law. In addition, the recent privacy law passed by the Canadian province of Alberta prohibits the transfer of Canadian personal information outside of Canada without providing certain notices to the data subject. Another example is the desire for some entities to avoid having their data processed on U.S. soil because of the USA Patriot Act. The processing of data in an unexpected country might also generally implicate jurisdictional issues over a particular cloud customer. Finally, in another twist, having to disclose certain data that is subject to a discovery request could run afoul of privacy laws in certain jurisdictions -- forcing the cloud customer to choose between violating the law and losing their lawsuit if they don't produce the evidence.

Cloud service providers that fail or refuse to reveal where their customers’ data is being processed risk exposing their customers to significant regulatory and legal risk. Unfortunately there are some providers that simply to refuse to provide this information (either because they don’t want to, or perhaps because they don’t know or can’t keep track of where data is being processed). Other cloud providers are more sensitive to this issue and will actually contractually agree that their customers’ data will be processed only in certain countries or locations. Nonetheless, for cloud customers to truly understand the legal risk of the Cloud, they need this information.

Article II -- Security Transparency

Cloud service providers shall provide full information and access to documentation concerning their security policies and measures, including the ability for cloud customers to conduct periodic security assessments and obtain relevant security-related information and documents from the service provider; this information and documentation should address data integrity and availability as well as the confidentiality of customer data.

Comments: Cloud customers may be ultimately liable for security breaches suffered by their cloud service providers. Moreover, cloud customers may have legal obligations to maintain certain security measures. These obligations do not disappear just because a customer’s data is being processed by a cloud service provider. Yet, in many cloud transactions, getting good information about security can be very difficult. While many cloud service providers are willing to provide SAS70 reports, if not tied to established data security standards such as ISO 27002, these reports may provide only a limited picture of security (and often the picture limited to that which the provider desires to reveal). Unless the cloud customer is a large entity (and even then), most cloud providers will not allow for an independent security assessment by the customer. Moreover, in long term relationships, a cloud provider’s security stance may change. Even if in-depth information is provided at the outset of a cloud relationship, if security is not allowed to be revisited, cloud customers may be at risk. Similar to the data location issue, this can result in very unpleasant surprises in the form of security breaches, lawsuits and regulatory actions. As such, from the cloud customer point of view, transparency around a cloud provider’s security is of paramount importance.

Article III -- Subcontractor Transparency

Cloud service providers shall provide cloud customers with notice as to which third parties will have the ability to access customer’s data and for what purposes, including subcontractors, subcontractors of subcontractors and so on.

Comments: It is not an uncommon for cloud customers to discover that the cloud service provider with whom they are entering into an agreement is not the sole entity that will be processing their data. The classic example is a SaaS running on a third party cloud. These relationships may be more attenuated than meets the eye as there may be third and fourth levels of cloud providers processing customer data, and the cloud customer may have no idea who is actually handling their data. Even if a cloud provider has revealed its subcontractors at the outset, it is not unusual for a cloud provider to switch subcontractors in the middle of a contract term. From the cloud customer’s point of view it is important to know exactly who will have access to its data, and whether those entities pose additional risk. Unfortunately, these subcontracting relationships may not be revealed up front by cloud providers, and are even less likely to revealed in the middle of a cloud relationship. Rather, many cloud contracts contain clauses that provide the service provider with the right to use third parties, or are silent on the issue. As such, some cloud customers may want to impose certain contract conditions to govern the use of subcontractors.

Article IV -- Subcontractor Due Diligence and Contractual Obligations

Cloud service providers shall conduct reasonable due diligence and security assessments of subcontractors or other third parties that will have access to customers’ data or systems, and shall enter into contracts with such third parties that hold those third parties to substantially similar obligations as in their cloud agreements with their customers; cloud service providers shall manage and similarly limit the ability of their subcontractors to utilize other subcontractors.

Comments: As a corollary to Article III above, to the extent that cloud providers do utilize subcontractors to process their customers’ information, a proper vetting of those subcontractors is appropriate, as well as certain contractual obligations. The providers’ due diligence should include not only data security and privacy assessments of their subcontractors, but also more generally ensuring that their subcontractors are capable of carrying out the promises made by the cloud providers to their customers. This due diligence should be buttressed by contractual obligations imposed on subcontractors that match those made by the cloud provider to its customers. Finally, both for their own protection and the protection of their customers, cloud providers need to worry about and limit their subcontractors’ ability to use subcontractors further down the line.

Article V – Customer Data Ownership and Use Limited to Services

Cloud customers shall have the right to solely “own” the data they put into a cloud service provider’s cloud, and cloud service providers shall use their customers’ information solely for the purposes of providing services to the customer, unless otherwise explicitly agreed.

Comments: Certain types of data flowing through cloud providers’ systems is extremely valuable (e.g. personal information of users) and there may be some temptation to use or exploit this data (or perhaps it is part of their business plan). Customers will expect that their cloud providers acknowledge that the customers are the sole owners of that data relative to the providers, and that the data should only be used to provide services to the cloud customer. In fact, this was one of the key requirements of the City of Los Angeles when it agreed to use Google cloud services. If service providers are going to use data beyond the purpose of providing services, prior notice to their customers should be provided. Service providers that do use their customers' data beyond primary purposes risk hurting their customers’ relationships with their clients and customers, and risk rendering their customers in violation of their privacy policies or data privacy laws.

Article VI – Response to Legal Process

Cloud service providers shall provide notice (within hours, not days) of the service of any subpoena or other legal process seeking their customers’ data, and shall assist and cooperate with their customers in responding to such legal process.

Comments: The ability of a cloud customer to understand when the government is seeking their data is crucial for managing legal risk. If a cloud service provider sits on a subpoena or other legal process it could harm the target customer, and hamper its ability to adequately respond to such a request and develop legal positions. Cloud service providers should develop a process for promptly dealing with these requests and providing notice to their customers. In the cloud context, with data potentially distributed across multiple geographically distant data centers, developing an efficient process and information flow may be challenging.

