Celebrating Data Privacy from A to Z
In honor of Data Privacy Day and its spirit of education, I thought it might be appropriate (and fun) to celebrate some (but certainly not all) of the A, B, Cs of Data Privacy. Would love to see your contributions, too!
A is for Advanced Encryption Standard, or AES, approved by NIST. Are you encrypting transmissions of sensitive data and portable storage devices? See more below.
B is for Breach Notification Laws, including the 45 state laws, District of Columbia, Puerto Rico, Virgin Islands, HITECH Act, and international regulations. (Also Behavioral Advertising.)
C is for . . . what to Choose? -- Contracts? Cloud Computing? How about California - the first state to enact a breach notification law, California Civil Code sections 1798.29, 1798.82 et seq. (SB 1386), and the first state Office of Privacy Protection
D is for Data Protection Authorities in the European Union
E is for the EU Data Protection Directive. Oh, and Encryption, of course. See above and below.
F is for Financial Institutions, regulated by (wait for it . . . after the jump . . .)
G is for the Gramm-Leach-Bliley Act and the new model privacy notice form
H is for HIPAA and the HITECH Act, which impose privacy and data security obligations on health care providers and their business associates
I is for the International Association of Privacy Professionals, IAPP
J is for John and Jane Doe, anonymity - is there any such thing?
K is for Kearney v. Salomon Smith Barney Inc, California Supreme Court (2006), requiring two-party consent for recording or eavesdropping on telephone conversations, even if only one of the participants is in a two-party consent state
L is for Legislation -- will there be a federal breach notification law in 2010 (other than HITECH) that will preempt the state data breach notification laws?
M is for Massachusetts and its new data security regulations, 201 CMR 17.00 et seq., effective March 1, 2010
N is for Nevada and its new encryption law, SB 227, effective January 1, 2010
O is for Outsourcing, and the need for due diligence and contractual provisions to safeguard personally identifiable information (and other kinds of sensitive information) shared with third parties. See, e.g., Massachusetts 201 CMR 17.00 et seq. and California Civil Code section 1798.81.5. Oh yes, and don't forget the Cloud in this context - are you putting data in the cloud? Have you done your due diligence?
P is for Personally Identifiable Information, or PII -- what IS it anyway? It depends where you live.
Q is for Questions, Q & A, and the Q in FAQ: ASK QUESTIONS early and often about how your organization will use personal information of customers and/or employees in its business operations.
R is for Radio Frequency Identification or RFID and locational privacy issues - should organizations be able to use RFID to track customers/products?
S is for SO many things -- Social Networking, Social Security numbers, Surveillance, Spam, . . .
T is for Telemarketing, Text Messages, and the TCPA -- do you have opt-in for your mobile marketing campaigns?
U is for the UK ICO, which will order companies to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act
V is for the Video Privacy Protection Act or VPPA, the basis for a recent privacy class action filed against Netflix in the Northern District of California
W is for Website Privacy Policies, required under California law for any website that collects information from California residents, Cal. Bus & Prof. Code section 22575 et seq. When was the last time you updated yours? Is it accurate?
X is for XXXXX -- Redact the information!
Y is for Yes, You can implement a successful data protection program in Your organization
Z is for Zango, the adware distributor that settled FTC charges that it used unfair and deceptive methods (FTC Act Section 5) to download adware and block consumer efforts to remove it
Happy Data Privacy Day!
Will 2010 See the Enactment of a Comprehensive Federal Data Security Law?
Today the Senate Judiciary Committee approved two federal data security bills, Senator Leahy's S. 1490, the Personal Data Privacy and Security Act, and Senator Feinstein's S. 139, the Data Breach Notification Act. Of course, there have been dozens of proposed federal breach notification bills over the past several years, from both sides of the aisle. Senator Leahy's office issued this statement earlier today. While we cannot predict the fate of S. 1490 and S. 139, and we will have future occasion to comment on the bills in more detail, Tanya and I wanted to highlight a few notable provisions now.
S. 139 appears to greatly expand the categories of personal information that would result in a notice obligation in the event of a breach. Under the bill, “sensitive personally identifiable information” includes first name and last name in conjunction with any 2 of the following pieces of information: Home address or telephone number; Mother's maiden name; or Month, day, and year of birth. This definition would significantly alter a company's notice obligations under the current state regulatory scheme (most states follow California's model, requiring notice only for breaches involving name in conjunction with Social Security number, driver's license number, financial account number, and in some cases medical information). Under S. 139, a company that suffers a breach exposing only first and last name, address (or phone number) and date of birth would have notice obligations (subject to the risk of harm threshold incorporated into the bill, discussed below), including a requirement to notify the DOJ, resulting in further scrutiny. Moreover, this bill allows for fines up to $1,000 per day per impacted person (up to $1 million).
