Social Networking: Setting Boundaries in a Borderless Brave New World
The explosive growth and morphing applications of social media such as Facebook and Twitter create new opportunities and challenges for individual users, parents, employers, organizations, governments, and marketers. Where a social phenomenon has such a wide and unpredictable impact, it almost inevitably attracts a retinue of lawmakers and regulators, as well as lawyers and HR managers struggling to craft appropriate policies for employees. And given the globalization of social media, those policies have to take account of the evolving rules in multiple jurisdictions.
When I was a kid in Las Vegas, I had a “pen pal” in France. We exchanged the occasional letter, painfully translating into each other’s languages and then trying to figure out how much postage to stick on the envelope. It seems quaint now.
Thanks to Facebook, LinkedIn, and Twitter, I’ve enjoyed meeting people with similar interests and reconnecting with people I knew socially or professionally in years past, in several countries. It’s usually pretty easy to look up people as you think of them, and there’s no postage and little delay.
Those services, and an array of other social media, have become truly international. Some 15% of the world’s Internet users are American, so even successful social media operators in the US naturally look abroad to expand their increasingly monetized networks. Competing with national and regional social networks throughout the world, leading social networking providers in the US, Europe, China, and India have turned social media into a global phenomenon. To take one prominent example, US-based Facebook now translates into more than 100 languages and reported this month at InsideFacebook.com that nearly 70% of its hundreds of millions of users reside outside the United States.
Facebook aggregates users’ self-reported demographic data and sells the information to advertisers, who are understandably eager to tap the advertising possibilities of social media. In several developed countries, a third or more of the population uses Facebook, many on a daily basis.
Facebookers and other social networkers often end up sharing a large amount of personal and professional information over time with friends . . . and friends of friends, and friends of friends of friends, and ultimately with a lot of people they wouldn’t recognize across a restaurant. By some estimates, roughly a third of Facebook users ultimately divulge their home address and current employment to an unknown number of people who are perhaps not all really their friends. New York Senator Charles Schumer recently called on the Federal Trade Commission to develop guidelines for social networking sites, and the FTC has already had occasion to investigate the extent to which identity theft and fraud are attributable to bad hygiene, or bad policies, in social media.
Most of the social networking groups I belong to are professional ones, linking lawyers, business people, inventors, IT managers, academics, and government officials who share certain interests and follow developments in particular fields. Those who participate often share ideas and some personal and career information, and they sometimes comment about their own companies or organizations or the offerings of their competitors.
So, as a lawyer, it strikes me that some social networkers may be exposing themselves not only to embarrassment and unwanted solicitations but also to fraud or identity theft. They also may be setting themselves up for trouble with prospective employers, or with their current employers or business partners who feel the talkative social networker has violated confidentiality policies or nondisclosure agreements (in surveys, many large US employers acknowledge that they have fired or disciplined employees for the contents of their posts or blogs). Advertising thinly disguised as a Tweet or post may not conform to advertising rules in all the relevant states, provinces, or countries. An intemperate rant or sly aside, broadcast to a few hundred of the user’s “closest friends,” raises the potential of liability for defamation or commercial disparagement. Comments about associates or coworkers, especially in the context of social media that blur the lines between personal and professional life, may trigger sanctions under privacy and data protection laws. And thanks to the global nature of social media, the hapless social networker could conceivably run afoul of laws in multiple jurisdictions.
It’s not only the FTC that has started worrying about the dark side of social media. The Article 29 Data Protection Working Party (comprised of EU authorities and European national data protection commissioners) issued a statement this month declaring that Facebook’s new default privacy settings are dangerous. The group has also warned social media applications developers (such as FarmVille) to be careful in their handling of user data. Regulators on both sides of the Atlantic have expressed concern as well about behavioral marketing applications based on gathering information about an individual’s participation in social media.
It’s easy to over-react to the hazards of social media, of course. Some parents forbid their children from joining in (and some teens have created a “safe” MySpace page that their parents can see, while secretly maintaining a more dubious version to share with their peers). Some users decide to drop out entirely, finding the risks, or just the implied obligation to post and respond frequently, unmanageable; there is even a “Quitting Facebook” Community Page on Facebook itself. Reasonably careful social networkers simply look at the privacy policies and options and adjust their settings appropriately to their intended use – and then watch what they say about employers, competitors, and other sensitive types. Some corporations have blocked access to social networking sites from company computers and adopted policies against their employees saying, well, pretty much anything about the company or its competitors or regulators. But other companies have already designated a “director of social media” to help the organization make effective use of social networking, internally and externally.
It seems that the trend is for employers to expand their “acceptable use” policies on email and web browsing to encompass blogging and social media as well. This is a necessary step, but it is also fraught with concerns arising from labor law, privacy law, and rights of association and free expression, and the rules differ across the many jurisdictions that may be at issue.
It is possible to set some boundaries that will pass muster just about anywhere and articulate policies that guide employees toward safe and sensible use of social media. There is much to be learned in the way of evolving best practices, especially among large multinational employers. Just don’t forget to check with a knowledgeable lawyer when crafting such policies and determining how to enforce them.
BREAKING NEWS: FTC Extends Compliance Deadline for Red Flags Rule AGAIN to December 31, 2010
In the last hour, the news broke that the FTC has again extended the compliance deadline for the FACTA Red Flags Rule, this time to December 31, 2010, "[a]t the request of several Members of Congress." The FTC's press release of this morning is here. This is the fifth time the FTC has extended the enforcement deadline. As usual, the FTC's extension does not affect "other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight." For more on the Red Flags Rule, see our posts here.
Physicians Seek Relief On Eve of FTC's Red Flags Enforcement Deadline
As previously reported here, the Federal Trade Commission (FTC) is currently scheduled to commence enforcement of the FACTA Red Flags Rule (72 Fed. Reg. 63,718) on June 1, 2010. On Friday, only 10 days before the deadline, the American Medical Association, the American Osteopathic Association, and the Medical Society for the District of Columbia filed suit against the FTC in the United States District Court for the District of Columbia (AMA v. FTC, D.D.C., No. 1:10-cv-00843), following in the footsteps of similar lawsuits filed in the past year by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA). The ABA, in a lawsuit filed last August (ABA v. FTC, No. 1:09-cv-01636-RBW), succeeded in obtaining an order (now on appeal) barring the FTC from enforcing the Red Flags Rule against lawyers. (There has been no ruling on the AICPA complaint filed last November.)
Following is a discussion of the definitions ("creditor" and "credit") at the heart of the dispute, a summary of the positions taken by the FTC and the AMA with respect to application of the Red Flags Rule to physicians, and a brief review of the court's decision in ABA v. FTC.
The Definitions of "Creditor" and "Credit"
"Creditor" and "credit" are defined terms under the FACTA Red Flags Rule. The Fair and Accurate Credit Transactions Act (FACTA) (15 U.S.C. § 1681a(r)(5)) incorporates by reference the definitions of "creditor" and "credit" found in the Equal Credit Opportunity Act (ECOA). The ECOA defines "creditor" as "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit." 15 U.S.C. § 1691a(e). The ECOA defines "credit" as "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor." 15 U.S.C. § 1691a(d).
The FTC's Position
As noted in the AMA complaint, the FTC's position on the application of the Red Flags Rule to physicians (and to attorneys) was first spelled out on April 30, 2009 in a footnote of its "Extended Enforcement Policy: Identity Theft Red Flags Rule":
In FACTA, Congress imported the definition of creditor from the [ECOA] for purposes of the [FCRA]. This definition covers all entities that regularly permit deferred payments for goods or services. The definition thus has a broad scope and may include entities that have not in the past considered themselves to be creditors. For example, creditors under the ECOA include professionals, such as lawyers or health care providers, who bill their clients after services are rendered.
(Emphasis added.)
In May 2009, the FTC published another document on its website entitled "'The ‘Red Flags’ Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft.” That document stated as follows:
Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Health care providers are also considered creditors if they help patients get credit from other sources — for example, if they distribute and process applications for credit accounts tailored to the health care industry.
In a press release dated July 29, 2009, the FTC referenced a document that provided answers to frequently asked questions (FAQs), which reiterated its position that attorneys and health care providers are required to comply with the Red Flags Rule when their billing arrangements qualify them as creditors under FACTA and the ECOA:
the definition of "creditor" is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. . . . Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies.
The AMA's Position
The AMA argues that physicians are not creditors under the Rule and that the practice of allowing deferred payment by patients, particularly in emergency circumstances, serves a number of purposes unique to the profession:
. . . The practice of not demanding payment at the time care is provided serves several purposes. It gives a benefit to patients who are often under stress when receiving care. It underscores that the physician has a fiduciary relationship with the patient and thereby furthers the patient-physician relationship. Where the patient is insured, the practice enables the insurer to determine what portion of the bill is covered and what amount should be billed to the patient. Because the amount that the patient will owe the physician is not certain at the time that services are provided, the physician does not defer payment of a “debt” by billing after the patient is treated. In many cases, a physician is not entitled to bill patients immediately upon providing services under contracts with health insurance carriers.
Physicians also provide emergency medical care to patients whose identifying information may be unknown to them and who may even be unconscious. In some emergency situations, which may occur for certain physicians on a regular basis, there is no practical way for the physician to bill for his or her services at the time of those services. Further, it would violate the norms of human decency, not to mention principles of ethical conduct . . . , for a physician to demand payment at the time of service in such situations. Indeed, federal law requires a physician to provide services to a patient in an emergency condition without regard to the patient’s ability to pay. See 42 U.S.C. § 1395dd.
The AMA further argues that the Red Flags Rule would interfere with the patient-physician relationship and a physician's ethical responsibilities:
the FTC’s attempt to impose a duty upon physicians to investigate each patient’s identity in advance of treatment conflicts with basic precepts concerning the patient-physician relationship and physicians’ ethical responsibilities to safeguard that relationship. “From ancient times, physicians have recognized that the health and well-being of patients depends upon a collaborative effort between physician and patient.... The patient-physician relationship is of greatest benefit to patients when they bring medical problems to the attention of their physicians in a timely fashion, provide information about their medical condition to the best of their ability, and work with their physicians in a mutually respectful alliance.” AMA, Ethical Opinion 10.01 (“Fundamental Elements of the Patient-Physician Relationship”). Because the success of diagnosis and treatment depends on patients’ willingness to divulge often private and highly sensitive information to their physicians, the patient-physician relationship “is based on trust and gives rise to physicians’ ethical obligations to place patients’ welfare above their own self-interest and above obligations to other groups, and to advocate for their patients’ welfare.” AMA, Ethical Opinion 10.015 (“The Patient-Physician Relationship”). Contrary to these obligations, the FTC requires physicians to approach each new patient with skepticism concerning his or her identity. As a result, the FTC’s Extended Enforcement Policy compromises physicians’ ability to gain new patients’ trust, which is essential to the well-being of patients.
Finally, the AMA argues that, when Congress intends to regulate the practice of medicine, it does so expressly (e.g., in enacting the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)).
The Court's Analysis in ABA v. FTC
Naturally, the analysis of the District Court in ABA v. FTC (currently on appeal) is of interest here. In that case, the court applied the test for review of agency action set forth in Chevron, U.S.A., Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984), and concluded that the FTC's actions violated the Administrative Procedure Act and must be rejected "because the Red Flags Rule cannot be properly applied to attorneys in the overly broad manner in which the Commission seeks to enforce it."
First, the court found that "it was not 'the unambiguously expressed intent of Congress,' Chevron, 467 U.S. at 842-43, to bring attorneys within the purview of the FACT Act and thus subject them to regulation by the Commission's Red Flags Rule." Footnote 9 of the court's decision, while dicta, is particularly interesting for purposes of the new AMA lawsuit. There, the court rejected the FTC's reliance on a particular Sixth Circuit case regarding medical providers:
The Court is not persuaded that the Commission's reliance on Barney v. Holzer Clinic, Ltd., 110 F.3d 1207 (6th Cir. 1997), is sound given that the Sixth Circuit expressly refused to address the question of whether a medical services provider was a creditor under ECO Act, id. at 1209 . . . and made findings to the contrary, id. at 1211 ("The provision of medical treatment under this program is not a credit transaction, either under the technical language of the ECO[ Act] or in the more common sense of the term, any more than is a court-appointed attorney's agreement to represent an indigent defendant.").
(Emphasis added.)
The court also rejected the FTC's reliance on the Federal Reserve Board's staff notes to Regulation B (which state that, if a doctor or lawyer allows the client or customer to defer the payment of a bill, that deferral of debt is credit for purposes of the “incidental credit” regulation, even though there is no finance charge and no agreement for payment in installments). The court did so "because those interpretations were made in a context totally unrelated to identity theft, and therefore the Court is not convinced that it is proper to presume that Congress intended to adopt the Regulation B interpretations when it enacted the FACT Act. Accordingly then, absent any legislative history showing that the Federal Reserve Board's staff's interpretation of Regulation B was actually considered by Congress when enacting the FACT Act, and given that the purposes of the FACT Act and Regulation B do not square with one another, the Court cannot draw the inference the Commission urges."
The court also noted that monthly billing by lawyers is driven by practical considerations: "Invoicing clients for services previously rendered, instead of demanding immediate payment when service is provided is more likely an outgrowth of practicality and necessity, rather than an attempt to provide clients credit."
Although the court resolved the issue under the first prong of Chevron, it went on to determine that, "even if [it] were to reach question two of Chevron by finding that the FACT Act did not foreclose the Commission's regulation of attorneys, it would still find that the Commission's interpretation of the FACT Act and its resulting application of the Red Flags Rule to attorneys is unreasonable and therefore undeserving of deference."
In its Chevron prong two discussion, the court took issue with the FTC's interpretation of what it means to "defer" payment, again noting the practicality of monthly billing by lawyers:
To invoice client at the end of each month is not delaying payment or giving a client a right to postpone payment. As a practical matter in the legal context, legal services are not the type of services that can in many instances be billed and payment received simultaneously with the occurrence of the services, as can be done, for example, when one's furnace is repaired or catering services are provided for a wedding. . . . And as a practical matter, it would be unreasonable to expect attorneys to bill for services in any manner other than periodically, especially given the frequent unanticipated services attorneys have to perform for their clients or the practical reality that clients may lack the ability to immediately access funds when legal services unexpectedly have to be performed without delay. Not only would immediate billing and collection of fees and expenses be impractical, considering the unique nature of the practice of law, but contrary to the Commission's position, conducting a legal practice in that manner would be extremely costly and time consuming. It does not take much imagination to appreciate the added cost and burden attorneys would incur if they were required to immediately calculate, bill and collect their fees after each task is performed or else run afoul of the Commission's construction of the FACT Act through its adoption of the Red Flags Rule.
Query whether the same analysis should apply to physicians. We shall see.
So, Must Physicians Comply with the Red Flags Rule by June 1?
Yes, for now. Indeed, the BNA Privacy and Security Law Report reports that, pending resolution of the litigation, the AMA has encouraged physicians to comply with the rule, using online resources provided by the AMA.
Dave & Buster's Busted: Another Alleged Failure to Implement "Reasonable Security"
We are seeing more and more private litigation and regulatory enforcement actions around the issue of what constitutes "reasonable security." This week we see another. Once again the FTC asserts that a company has failed to take "reasonable and appropriate security measures" to protect personal information. Yesterday, in its 27th case challenging inadequate data security practices by organizations that handle sensitive consumer information, the FTC announced settlement of its complaint against Dave & Buster's, the restaurant chain. Here is the Agreement Containing Consent Order. The FTC alleged in its complaint that, from April 30, 2007 to August 28, 2007, a hacker exploited vulnerabilities in Dave & Buster's systems to install unauthorized software and access approximately 130,000 credit and debit cards.
Dave & Buster's collects from consumers the following kinds of card information to obtain authorization for payment card purchases: credit card account number, expiration date, and an electronic security code for payment card authorization. The restaurant collects this information at in-store terminals, transfers the data to its in-store servers, and then transmits the data to a third-party credit card processing company. The FTC alleges the hacker was successful because Dave & Buster's:
(a) failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by employing an intrusion detection system and monitoring system logs;
(b) failed to adequately restrict third-party access to its networks, such as by restricting connections to specified IP addresses or granting temporary, limited access;
(c) failed to monitor and filter outbound traffic from its networks to identify and block export of sensitive personal information without authorization;
(d) failed to use readily available security measures to limit access between in-store networks, such as by employing firewalls or isolating the payment card system from the rest of the corporate network; and
(e) failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks.
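As an added illustration of the outbound filtering and destination restriction the complaint says were missing (failures (b) and (c) above), and not code from the FTC's filing or from Dave & Buster's: a minimal egress check over constructed flow records leaving a point-of-sale segment. The processor allowlist, the hosts and ports, and the sample flows are all assumptions made for the example.

```python
"""Egress check for a point-of-sale network segment (added example).

Failure (c) in the complaint was the absence of outbound monitoring and
filtering; failure (b) was unrestricted third-party network access.
This script models a minimal version of those controls: outbound flow
records from the in-store segment are checked against an allowlist of
processor destinations, and payloads headed elsewhere are scanned for
Luhn-valid card numbers so that card data going anywhere unexpected is
flagged for blocking. All hosts, ports and records are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed allowlist: the only destination the in-store segment may send
# card data to is the third-party processor (hypothetical address and port).
PROCESSOR_ALLOWLIST = {("203.0.113.10", 443)}

# 13-19 digit runs, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: str) -> list[str]:
    """Return the Luhn-valid card-number-like strings found in payload."""
    found = []
    for m in PAN_PATTERN.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: str


@dataclass
class Verdict:
    action: str            # "allow" or "block"
    reason: str
    pans: list[str] = field(default_factory=list)


def check_egress(flow: Flow) -> Verdict:
    """Decide whether an outbound flow from the POS segment may leave.

    Policy (constructed for the example):
      * traffic to the allowlisted processor is permitted;
      * anything else carrying Luhn-valid card numbers is blocked and the
        matched numbers are reported so an analyst can scope the incident;
      * other traffic to unknown destinations is blocked too, since the
        in-store segment has no business reaching arbitrary hosts.
    """
    if (flow.dst, flow.dport) in PROCESSOR_ALLOWLIST:
        return Verdict("allow", "destination is the authorised processor")
    pans = find_pans(flow.payload)
    if pans:
        return Verdict("block", "card data to non-allowlisted host", pans)
    return Verdict("block", "non-allowlisted destination")


# Constructed sample flows. 4111111111111111 is a well-known Luhn-valid
# test number; 1234567812345678 fails the Luhn check.
SAMPLE_FLOWS = [
    Flow("10.20.1.5", "203.0.113.10", 443, "auth pan=4111111111111111 exp=1212"),
    Flow("10.20.1.5", "198.51.100.7", 8080, "dump 4111 1111 1111 1111 1212 123"),
    Flow("10.20.1.5", "198.51.100.7", 8080, "dump 1234567812345678"),
]


def run(flows=SAMPLE_FLOWS) -> list[Verdict]:
    """Evaluate every flow and return the verdicts in order."""
    return [check_egress(f) for f in flows]


if __name__ == "__main__":
    for f, v in zip(SAMPLE_FLOWS, run()):
        print(f"{f.src} -> {f.dst}:{f.dport}: {v.action} ({v.reason}) {v.pans}")
```

In a real deployment the allowlist would live in the firewall between the payment segment and the rest of the network, and the content match would run on a monitoring tap rather than inline, but the decision logic is the same.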
The card issuing banks have claimed several hundred thousand dollars in fraudulent charges.
Not surprisingly, the FTC alleged these failures to implement "reasonable security" constituted an unfair act or practice in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a).
Like many other similar FTC settlements, this one requires that Dave & Buster's establish and maintain a comprehensive information security program and obtain independent audits by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, for (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for ten (10) years after service of the order.
Dave & Buster's' comprehensive information security program must include the following, and more:
A. the designation of an employee or employees to coordinate and be accountable for the information security program;
B. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;
C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
D. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and
E. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by sub-Part C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.
Incidentally, for those of you, like me, who are fascinated (yes, it is true, I admit it) by the many and differing definitions of "Personal Information" out there in this country, you may be interested to note the FTC's definition for purposes of this settlement:
“Personal information” shall mean individually identifiable information from or about an individual consumer including, but not limited to: (a) a first and last name; (b) a home or other physical address, including street name and name of city or town; (c) an email address or other online contact information, such as an instant messaging user identifier or a screen name; (d) a telephone number; (e) a Social Security number; (f) a driver’s license number; (g) a credit card or debit card account number; (h) a persistent identifier, such as a customer number held in “cookie” or processor serial number, that is combined with other available data that identifies an individual consumer; or (i) any information that is combined with any of (a) through (h) above.
We fully expect to see more FTC action in this area. Stay tuned for settlement number 28.
Is Your Organization's Red Flags Rule Identity Theft Prevention Program Ready for Primetime?
As our readers know, the FTC, after four extensions of the deadline, currently intends to begin enforcing the Red Flags Rule with respect to organizations subject to its jurisdiction on June 1, 2010. In the meantime, the Red Flags Rule remains in effect as to all financial institutions and creditors (and has been subject to enforcement by the banking regulators since November 1, 2008). Although a recent decision of the United States District Court for the District of Columbia, ABA v. FTC, brought lawyers outside the scope of the Rule, the Rule remains broad and covers a wide range of entities as "creditors." Creditors subject to the FTC's jurisdiction need to have their written Red Flags Rule Identity Theft Prevention Programs prepared, approved by the Board, and implemented by June 1. For more on the history and the requirements of the Rule, see my recent article, "The FACTA Red Flags Rule: A Primer," published in Bloomberg Law Reports – Risk & Compliance, reproduced here with the permission of Bloomberg.
Are We Living in a Post-Disclosure, Opt-In World?
Today's New York Times Media Decoder Blog features an "on-the-record" discussion with Federal Trade Commission chairman Jon Leibowitz and Bureau of Consumer Protection chief David Vladeck. The question presented: "Has Internet Gone Beyond Privacy Policies?" The FTC (and Congress, for that matter) continue to signal that change may be imminent in the world of online privacy policies and traditional notions of opt-out consent.
The dilemma remains - if consumers don't want to read privacy policies, what would constitute true notice and consent? And, in the Web 2.0 world with consumers' insatiable appetite for on-demand, customized and interactive content, how can that process be handled in a manner that is both meaningful and consumer-friendly? What do consumers really want? And are their expectations regarding privacy simply inconsistent with the modern realities of social networking? Just yesterday, the blogosphere was abuzz with news of the Facebook CEO's comments at the Crunchies Awards that "[p]eople have really gotten comfortable sharing more information and different kinds but more openly and with more people."
At the end of the day, the real question (and answer) may have more to do with what constitutes "personal information," what consumers "reasonably" expect in today's world, and whether the sharing and use of certain kinds of information should be regulated.
In our current legal structure, even though such information flows around the world at breakneck speed, the definition of personal information ultimately depends on where you reside - and that, in turn, has grown out of social and cultural expectations. In the United States this has traditionally meant information that can be used to identify and victimize you (i.e., identity theft) - Social Security number, financial account number, and now, to a growing extent, medical information - although, in some new state statutes, the definition is much broader. In Europe, the answer, for cultural and historical reasons, continues to be much more expansive, encompassing just about anything that can identify an individual.
So when an individual shares information on Facebook about his or her favorite music, or holiday plans, or the color of a piece of clothing, does that constitute "personal information"? What are consumers' reasonable expectations about how that information, if disclosed publicly -- or not so publicly (e.g., to one's "friends") -- should be used? And should the government regulate the sharing and use of such information by data brokers, social networks, cloud computing vendors, and advertisers?
Last year, the FTC introduced self-regulatory principles for behavioral advertising, but issued a warning that advertisers had one last chance before the FTC would take further steps to regulate. Has that time come? Mr. Vladeck told the New York Times today that the FTC will issue a report in June or July. Chairman Leibowitz said:
I have a sense, and it’s still amorphous, that we might head toward opt-in.
What would such opt-in look like and how would it operate? Is any opt-in solution manageable in the online world? Can any proposed model keep up with rapid changes in technology and consumer expectations? And will this focus on online privacy issues affect and/or eclipse the progress of the many pending federal data security and breach notification bills?
We shall see.
BREAKING: FTC Extends Red Flags Rule Enforcement Deadline to June 1, 2010
FTC Settles Charges Against Kids' Apparel Brands for Alleged COPPA Violations
Remember Candie's shoes and Op shorts? The FTC announced yesterday that it has settled charges against Iconix Brand Group, the owner, licensor, and marketer of popular kids' apparel brands such as Candie’s, Op, Mudd, and Bongo, for allegedly violating the Children's Online Privacy Protection Act (COPPA). Among other things, Iconix will pay a $250,000 civil penalty. The FTC filed its complaint and submitted its consent decree and order for approval yesterday in the Southern District of New York.
The FTC charged Iconix with knowingly collecting personal information from approximately 1,000 children since 2006 without obtaining prior parental consent, and failing to delete the information. The FTC claimed that Iconix required consumers to provide personal information such as name, e-mail address, zip code, and in some cases mailing address, gender, phone number, and date of birth, in order to receive brand updates, enter sweepstakes contests, and participate in interactive brand-awareness campaigns and other Web site features. The FTC further charged Iconix with posting a privacy policy that falsely stated that it would not seek to collect personal information from children without obtaining prior parental consent and would delete any such information about which it became aware. Specifically, the privacy policy stated as follows:
"We do not seek to collect personally identifiable information from persons under the age of 13 without prior verifiable parental consent. If we become aware that we have inadvertently received such information online from a child under the age of 13, we will delete it from our records. If you are under the age of 13, please do not submit any personally identifiable information to us. If you are the parent or guardian of a person under the age of 13 who has provided personally identifiable information to us, please inform us by contacting us at info@iconixbrand.com and we will remove such information from our database. If you are concerned about your children's use of the Site, you may use web filtering technology to supervise or limit access to the Site."
In addition to the $250,000 penalty, pursuant to the settlement, Iconix must, among other things, delete all personal information collected and maintained in violation of COPPA, distribute the settlement order and the FTC’s “How to Comply with the Children’s Online Privacy Protection Rule” to company personnel, and link to the FTC's www.OnGuardOnline.gov Web site on any Iconix Web site that collects or discloses children’s personal information and on any Iconix site that offers the opportunity to upload writings or images, create publicly viewable user profiles, or interact online with other Iconix site visitors.
Of course, this is not the first time the FTC has brought and settled COPPA charges. There have been more than a dozen COPPA enforcement cases, the most notable being a 2008 $1 million settlement with Sony BMG and a 2006 $1 million settlement with Xanga.
The FTC's most recent COPPA enforcement action is another reminder of (a) the importance of posting a privacy policy that accurately reflects a company's practices with respect to children's (and others') personal information; and (b) the need for legal, marketing, and IT to work hand-in-hand in developing kid-friendly and compliant online campaigns.
Merchant Liability for "Time and Effort" Following Security Breach?
The Hannaford saga continues, with possible civil liability implications for retailers.
Earlier this year, a federal judge in Maine dismissed almost all claims in the consolidated class action lawsuit against Hannaford Brothers Co. (In re Hannaford Bros. Co. Customer Data Security Breach Litigation, MDL No. 2:08-MD-1954, USDC Maine). Hannaford had millions of payment card records hacked in 2007 and 2008. Judge Hornby ruled that the common law in Maine allows consumers to seek restitution only for unreimbursed fraudulent charges on their credit or debit cards. Since the card issuers reversed the fraudulent charges under their “zero-liability” policies, the cardholders suffered only “collateral consequences” such as the time and effort involved in changing cards and accounts, monitoring for fraud, and dealing with banks, merchants, and others following notice of the breach. Judge Hornby did not believe such collateral harms were cognizable injuries under state law.
This week the judge reversed that decision and certified to the Maine Law Court (the highest court in the state) the following question:
“Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?”
That question might well be raised in many states that, like Maine, require some form of “economic loss” to sustain an action for negligence. The answer from the Maine Law Court could be an important precedent. So far, plaintiffs in the United States have generally been unsuccessful in pursuing claims against merchants based on fear of identity theft and incidental expenses to protect against it, following a security breach incident. “Lost time and effort” may not be worth a great deal in damages to any single cardholder, but if Maine allows such claims to proceed, a class action with millions of class members could make “time and effort” claims daunting, as well as allowing plaintiffs to sustain an action in which emotional distress can also be asserted as grounds for damages.
This development should serve as an additional spur for retailers to take precautions against the kinds of attacks that resulted in Hannaford’s data losses. Adherence to applicable security guidelines, prominently the Payment Card Industry Data Security Standard (PCI DSS), will go far to avoid such incidents and protect a company from fines and civil liability as well. The Hannaford hackers, one of whom is now in jail, used SQL injection to plant malware in the merchant’s servers. This is hardly a new technique, and it is one that retailers may be held accountable for neglecting.
In 2008 Hannaford, which operates more than 150 grocery stores in New York and New England, announced that its payment card processing servers had been hacked for several months, exposing millions of payment card records and resulting in thousands of fraud investigations in the Northeast. In August this year, a federal grand jury in Newark, New Jersey indicted a 28-year-old Florida hacker named Albert Gonzalez (formerly an informant for the US Secret Service) and two unnamed persons living “in or near Russia” as conspirators who allegedly carried out the Hannaford hack and several others, including massive attacks on Heartland Payment Systems and the 7-11 retail chain. Gonzalez is already awaiting trial on charges in connection with the TJX hack in 2007. Altogether, the ring is accused of stealing data on more than 130 million credit cards and debit cards. According to the TJX and Hannaford/Heartland indictments, the hackers used several methods, but primarily SQL injection, to gain access to the target networks and install sniffer malware that intercepted card details and transmitted them to computers controlled by the hackers.
The Federal Trade Commission has publicly taken the position that SQL attacks are “commonly known or reasonably foreseeable” (see, for example, the FTC Complaint against Guess?, Inc., and the FTC’s press release concerning Life is good, Inc.). Thus, the FTC has fined retailers following such attacks and in some cases entered consent orders imposing additional sanctions and requirements. This makes it relatively easy to assert negligence in a civil action on behalf of a class of cardholders following a successful SQL attack.
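The reason regulators treat SQL injection as "reasonably foreseeable" is that the defect and its fix are both well understood. The following is an added illustration written for this post, not code from the Hannaford case or from any retailer's systems: it builds a tiny in-memory SQLite table of constructed sample customers, runs the same lookup once with the query text assembled from user input and once with a bound parameter, and shows that only the string-built version lets a crafted input change the query's meaning. The table, column names and sample rows are all invented for the example.

```python
"""Added example: a string-built SQL query beside its parameterized form,
run against constructed sample data in an in-memory SQLite database.
Illustrative code for this post, not code from any merchant's systems."""
import sqlite3

# Constructed sample data standing in for the kind of lookup a merchant
# web application might perform on its customer records.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "Portland, ME"),
    ("bob", "bob@example.com", "Scarborough, ME"),
    ("carol", "carol@example.com", "Albany, NY"),
]


def make_db() -> sqlite3.Connection:
    """Create and populate the in-memory sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, city TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The pattern that makes SQL injection possible: untrusted input is
    pasted into the SQL text, so the input can alter the query itself."""
    sql = "SELECT username, email FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The hardened form: the SQL text is fixed and the value is bound as a
    parameter, so the database only ever treats it as data to compare."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with an ordinary username and with a crafted one
    and return the rows each version produced."""
    conn = make_db()
    # The textbook tautology used in every SQL-injection tutorial; it is
    # here to show why string-built queries fail, not as a working attack.
    crafted = "nobody' OR '1'='1"
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_parameterized(conn, "alice"),
        "crafted_vulnerable": lookup_vulnerable(conn, crafted),
        "crafted_safe": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

With the ordinary username both versions return Alice's single row; with the crafted input the string-built query returns every customer while the parameterized query returns nothing, because the whole string is compared as a username. The parameterized form is the fix that PCI DSS and the FTC's "foreseeable attack" reasoning presuppose a merchant will have in place.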
Code or Clear? Encryption Requirements (Part 2)
In the last post, I talked about the role of encryption in fashioning a “reasonable” security plan for sensitive personal information and other protected data routinely collected, stored, and used by an enterprise. But lawmakers and regulators are getting more specific about using encryption and managing data that is risky from an ID-theft perspective. Here are some leading examples of this trend.
State Security and Breach Notification Laws
Since California adopted SB 1386, which went into effect in 2003, nearly all US states have enacted security breach notice laws that require notice to affected individuals, and in some cases to public authorities, when a party has reason to believe that the security of protected categories of personal data has been compromised. The protected categories are typically SSN (Social Security Number), driver’s license, financial account or payment card details (usually only if the password or access code is also compromised), and, increasingly, medical data not covered by federal HIPAA privacy protections.
All of these laws make an exemption from the notice obligation if the data were encrypted (some add that this is true only if there is no reason to believe that the decryption key was also compromised). The laws, and regulations adopted under the laws, typically do not specify the level or kind of encryption. For example, California’s Office of Privacy Protection published guidance specifically on the subject of “Recommended Practices on Protecting the Confidentiality of Social Security Numbers” in April 2007, which has only this to say about encryption, on page 11:
“Protect records containing SSNs, including back-ups, during storage by encrypting the numbers in electronic records or storing records in other media in locked cabinets.”
Partly as a consequence of these security and breach notice laws, organizations should limit their use and storage of these categories of personal data to the extent they are really necessary for business operations. Storage on servers or on archived media, and transmission over internal networks and VPN connections, may or may not be sufficiently secure without encryption, depending on the company’s risk assessment and IT security practices. Organizations should encrypt such data when it is resident on laptops or other portable devices and when it is in transit over the public Internet.
Massachusetts and Nevada have recently adopted stricter and more specific rules, however, that may become a model for other states. These increase the regulatory pressure for encrypting protected categories of personal data.
Massachusetts
The Massachusetts Personal Information Security Regulation (201 CMR 17.00) is now scheduled to take effect on March 1, 2010. The Regulation was promulgated by the Office of Consumer Affairs and Business Regulation (OCABR) under the authority of the Massachusetts personal information security law.
The Regulation will require all parties that “own or license” any of the protected categories of personal data concerning Massachusetts residents to encrypt the data in laptops or other portable devices, as well as in wireless transmissions and in transmission over public networks.
Note that the Regulation does not limit its coverage of financial account data to cases where the access code or PIN is compromised, as do most security and breach notice laws. The Regulation extends to any nonpublic financial account or payment card data, as well as to SSNs and driver’s license numbers. The Regulation does not cover medical information, however.
The Regulation mandates a number of “Computer System Security Requirements” (201 CMR sec. 17.04) for businesses that handle the protected categories of personal data. These expressly include the following:
“(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly . . .
(5) Encryption of all personal information stored on laptops or other portable devices . . .”
The level and type of encryption are not specified.
Nevada
Nevada recently amended its personal information security law, which already required “reasonable” security measures as well as breach notice (Nevada Rev. Stats. secs. 603A.010 et seq.). The amendments take effect on January 1, 2010.
The law covers SSNs, driver’s license numbers, and payment card or financial account data in combination with an access code or PIN. Medical information is not covered.
Under the amended law, businesses that accept payment cards (credit cards and debit cards) must comply with the Payment Card Industry Data Security Standard (PCI DSS). In addition, a party handling any of the protected categories of information must encrypt the data if it transfers the data electronically “outside of the secure system of the data collector” or if the data is stored on a device (laptop, USB drive, etc.) that is moved “beyond the logical or physical controls of the data collector or its data storage contractor.”
“Encryption” is defined in the amendments with reference to “established standards,” specifically including FIPS and mentioning the need for standards-based key management as well as encryption protocols:
‘Encryption’ means the protection of data in electronic or optical form, in storage or in transit, using:
(1) An encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and
(2) Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.”
Thus, while the law itself does not specify the form of encryption, it puts the burden on the user to choose an appropriate and standards-based method.
HITECH
Title XIII of ARRA, the federal economic recovery legislation adopted early in 2009, is labeled the Health Information Technology for Economic and Clinical Health Act (HITECH). It amends the HIPAA medical privacy provisions by adding a federal security breach notice requirement for nonpublic, personally identifiable health information. While HIPAA applies only to certain covered entities (healthcare providers and insurance companies and clearinghouses), HITECH also applies to “business associates” that provide services to those entities. HITECH reaches as well any employers that are covered by HIPAA because, for example, they operate company clinics or manage their own health plans.
HITECH requires notice to affected individuals when there has been a security breach exposing personally identifiable health data. HIPAA already lists 18 identifiers (names, addresses, SSNs, health plan ID numbers, etc.) that must be removed to establish that health records have been “de-identified.” Where compromised records have not been fully de-identified by removing these data fields, HITECH sec. 132400 also recognizes that the information may not be personally identifiable if it is effectively encrypted:
“(b) Implementation specifications: Requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) Documents the methods and results of the analysis that justify such determination; . . . .”
Thus, HITECH does not specify a particular form of encryption but leaves it to IT security experts to decide whether the data are effectively unidentifiable in the hands of an unauthorized user. Note that the statute requires covered entities to maintain documentation of this professional analysis, and that the analysis must be based on “generally accepted” principles and methods – which means that professional opinions are likely to refer to published specifications and industry standards.
Red Flags
The 2007 Identity Theft Red Flags Rule (promulgated under the 2003 FACTA amendments to the federal Fair Credit Reporting Act) went into effect in November 2008, although the FTC suspended enforcement until November 1, 2009. (Similar rules were issued by the federal financial regulatory agencies, for the institutions they supervise.) The Rule requires covered entities to develop and implement written policies to prevent identity theft, including recognition of warning signs or “red flags” of suspected ID theft.
The Rule applies not only to traditional financial institutions but to “creditors,” defined as companies that “regularly defer payment for goods or services,” whether or not charging interest or finance charges, and therefore store personal information about individual debtors. Some employers, for example, sell goods or services to employees on deferred payment terms and may be treated as covered entities for that reason. (However, the Red Flag FAQs written by FTC staff take the view that an employer is not a covered entity simply because it sponsors a 401k or other qualified retirement plan that allows participants to borrow from their retirement funds.)
For covered entities, the mandatory policy to prevent ID theft must identify signs of possible security breaches involving certain data, as well as appropriate responses to those alerts. The covered data are SSNs and tax identification numbers, healthcare IDs, financial account and credit/debit card details, personally identifiable medical information, and identifying data from consumer reports (which are often used for employee background checks as well as for credit applications).
The Rule itself does not mandate encryption measures. However, most covered entities will necessarily address encryption in their written anti-ID theft policies. Their “red flags” should also include an alert if there is evidence that encryption keys have been misused, stolen, or hacked.
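One way to turn the last point into something operational is a check that reads key-management audit records and raises a flag when key material is exported by someone other than a designated custodian, used from a host outside the approved set, or repeatedly refused. The code below is an added illustration for this post, not anything from the Red Flags Rule or from a real key-management product: the log format, field names, policy values and every sample line are constructed for the example.

```python
"""Added example: a small "red flag" check over constructed key-management
audit log lines. The log format, field names, policy thresholds and the
sample entries are hypothetical, invented for this illustration."""
from collections import Counter

# Constructed sample audit log. Each line is an ISO timestamp followed by
# key=value pairs describing one use of the (hypothetical) card-data key.
SAMPLE_LOG = """\
2009-11-02T09:14:07Z key=card-db-key-01 actor=svc-pos action=decrypt host=app-01 result=ok
2009-11-02T09:14:09Z key=card-db-key-01 actor=svc-pos action=decrypt host=app-02 result=ok
2009-11-02T21:40:11Z key=card-db-key-01 actor=jdoe action=export host=laptop-88 result=ok
2009-11-02T22:01:30Z key=card-db-key-01 actor=svc-pos action=decrypt host=app-01 result=denied
2009-11-02T22:01:31Z key=card-db-key-01 actor=svc-pos action=decrypt host=app-01 result=denied
2009-11-02T22:01:32Z key=card-db-key-01 actor=svc-pos action=decrypt host=app-01 result=denied
2009-11-02T22:01:33Z key=card-db-key-01 actor=svc-pos action=decrypt host=app-01 result=denied
2009-11-03T01:12:45Z key=card-db-key-01 actor=svc-pos action=decrypt host=unknown-203 result=ok
2009-11-03T08:00:02Z key=card-db-key-01 actor=kms-admin action=export host=hsm-backup result=ok
"""

# Hypothetical policy: who may export key material, where the key may be
# used, and how many refusals per actor are tolerated before flagging.
POLICY = {
    "export_custodians": {"kms-admin"},
    "approved_hosts": {"app-01", "app-02", "hsm-backup"},
    "max_denied_per_actor": 3,
}


def parse_line(line: str):
    """Split 'ts k=v k=v ...' into a dict; return None for blank or garbled lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        event[key] = value
    return event


def find_red_flags(log_text: str, policy: dict = POLICY) -> list:
    """Return (flag_code, timestamp, detail) tuples for events that match
    the policy's notion of key misuse, in log order."""
    flags = []
    denied = Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # skip lines the parser cannot make sense of
        actor, host, action = ev.get("actor"), ev.get("host"), ev.get("action")
        if action == "export" and actor not in policy["export_custodians"]:
            flags.append(("KEY_EXPORT_BY_NON_CUSTODIAN", ev["ts"], f"{actor}@{host}"))
        if host not in policy["approved_hosts"]:
            flags.append(("KEY_USE_FROM_UNAPPROVED_HOST", ev["ts"], f"{actor}@{host}"))
        if ev.get("result") == "denied":
            denied[actor] += 1
            # flag once, at the moment the threshold is exceeded
            if denied[actor] == policy["max_denied_per_actor"] + 1:
                flags.append(("REPEATED_DENIED_KEY_USE", ev["ts"], actor))
    return flags


if __name__ == "__main__":
    for code, ts, detail in find_red_flags(SAMPLE_LOG):
        print(f"{ts} {code} {detail}")
```

Against the sample log this raises four flags: the export by a non-custodian, the same event's use from an unapproved laptop, the fourth refused decrypt by the point-of-sale service, and the later decrypt from an unknown host. The point for a written Identity Theft Program is that each flag maps to a documented response (revoke or rotate the key, investigate the host, confirm with the custodian), which is what the Rule asks covered entities to spell out.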
Code or Clear? Encryption Requirements under Information Privacy and Security Laws (Part 1)
“Exactly what data do we have to encrypt, and how?”
That’s a common question posed by IT and legal departments, HR and customer service managers, CIOs and information security professionals. In the past, they made their own choices about encryption, balancing the risks of compromised data against the costs of encryption. Those costs are measured not merely by expense but also by increased processing load, user-unfriendliness, and the remote but real possibility of lost or corrupted decryption keys resulting in inaccessible data. After weighing the costs and benefits, most enterprises decided against encryption for all but the most sensitive applications and data categories.
But changes in technology and law are making enterprises rethink that decision. Processing is faster and encryption software is cheaper and more reliable. There are now several efficient options for encrypting data in communications and on laptops and mobile storage devices, where historically data is most vulnerable. And at the same time, new compliance obligations and heightened litigation risks are pushing companies, government agencies, and nonprofits to explore these options and adopt a defensible policy toward data encryption.
From “Reasonable” to Specific
Legal and IT personnel are generally familiar with a traditional pattern in privacy laws: Security is always mandated, but the statutory language is usually limited to generalities, stating that a company must develop and implement “reasonable” or “appropriate” security measures proportional to the risk of harm if the information at issue is lost, altered, or obtained by unauthorized persons. This sort of language is found, for example, in HIPAA and GLBA, FTC guidance on fair trade practices, SEC internal control rules under Sarbanes-Oxley (SOX), the EU Data Protection Directive, and the personal information security laws of Canada, Japan, Australia, and other jurisdictions. Some laws (or regulations issued under those laws) emphasize that these safeguards must include technical, organizational, and physical security measures, but they typically do not specify what those measures must be.
This is because lawmakers are well aware that technology and criminal tactics are both constantly changing. There is an understandable reluctance to define appropriate security measures based on current technology and practices that may be outmoded within a year or two.
Nevertheless, the spate of personal information security breaches, some of them on a breathtaking scale, and the rise of identity theft as the fastest-growing criminal activity tracked by the FBI and several foreign law enforcement agencies, have pushed legislators and regulators to become increasingly specific in mandating security measures for especially sensitive or risky categories of personal data. That trend is reflected in the new generation of privacy and information security laws and regulations outlined below, with significant consequences for compliance practices.
Lawyers will appreciate that these increasingly specific security requirements have an impact not only in the compliance context but in civil litigation based on common-law doctrines of negligence, invasion of privacy, and breach of contract or on “unfair or deceptive trade practices” under FTC Act sec. 5 and parallel state laws. Many large-scale security breaches involving credit or debit card details or Social Security Numbers have resulted in civil litigation, much of it in the form of class actions, lawsuits filed by the attorneys general in several states, or “private attorney general” actions in California.
Companies increasingly deploy security measures such as encryption, strong passwords, and access logs to protect sensitive personal data in a wider range of IT applications, partly in response to litigation risks and new compliance obligations. But as they do so, public and judicial perceptions of “industry standard” safeguards and “reasonable” security practices change; the bar is set higher. It becomes harder to defend against an “unfair practices” or negligence complaint following a security breach by asserting that the plaintiff had no reasonable expectation of privacy or that the defendant acted as a “reasonable man” in storing and transmitting sensitive personal data without encryption, for example, or with unchanged, four-digit passwords.
Very few lawsuits involving consumer or employee privacy have proceeded to trial. They are usually settled – publicly, in the case of class actions and lawsuits brought by the FTC or a state attorney general. Settlements and FTC consent decrees have often included specific security undertakings, including encryption and password controls, to avoid future privacy violations.
The key, then, is not to focus solely on compliance within the scope of specific statutory requirements, but to look at the trends in these requirements as a guide to effective risk management in the litigation context as well.
There is clearly a trend toward requiring encryption of sensitive personal data (particularly the identifiers used commonly in ID theft, as well as medical information), especially when that information is transmitted over public networks or wirelessly, or when that information is stored on laptops, USB drives, smart phones, PDAs, and other portable devices. These are precisely the circumstances in which most large-scale personal data security breaches have occurred.
So far, companies have not normally been required to routinely encrypt all such data on secure servers or in data centers and storage media located on their premises (or those of their contractors), behind firewalls and internal network or VPN controls. Some companies have chosen to do so, however, to further reduce their risks of noncompliance or litigation exposure.
Sources of Legal Requirements
In the next installment, I’ll review recent US state and federal laws or regulations that push organizations to reconsider encryption, especially for data in transit and on portable devices. Then, we’ll look at the international scene, and finally at standards that are often incorporated in legal and regulatory decisions as well as in contracts.
Who Must Comply with FACTA's Red Flags Identity Theft Rule?
According to the FTC, any company that "regularly defer(s) payment for goods or services". . .
On October 31, 2007, the FTC released the Red Flags Identity Theft Rule (the "Red Flags Rule" or the "Rule"). The Red Flags Rule requires "covered entities" to conduct a risk assessment to determine if they have "covered accounts," which are consumer-type accounts that pose a reasonable risk of identity theft. If a covered entity does have covered accounts the Red Flags Rule requires the entity to develop and implement a written Identity Theft Program to identify, detect and respond to possible risks of identity theft. The deadline to comply with the Red Flags Rule was November 1, 2008. The FTC, however, announced that it would suspend enforcement of the Rule until May 1, 2009 (note that the enforcement date suspension DID NOT impact the compliance deadline -- all covered entities should have been in compliance by November 1, 2008).
Recently a controversy has arisen as to what constitutes a "covered entity" that must comply with the Rule. The FTC has taken the position, based on various definitions in the Rule and other relevant statutes, that the Rule applies to any company that "regularly defers payment for goods or services." This can include any company that does not require payment at the time goods or services are provided, including for example doctors, hospitals, lawyers, merchants and repairmen. As such the potential scope of the Rule is enormous and all companies should investigate whether they are subject to it.
The FTC's Position on the Scope of the Red Flags Rule
While it is obvious that the Red Flags Rule applies to traditional financial institution type companies (e.g. banks, credit unions, mortgage companies, etc.), the FTC's interpretation of "covered entities" could impose the Red Flags Rule on "non-financial" entities. The Rule defines "covered entities" as either "creditors" or "financial institutions." The current controversy revolves around the term "creditor," which is defined by the Rule by referring to the definition in the Equal Credit Opportunity Act ("ECOA"). Under the ECOA, "creditor" means:
"any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit."
The ECOA defines "credit" as "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor." In a letter to the American Medical Association on this issue, the FTC cited Federal Reserve Board's elaboration on the definition of creditor and credit:
In its Official Staff Commentary to Regulation B, the Federal Reserve Board makes clear that the terms "creditor" and "credit" under the ECOA should be interpreted broadly so as to include all entities that defer payments, even in the normal course of a traditional billing process. As the Official Staff Commentary states, "[i]f a service provider (such as a hospital, doctor, lawyer, or merchant) allows the client or customer to defer the payment of a bill, this deferral of a debt is credit for purposes of the regulation, even though there is no finance charge and no agreement for payment in installments."
In the same letter, the FTC also cited favorably to a legal treatise on the issue:
Similarly, one recent legal treatise on the subject explains that "[b]ecause credit under the ECOA involves any simple deferral of payment, even if there are no finance charges or installments, the ECOA applies to many transactions where the consumer pays after receiving the goods or services, such as doctor and hospital bills, bills from repair persons and other workers, and even a local store where a customer runs up a tab."
The Impact of the FTC's Interpretation
The FTC's interpretation of "creditor" potentially extends the Red Flags Rule to large swaths of the economy. Taken to its logical conclusion, any company that does not require immediate payment for goods or services could be considered a "creditor." This could include law firms, hospitals, insurance companies, telecommunication companies, doctors and a host of other businesses that provide products or services and bill for them later. While the number of entities that need to comply with the Rule may be significant, the FTC also recognizes that entities posing a lower risk of identity theft may comply with the Rule by implementing simpler (relative to high-risk entities) written Identity Theft Programs. The difference between low-risk and high-risk will vary depending on the particular circumstances.
What should a company do if it does allow deferred payments?
At this point, it appears that such companies must investigate whether they handle "covered accounts" and ascertain the identity theft risk associated with those accounts. The Rule is also, unfortunately, not clear on what constitutes a covered account in this context. Moreover, since business models vary, the risk posed and red flags established will likely vary between companies. Companies should retain counsel to work through these issues and help develop an Identity Theft Program.
In theory at least, lower risk and less complex entities will face lower compliance burdens and costs to achieve compliance. Nonetheless, because of the need to investigate the applicability of the law and the potentially fact-intensive process of assessing identity theft risk and crafting a program for a particular company, the costs may be significant for some companies (especially "high-risk" entities). More coming on compliance burdens in a future article on this blog.
FTC Releases Online Behavioral Advertising Principles
Online Behavioral Advertising Moving the Discussion Forward to Possible Self-Regulatory Principles
More to come after reviewing it. Happy hunting!