Article VII -- Data Retention and Access

Cloud service providers shall reveal their data search, retention and destruction practices to their cloud customers; and shall develop and enable data search, retention and destruction capabilities in order to allow their customers to implement their own data retention programs, efficiently effectuate litigation holds, and locate, collect and preserve relevant data, including metadata; cloud service providers shall build in processes and controls that allow for the efficient authentication of data (e.g. accurate time-stamping; metadata; chain-of-custody indicators, etc.).

Comments: Most sophisticated organizations have data retention policies and procedures in place for executing a litigation hold and preserving data. Implementing these policies and procedures internally can be a challenge, and that challenge is magnified significantly in a cloud environments where the customer must rely on a third party, the flow of data is very fluid, and data may be intertwined with the data of multiple cloud customers.  In an environment where proper eDiscovery and electronic evidence practices can make or break a lawsuit, the search, retention and preservation capabilities of a cloud provider are very important. Cloud customers will be seeking to ensure their own internal policies can be followed in their cloud provider’s environment.  On the front end,  this requires transparency and the availability of technologies that enable the efficient identification, collection and preservation of data. On the back-end, service providers will be expected to cooperate with and assist their customers with obtaining electronic evidence and responding to electronic discovery requests. As discussed with respect to Article VIII, this may be tricky in the cloud context, especially when it comes to a cloud customer's desire for an independent forensic investigation.

Article VIII -- Incident Response

In the event a cloud provider suffers a security breach, Cloud providers shall provide prompt notice of the security breach to their affected cloud customers, shall coordinate, cooperate and assist their customers with the investigation, containment and mitigation of the breach, and shall allow their cloud customers to conduct their own forensic assessment and investigation of the security breach.

Comments: Similar to issues around litigation holds and data preservation, cooperation and coordination is crucial when a cloud service provider suffers a security breach. Again, it is the service provider’s customers whose business will suffer due to a breach, especially if procedures are not in place for the containment and mitigation of a breach. This again requires service providers to provide transparency as to their internal incident response processes so that cloud customers can ensure that their own internal incident response policies match up. Also of significance is the ability of cloud customers to access their service provider’s facilities and systems in order to conduct their own forensic security assessment. This is important not only for data preservation, but also for substantive defense issues. Cloud customers need to be able to conduct such assessments to determine what went wrong, whether any laws may have been violated, the defenses that may be available to the company, and who was responsible for the breach. On the latter question, in some cases it may be the service provider who was at fault, which makes getting access an interesting proposition. Moreover, the multi-tenancy nature of cloud computing also poses challenges: some cloud providers claim that independent forensic assessment is not possible because it could expose the data of the provider’s other customers and potentially result in a violation of a non-disclosure agreement. Needless to say this is a very trick issue.

Article IX – Indemnification and Limits of Liability

Cloud service providers shall engage their customers in meaningful discussions and negotiations around indemnification and limitations of liability arising of security breaches, including consideration of exceptions to limits of liability for security breaches suffered by the cloud service providers.

Comments: The reality on this “right” is that for “commoditized” cloud service arrangements there will often be no or very limited negotiation on terms (terms will often be reduced to clicking “I agree” on a website). However, in other cloud service transactions, where the parties are on more equal ground in terms of bargaining power, these terms are and should be up for negotiation and debate.

From the customer perspective, it is ceding control of some of its most precious assets: its ability to provide its goods or services, and its data. When a customer suffers a breach internally its incentives are to mitigate the breach and potential adverse consequences to the organization. In the cloud context the service provider’s interests may not be aligned with those goals (in fact, to the extent the service provider was at fault, its interests may run counter to its customers'). Service providers, may choose to put their own considerations very high up. Also to the extent a breach involves multiple cloud customers, cloud service providers may also favor the interest of particular customers over others. This lack of control and reliance on the providers justifies serious consideration of indemnification clauses, consequential damages disclaimers and limitations of liabilities. In some cases, service providers may provide higher limits of liability (or even no limits of liability) for confidentiality breaches or security breaches.

This lawsuit arose of out of a data security breach that occurred between December 2007 and March 2008 that exposed up to 4.2 million payment cards of Hannaford customers. As you may recall this case was brought before the Maine Supreme Court after the U.S. District Court of Maine certified two questions of state law to the Maine Supreme Court. At the end of the day, however, the Supreme Court only considered the following question:

“In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?”

Ultimately the court answered this question in the negative.

The Court’s Rationale

The Supreme Court focused its decision on two particular classes of Hannaford plaintiffs: those that had never experienced a fraudulent charge on their payment card, and those that experienced a fraudulent charge that was reversed by their bank (and they were not responsible for any of the charge). The Court’s focus was the time and effort allegedly expended by these plaintiffs to protect themselves against fraud and identity theft.

In its holding the Supreme Court characterized time and effort in this context as “typical annoyances or inconveniences that are a part of everyday life.” It also proclaimed that an individual’s time alone is not protected by tort law, and that loss of time is a cognizable harm only if its related to loss of earning capacity or wages. In addition, loss of time might also be a cognizable harm if it could be assigned a value reflecting from loss of earning opportunities resulting from personal injury or property damage.

Significantly, the Supreme Court did recognize that loss of time without a corresponding personal or property damage is compensable for certain torts, including: nuisance; false imprisonment and abuse of process. The Court unfortunately, did not explain why loss of time is a proper damage element for these torts, but not for a negligence or breach of contract claim.

It also recognized that under the doctrine of mitigation of damages, plaintiffs may recover for costs and harms incurred during a reasonable effort to mitigate harm. Nonetheless, if such mitigation only amounts to an inconvenience or annoyance, the Court held it did not amount to a legal injury.