The bill would preempt State breach notification laws. Notably, unlike many State laws, there is a risk of harm threshold in S. 139. This means that, where an organization's risk assessment concludes that there is no significant risk of harm to the individual, notification may not be required (affected organizations must notify the Secret Service of their intention to invoke the exemption).
S. 1490, Senator Leahy's Personal Data Privacy and Security Act, goes beyond breach notification. The bill addresses data security in a proactive, as opposed to reactive, manner. That is to say, it would require many organizations to put measures in place to secure information, and not merely require notice in the event of a security breach. The bill would, among other things, require any business entity engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons, to implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities. There are similar requirements today for financial institutions under Gramm-Leach-Bliley and for health care providers under HIPAA. In addition, Massachusetts regulations scheduled to go into effect on March 1 would require a similar program for companies that own or license the data of Massachusetts residents. S. 1490 also would require these business entities to conduct risk assessments regarding data security measures and put in place measures such as encryption, access controls, redaction and disposal of sensitive personally identifiable information. It would mandate training and vulnerability testing. The bill, like Massachusetts and other state laws, also requires appropriate due diligence and contract terms with third party service providers. It would preempt state law.
Separately, and perhaps of even greater interest, S. 1490 would impose new disclosures on “data brokers” to, upon the request of an individual, disclose to such individual all personal electronic records pertaining to that individual maintained specifically for disclosure to third parties that request information on that individual in the ordinary course of business in the databases or systems of the data broker at the time of such request. The broker also would be required to provide notice of adverse action, similar to regulations governing users of credit reports under the Fair Credit Reporting Act. “Data brokers” is a term broadly defined to include any business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purposes of providing such information to nonaffiliated third parties on an interstate basis.
We will keep you posted.
FTC Settles Charges Against Kids' Apparel Brands for Alleged COPPA Violations
Remember Candie's shoes and Op shorts? The FTC announced yesterday that it has settled charges against Iconix Brand Group, the owner, licensor, and marketer of popular kids' apparel brands such as Candie’s, Op, Mudd, and Bongo, for allegedly violating the Children's Online Privacy Protection Act (COPPA). Among other things, Iconix will pay a $250,000 civil penalty. The FTC filed its complaint and submitted its consent decree and order for approval yesterday in the Southern District of New York.
The FTC charged Iconix with knowingly collecting personal information from approximately 1,000 children since 2006 without obtaining prior parental consent, and failing to delete the information. The FTC claimed that Iconix required consumers to provide personal information such as name, e-mail address, zip code, and in some cases mailing address, gender, phone number, and date of birth, in order to receive brand updates, enter sweepstakes contests, and participate in interactive brand-awareness campaigns and other Web site features. The FTC further charged Iconix with posting a privacy policy that falsely stated that it would not seek to collect personal information from children without obtaining prior parental consent and would delete any such information about which it became aware. Specifically, the privacy policy stated as follows (after the jump):
"We do not seek to collect personally identifiable information from persons under the age of 13 without prior verifiable parental consent. If we become aware that we have inadvertently received such information online from a child under the age of 13, we will delete it from our records. If you are under the age of 13, please do not submit any personally identifiable information to us. If you are the parent or guardian of a person under the age of 13 who has provided personally identifiable information to us, please inform us by contacting us at info@iconixbrand.com and we will remove such information from our database. If you are concerned about your children's use of the Site, you may use web filtering technology to supervise or limit access to the Site."
In addition to the $250,000 penalty, pursuant to the settlement, Iconix must, among other things, delete all personal information collected and maintained in violation of COPPA, distribute the settlement order and the FTC’s “How to Comply with the Children’s Online Privacy Protection Rule” to company personnel, and link to the FTC's www.OnGuardOnline.gov Web site on any Iconix Web site that collects or discloses children’s personal information and on any Iconix site that offers the opportunity to upload writings or images, create publicly viewable user profiles, or interact online with other Iconix site visitors.
Of course, this is not the first time the FTC has brought and settled COPPA charges. There have been more than a dozen COPPA enforcement cases, the most notable being a 2008 $1 million settlement with Sony BMG and a 2006 $1 million settlement with Xanga.
The FTC's most recent COPPA enforcement action is another reminder of (a) the importance of posting a privacy policy that accurately reflects a company's practices with respect to children's (and others') personal information; and (b) the need for legal, marketing, and IT to work hand-in-hand in developing kid-friendly and compliant online campaigns.