In addition, the court analyzed cases put forth by the plaintiffs that appeared to allow recovery for loss of time (some of which date back to the 1800s). The court distinguished those cases because many of them involved at least one intentional tort. The court indicated that “because liability is often more extensive in cases of intentional torts than those in negligence, intentional tort cases recognizing recovery for time and effort have little bearing on our analysis.” It also discounted other cases finding time of loss harm because those cases failed to demonstrate how those damages were being measured.

Analysis

The final decision of the Maine Supreme Court in this case was not surprising in light of the multitude of caselaw rejecting the existence of legally cognizable harm in the security breach context. However, the caselaw used by the plaintiffs and the court’s reasoning in rejecting those cases was interesting.

In essence the court used a contextual argument to reject loss of time as a harm element in the data breach context. For some types of torts loss of time is a recognized damage, but for reasons that the Court did not fully explain, such loss of time in the negligent security breach context only amounted to “typical annoyances or inconveniences that are a part of everyday life.” It is unclear, for example, why being falsely imprisoned for several hours in the back of a store (e.g. wrongly accused of shoplifting) constitutes damages, but taking several hours to engage in credit monitoring, calling various banks and otherwise dealing with a data security breach does not constitute damages. Same holds true for intentional torts where loss of time was recognized as damages. The question is how does (or why does) the nature of the tort change the nature of the damages element (in this case loss of harm)? It seems from a consistency standpoint, one could argue that harm is harm is harm regardless of how that harm was made to occur.  It would have been nice to see the Court flesh this holding out more.

The Court also fumbled to some degree when it appeared to require some ability to measure the loss of time damages against earning capacity or wages. If loss of wages due to loss of time is a cognizable injury, this would seem to open the door to plaintiffs alleging that they were required to take time off of work or use a vacation day to deal with a payment card security breach. However, in cases where earning capacity is referenced, there is typically a corresponding personal injury that undermined that capacity. In other words, the cognizable harm is the personal injury and the loss of earning capacity is a method for measuring that harm. Without the personal injury, there would not appear to be a cognizable harm.  While the reasoning was ultimately correct, the court should have been more careful when it described loss of time has a cognizable harm in and of itself in the personal injury context.

Conclusion

Regardless of the potential flaws in this decision, we are talking about one of the highest courts in the land, and this decision adds another significant court to those that fail to recognize damages in a data breach lawsuit. At this point, it is unclear whether the plaintiffs’ bar will ever achieve a victory on this issue.
 

We previously reported on the lawsuit filed by Experi-Metal, Inc. (“EMI”) and the subsequent motion for summary judgment (and briefs) filed by Comerica Bank to have the case dismissed. As reported in July, the U.S. District Court for the Eastern District of Michigan has issued a ruling on Comerica’s motion for summary judgment. To make a long story short, the Court denied Comerica’s motion and this case appears headed toward trial (or potentially appeal or settlement). Ironically, in the course of its ruling the Court found that Comerica had utilized commercially reasonable security procedures. However, that ruling had more to do with the language in Comerica’s contracts than an actual substantive analysis of Comerica’s security procedures. In this blogpost, we take a closer look at the Court’s ruling.

To prevail in a motion for summary judgment (“MSJ”), the movant (Comerica) has the burden of establishing “the absence of a genuine issue of material fact.” If Comerica can meet this burden, the non-movant (EMI) can still defeat the MSJ if it is able to come forward with facts showing that a genuine issue of fact exists for trial. Overall, the court must accept EMI’s evidence as true and draw all justifiable inferences in EMI’s favor. It is under this standard that the court reviewed the available evidence and relevant law, and ultimately denied the MSJ.

Relevant Facts

As set forth in the various briefs filed by the parties, the factual scenario around the online banking breach was quite complex. The Court’s opinion actually cuts through (some might say ignores) this complexity.

Significantly, EMI had argued that Comerica actually provided EMI with two different services, but failed to implement a contract for the second “service.” The court did not buy this argument. While Comerica had changed the name of its online banking service, the Court found that it was still providing the same service to EMI. This finding is meaningful because if the name change had actually been a new service, EMI could have maintained that Comerica failed to comply with the contract requirements of Michigan’s version of UCC 4A-202 (sections MCLA 440.4702 and 440.4703 of Michigan’s Uniform Commercial Code). The end result of this finding was that EMI’s online banking and wire transfers in this case were governed by two agreements that Comerica entered into with EMI: the Treasury Management Services Agreement (for Comerica  NetVision Wire Transfer -- the "Services Agreement") and Comerica’s Treasury Management Services Master Agreement ("Master Agreement").

Another important fact in the Court’s view was the authority provided to EMI’s Controller (Keith Maslowski) for purposes of effectuating wire transfers. Maslowski was the person that actually provided the criminals with EMI’s online banking login credentials during a “phishing attack.” The Court held that contradictory evidence existed as to whether Maslowski was authorized to execute transfers through Comerica’s online banking service, and therefore a genuine issue of fact existed as to that authority. This factual discrepancy plays significantly into one of the legal elements Comerica needed to establish on this MSJ: whether Comerica followed agreed-upon security procedures (discussed further below).

The timing of the fraudulent wire transfers and communications between EMI was also an important factor in the Court’s ultimate decision. On January 22, 2009 (the day of the breach) 47 wire transfers were initiated using EMI’s account.  After noticing the wire transfer activity, at 12:05 that day, Comerica called EMI to inquire about the wire transfers. At that time EMI told Comerica that it had not authorized the 47 wire transfers, and informed Comerica that it should not honor the transfers or any other requested transfers (EMI also sent a follow-up email with basically the same instructions shortly after this call). Within 24 minutes of this call, most wire transfer activity had been halted. Nonetheless, between 10:53 a.m. and 2:02 an additional 46 wire transfers were initiated using EMI’s account.

In addition to the facts mentioned above, the Court made its decision based on evidence concerning the following factual assertions:

• Comerica’s evidence that it provided EMI with the option to require two simultaneous user logins and approvals in order to wire money using online banking

• Comerica had previously used a digital certificate security procedure to authorize online banking users (before switching to the secure token-based system that is at issue in this case), and as part of that old security procedure, Comerica periodically sent out emails requiring users to enter their login credentials in order to renew those digital certificates.

Now that we have laid out the key facts used by the Court to make its decision, let’s look at the law at issue and how the Court applied it to this fact pattern.

Summary of the Law at Issue

EMI’s complaint alleged that the payment orders initiated from its account were not effective as payment orders of EMI because Comerica failed to comply with sections MCLA 440.4702 and 440.4703 of Michigan’s Uniform Commercial Code. Rather than restate the specific rules, we will look to the Court’s summary of them.

The Court indicated that for a payment order to be an effective order of EMI, even though EMI did not actually initiate the order, the following elements must be established under 440.4702(2):

1.  an agreement between Comerica and EMI that the authenticity of payment orders would be verified pursuant to a security procedure;

2.  the security procedure is commercially reasonable;

3.  the security procedure and any written agreement or instruction by EMI is followed by Comerica; and

4.  Comerica establishes that it acted in good faith in accepting the payment order.

In addition, the Court looked to section 440.4702(3) of Michigan’s Uniform Commercial Code for purposes of analyzing whether Comerica’s security procedures were commercially reasonable. Under that section a security procedure will be deemed reasonable if the following elements are met:

A. the security procedure was chosen by EMI after Comerica offered, and EMI refused, a security procedure that was commercially reasonable for EMI; and

B. EMI expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by Comerica in compliance with the security procedures chosen by EMI.

After reciting how it viewed the law, the Court proceeded to apply the facts at issue. For ease of reference, the next section of this blogpost will refer to the Court’s judgment on each element listed above according to the numbering (or lettering as the case may be) listed above.

The Court’s Application of the Law

As to Element 1., the Court looked to the language of the Services Agreement and Master Agreement that EMI had entered into with Comerica. As an initial matter, the Court rejected EMI’s argument that Comerica had provided two separate services, one governed by the Services Agreement and Master Agreement, and the other governed by no agreement (according to EMI). The Court held instead that despite the name change Comerica had provided a single online banking program subject to the relevant agreements. If EMI had established this factual argument, it probably would have been very difficult for Comerica to establish compliance with 440.4702(2).

Having done away with EMI’s two service argument, the Court then turned to Element 2., whether the security procedure at issue, use of token-based multifactor authentication, was commercially reasonable. For this the Court analyzed Elements A. and B. above. Comerica argued that it had offered EMI an initial security procedure, which EMI rejected, and therefore the subsequently implemented token security should be deemed reasonable by the Court under 440.4702(3). In particular, Comerica claimed that it offered EMI the ability to prohibit wire transfers unless two individuals separately approved the transfer, and EMI rejected this security procedure.

The Court, however, rejected this argument. First, the Court reasoned that requiring additional user approvals was not a “security procedure,” but rather was “an option or element within a security procedure”. The security procedure in this case, the Court found was the “secure token technology.” Moreover, the Court noted that at the time the multiple user option was provided to EMI, Comerica was using the digital certificate technology, not the secure token technology.

Nonetheless, the Court eventually did find that Comerica’s security procedure was commercially reasonable as a matter of law. To do so, however, the Court did not engage in a substantive analysis of the commercial reasonableness of Comerica’s secure token technology. Instead, it relied on the contract language of the Service Agreement and Master Agreement. In both agreements, EMI agreed that the existing (and future) security procedures used by Comerica were commercially reasonable. In particular, in the Service Agreement, EMI agreed to the following:

“Customer [EMI] agrees that the Security Procedures are commercially reasonable for the type of entries which Customer may transmit to the Bank [Comerica]”

Similarly, in the Master Agreement EMI agreed that by utilizing the online banking service and employing the security procedure at issue, “the Security Procedure is commercially reasonable for the type, size and volume of transactions [EMI] will conduct using the Service.”

Based solely on the contract language in both agreements that EMI agreed to be bound by, the Court held that Comerica’s secure token security procedure was commercially reasonable as a matter of law. In fact, the Court rejected testimony by EMI’s expert witness that contradicted Comerica’s claim that its security procedure was commercially reasonable (the Court described the testimony as ineffective “parol evidence”).

Thus, what we have here is (to this author’s knowledge) the first court in the United States rendering a judgment on the issue of commercially reasonable security as a matter of law.  However, the Court did not actually independently analyze as a substantive matter whether the security was reasonable. The ruling was based purely on the contract language. One wonders whether the same result would have occurred if Comerica had used a security procedure that was glaringly weak. For example, if Comerica had only required a person to input their first and last name to login into EMI's online banking account, would similar contract language agreeing to reasonableness be effective?

At this point one reading the Court’s decision might be tempted to stop reading – clearly Comerica had established major elements of  the MSJ. However, the Court still required Comerica to jump through some additional hoops, in particular Elements 3 and 4. above.

Element 3 requires Comerica to establish that there was no genuine issue of fact as to whether Comerica followed its commercially reasonable security procedures. On this count the fuzzy scope of Maslowski’s wire transfer authorization did Comerica in. The Court ruled that a question of fact existed as to whether Maslowski was authorized to perform wire transfers using Comerica’s online banking services. If, as EMI contended, Maslowski was not authorized to make transfers, then it may be possible for a jury to find that Comerica did not follow its commercially reasonable security procedure. Stated differently, in EMI's view allowing an unauthorized person to initiate wire transfers would be a failure to follow the agreed upon security procedures. This failure to satisfy Element 3 was an independent basis to deny Comerica’s motion for summary judgment.

The Court went further, however, and also held that Comerica failed to establish Element 4. On this element, the Court analyzed the “good faith” requirements of 444.4702(3). The Court noted that the concept of good faith used in the UCC context is both subjective (e.g. “honesty in fact”) and objective (e.g. “observance of reasonable standards of fair dealing”). On this issue, the court analyzed four arguments put forth by EMI maintaining that Comerica did not act in good faith, including an alleged failure to act in good faith because Comerica:

• failed to institute additional security procedures that would have enabled it to detect the unusual activity with EMI’s account

• allowed thieves to initiate 47 wire transfers even though EMI had only initiated two wire transfers in the previous two years (and both of those transfers came a full two years before those initiated by the thieves in this case)

• failed to be alerted to the fraudulent nature of the wire transfers based on the unusual destinations of those transfers (e.g. Moscow, Estonia and China); and

• allowed the initiation of 46 additional wire transfers after being instructed by EMI that Comerica should not honor any more transfers.

While the Court did not agree with EMI’s first argument concerning additional security concerns (it felt that such security arguments were relevant to the issue of “commercially reasonable security,” not “good faith”) it did agree that EMI’s other positions were valid in the MSJ context. In particular, with respect to each of EMI’s other contentions, the Court held that Comerica failed to provide evidence to establish that it had acted in good faith in accepting the payment orders at issue. As such, the Court held that genuine issues of material fact existed as to EMI’s good faith requirements under 440.4702(2). This too is an independent basis for denying Comerica’s motion for summary judgment.

Observations and Conclusion

So there we have it: the first court to make a finding of commercially reasonable security as a matter of law, and it did so without actually analyzing the security in place by Comerica.

It remains to be seen whether this case moves forward, is appealed or is settled at this point.  What is clear, however, if other courts adopt the same analysis as this Court, banks may have some difficultly disposing of these cases early on and before trial. It will be interesting to see what transpires. On one hand, the case sets forth a contract-based procedure for banks whereby, based on the language of the contract, and the timing of the contract (relative to providing a customer with various security procedure options), a bank can potentially establish that it used “commercially reasonable security procedures” and protect itself before a security breach under UCC 4A-202. On the other hand, the good faith requirements of UCC 4A-202 suggest that both the bank’s fraud detection controls and post incident response will be scrutinized (especially its ability to call back or stop wire transfers that are in process). The issue of good faith, some would argue, is one of those questions of fact that rarely has a clear answer.

Overall, some of the Court’s reasoning could be challenged on an appeal. As noted, the Court failed to substantively scrutinize Comerica’s security procedures, and instead based its commercially reasonable security holding on the language of Comerica's agreement.  One could argue that the issue of commercially reasonable security under UCC 4A-202 should be independent of the language in a contract. For example, if a bank only required somebody to type their first and last name into a system in order to log in, and that was agreed to be reasonable security by the customer in a written agreement, would it truly be reasonable security from an objective standpoint? One might argue that the Court failed to take into account the objective standard that may be implied by the use of the word “reasonable” in this section of the UCC. The Court’s reliance on the parole evidence rule might also be scrutinized since EMI's cause of action was statutorily-based (i.e. it was outside of the contract).

In addition, the Court appeared to draw several distinctions as to what procedures and controls constituted a “security procedure” under MCLA 440.4702. Under MCLA 440.4701, “security procedure” is defined to mean:

a procedure established by agreement of a customer and a receiving bank for the purpose of: (i) verifying that a payment order or communication amending or cancelling a payment order is that of the customer, or (ii) detecting error in the transmission of a the content of the payment order or communication. (emphasis supplied)

At one point in its decision the Court rules that the “security procedure” at issue is the “secure token technology.” It rejected Comerica’s contention that a multiple login-in requirement is itself a security procedure, and implied that a multiple login with a secure token technology is not a separate security procedure from one that only utilizes only secure tokens. The Court also seems to suggest that fraud detection procedures based on wire transfer frequency and location are not “security procedures.” The meaning and scope of security procedure in this case could impact parts of this ruling. For example, if fraud detection measures based on the frequency and location of wire transfers are security procedures (or part of a security procedure), by the Court’s own reasoning, considering Comerica’s failure to implement such measures would not be appropriate for the “good faith” analysis under 440.4702(2).

Overall, we will continue to monitor where this case is going and will provide updates at the website as the situation develops.
 

This appears to be a novel new mechanism that allows covered entities to avoid certain obligations under the Act if they fall into a “safe harbor” that is based on a self regulatory program (known as a “Choice Program”). In particular, covered entities that satisfy certain Choice Program requirements shall not be subject to:

• the express affirmative consent obligations in 104(a);

• the requirements of access to information under section 202(b) of the Act; or

• liability in a private right of action brought under section 604 of the Act (discussed below)

Avoidance of the Act’s private right of action is especially significant in this context.

How does the “Choice Program” work?

It appears that people or entities (it does not appear to be limited to covered entities) can submit an application to the FTC for approval of a self-regulatory program (a.k.a Choice Program). The FTC can approve one or more of these programs. The FTC must either initially approve or deny a Choice Program within 270 days after the submission of the application. Modifications may be made to a Choice Program that was initially approved, and such modification must be approved or denied by the FTC within 120 days. Applicants have the right to appeal the FTC’s decision or failure to act within the 270 period to a U.S. District Court.

The FTC will only approve a Choice Program (or amendments) after notice and comments, and only if it satisfies the requirements of section 403 of the Act. If approved, a Choice Program remains approved for 5 years.

This section is very interesting as it appear to allow for some regulatory flexibility and recognizes the limitations of a one-sized-fits-all approach. Ostensibly certain industry segments could develop a Choice Program that more close fits their business model/industry (while of course still providing the protection and choice the Act seeks to impose).

What are the requirements of a Choice Program under section 403 of the Act?

In order to be approved a Choice Program must meet certain criteria. The Choice Program must provide individuals with:

• a clear and conspicuous opt-out mechanism that, when selected by the individual prohibits all covered entities participating in the Choice Program from disclosing covered information to a third party for one or more specified uses, and may offer individuals a preference tool to enable individuals to make more detailed choices about the transfer of covered information to a third party; and

• a clear an conspicuous mechanism to set communication preferences, online behavioral advertising preferences and other relevant preference options, and these preference would have to be followed by all covered entities in the Choice Program.

I almost think of this as a sort of “do not call list” type of mechanism. If a group of covered entity can agree to provide individuals with a set of choices, the individual does not have to constantly make a choice over and over again whenever engaging in particular transactions. While this is a little vague in terms of its mechanics and scope, it is very interesting and could provide meaningful trade-offs between business and individuals seeking to protect their privacy and more efficiently control their information.

In addition, a Choice Program will be approved by the FTC only if it establishes:

• Guidelines and procedures requiring participants to provide equivalent or greater protection for individuals and their covered information as set forth in titles I and II of the Act;

• Procedures for reviewing applications by covered entities to participate in the Choice Program (this appears to require an application and approval process, but it is not clear who would administer that process)

• Procedures for periodic assessment of the Choice Program’s procedures

• Periodic compliance testing of covered entities participating in the Choice Program; and

• Consequences for failure to comply with program requirements (e.g. public notice, suspension, expulsion or referral to the FTC)

Again, this provision is extremely interesting. It would appear to require some sort of private regulatory body be set up around the Choice Program (e.g. like the PCI Council for the PCI Standard), as well as a funding mechanism. Note that under section 404 of the Act, the FTC is charged with implementing regulations to provide further details as to how this safe harbor system is to work.

Are there any types of information or activities exempted from regulation by the Act?

Yes, section 501 of the Act sets forth some general exclusions. The Act does not prohibit a covered entity from collecting, using or disclosing:

• Aggregate information (see 501(a)(1)), which means data that relates to a group or category of services or individuals, from which all information identifying an individual has been removed; or

• Covered information or sensitive information from which identifying information has been removed or obscured using reasonable/appropriate methods such that there is no reasonable basis to believe that the information can be used to identify the specific individual to which it relates or the computer or device owned or used by a specific individual (see 501(a)(2)).

May covered entities disclose aggregate information or information stripped of identifying information (as referenced in section 501(a)(1) and (2)) to third parties?

Yes, under section 502 information in that format may be disclosed to a third party, but the covered entity is required to take reasonable steps to protect that information. The Act provides two examples of “reasonable steps to protect,” including:

• refraining from disclosing to the third party the algorithm or other mechanism used to obscure or remove the identifying information, and obtaining; and

• obtaining satisfactory written assurances from the third party that it will not attempt to reconstruct the identifying information.

Does the Act prohibit any uses of covered/sensitive information stripped of identifying information (as referenced in section 501(a)(2))?

Yes, under section 501(c), if a covered entity claims the exemption for de-identified information under section 501(a)(2), it is unlawful for any person to reconstruct or reveal the identifying information that has been removed or obscured from information stripped of identifying information (as referenced in section 501(a)(2)). In short, the Act makes it illegal for third parties that receive de-identified covered/sensitive information to re-identify it. However, the Act also requires the FTC to promulgate regulations to establish exemptions from this rule.

How does the Act relate/interact with other Federal privacy laws?

Section 502 of the Act indicates that, unless expressly provided for in the Act, the Act shall not have any effect on activities already covered under other Federal laws, including GLBA, FCRA, HIPAA, certain parts of the Social Security Act, COPPA, certain sections of the Communications Act of 1934, CAN-SPAM Act, ECPA, and the Video Privacy Protection Act. On the one hand, this provision may be helpful for limiting the scope of the Act’s application to some entities, especially those that only deal with particular types of personal information. However, since the Act does not override other Federal requirements, entities that deal with different types of personal information in different contexts, may find themselves with the need to address multiple regulatory regimes for different parts of their organization or with respect to different business practices.

How is the Act to be enforced by government agencies?

Under section 602, the Act may be enforced in two different ways by the government. First, the Act grants the FTC the authority to enforce the Act under section 18(a)(1)(B) of the FTC Act. The Act indicates that any violation of titles I – III of the Act shall be considered an unfair and deceptive act or practice under the FTC Act. The penalties, privileges and immunities of the FTC Act shall apply as well.

Second, under section 603, the Act may also be enforced by the states. In particular, if a State AG or an official or agency of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by a violation of the Act, they may bring a civil action on behalf of those residents. However, no AG or state official/agency may bring an action under section 604 if they are also bringing an action under the laws of any relevant State. The civil action may seek to enjoin further violation of the Act, compel compliance with the Act or impose civil penalties as described in the Act. The Act describes the various civil penalties that are available for violations of particular sections of the Act. In general penalties may be available for every day that a covered entity is not in compliance with the act, up to $11,000 per day. These penalties, however, are capped at $5 million for a related series of violations under title I of the Act, and $5 million for any related series of violations under titles II and III of the Act.

Does the Act provide a privacy right of action?

Yes, section 604 of the Act provides a private right of action for certain violations. In particular, covered entities that willfully violate sections 103 or 104 of the Act may be liable to affected individuals. However, no individual may bring an action under section 604 if they are also bringing an action under the laws of any relevant State. Section 604 provides that affected individuals may recover the following amounts for such a willful violation:

•  the greater of actual damages of not less than $100 and not more than $1000;

•  punitive damages;  and

• in the case of a successful action under this section, the costs of the action together with reasonable attorney fees.

Individuals have two years from their discovery of a violation (or reasonable opportunity to discover) to bring a civil action under section 604.

Does the Act preempt similar State laws?

The Act would preempt any State law with respect to covered entities that “expressly requires covered entities to implement requirements with respect to the collection, use or disclosure of covered information address in the Act. However, the Act specifically would not preempt any of the following State laws:

• State laws that address the collection, use or disclosure of health information or financial information

• State breach notice laws

• State trespass, contract or tort law; or

• Other State laws to the extent that those laws related to acts of fraud.

When would the Act come into effect if passed into law?

The Act, if passed, will take effect 2 years after the date it is enacted. However the FTC has the option to stay enforcement of the Act in order for the FTC to establish the parameters of the Choice Program under title IV.

To foster transparency about the transparency about the commercial use of personal
information, provide consumers with meaningful choice about the collection, use, and disclosure of such information, and for other purposes.

This Act comes on the heels of the Boucher Bill, which also represents a comprehensive data privacy approach (for more information on the reactions to the Boucher Bill you can look here and here).

We have put together a summary of the Act in “FAQ” format. In Part One we look at some of the key definitions, requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two focuses on the “Safe Harbor” outlined in the Act, various exemptions for deidentified information, and provisions concerning the application and enforcement of the Act.  Final note, this is not a law, but rather only a bill -- if passed at all, it is likely that the final version will vary from this initial proposal.

The Act defines “covered entities” to mean any person engaged in interstate commerce that collects or stores data containing covered information or sensitive information.  However, section 601 of the Act limits the application of the Act to only those persons over which the Commission has authority pursuant to section 5(a)(2) of the FTC Act (Note:  this section previously indicated that the Act applied to all persons engaged in interstate commerce [which is in the definition of covered entity]; the error was noted by a reader and the correction made here). Covered entities do not include any divisions of Federal or state government or some entities that meet specified criteria (e.g. store less than 15,000 records; collect less than 12,000 records in a year, etc.; see definition of “covered entity” for more detail).

Observations:  Significantly, it does not appear that the definition of covered entity makes the traditional distinction between data owner/controller and service provider/processor. As such, service providers may be directly subject to the Act as a result of collection or storage of covered/sensitive information on behalf of their customers.

What kinds of information does the Act regulate?

The Act regulates “covered information” and “sensitive information.”

“Covered information” includes such information elements as first name or initial and last name, postal address, email address, telephone/fax number, government issued identification numbers (e.g. tax ID, driver’s license number, etc.), financial account numbers, credit/debit card number, access codes/passwords, “unique persistent identifiers” used to collect, store or identify information about a specific individual or create a profile (e.g. customer numbers, IP addresses, unique pseudonym), and any information collected, stored, used or disclosed in connection with the foregoing information. Section (B) of the definition also lists a number of important exclusions concerning certain business-related information.

“Sensitive information” means information associated with covered information of an individual that relates directly to the individual’s medical history or health, race or ethnicity, religious beliefs/affiliations, sexual orientation/behavior, financial information (income, assets, liabilities, etc.), a person’s geolocation information, unique biometric information or social security number.

Observations: The definitions of information regulated under the Act go well beyond any U.S. definition of personally identifiable information. For example, the “traditional” definition of PII normally requires first name and last name combined with additional information such as financial account numbers. The definition of “covered information” in the Act does not require such a combination – each data element stands on its own and may not need to be tied to or identify a specific person. If I, as an individual, had an email address that was wildwolf432@hotmail.com, that would would appear to satisfy the definition of covered information even if my name was not associated with it.

The definition of “sensitive information” echos similar definitions under the EU Data Protection Directive and other laws based on an EU Model. Interestingly, however, it also specifically includes geolocation information (which some believe may become a larger privacy issue with the prevalence of mobile computing and smartphones).

How does the Act promote transparency about the commercial use of information?

Section 101 of the Act purports to promote transparency by requiring covered entities to provide certain information about the covered entity’s information practices and the individual’s options with respect to such practices, including:

• the identity of the covered entity

• description of covered/sensitive information collected or stored by covered entity

• the specific purposes for which the covered entity collects and used the covered information, including how the covered entity customizes products/services/prices based on such information

• the specific purposes for which covered/sensitive information may be disclosed to third parties and the categories of third parties who may receive such information the choice and means for limiting the collection, use and disclosure of covered/sensitive information

• a description of the information any individual may request access to and the means for making such a request

• how the covered entity may merge, link or combine covered/sensitive information

• the retention schedule for covered/sensitive information including whether the entity will retain information permanently

• whether the individual can direct the deletion of information collected from or about the individual

• a reasonable means for individuals to contact the covered entities regarding their handing of covered/sensitive information

• the process by which the covered entity notifies individuals of material changes to its practices or policies

• a hyperlink to the FTC Commissioner’s online consumer complaint form or the FTC’s toll-free number for the Commissions Consumer Response Center

• the effective date of the privacy notice.

Observations: While much of the notice requirements of the Act parallel the Fair Information Privacy Principles, one could argue that the Act also includes notice elements that appear to go beyond such principles. These additional elements also appear to address current issues that some believe may pose privacy problems. For example, it is interesting that notice is required concerning where/how information will be merged or combined with other data. The retention schedule requirement is also interesting as it may address concerns that some have about some companies retaining data too long.

How must the notice required under the Act be provided?

Under section 102 of the Act, the notices described in the prior FAQ must be “concise, meaningful, timely, prominent, and easy-to-understand” in accordance with FTC regulations authorized under the Act that will be published later. Notices must be retained for six years from the later of the date the notice was issued or the date it was last in effect.

Is notice required for “in-person transactions”?

Under section 103 of the Act, it appears that the notice and information referenced above is not necessary for “in-person transactions” but only if the covered information is collected for an “operational purpose” (e.g.for the purpose of providing goods or services, managing operations, compliance with legal obligations or protection against risks and threats ) or if the covered entity is only collecting name, address, email or phone/fax and does not share the information or use that information to acquire additional information about the individual from third parties.

Observations:  Notably, the Act does not indicate that covered information needs to be collected solely for operational purposes. Based on the current wording, one could argue that if covered information was covered for both operational purposes and marketing purposes, it could fall under the “operational purposes” exception.

Are covered entities required to get consent from individuals for the collection and use of covered information?

Yes, under section 103 of the Act covered entities must provide “opt-out” consent in order to collect or use covered information (except for the collection or use of covered information for operational purposes). The Act indicates that a covered entity shall be considered to have obtained proper consent if it has provided the notice required under the Act, provides a reasonable means to exercise an opt-out right and decline consent; and the individual either affirmatively grants consent or does not decline consent.

The consent shall be considered permanent unless directed by the individual. However, the covered entity must provide an individual with a reasonable means to decline or revoke previously granted consent at any time.

A covered entity may also provide individuals with the ability to decline consent for specific uses of his or her personal information, but only if the individual has been given an opportunity to broadly opt-out of all collection and use of covered information.

May covered entities collection or use covered information as a condition of an individual’s receipt of a service or other benefit?

Yes, but only if: the covered entity has a direct relationship with the individual; the information is not shared with any third party without the express affirmative consent of the individual; the covered entity provides a clear, prominent and specific statement of the specific purposes for which covered information will be used; the individual provides consent by acknowledging such uses; and the individual is able to later withdraw consent.

Are covered entities required to get consent from individuals for the disclosure of covered information to third parties?

Yes. In general, a covered entity may not disclose information to a third party unless it has received express affirmative consent from the individual prior to disclosure. However, some exceptions apply.  For example, no such consent is necessary for joint marketing activities as long as the covered entity has entered into a contract with the third party that prohibits the disclosure of the information except as necessary to carry out the joint marketing relationship.

Are covered entities required to get consent from individuals for the collection, use or disclosure of sensitive information?

Yes. In general, under section 104 of the Act, a covered entity may not collect, use or disclose sensitive information to a third party unless it has received express affirmative consent from the individual.

Does the Act put any limitations or restrictions on behavioral advertising or tracking an individual’s Internet browsing activities?

Yes. Under section 104 of the Act, covered entities may not use software or hardware to monitor all or substantially all (a.k.a. “comprehensive online data collection”) of an individual’s browsing activity (or other significant Internet or computer activity), and may not collect, use or disclose information concerning that activity unless certain conditions are met.

Covered entities may engage in comprehensive online data collection if: they receive the express written consent of the individual or for the purpose of making such information accessible to the individual for the use by the individual.

Are there any exceptions to the consent requirements of the Act?

Yes, exceptions exist under section 106 of the Act.

Covered entities may disclose information to a service provider as long as it has obtained the initial consent to collect information and contractually prohibits the service provider from disclosing the information other than for purposes of carrying out the purpose for which the information was disclosed. However, the Act indicates that the covered entity remains responsible and liable for the protection of the information transferred to a service provider for processing.

Consent is also not required for collection, use or disclosure necessary for fraud detection, imminent danger or compliance with law.

In addition, consent under the Act is not necessary for the collection, use or disclosure of publicly available information. However, even publicly available information cannot be used by a covered entity for marketing purposes if the individual has opted out of such use.

Do covered entities have any obligation concerning the accuracy of information they collect, assemble or maintain?

Yes, section 201 of the Act requires covered entities to establish reasonable procedures to assure the accuracy of covered information or sensitive information they collect, assemble or maintain. This duty may be further fleshed out as section 201 requires the FTC to promulgate regulations to implement this section. Limited exceptions exist with respect to fraud databases and publicly available information.

Does the Act require the covered entity to provide individuals with access to covered information or sensitive information?

Yes, under section 202, covered entities are required to provide access to such information if such information may be used for purposes that could result in an adverse decision against the individual, including the denial of a right, benefit, or privilege. If the information could not reasonably result in an adverse decision, the covered entity is only required to provide a notice to the individual of the type of information the covered entity typically collects.

In addition, covered entities, upon request, must provide individuals with access to their personal files, but only if the entity stores such file in a manner that makes it accessible in the normal course of business.

However, none of the foregoing obligations apply to information retained for under 30 days.

Is there any time frame by which a covered entity must respond to a permitted access, correction or amendment request?

Yes, in general, under section 202(f), covered entities have thirty days from the receipt of such request to respond.

Does the Act impose any data security requirements with respect to covered information or sensitive information?

Yes, under section 302 of the Act each covered entity and service provider must establish, implement and maintain “reasonable and appropriate” administrative, technical and physical safeguards to:

• ensure the security, integrity, and confidentiality of the covered information or sensitive information it collects, assembles, or maintains

• protect against any anticipated threats, reasonably foreseeable vulnerabilities, or hazards to the security or integrity of such information; and

• protect against unauthorized access to or use of such information and loss, misuse, alteration, or destruction of such information.

The Act requires the FTC to promulgate regulations to implement this section.

Does the Act require covered entities to conduct any risk assessment with respect to its information handling practices?

Yes, under section 302 of the Act covered entities are required to conduct an assessment of the risks to individuals raised by its collection, use and disclosure of covered information or sensitive information prior to engaging in such activities (or if it believes there is a reasonable likelihood that it will engage in such activities), but only if such activities will involve more than 1 million individuals.

Does the Act require any audits or assessments?

Yes, covered entities must conduct periodic assessments to evaluate whether the covered/sensitive information it has collected remains necessary for the purposes described at the time of collection, and whether the covered entities’ ongoing collection practices remain necessary for legitimate business purposes.

Does the Act limit how long a covered entity can retain covered/sensitive information?

Yes, under section 303 of the Act covered entities may retain covered/sensitive information for only as long as necessary to fulfill a legitimate business purpose or comply with a legal requirement.

Coming up next in Part Two:  the “Safe Harbor” outlined in the Act, various exemptions for de-identified information and application and enforcement of the Act.